Bug 183676 - CVE-2006-0747 Freetype integer underflow (CVE-2006-2661)
Product: Red Hat Enterprise Linux 4
Classification: Red Hat
Component: freetype
Hardware/OS: All Linux
Priority: medium, Severity: medium
Assigned To: Carl Worth
QA Contact: Brock Organ
Keywords: Security
Reported: 2006-03-02 14:20 EST by Josh Bressers
Modified: 2007-11-30 17:07 EST (History)

Fixed In Version: RHSA-2006-0500
Doc Type: Bug Fix
Last Closed: 2006-07-18 06:05:06 EDT


External Trackers:
Red Hat Product Errata RHSA-2006:0500 (priority normal, status SHIPPED_LIVE): Moderate: freetype security update, last updated 2006-07-18 00:00:00 EDT

Description Josh Bressers 2006-03-02 14:20:00 EST
Freetype integer underflow

While fuzzing some pdf files a few weeks back, I ended up finding an
integer underflow in freetype2.  Upstream did commit some fixes, so
this issue is somewhat public.

1.ttf will generate this error.


The problem is the number of blue values needs to be even.  If a font
file claims it's odd, freetype2 doesn't handle it well.

The crash is seen in src/pshinter/pshglob.c:psh_blues_set_zones_0()

What was basically happening is that since read_count is an unsigned
integer, and is decremented by 2, it is possible to cause an integer
underflow by ensuring the value of read_count is an odd number.  Once
read_count underflows, the loop starts dumping garbage onto the heap.
Normally I wouldn't think this is exploitable as it should crash
before anything exciting can happen, but most graphical applications are
multi-threaded, so this does worry me.  At the very least this issue
is a denial of service bug.

The 2.ttf file in the testcase will also trigger a NULL pointer
dereference, which I'm not considering a security issue.  The patch is


This issue also affects RHEL3
This issue also affects RHEL2.1
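The mechanism the description gives (an unsigned read_count decremented by 2, so an odd value wraps instead of reaching zero) and the fix it implies, written out as an added C example that is neither FreeType's code nor the reporter's; iterations_vulnerable, read_blue_zones, MAX_BLUES and the sample values are constructed for illustration.

```c
#include <stddef.h>
#include <stdint.h>

/* Constructed example, not FreeType's code: a blue-zone reader that
 * consumes values in pairs, the pattern described in the report. */

#define MAX_BLUES 24  /* constructed capacity of the destination array */

/* Vulnerable shape: an unsigned counter decremented by 2. With an odd
 * read_count it never reaches 0; 1 - 2 wraps to UINT_MAX and the loop
 * keeps going past the destination. We only COUNT iterations here,
 * bounded by a sentinel, instead of writing, so running it is safe. */
size_t iterations_vulnerable(unsigned int read_count, size_t sentinel)
{
    size_t iters = 0;
    while (read_count > 0 && iters < sentinel) {
        iters++;
        read_count -= 2;  /* wraps when read_count == 1 */
    }
    return iters;
}

/* Hardened version: reject odd counts, bound the count by the destination
 * capacity, and loop on read_count >= 2 so the counter can never wrap.
 * Returns 0 on success, -1 if the count is rejected. */
int read_blue_zones(const int16_t *values, unsigned int read_count,
                    int16_t *zones, size_t zones_cap, size_t *out_n)
{
    if (read_count % 2 != 0 || read_count > zones_cap)
        return -1;
    size_t n = 0;
    while (read_count >= 2) {
        zones[n]     = values[n];
        zones[n + 1] = values[n + 1];
        n += 2;
        read_count -= 2;
    }
    *out_n = n;
    return 0;
}
```

With a count of 5, iterations_vulnerable runs until the sentinel stops it because the counter wraps, while read_blue_zones rejects the count before touching the destination.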
Comment 1 Josh Bressers 2006-03-02 14:22:34 EST
attachment 125556 [details] contains the testcase
Comment 2 Matthew Barnes 2006-05-05 17:35:48 EDT
RHEL 3 and RHEL 4 packages are built, will do RHEL 2.1 next week.
Comment 3 Matthew Barnes 2006-05-10 15:19:45 EDT
RHEL 2.1 packages are built.
Comment 4 Josh Bressers 2006-05-15 14:00:44 EDT
Lifting embargo
Comment 5 Josh Bressers 2006-05-30 15:02:59 EDT
The NULL pointer dereference has been assigned CVE-2006-2661
Comment 7 Red Hat Bugzilla 2006-07-18 06:05:06 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

