Bug 1661454 (CVE-2018-19876) - CVE-2018-19876 cairo: Invalid free in cairo_ft_apply_variations() resulting in a denial of service
Summary: CVE-2018-19876 cairo: Invalid free in cairo_ft_apply_variations() resulting i...
Alias: CVE-2018-19876
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
Depends On: 1661455 1661456 1661457 1663110
Blocks: 1661458
Reported: 2018-12-21 10:04 UTC by Andrej Nemec
Modified: 2021-10-27 03:20 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2021-10-27 03:20:15 UTC


External tracker: WebKit Project bug 191595 (Private: None, Priority: None, Status: None, Summary: None; last updated 2020-03-18 16:35:51 UTC)

Description Andrej Nemec 2018-12-21 10:04:15 UTC
cairo 1.16.0, in cairo_ft_apply_variations() in cairo-ft-font.c, would free memory using a free function incompatible with WebKit's fastMalloc, leading to an application crash with a "free(): invalid pointer" error.

Upstream issue:


Upstream MR:


Comment 1 Andrej Nemec 2018-12-21 10:04:31 UTC
Created cairo tracking bugs for this issue:

Affects: fedora-all [bug 1661456]

Created mingw-cairo tracking bugs for this issue:

Affects: epel-7 [bug 1661455]
Affects: fedora-all [bug 1661457]

Comment 2 Huzaifa S. Sidhpurwala 2019-01-03 08:19:27 UTC

This is essentially a bug in which cairo tries to free an FT_MM_Var data structure using system free() rather than using FT_Done_MM_Var() when freetype 2.9 is used. This bug is triggered when WebKit tries to use its internal fastMalloc() for allocating and freeing cairo data structures. This is really cairo- and freetype-version-specific, and the trigger factor is how WebKit deals with these data structures.

Based on the complexity of the overall problem and the trigger factor, it is safe to call this low impact.
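As an added example (not code from the bug report, cairo, FreeType or WebKit), the following constructed C model shows why the release call must match the allocator that produced the block: a mock FT_Get_MM_Var/FT_Done_MM_Var pair allocates through a stand-in for fastMalloc, and a checked stand-in for glibc free() refuses the foreign pointer instead of aborting, so the cairo 1.16.0 path and the FT_Done_MM_Var path can be compared directly. All function, macro and type names here are assumptions chosen for the model.

```c
#include <stdlib.h>

/* Constructed model of the allocator mismatch behind CVE-2018-19876: a tag in
 * front of every block records which heap owns it, so a release routine can
 * refuse a foreign pointer and report it instead of corrupting the heap. */
#define TAG_LIBC 0x4C494243u   /* block owned by the C library heap  */
#define TAG_FAST 0x46415354u   /* block owned by the embedder's heap */
struct hdr { unsigned tag; };

/* Stand-ins for WebKit's fastMalloc/fastFree (assumed names, not WebKit code). */
static void *fast_malloc(size_t n) {
    struct hdr *h = malloc(sizeof *h + n);
    if (!h) return NULL;
    h->tag = TAG_FAST;
    return h + 1;
}
static int fast_free(void *p) {
    if (!p) return -1;
    struct hdr *h = (struct hdr *)p - 1;
    if (h->tag != TAG_FAST) return -1;      /* not ours: refuse, do not free */
    h->tag = 0; free(h);
    return 0;
}

/* Checked stand-in for glibc free(): same refusal, but as a return code rather
 * than the "free(): invalid pointer" abort reported in the bug. */
static int libc_free_checked(void *p) {
    if (!p) return -1;
    struct hdr *h = (struct hdr *)p - 1;
    if (h->tag != TAG_LIBC) return -1;
    h->tag = 0; free(h);
    return 0;
}

/* Mock of FreeType's FT_Get_MM_Var / FT_Done_MM_Var: the library allocates
 * through the embedder's allocator, so only its own Done routine matches. */
typedef struct { unsigned num_axis; } mock_mm_var;
static mock_mm_var *mock_get_mm_var(void) {
    mock_mm_var *v = fast_malloc(sizeof *v);
    if (v) v->num_axis = 2;                 /* constructed: two variation axes */
    return v;
}
static int mock_done_mm_var(mock_mm_var *v) { return fast_free(v); }

/* The two release strategies open to cairo; 0 when the block was actually
 * released, -1 when the chosen free refused the pointer. */
static int release_mm_var(mock_mm_var *v, int use_done_mm_var) {
    return use_done_mm_var ? mock_done_mm_var(v)     /* FT_Done_MM_Var path  */
                           : libc_free_checked(v);  /* cairo 1.16.0 path   */
}
```

The real glibc has no ownership tag and aborts on the bad pointer; the model only turns that outcome into a return value so both paths can be exercised in one run.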
