An out-of heap-based buffer read flaw was found in the way FreeType font rendering engine performed conversion of ASCII string objects, contained within glyph bitmap distribution format (BDF) font file, into signed short integers. A remote attacker could provide a specially-crafted BDF file, which once processed by an application linked against FreeType would lead to that application crash.
Upstream bug report:
[1] https://savannah.nongnu.org/bugs/?35658
Upstream patch:
[2] http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=d9c1659610f9cd5e103790cb5963483d65cf0d2d
Acknowledgements:
Red Hat would like to thank Mateusz Jurczyk of the Google Security Team for reporting this issue.
This issue affects the versions of the freetype package, as shipped with Red Hat Enterprise Linux 5 and 6.
--
This issue affects the versions of the freetype package, as shipped with Fedora release of 15 and 16.