Vigil@nce - FreeType: buffer overflow of ft_var_readpackedpoints
October 2010 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to display a malicious character
font, with an application linked to FreeType, in order to create a
denial of service and possibly to execute code.
Severity: 2/4
Creation date: 20/10/2010
DESCRIPTION OF THE VULNERABILITY
The FreeType library processes character fonts.
A TrueType GX font contains additional tables describing fonts for
Apple QuickDraw GX. The file truetype/ttgxvar.c in FreeType implements
support for TrueType GX.
The ft_var_readpackedpoints() function reads packed groups of point
numbers from the TrueType GX font file. However, if the number of
points declared in the font is too high, the points are written past
the end of a buffer, causing a buffer overflow.
An attacker can therefore invite the victim to display a malicious
character font, with an application linked to FreeType, in order
to create a denial of service and possibly to execute code.
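As an added illustration of the class of defect described above, not code from FreeType or from the bulletin, the following reader decodes a packed point-number list in the encoding used by TrueType GX variation data and refuses any count that does not fit the destination buffer. The names read_packed_points, pp_status and the check_* functions are assumptions for this example; the destination capacity out_cap stands for the number of points the glyph actually has, and the guard "count > out_cap" is the kind of check whose absence lets a font-controlled count overrun the output buffer. The inputs in the check_* functions are constructed for the example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not FreeType code: a bounds-checked reader for the
 * packed point-number list used by TrueType GX variation data (the
 * encoding documented in Apple's 'gvar' table specification).  Every
 * size that comes from the font is checked against what the caller
 * actually allocated or supplied before it is used. */

typedef enum { PP_OK = 0, PP_ALL_POINTS = 1, PP_ERROR = -1 } pp_status;

pp_status read_packed_points(const uint8_t *buf, size_t len,
                             uint16_t *out, size_t out_cap,
                             size_t *n_out)
{
    size_t pos = 0, count, i = 0;
    uint16_t point = 0;

    if (len < 1) return PP_ERROR;
    count = buf[pos++];
    if (count == 0) {               /* 0 means "all points of the glyph" */
        *n_out = 0;
        return PP_ALL_POINTS;
    }
    if (count & 0x80) {             /* high bit set: 15-bit count follows */
        if (pos >= len) return PP_ERROR;
        count = ((count & 0x7F) << 8) | buf[pos++];
    }
    /* Guard 1: the count announced by the font must fit the buffer. */
    if (count > out_cap) return PP_ERROR;

    while (i < count) {
        if (pos >= len) return PP_ERROR;
        uint8_t control = buf[pos++];
        size_t run  = (size_t)(control & 0x7F) + 1;   /* points in this run */
        int    wide = (control & 0x80) != 0;          /* 16-bit deltas?     */

        /* Guard 2: a run may not deliver more points than remain. */
        if (run > count - i) return PP_ERROR;
        /* Guard 3: every delta byte must lie inside the input. */
        if ((wide ? 2 * run : run) > len - pos) return PP_ERROR;

        for (size_t k = 0; k < run; k++) {
            uint16_t delta;
            if (wide) {
                delta = (uint16_t)((buf[pos] << 8) | buf[pos + 1]);
                pos += 2;
            } else {
                delta = buf[pos++];
            }
            point = (uint16_t)(point + delta);  /* point numbers are cumulative */
            out[i++] = point;
        }
    }
    *n_out = count;
    return PP_OK;
}

/* Constructed inputs exercising the reader; each returns 1 on the
 * expected behaviour, 0 otherwise. */
int check_byte_run(void)
{
    /* count 3, one 8-bit run of deltas 1, 2, 5 -> points 1, 3, 8 */
    const uint8_t in[] = { 0x03, 0x02, 0x01, 0x02, 0x05 };
    uint16_t out[8]; size_t n = 0;
    return read_packed_points(in, sizeof in, out, 8, &n) == PP_OK
        && n == 3 && out[0] == 1 && out[1] == 3 && out[2] == 8;
}

int check_word_run(void)
{
    /* count 2, one 16-bit run of deltas 10 and 256 -> points 10, 266 */
    const uint8_t in[] = { 0x02, 0x81, 0x00, 0x0A, 0x01, 0x00 };
    uint16_t out[8]; size_t n = 0;
    return read_packed_points(in, sizeof in, out, 8, &n) == PP_OK
        && n == 2 && out[0] == 10 && out[1] == 266;
}

int check_oversized_count(void)
{
    /* the font announces 256 points for a glyph with room for 8 */
    const uint8_t in[] = { 0x81, 0x00, 0x00, 0x01 };
    uint16_t out[8]; size_t n = 0;
    return read_packed_points(in, sizeof in, out, 8, &n) == PP_ERROR;
}

int check_truncated_run(void)
{
    /* the run promises 3 deltas but only one byte of input remains */
    const uint8_t in[] = { 0x03, 0x02, 0x01 };
    uint16_t out[8]; size_t n = 0;
    return read_packed_points(in, sizeof in, out, 8, &n) == PP_ERROR;
}

int main(void)
{
    printf("byte run %d, word run %d, oversized %d, truncated %d\n",
           check_byte_run(), check_word_run(),
           check_oversized_count(), check_truncated_run());
    return 0;
}
```

The oversized-count case is the one the bulletin describes: the count is taken from attacker-controlled font data, so it must be compared with the capacity the caller derived from the glyph itself, not trusted. The two remaining guards close the companion failure modes of the same format, a run that exceeds the declared count and a run whose deltas extend past the end of the table.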
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/FreeType-buffer-overflow-of-ft-var-readpackedpoints-10056