On Fri, Mar 14, 2025, at 7:55 AM, Marc Deslauriers wrote:
> Hi Michel,
>
> On 2025-03-13 22:54, Michel Lind wrote:
>>
>> The fixes I'm working with both the Meta security folks and the EL
>> community (CentOS / AlmaLinux) can be tracked
>> herehttps://gitlab.com/redhat/centos-stream/rpms/freetype/-/merge_requests/8/diffs
>
> I think if you're removing the 4 "phantom points" from outline.n_point
> and
> outline.n_contours, you probably need to add them back in other places,
> like the
> parts you are missing from this patch does:
>
> https://gitlab.freedesktop.org/freetype/freetype/-/commit/47103b2f195e0f9664c9470182f063cb7d41dc9f
>
That's a good call. I've been slightly concerned about those 4 points too. Will
probably have to cut another fix
> Is there a reproducer available for this CVE? I was thinking of just doing a
> minimal fix for older freetype versions in Ubuntu, maybe something like this:
>
> -- a/src/truetype/ttgload.c
> +++ b/src/truetype/ttgload.c
> @@ -1957,6 +1957,13 @@
>
> limit = (short)gloader->current.num_subglyphs;
>
> + /* make sure this isn't negative as we're going to add 4 later */
> + if ( limit < 0 )
> + {
> + error = FT_THROW( Invalid_Argument );
> + goto Exit;
> + }
> +
> /* construct an outline structure for */
> /* communication with `TT_Vary_Apply_Glyph_Deltas' */
> outline.n_points = (short)( gloader->current.num_subglyphs + 4 );
>
>
I'll ask the security folks to weigh in again
Thanks,
--
_o) Michel Lind
_( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
README: https://michel-slm.name/
