Red Hat Bugzilla – Bug 800593
CVE-2012-1135 freetype: heap off by one read in boundary check for NPUSHB and NPUSHW instructions in TTF BIC (#35640)
Last modified: 2015-07-31 11:21:41 EDT
An out-of heap-based buffer read flaw was found in the way TrueType bytecode / opcode interpreter of the FreeType font rendering engine performed execution of NPUSHB and NPUSHW instructions. A remote attacker could provide a specially-crafted font file, which once opened in an application linked against FreeType would lead to that application crash.
Upstream bug report:
Red Hat would like to thank Mateusz Jurczyk of the Google Security Team for reporting this issue.
Added CVE as per http://www.openwall.com/lists/oss-security/2012/03/06/16
This flaw is in the TrueType bytecode interpreter (BCI) implementation. BCI is not enabled in Red Hat Enterprise Linux 4, 5, and 6 freetype packages (it was disabled by default upstream because of the patent concerns). BCI support is now enabled by default in upstream versions 2.4 and later, as relevant patents expired: http://www.freetype.org/patents.html
Not vulnerable. This issue did not affect freetype packages as shipped with Red Hat Enterprise Linux 5 and 6, as they do not enable TrueType bytecode interpreter.