
oss-sec mailing list archives
Re: CVE-2025-27363: out of bounds write in FreeType <= 2.13.0
From: "Michel Lind" <michel () michel-slm name>
Date: Fri, 14 Mar 2025 09:14:15 -0500
On Fri, Mar 14, 2025, at 7:55 AM, Marc Deslauriers wrote:
Hi Michel,

On 2025-03-13 22:54, Michel Lind wrote:
The fixes I'm working with both the Meta security folks and the EL community (CentOS / AlmaLinux) can be tracked here
https://gitlab.com/redhat/centos-stream/rpms/freetype/-/merge_requests/8/diffs

I think if you're removing the 4 "phantom points" from outline.n_point and outline.n_contours, you probably need to add them back in other places, like the parts you are missing from this patch do: https://gitlab.freedesktop.org/freetype/freetype/-/commit/47103b2f195e0f9664c9470182f063cb7d41dc9f
That's a good call. I've been slightly concerned about those 4 points too. Will probably have to cut another fix
Is there a reproducer available for this CVE? I was thinking of just doing a minimal fix for older freetype versions in Ubuntu, maybe something like this: -- a/src/truetype/ttgload.c +++ b/src/truetype/ttgload.c @@ -1957,6 +1957,13 @@ limit = (short)gloader->current.num_subglyphs; + /* make sure this isn't negative as we're going to add 4 later */ + if ( limit < 0 ) + { + error = FT_THROW( Invalid_Argument ); + goto Exit; + } + /* construct an outline structure for */ /* communication with `TT_Vary_Apply_Glyph_Deltas' */ outline.n_points = (short)( gloader->current.num_subglyphs + 4 );
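Review bot: The guard in this hunk rejects a negative `limit`, but `outline.n_points` is still computed from `gloader->current.num_subglyphs + 4` rather than from the checked `limit`, so a num_subglyphs whose short cast is non-negative but within 4 of SHRT_MAX (32764 through 32767) passes `if ( limit < 0 )` and `(short)( gloader->current.num_subglyphs + 4 )` still wraps to a negative n_points. Suggest bounding the sum as well, e.g. `if ( limit < 0 || limit > SHRT_MAX - 4 )`, and deriving n_points from the checked value so the two expressions cannot diverge.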
I'll ask the security folks to weigh in again

Thanks,
--
_o) Michel Lind
_( ) identities: https://keyoxide.org/5dce2e7e9c3b1cffd335c1d78b229d2f7ccc04f2
README: https://michel-slm.name/
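The narrowing the quoted guard tries to catch, as an added C example that is not FreeType's code nor the patch from this thread: `num_subglyphs` stands in for gloader->current.num_subglyphs, PHANTOM_POINTS for the 4 phantom points, and safe_n_points is an assumed helper name showing a bound applied before any cast to short.

```c
#include <limits.h>
#include <stdio.h>

/* Hypothetical stand-in for the 4 "phantom points" added to n_points. */
#define PHANTOM_POINTS 4

/* Models the quoted patch's guard: cast num_subglyphs to short and reject
 * only when that cast value is negative. Returns 1 when the guard accepts. */
static int naive_guard_accepts(unsigned int num_subglyphs)
{
    short limit = (short)num_subglyphs;
    return limit >= 0;
}

/* Models the n_points computation that follows the guard: the 4 phantom
 * points are added to the unsigned original and only then narrowed to short.
 * A negative result means the value wrapped. */
static short naive_n_points(unsigned int num_subglyphs)
{
    return (short)(num_subglyphs + PHANTOM_POINTS);
}

/* Hardened variant (assumed helper, not FreeType's): bound the value while
 * it is still unsigned, so num_subglyphs + 4 is known to fit in a short
 * before any narrowing happens. Returns n_points, or -1 on rejection. */
static int safe_n_points(unsigned int num_subglyphs)
{
    if (num_subglyphs > (unsigned int)(SHRT_MAX - PHANTOM_POINTS))
        return -1;
    return (int)(short)(num_subglyphs + PHANTOM_POINTS);
}

int main(void)
{
    /* Constructed sample inputs: in range, the boundary, and a wrapped cast. */
    const unsigned int samples[] = { 10u, 32763u, 32765u, 40000u };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        unsigned int n = samples[i];
        printf("num_subglyphs=%u guard=%d naive_n_points=%d safe_n_points=%d\n",
               n, naive_guard_accepts(n), (int)naive_n_points(n), safe_n_points(n));
    }
    return 0;
}
```

The 32765 row is the case the `limit < 0` check alone misses: the guard accepts it, yet the naive n_points comes out negative while the bounded helper rejects it.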