Fedora Account System
Red Hat Associate
Red Hat Customer
In libXfont2's BitmapScaleBitmaps() function, a 32-bit variable keeps the number of bytes to allocate. If the value overflows due to excessive per-glyph byte counts, the resulting calloc() allocates a buffer too small for the subsequent operations. An attacker can trigger this by loading a crafted PCF font via SetFontPath + OpenFont at a scale factor that inflates per-glyph byte counts.