Fedora Account System
Red Hat Associate
Red Hat Customer
In libXfont2's pcfReadFont() function, the repadded bitmap buffer is allocated using a bitmapSizes[] value read directly from the PCF file without cross-validation against per-glyph metrics. Writing to that array uses the per-glyph metrics from the file also without validation. A malicious PCF font can declare a tiny bitmapSizes[] value (e.g. 16 bytes) for the server's glyph pad index and a per-glyph metrics that exceeds this size, causing a write past the end of the allocation with attacker-controlled content from the PCF BITMAPS payload. No rendering is needed -- the overflow occurs during font parsing itself.