Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0

[Marc Deslauriers <marc.deslauriers () canonical com>]

Hi Michel,

On 2025-03-13 22:54, Michel Lind wrote:
> The fixes I'm working with both the Meta security folks and the EL
> community (CentOS / AlmaLinux) can be tracked
> herehttps://gitlab.com/redhat/centos-stream/rpms/freetype/-/merge_requests/8/diffs

I think if you're removing the 4 "phantom points" from outline.n_point and 
outline.n_contours, you probably need to add them back in other places, like the 
parts you are missing from this patch does:

https://gitlab.freedesktop.org/freetype/freetype/-/commit/47103b2f195e0f9664c9470182f063cb7d41dc9f

Is there a reproducer available for this CVE? I was thinking of just doing a 
minimal fix for older freetype versions in Ubuntu, maybe something like this:

-- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -1957,6 +1957,13 @@

         limit = (short)gloader->current.num_subglyphs;

+        /* make sure this isn't negative as we're going to add 4 later */
+        if ( limit < 0 )
+        {
+          error = FT_THROW( Invalid_Argument );
+          goto Exit;
+        }
+
         /* construct an outline structure for              */
         /* communication with `TT_Vary_Apply_Glyph_Deltas' */
         outline.n_points   = (short)( gloader->current.num_subglyphs + 4 );


Marc.