Red Hat Bugzilla – Bug 611927
freetype: write to non-mapped memory in base/ftojbs.c:1563
Last modified: 2010-07-07 13:45:18 EDT
Robert Swiecki reported a possibly exploitable write to non-mapped memory in the way freetype handles certain font files.
The original report has two sample font files that caused the tested version to crash with a SIGSEGV (sigsegv16.pfb) and SIGABRT (sigabrt24.ttf). When reproducing, observed behaviour was:
RHEL3 (freetype 2.1.4): pass on both files
RHEL4 (freetype 2.1.9): crashes (segfault) on both files
RHEL5 (freetype 2.2.1): crashes (segfault) on sigsegv16.pfb only
Fedora (freetype 2.3.11): crashes (segfault) on sigsegv16.pfb only
The upstream bug report claims this may be potentially exploitable for more than just a crash. A patch was posted to correct the issue. This needs to be looked at to determine whether or not this can be exploited to execute arbitrary code.
There are actually 21 crashes reported upstream:
Roughly half of these are NULL pointer derefs or stack exhaustion. This bug, and bug 30083, were noted as being higher risk.
I'm going to close this bug and file individual bugs for each freetype flaw found (there are several).