Libspiro through 20190731 has a stack-based buffer overflow in the spiro_to_bpath0() function in spiro.c. Reference: https://github.com/fontforge/libspiro/issues/21
Created libspiro tracking bugs for this issue: Affects: fedora-all [bug 1786742]
Upstream fix: https://github.com/fontforge/libspiro/commit/35233450c922787dad42321e359e5229ff470a1e
The function test_curve() in tests/call-test.c declares a double array of size 5 and later calls spiro_to_bpath0() in spiro.c by passing the array as third argument. spiro_to_bpath0() accesses the last element of the array with index 5. This causes an off-by-one error which leads to a stack-based buffer overflow. It is worth noting that even though the buffer overflow takes place in spiro.c, the affected array is declared in the test suite (only used for testing purposes) and *not* in the library itself.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2019-19847
Statement: This issue did not affect the versions of libspiro as shipped with Red Hat Enterprise Linux 6, 7, and 8 as they did not include the vulnerable code. The vulnerable function was introduced in a newer version of the package.