Vigil@nce: FreeType, several integer overflows
April 2009 by Vigil@nce
An attacker can create a malicious font in order to execute code
on computers of FreeType users.
– Severity: 2/4
– Consequences: user access/rights
– Provenance: document
– Means of attack: no proof of concept, no attack
– Ability of attacker: expert (4/4)
– Confidence: confirmed by the editor (5/5)
– Diffusion of the vulnerable configuration: high (3/3)
– Number of vulnerabilities in this bulletin: 4
– Creation date: 17/04/2009
IMPACTED PRODUCTS
– Unix - platform
DESCRIPTION OF THE VULNERABILITY
The FreeType2 library handles character fonts and is used by
several applications. It has several vulnerabilities.
The ft_smooth_render_generic() function does not check the glyph
size. [grav:2/4]
Several functions of src/sfnt/ttcmap.c do not check the size of an
array. [grav:2/4]
A compressed font generates an error in the ft_lzwstate_io()
function. [grav:2/4]
An integer overflow occurs in the cff_charset_load() function.
[grav:2/4]
An attacker can therefore create a malicious font and invite the
victim to use it in order to execute code with the rights of the
application.
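As an added illustration of the bug class described above (constructed example, not FreeType's own code): a font table whose entry count is read straight from the file, with the unchecked size computation beside a checked one. The table layout and ENTRY_SIZE are assumptions for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

/* Constructed illustration, not FreeType code: a font table that starts
 * with a 32-bit little-endian entry count read straight from the file,
 * followed by `count` fixed-size entries. ENTRY_SIZE is an assumption. */
#define ENTRY_SIZE 4u

/* Unchecked form (the bug class in the advisory): the byte size is
 * computed in 32-bit arithmetic, so a huge count wraps to a tiny value,
 * the buffer is under-allocated, and the entry loop then writes past it. */
uint32_t unchecked_table_bytes(uint32_t count) {
    return count * ENTRY_SIZE;          /* wraps for count >= 2^30 */
}

/* Hardened form: reject a count whose product cannot be represented,
 * then bound the table by the bytes actually left in the file.
 * Returns the table size in bytes, or -1 if the table is rejected. */
int64_t checked_table_bytes(uint32_t count, size_t remaining) {
    if (count > UINT32_MAX / ENTRY_SIZE) return -1;  /* product would wrap */
    uint32_t bytes = count * ENTRY_SIZE;             /* now cannot wrap */
    if (bytes > remaining) return -1;                /* table is truncated */
    return bytes;
}

/* Read the count from the table header and size the entry array. */
int64_t parse_table(const uint8_t *buf, size_t len) {
    if (len < 4) return -1;
    uint32_t count = (uint32_t)buf[0] | ((uint32_t)buf[1] << 8) |
                     ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
    return checked_table_bytes(count, len - 4);
}

/* Constructed samples: a well-formed table with 3 entries, and a header
 * claiming 0x40000001 entries (whose 32-bit byte size wraps to 4). */
static const uint8_t good_table[] = { 3, 0, 0, 0,
    1, 0, 0, 0,  2, 0, 0, 0,  3, 0, 0, 0 };
static const uint8_t huge_count_table[] = { 0x01, 0x00, 0x00, 0x40,
    0, 0, 0, 0 };

int main(void) {
    printf("unchecked size for huge count: %" PRIu32 " bytes\n",
           unchecked_table_bytes(0x40000001u));
    printf("good table: %" PRId64 " bytes\n", parse_table(good_table, sizeof good_table));
    printf("huge count table: %" PRId64 "\n",
           parse_table(huge_count_table, sizeof huge_count_table));
    return 0;
}
```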
CHARACTERISTICS
– Identifiers: 491384, BID-34550, CVE-2009-0946, VIGILANCE-VUL-8649
– Url: http://vigilance.fr/vulnerability/FreeType-several-integer-overflows-8649