Bug 183677 - CVE-2006-0747 Freetype integer underflow
Summary: CVE-2006-0747 Freetype integer underflow
Alias: None
Product: Fedora
Classification: Fedora
Component: freetype
Version: 5
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Behdad Esfahbod
QA Contact: Brock Organ
Whiteboard: source=redhat,reported=20060302,embar...
Depends On:
Reported: 2006-03-02 19:20 UTC by Josh Bressers
Modified: 2008-03-11 01:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-03-11 01:01:29 UTC

Attachments
testcase (4.18 KB, application/octet-stream)
2006-03-02 19:21 UTC, Josh Bressers

Description Josh Bressers 2006-03-02 19:20:14 UTC
Freetype integer underflow

While fuzzing some pdf files a few weeks back, I ended up finding an
integer underflow in freetype2.  Upstream did commit some fixes, so
this issue is somewhat public.

1.ttf will generate this error.


The problem is the number of blue values needs to be even.  If a font
file claims it's odd, freetype2 doesn't handle it well.

The crash is seen in src/pshinter/pshglob.c:psh_blues_set_zones_0()

What was basically happening is since read_count is an unsigned
integer, and is decremented by 2, it is possible to cause an integer
underflow by ensuring the value of read_count is an odd number.  Once
read_count underflows, the loop starts dumping garbage onto the heap.
Normally I wouldn't think this is exploitable as it should crash
before anything exciting can happen; most graphical applications are
multi-threaded, so this does worry me.  At the very least this issue
is a denial of service bug.

The 2.ttf file in the testcase will also trigger a NULL pointer
dereference, which I'm not considering a security issue.  The patch is

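The following is an added illustration of the arithmetic described in the report, not FreeType's code and not the reporter's test case. It models a loop that consumes pairs of blue values with an unsigned counter decremented by 2: `flawed_iterations` is a hypothetical stand-in for the loop shape in `psh_blues_set_zones_0()` (capped so the demonstration terminates rather than running away), and `build_zones` is a hypothetical hardened counterpart that rejects an odd count and bounds the number of zones against the destination array. The sample blue values are constructed.

```c
#include <stdio.h>
#include <stddef.h>

#define MAX_ZONES 16

/* One alignment zone built from a (bottom, top) pair of blue values. */
typedef struct {
    int bottom;
    int top;
} Zone;

/* Constructed sample input: five values, i.e. an odd count, which is
   exactly the malformed case the report describes. */
static const int kSampleBlues[] = { -20, 0, 500, 520, 700 };

/* Model of the flawed loop: read_count is unsigned and is reduced by 2
   per iteration, with the loop guarded only by read_count > 0. For an
   odd count the value goes 3 -> 1 -> UINT_MAX and the loop keeps running.
   Instead of writing zones we only count iterations, capped at `cap`,
   so the demo terminates. Returns the number of iterations taken. */
static unsigned long flawed_iterations(unsigned int read_count, unsigned long cap)
{
    unsigned long n = 0;
    for (; read_count > 0 && n < cap; read_count -= 2)  /* unsigned wrap-around */
        n++;
    return n;
}

/* Hardened zone builder: validates the count before touching memory.
   Returns the number of zones written, or -1 if the input is malformed
   (odd count) or would overrun the destination array. */
static int build_zones(const int *blues, unsigned int read_count,
                       Zone *zones, size_t max_zones)
{
    if (read_count & 1u)              /* blue values must come in pairs */
        return -1;
    if (read_count / 2 > max_zones)   /* never write past the zone array */
        return -1;

    size_t n = 0;
    for (size_t i = 0; i + 1 < read_count; i += 2) {
        zones[n].bottom = blues[i];
        zones[n].top    = blues[i + 1];
        n++;
    }
    return (int)n;
}

int main(void)
{
    Zone zones[MAX_ZONES];

    printf("even count 4: flawed loop iterates %lu times\n",
           flawed_iterations(4, 100));
    printf("odd count 3:  flawed loop hits the cap at %lu iterations\n",
           flawed_iterations(3, 100));

    printf("hardened, count 4: %d zones\n",
           build_zones(kSampleBlues, 4, zones, MAX_ZONES));
    printf("hardened, count 5: %d (rejected)\n",
           build_zones(kSampleBlues, 5, zones, MAX_ZONES));
    return 0;
}
```

The parity check is the minimal fix for the underflow; the capacity check is the second guard a reviewer would want, since a well-formed even count that is simply too large would otherwise overrun the zone array just as surely.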

Comment 1 Josh Bressers 2006-03-02 19:21:41 UTC
Created attachment 125556

Comment 2 Josh Bressers 2006-05-15 18:01:09 UTC
Lifting embargo

Comment 3 Josh Bressers 2006-05-15 18:01:48 UTC
This issue also affects FC4
