The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.

Upstream issue:
http://code.google.com/p/google-security-research/issues/detail?id=153

Upstream patches:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=240c94a185cd8dae7d03059abec8a5662c35ecd3
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=cd4a5a26e591d01494567df9dec7f72d59551f6e
Created freetype tracking bugs for this issue: Affects: fedora-all [bug 1191191]
freetype-2.5.3-15.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
freetype-2.5.0-9.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
(Private) upstream bug: https://savannah.nongnu.org/bugs/?43538

Issue was fixed upstream in 2.5.4. There are multiple integer overflow issues in the Mac_Read_POST_Resource() function. They can cause freetype to allocate a buffer of insufficient size and later write data past its boundaries. This will lead to memory corruption that can cause a crash and possibly code execution. These flaws make it possible to bypass the boundary check added to address CVE-2010-2808 (see bug 621907).

This is related to the issue tracked via bug 1191096, and the following patches were applied to address problems reported via these two bugs:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=240c94a
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=35252ae
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=4533167
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=1720e81
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=cd4a5a2

Unified diff for all the above changes:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/diff/src/base/ftobjs.c?id2=5aff853&id=cd4a5a2
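The comment above describes the mechanism but not what the arithmetic looks like. The following is an added illustration, not FreeType's code and not part of this bug report: it models the two phases of Mac_Read_POST_Resource() (summing the per-resource lengths plus the 6-byte PFB segment header to size one buffer, then copying each resource into that buffer) with the resource lengths already extracted into a plain array, because parsing a real resource fork is beside the point here. The unchecked accumulator uses uint32_t so the wrap-around is deterministic; the real pre-2.5.4 code accumulated into a signed FT_Long (32 bits on ILP32 targets), where the same overflow is undefined behaviour. The hardened variant rejects negative lengths and any addition that would leave the 32-bit signed range, which is the shape of check the upstream fix adds; the exact conditions here are this example's own.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Constructed input: three POST resource lengths a crafted font could carry.
 * Two large lengths plus a small one make the 32-bit running total wrap to
 * 0xF2 (242), so the buffer sized from it is tiny while the first resource
 * alone claims ~2 GB of data. Not taken from any real sample. */
static const int32_t crafted_lens[] = { 0x7FFFFFF0, 0x7FFFFFF0, 0x100 };
static const size_t  crafted_n      = 3;

/* Constructed benign input for comparison. */
static const int32_t benign_lens[]  = { 100, 200 };
static const size_t  benign_n       = 2;

/* Phase 1, unchecked (pre-2.5.4 behaviour, modelled): every resource adds its
 * length plus a 6-byte PFB segment header; nothing is validated, so the sum
 * silently wraps and the resulting allocation is far too small. */
static uint32_t
pfb_len_unchecked(const int32_t *lens, size_t n)
{
    uint32_t pfb_len = 0;
    for (size_t i = 0; i < n; i++)
        pfb_len += (uint32_t)lens[i] + 6;   /* wraps modulo 2^32 */
    return pfb_len;
}

/* Phase 1, hardened (example code): refuse negative lengths and any step that
 * would overflow a 32-bit signed total. Returns the total, or -1 on rejection. */
static int64_t
pfb_len_checked(const int32_t *lens, size_t n)
{
    int32_t pfb_len = 0;
    for (size_t i = 0; i < n; i++) {
        int32_t temp = lens[i];
        if (temp < 0)
            return -1;                       /* negative resource length */
        if (temp > INT32_MAX - 6)
            return -1;                       /* temp + 6 alone would overflow */
        if (pfb_len > INT32_MAX - 6 - temp)
            return -1;                       /* running total would overflow */
        pfb_len += temp + 6;
    }
    return pfb_len;
}

/* Phase 2, modelled: walk the resources as the copy loop would, writing a
 * 6-byte header then rlen bytes at the current position. Returns 1 if any
 * write would land past buf_size (the heap overflow), 0 otherwise. */
static int
copy_would_overflow(const int32_t *lens, size_t n, uint32_t buf_size)
{
    uint32_t pos = 0;
    for (size_t i = 0; i < n; i++) {
        uint32_t rlen = (uint32_t)lens[i];
        pos += 6;                            /* segment header */
        if (pos > buf_size || rlen > buf_size - pos)
            return 1;                        /* write past end of buffer */
        pos += rlen;
    }
    return 0;
}

int
main(void)
{
    uint32_t bad_len  = pfb_len_unchecked(crafted_lens, crafted_n);
    int64_t  good_len = pfb_len_checked(crafted_lens, crafted_n);

    printf("crafted: unchecked total = %u (+2 for the allocation)\n", bad_len);
    printf("crafted: overflow on copy = %d\n",
           copy_would_overflow(crafted_lens, crafted_n, bad_len + 2));
    printf("crafted: checked result   = %lld (-1 = rejected)\n", (long long)good_len);

    printf("benign:  unchecked total  = %u\n", pfb_len_unchecked(benign_lens, benign_n));
    printf("benign:  checked total    = %lld\n",
           (long long)pfb_len_checked(benign_lens, benign_n));
    return 0;
}
```

The point of the hardened ordering is that each comparison is itself overflow-free: `INT32_MAX - 6 - temp` cannot underflow once `temp` is known to be in `[0, INT32_MAX - 6]`, so the check never relies on the very arithmetic it is guarding.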
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6
Red Hat Enterprise Linux 7

Via RHSA-2015:0696 https://rhn.redhat.com/errata/RHSA-2015-0696.html