Hi Michel,
On 2025-03-13 22:54, Michel Lind wrote:
The fixes I'm working with both the Meta security folks and the EL
community (CentOS / AlmaLinux) can be tracked
herehttps://gitlab.com/redhat/centos-stream/rpms/freetype/-/merge_requests/8/diffs
I think if you're removing the 4 "phantom points" from outline.n_point and
outline.n_contours, you probably need to add them back in other places, like the
parts you are missing from this patch does:
https://gitlab.freedesktop.org/freetype/freetype/-/commit/47103b2f195e0f9664c9470182f063cb7d41dc9f
Is there a reproducer available for this CVE? I was thinking of just doing a
minimal fix for older freetype versions in Ubuntu, maybe something like this:
-- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -1957,6 +1957,13 @@
limit = (short)gloader->current.num_subglyphs;
+ /* make sure this isn't negative as we're going to add 4 later */
+ if ( limit < 0 )
+ {
+ error = FT_THROW( Invalid_Argument );
+ goto Exit;
+ }
+
/* construct an outline structure for */
/* communication with `TT_Vary_Apply_Glyph_Deltas' */
outline.n_points = (short)( gloader->current.num_subglyphs + 4 );
Marc.
