An out-of-bounds heap-based buffer read flaw was found in the way the FreeType font rendering engine retrieved properties information from Portable Compiled Format (PCF) bitmap font files. A remote attacker could provide a specially-crafted PCF font file which, once opened in an application linked against FreeType, would cause that application to crash.
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35603
Upstream patch:
[2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=c776fc17bfeaa607405fc96620e9445e7a0965c3
Acknowledgements:
Red Hat would like to thank Mateusz Jurczyk of the Google Security Team for reporting this issue.
This issue affects the versions of the freetype package as shipped with Red Hat Enterprise Linux 5 and 6.
--
This issue affects the versions of the freetype package as shipped with Fedora releases 15 and 16.
The problem here is in pcf_get_properties(), which does not ensure that a string read from the PCF font file is properly NUL-terminated before passing it to strdup(). This may cause a program crash.
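As an added example (not FreeType's code and not the upstream patch), a bounded copy of the kind the fix needs: the string is duplicated only if its NUL terminator lies inside the buffer that was read from the font file. The function name `safe_dup_pcf_string` and the sample strings block are hypothetical/constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not FreeType's code.  PCF property values are offsets
 * into a block of NUL-terminated strings.  Copy the string at `offset`
 * only if its terminator lies inside the block; otherwise return NULL
 * instead of reading past the heap buffer, which is the over-read the
 * advisory describes for an unterminated string passed to strdup(). */
char *safe_dup_pcf_string(const unsigned char *strings, size_t strings_len,
                          size_t offset)
{
    const unsigned char *start, *nul;
    size_t len;
    char *copy;

    if (strings == NULL || offset >= strings_len)
        return NULL;                /* offset itself is out of bounds */

    start = strings + offset;
    /* memchr() is bounded by the remaining bytes; strlen()/strdup() are not. */
    nul = memchr(start, '\0', strings_len - offset);
    if (nul == NULL)
        return NULL;                /* unterminated: reject the font, do not over-read */

    len = (size_t)(nul - start);
    copy = malloc(len + 1);
    if (copy == NULL)
        return NULL;
    memcpy(copy, start, len + 1);   /* includes the terminator found above */
    return copy;
}

/* Constructed sample strings block: two terminated names followed by a
 * truncated one whose terminator is missing (15 bytes in total). */
const unsigned char sample_strings[] = {
    'F','O','N','T','\0',
    'B','o','l','d','\0',
    'T','r','u','n','c'
};
const size_t sample_strings_len = sizeof sample_strings;

int main(void)
{
    size_t offsets[] = { 0, 5, 10, 15 };
    for (size_t i = 0; i < 4; i++) {
        char *s = safe_dup_pcf_string(sample_strings, sample_strings_len, offsets[i]);
        printf("offset %zu: %s\n", offsets[i], s ? s : "rejected (unterminated or out of range)");
        free(s);
    }
    return 0;
}
```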