Bug 1444911 (CVE-2017-7864) - CVE-2017-7864 freetype: heap-based buffer overflow related to the tt_size_reset function
Summary: CVE-2017-7864 freetype: heap-based buffer overflow related to the tt_size_res...
Keywords:
Status: CLOSED NOTABUG
Alias: CVE-2017-7864
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1444915 1444916 1444917
Blocks: 1444919
TreeView+ depends on / blocked
 
Reported: 2017-04-24 14:24 UTC by Adam Mariš
Modified: 2019-09-29 14:11 UTC (History)
21 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-06-29 04:53:12 UTC
Embargoed:


Attachments (Terms of Use)

Description Adam Mariš 2017-04-24 14:24:23 UTC
FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tt_size_reset function in truetype/ttobjs.c.

Bug report:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=509

Upstream patch:

https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=e6699596af5c5d6f0ae0ea06e19df87dce088df8

Comment 1 Adam Mariš 2017-04-24 14:29:36 UTC
Created freetype tracking bugs for this issue:

Affects: fedora-all [bug 1444917]


Created mingw-freetype tracking bugs for this issue:

Affects: epel-7 [bug 1444915]
Affects: fedora-all [bug 1444916]

Comment 2 Marek Kašík 2017-04-28 16:29:45 UTC
This is the same case as #1444898 and #1444904. I can reliably reproduce the issue with the "regressed" commit from the original report but not with any freetype we distribute in Fedora.


Note You need to log in before you can comment on or make changes to this bug.