Common Vulnerabilities and Exposures assigned CVE-2014-9671 to the following issue:
Off-by-one error in the pcf_get_properties function in pcf/pcfread.c in FreeType
before 2.5.4 allows remote attackers to cause a denial of service (NULL pointer
dereference and application crash) via a crafted PCF file with a 0xffffffff size
value that is improperly incremented.
Upstream bug is:
Issue was fixed upstream in 2.5.4.
This is an integer overflow issue, rather than off-by-one. A string_size value is read from the input font file. If the value 0xffffffff is used and 1 is later added to it when FT_NEW_ARRAY() is called to allocate the strings buffer, the addition overflows (32-bit wraparound) and leads to an attempt to allocate a zero-sized buffer. FreeType memory allocation functions return NULL in that case, which leads to a crash when the buffer is populated later.
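To make the arithmetic concrete, the following is an added C example, not FreeType's own code: it models the 32-bit string_size + 1 computation described above against a constructed size field of 0xffffffff, with an allocator that returns NULL for a zero-byte request as FreeType's does, and places a hardened check beside it. Function names (vulnerable_load_strings, hardened_strings_count, read_string_size_le) and the field offset are assumptions for illustration; the real PCF layout and FT_NEW_ARRAY internals differ.

```c
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Mirrors FreeType's behaviour of returning NULL for a zero-byte request
 * (hypothetical helper, not the FreeType allocator itself). */
static void *ft_alloc_like(size_t n)
{
    return n == 0 ? NULL : malloc(n);
}

/* Vulnerable variant: string_size is a 32-bit value taken from the file and
 * the count passed to the allocator is computed as string_size + 1 in 32-bit
 * arithmetic. Returns 1 if the load would dereference NULL (the crash the
 * advisory describes), 0 if the buffer was allocated and populated. */
int vulnerable_load_strings(uint32_t string_size)
{
    uint32_t count = string_size + 1;            /* wraps to 0 when string_size == 0xffffffff */
    char *strings = ft_alloc_like((size_t)count);
    if (strings == NULL)
        return 1;                                 /* real code would write through NULL here */
    strings[string_size] = '\0';                  /* NUL-terminate the string table */
    free(strings);
    return 0;
}

/* Hardened variant: reject a string_size whose increment would wrap, and
 * reject one larger than the bytes left in the file, before allocating.
 * Returns 0 and sets *out_count on success, -1 on rejection. */
int hardened_strings_count(uint32_t string_size, uint32_t bytes_remaining,
                           size_t *out_count)
{
    if (string_size == UINT32_MAX)               /* string_size + 1 would overflow */
        return -1;
    if (string_size > bytes_remaining)           /* table cannot extend past the file */
        return -1;
    *out_count = (size_t)string_size + 1;        /* widened to size_t, no wrap possible */
    return 0;
}

/* Reads a little-endian 32-bit string_size from a constructed table fragment.
 * Offset 0 is assumed for illustration only. */
uint32_t read_string_size_le(const unsigned char *buf)
{
    return (uint32_t)buf[0]         | ((uint32_t)buf[1] << 8) |
           ((uint32_t)buf[2] << 16) | ((uint32_t)buf[3] << 24);
}

int main(void)
{
    /* Constructed crafted field: the 0xffffffff value from the CVE text. */
    const unsigned char crafted[4] = { 0xff, 0xff, 0xff, 0xff };
    uint32_t string_size = read_string_size_le(crafted);
    size_t count;

    /* Vulnerable path: wraps to a zero-sized allocation, NULL, then a crash. */
    int would_crash = vulnerable_load_strings(string_size);

    /* Hardened path: the same input is rejected before any allocation. */
    int rejected = hardened_strings_count(string_size, 4, &count);

    return (would_crash == 1 && rejected == -1) ? 0 : 1;
}
```

The check against bytes_remaining is the practical part: even after the wraparound is closed, a string_size just below UINT32_MAX is still an absurd allocation for a font file, so bounding it by the data actually present in the file rejects the whole class of inputs rather than the single value 0xffffffff.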
Note that this issue was introduced by the CVE-2012-1130 fix (see bug 800587) in the following commit:
The fix for this issue was found to introduce a regression that prevented loading of certain PCF fonts. Upstream bug and fix:
Reported for Fedora in bug 1195652.
This issue has been addressed in the following products:
Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7
Via RHSA-2015:0696 https://rhn.redhat.com/errata/RHSA-2015-0696.html