A heap based buffer overflow was found in the "ft_var_readpackedpoints()" function in src/truetype/ttgxvar.c when processing TrueType GX fonts.
If a user opened a specially crafted TrueType GX font file, with an application complied with freetype library, it could cause denial of service (application crash) or potentially execute arbitrary code with the privileges of the user
running that application.
The following commit fixes this issue:
Created attachment 454745 [details]
Created freetype tracking bugs for this issue
Affects: fedora-all [bug 651764]
This issue has been addressed in following products:
Red Hat Enterprise Linux 4
Red Hat Enterprise Linux 5
Red Hat Enterprise Linux 6
Via RHSA-2010:0889 https://rhn.redhat.com/errata/RHSA-2010-0889.html