[patch] [security] print/freetype2 fix for heap overflow
Nick Barkas
snb at threerings.net
Fri May 18 20:49:50 UTC 2007
>Submitter-Id: current-users
>Originator: Nick Barkas
>Organization: Three Rings Design
>Confidential: no
>Synopsis: [patch] [security] print/freetype2 fix for heap overflow
>Severity: critical
>Priority: high
>Category: ports
>Class: update
>Release: FreeBSD 6.1-RELEASE-p6 i386
>Environment:
FreeBSD lab1.earth.threerings.net 6.1-RELEASE-p6 FreeBSD 6.1-RELEASE-p6 #5: Wed Sep 13 17:45:32 PDT 2006 root at lab1.earth.threerings.net:/usr/obj/usr/src/sys/SMP i386
>Description:
See http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2754
"Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier
might allow remote attackers to execute arbitrary code via a crafted TTF image
with a negative n_points value, which leads to an integer overflow and
heap-based buffer overflow."
This bug can allow remote code execution, so this should probably be added to
the VuXML. Maintainer has been CC'd.
>How-To-Repeat:
>Fix:
The latest release of FreeType does not seem to include a fix for this, but this
patch should fix the problem. I put it in the port's files directory,
incremented portrevision, and portupgrade took care of updating the port for me.
--- patch-src_truetype_ttgload.c begins here ---
--- src/truetype/ttgload.c.orig Tue Feb 14 12:44:56 2006
+++ src/truetype/ttgload.c Fri May 18 13:05:34 2007
@@ -269,7 +269,11 @@
n_points = 0;
if ( n_contours > 0 )
+ {
n_points = cont[-1] + 1;
+ if ( n_points < 0 )
+ goto Invalid_Outline;
+ }
/* note that we will add four phantom points later */
error = FT_GLYPHLOADER_CHECK_POINTS( gloader, n_points + 4, 0 );
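Review bot: the new `if ( n_points < 0 )` guard only works if `n_points` in this function is already a signed type; this hunk changes no declaration (the FT_UInt to FT_Int changes in the later hunks belong to a different function starting around line 677), so confirm the declaration at the top of this function is FT_Int, otherwise the comparison is always false and a wrapped `n_points + 4` still reaches FT_GLYPHLOADER_CHECK_POINTS. Also confirm that an `Invalid_Outline:` label exists in this function, since the goto target is not in the visible context.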
@@ -677,7 +681,7 @@
FT_GlyphLoader gloader = loader->gloader;
FT_Error error = TT_Err_Ok;
FT_Outline* outline;
- FT_UInt n_points;
+ FT_Int n_points;
outline = &gloader->current.outline;
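Review bot: changing `n_points` from FT_UInt to FT_Int makes a negative count representable but adds no rejection of it in this function; every later use of `n_points` as an allocation size or loop bound should either be covered by the check added at line 269 or get its own `< 0` test, and any remaining unsigned variables compared against it will now trigger signed/unsigned comparison warnings (the index change in the next hunk covers one of them).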
@@ -704,7 +708,7 @@
/* Deltas apply to the unscaled data. */
FT_Vector* deltas;
FT_Memory memory = loader->face->memory;
- FT_UInt i;
+ FT_Int i;
error = TT_Vary_Get_Glyph_Deltas( (TT_Face)(loader->face),
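Review bot: switching the loop index `i` to FT_Int keeps the comparison against the now-signed `n_points` sign-consistent, but the loop body that uses `i` is outside the visible context; confirm it still behaves when `n_points` is 0 and that no other FT_UInt counters in this block are compared against `n_points`.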
--- patch-src_truetype_ttgload.c ends here ---
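To make the signedness problem from the description concrete, here is an added illustration (not FreeType code and not part of the original PR) that models the point-count arithmetic in simplified form: the FT_Short/FT_Int/FT_UInt typedefs, the function names and the sample contour arrays are assumptions, and the unpatched variant combines the FT_UInt count the second hunk removes with the unguarded computation the first hunk fixes.

```c
/* Minimal stand-ins for the FreeType typedefs used in ttgload.c (assumed here). */
typedef short        FT_Short;
typedef int          FT_Int;
typedef unsigned int FT_UInt;

/* Constructed sample data: the last entry of each array plays the role of
 * cont[-1], the end index of the final contour read from the font. */
static const FT_Short sample_good[] = { 9, 19 };   /* two contours, 20 points */
static const FT_Short sample_bad[]  = { 9, -5 };   /* negative end index */

/*
 * Model of the pre-patch arithmetic: the point count is derived from the
 * last contour end index, then "+ 4 phantom points" is handed to the
 * loader's capacity check.  With an unsigned count a negative index wraps,
 * so the value that is checked can be tiny (here: zero) while the count
 * later used to write points is enormous.
 */
FT_UInt points_to_check_unpatched(const FT_Short *cont_end, FT_Int n_contours)
{
    FT_UInt n_points = 0;                       /* unsigned, like the old FT_UInt */

    if (n_contours > 0)
        n_points = cont_end[n_contours - 1] + 1; /* -5 + 1 = -4 wraps to 0xFFFFFFFC */

    return n_points + 4;                        /* 0xFFFFFFFC + 4 wraps to 0 */
}

/*
 * Same computation with the patch applied: a signed count plus an explicit
 * sign test.  Returns -1 where ttgload.c jumps to Invalid_Outline.
 */
FT_Int points_to_check_patched(const FT_Short *cont_end, FT_Int n_contours)
{
    FT_Int n_points = 0;

    if (n_contours > 0)
    {
        n_points = cont_end[n_contours - 1] + 1;
        if (n_points < 0)
            return -1;                          /* reject the crafted outline */
    }

    return n_points + 4;
}
```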
More information about the freebsd-gnome mailing list