Hi Marc,

On Thu, Mar 13, 2025 at 10:50:38AM -0400, Marc Deslauriers wrote:
> Hi,
> 
> On 2025-03-12 16:57, Michel Lind wrote:
> > Description:
> > 
> > An out of bounds write exists in FreeType versions 2.13.0 and below
> > when attempting to parse font subglyph structures related to TrueType
> > GX and variable font files. The vulnerable code assigns a signed short
> > value to an unsigned long and then adds a static value causing it to
> > wrap around and allocate too small of a heap buffer. The code then
> > writes up to 6 signed long integers out of bounds relative to this
> > buffer. This may result in arbitrary code execution. This vulnerability
> > may have been exploited in the wild.
> > 
> > https://www.facebook.com/security/advisories/cve-2025-27363
> > 
> > This commit fixes most of the issue - except `limit` is still signed
> > short - but needs to be redone if you're backporting to 2.10.4
> > 
> > https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d
> > 
> 
> Perhaps I need more coffee this morning, but I'm having trouble
> consolidating that patch with the description. If "limit" is the signed
> short, what is the unsigned long?

It is related to this:
https://gitlab.freedesktop.org/freetype/freetype/-/commit/73720c7c9958e87b3d134a7574d1720ad2d24442
see
https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322#note_2822105
. The commit itself is only in 2.13.3.

> Also, if this is meant as the fix:
> 
> -        if ( FT_NEW_ARRAY( points, limit + 4 )    ||
> -             FT_NEW_ARRAY( tags, limit + 4 )      ||
> -             FT_NEW_ARRAY( contours, limit + 4 )  ||
> -             FT_NEW_ARRAY( unrounded, limit + 4 ) )
> +        if ( FT_QNEW_ARRAY( outline.points, limit + 4 ) ||
> +             FT_QNEW_ARRAY( outline.tags, limit )       ||
> +             FT_QNEW_ARRAY( outline.contours, limit )   ||
> +             FT_QNEW_ARRAY( unrounded, limit + 4 )      )
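Review bot: the `+ 4` is still passed to FT_QNEW_ARRAY for `outline.points` and `unrounded`, so while `limit` stays a signed short this hunk only drops the `+ 4` for `tags` and `contours` and does not by itself remove the wrap; it needs to be read together with the change that widens the type of `limit` (the earlier commit mentioned above in this thread), and a backport that takes only this hunk should add an explicit `limit < 0` rejection before the allocations. Note also that FT_QNEW_ARRAY, unlike FT_NEW_ARRAY, does not zero the new block, so every element of the four arrays must be written before it is read.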
> 
> ...not only would the remaining + 4 wrap around too, but FT_NEW_ARRAY
> already checks for a value < 0, so I'm not sure that is it.
> 
> What am I not seeing?

Do you already have a working backport set for the 2.12.1 based version?

Regards,
Salvatore
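The wrap the quoted advisory describes, modelled in isolation as an added example; this is not FreeType code and not from any message in the thread. The names (`vulnerable_count`, `safe_count`, `simulate_subglyph_writes`) and the sample values are hypothetical, chosen only to show how a negative signed short turns into a huge unsigned long, how adding the constant 4 wraps it to a tiny element count, and how a bounds check on the signed value prevents it.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model of the vulnerable arithmetic: a signed short is
 * assigned to an unsigned long (sign-extended, then reinterpreted), and a
 * constant is added. For limit = -3 on a 64-bit host the intermediate is
 * 0xFFFFFFFFFFFFFFFD and the sum wraps to 1. */
unsigned long vulnerable_count(short limit)
{
    unsigned long n = limit;   /* -3 becomes ULONG_MAX - 2 */
    return n + 4;              /* wraps to 1 */
}

/* Hardened form: reject a negative count before any widening happens and
 * compute the element count in a type that cannot wrap for this range.
 * Returns 0 on success, -1 when the input is invalid. */
int safe_count(short limit, unsigned long *out)
{
    if (limit < 0)
        return -1;
    *out = (unsigned long)limit + 4;
    return 0;
}

/* Simulates the follow-on write: allocate vulnerable_count(limit) longs,
 * then attempt n_writes stores. Stores that would land past the buffer are
 * counted and skipped instead of performed, so the demonstration itself
 * stays memory-safe. Returns the number of out-of-bounds stores that the
 * real code would have made, or -1 on allocation failure. */
long simulate_subglyph_writes(short limit, unsigned long n_writes)
{
    unsigned long count = vulnerable_count(limit);
    long *buf = calloc(count ? count : 1, sizeof *buf);
    unsigned long i, oob = 0;

    if (!buf)
        return -1;
    for (i = 0; i < n_writes; i++) {
        if (i < count)
            buf[i] = (long)i;   /* in bounds */
        else
            oob++;              /* would corrupt heap metadata / next chunk */
    }
    free(buf);
    return (long)oob;
}

int main(void)
{
    short samples[] = { 10, 0, -1, -3, -4 };   /* constructed sample inputs */
    size_t k;

    for (k = 0; k < sizeof samples / sizeof samples[0]; k++) {
        unsigned long n;
        printf("limit=%d vulnerable_count=%lu safe=%s oob_of_6=%ld\n",
               samples[k], vulnerable_count(samples[k]),
               safe_count(samples[k], &n) == 0 ? "ok" : "rejected",
               simulate_subglyph_writes(samples[k], 6));
    }
    return 0;
}
```

The `limit + 4` wrap only occurs once `limit` has been widened to an unsigned type; comparing the signed value against zero first, as `safe_count` does, is the check a backport should make independently of whether the allocation macro performs its own size validation.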
