Bug 800604 (CVE-2012-1142)
Summary: | CVE-2012-1142 freetype: incorrect computation of number of glyphs in FNT_Face_Init() for FNT/FON files (#35659) | ||
---|---|---|---|
Product: | [Other] Security Response | Reporter: | Jan Lieskovsky <jlieskov> |
Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
Status: | CLOSED ERRATA | QA Contact: | |
Severity: | high | Docs Contact: | |
Priority: | high | ||
Version: | unspecified | CC: | behdad, fonts-bugs, jrusnack, kevin, mkasik |
Target Milestone: | --- | Keywords: | Security |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | Doc Type: | Bug Fix | |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2015-02-24 21:02:12 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | 806266, 806267, 806268, 806269, 806270, 806271, 889398 | ||
Bug Blocks: | 800639 |
Description
Jan Lieskovsky
2012-03-06 18:58:26 UTC
Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/06/16 This issue affects the versions of the freetype package, as shipped with Red Hat Enterprise Linux 5 and 6. -- This issue affects the versions of the freetype package, as shipped with Fedora release of 15 and 16. This flaw is in the driver for reading Windows FNT/FON file (i.e. not TTF files as mentioned in comment #0). FreeType did not check that last_char >= first_char, which resulted in incorrect computation of the number of glyphs in the file. The number of glyphs was set to a negative value. When using ftbench, this resulted in NULL pointer dereference, as ftbench's test_load_advances uses num_glyphs as argument to calloc, but does not check its return value. The impact on different applications using freetype may be different. This issue has been addressed in following products: Red Hat Enterprise Linux 5 Red Hat Enterprise Linux 6 Via RHSA-2012:0467 https://rhn.redhat.com/errata/RHSA-2012-0467.html |