https://bugzilla.redhat.com/show_bug.cgi?id=1191094
Tomas Hoger <thoger(a)redhat.com> changed:
What             |Removed |Added
----------------------------------------------------------------------------
Priority         |medium |low
Fixed In Version | |freetype 2.5.4
Summary          |CVE-2014-9671 freetype: Off-by-one error in the pcf_get_properties function in pcf/pcfread.c |CVE-2014-9671 freetype: integer overflow in pcf_get_encodings() leading to NULL pointer dereference
Whiteboard       |impact=moderate,public=20141124,reported=20150210,source=cve,cvss2=3.7/AV:L/AC:H/Au:N/C:P/I:P/A:P,fedora-all/freetype=affected,rhel-5/freetype=new,rhel-6/freetype=new,rhel-7/freetype=new |impact=low,public=20141124,reported=20150210,source=cve,cvss2=4.3/AV:N/AC:M/Au:N/C:N/I:N/A:P,cwe=CWE-190->CWE-476,rhel-4/freetype=notaffected,rhel-5/freetype=wontfix,rhel-6/freetype=affected,rhel-7/freetype=affected,rhev-m-3/mingw-virt-viewer=affected,fedora-all/freetype=affected,fedora-all/mingw-freetype=affected,epel-7/mingw-freetype=affected
Severity         |medium |low
--- Comment #1 from Tomas Hoger <thoger(a)redhat.com> ---
Upstream bug is:
https://savannah.nongnu.org/bugs/?43547
Issue was fixed upstream in 2.5.4.
This is an integer overflow issue, rather than off-by-one. A string_size value
is read from the input font file. If the value 0xffffffff is used and 1 is later
added to it when FT_NEW_ARRAY() is called to allocate the strings[] buffer, the
addition will overflow (32-bit overflow) and lead to an attempt to allocate a
zero-sized buffer. FreeType memory allocation functions return NULL in that case,
which leads to a crash when the buffer is populated later.
Note that this issue was introduced by the CVE-2012-1130 fix (see bug 800587)
in the following commit:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c776fc17
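The wraparound described in the comment above, modelled in C as an added example; this is not FreeType's code or its upstream fix. It assumes a 32-bit size field (as the comment states), an allocator that returns NULL for a zero-sized request, and a hypothetical bound of the size against the bytes remaining in the file.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Mimics an allocator that, as the comment says of FreeType's, returns
   NULL when asked for zero bytes (model only, not FreeType's allocator). */
static void *model_alloc(uint32_t count)
{
    if (count == 0)
        return NULL;
    return calloc(count, 1);
}

/* Buggy path: count = string_size + 1 wraps to 0 for 0xffffffff, the
   allocation yields NULL, and the later fill would write through NULL.
   Returns 1 if the loader would have dereferenced a NULL pointer. */
int unchecked_would_crash(uint32_t string_size)
{
    uint32_t count = string_size + 1;      /* 32-bit wraparound here */
    char *strings = model_alloc(count);
    int crash = (strings == NULL);         /* the populate step would crash */
    free(strings);
    return crash;
}

/* Hardened path (illustrative): reject a string_size that cannot take +1
   without wrapping, and one larger than the data actually left in the file
   (hypothetical bound). Returns 0 and leaves *out NULL when rejected. */
int checked_load_strings(uint32_t string_size, const uint8_t *data,
                         size_t data_len, char **out)
{
    *out = NULL;
    if (string_size > UINT32_MAX - 1 || string_size > data_len)
        return 0;
    char *strings = model_alloc(string_size + 1);
    if (strings == NULL)
        return 0;
    memcpy(strings, data, string_size);
    strings[string_size] = '\0';           /* the +1 byte is the terminator */
    *out = strings;
    return 1;
}
```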