Bug 1191078 (CVE-2014-9656)

Summary: CVE-2014-9656 freetype: integer underflow in the tt_sbit_decoder_load_image()
Product: [Other] Security Response
Reporter: Vasyl Kaigorodov <vkaigoro>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED NOTABUG
Severity: low
Priority: low
Version: unspecified
CC: behdad, fonts-bugs, kevin, mkasik
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: freetype 2.5.4
Doc Type: Bug Fix
Last Closed: 2015-02-19 15:33:13 UTC
Bug Depends On: 1191099
Bug Blocks: 1191102

Description Vasyl Kaigorodov 2015-02-10 12:49:56 UTC
Common Vulnerabilities and Exposures assigned CVE-2014-9656 to the following issue:

The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before
2.5.4 does not properly check for an integer overflow, which allows remote
attackers to cause a denial of service (out-of-bounds read) or possibly have
unspecified other impact via a crafted OpenType font.


Comment 1 Vasyl Kaigorodov 2015-02-10 12:55:03 UTC
Created freetype tracking bugs for this issue:

Affects: fedora-all [bug 1191099]

Comment 2 Tomas Hoger 2015-02-19 15:29:39 UTC
Upstream bug is:


Issue was fixed upstream in 2.5.4.

This is an integer underflow issue in an integer overflow check, which guards against buffer over-read.  This can easily trigger a crash.

The problem was introduced in the following commit:


Additionally, prior to upstream version 2.5, affected code was only built and used when FT_CONFIG_OPTION_OLD_INTERNALS macro was not defined.  It was defined by default in upstream versions prior to 2.4.12:


The freetype packages in Red Hat Enterprise Linux are based on older upstream versions and do not override this upstream setting, i.e. they define FT_CONFIG_OPTION_OLD_INTERNALS.  Therefore, they were not affected by this issue, or the problem commit e4ecce3b attempted to address.


This issue did not affect the versions of freetype as shipped with Red Hat Enterprise Linux 5, 6, and 7.
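The class of flaw Tomas Hoger describes in comment 2, an integer underflow inside the very check that is meant to guard against a buffer over-read, shown as a constructed C example added here. It is not FreeType's tt_sbit_decoder_load_image() code and does not reproduce the ttsbit.c logic; the record size, the 16-byte table and the function names are assumptions made for illustration. The flawed check computes the remaining byte count with an unsigned subtraction, which wraps to a huge value when the offset already lies past the end of the buffer, so the "enough bytes left?" test passes and the following read runs out of bounds. The hardened form establishes `offset <= buf_len` before subtracting.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed illustration (not FreeType's code): a loader that needs
 * RECORD_SIZE bytes starting at `offset` inside a buffer of `buf_len`
 * bytes.  The numbers and names are assumptions for this example. */
#define RECORD_SIZE 8

/* Flawed pattern: "bytes remaining" is computed as an unsigned
 * subtraction.  If `offset` is already beyond `buf_len`, the
 * subtraction wraps around to a value close to SIZE_MAX, the check
 * passes, and a caller that trusts it reads past the buffer.
 * Returns 1 when the access is (wrongly) admitted, 0 when rejected. */
int bounds_check_flawed(size_t buf_len, size_t offset)
{
    size_t remaining = buf_len - offset;   /* wraps when offset > buf_len */
    return remaining >= RECORD_SIZE;
}

/* Hardened pattern: reject any offset past the end first, so the
 * subtraction can never wrap, then compare the true remainder. */
int bounds_check_fixed(size_t buf_len, size_t offset)
{
    if (offset > buf_len)
        return 0;
    return (buf_len - offset) >= RECORD_SIZE;
}

/* Copies one record out of `buf` into `out` using the hardened check.
 * Returns 0 on success, -1 when the offset is rejected. */
int load_record(const unsigned char *buf, size_t buf_len, size_t offset,
                unsigned char out[RECORD_SIZE])
{
    if (!bounds_check_fixed(buf_len, offset))
        return -1;
    memcpy(out, buf + offset, RECORD_SIZE);
    return 0;
}

int main(void)
{
    /* Constructed 16-byte "table" standing in for font data. */
    unsigned char table[16];
    for (size_t i = 0; i < sizeof table; i++)
        table[i] = (unsigned char)i;

    size_t bad_offset = 20;  /* past the end of the 16-byte table */
    printf("flawed check admits offset %zu: %d\n", bad_offset,
           bounds_check_flawed(sizeof table, bad_offset));
    printf("fixed  check admits offset %zu: %d\n", bad_offset,
           bounds_check_fixed(sizeof table, bad_offset));

    unsigned char rec[RECORD_SIZE];
    if (load_record(table, sizeof table, 8, rec) == 0)
        printf("record at offset 8 starts with byte 0x%02x\n", rec[0]);
    if (load_record(table, sizeof table, bad_offset, rec) != 0)
        printf("record at offset %zu rejected\n", bad_offset);
    return 0;
}
```

With a 16-byte buffer and an offset of 20, the flawed check reports that 8 bytes remain (the wrapped value is SIZE_MAX - 3), while the hardened check rejects the offset; an offset of 9 is correctly rejected by both, since only 7 bytes remain, which is the single case the wrapping version gets right. Ordering the range test before the subtraction is the general fix for this family of bugs, independent of the exact structure of the original check.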