[3.0] freetype: multiple integer overflows Mac_Read_POST_Resource() leading to heap-based buffer overflows (CVE-2014-9674)
The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType
before 2.5.4
proceeds with adding to length values without validating the original
values,
which allows remote attackers to cause a denial of service (integer
overflow
and heap-based buffer overflow) or possibly have unspecified other
impact via a crafted Mac font.
Fixed in version:
freetype 2.5.4
References:
https://bugzilla.redhat.com/show\_bug.cgi?id=CVE-2014-9674
https://code.google.com/p/google-security-research/issues/detail?id=153
Patches:
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=240c94a185cd8dae7d03059abec8a5662c35ecd3
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=cd4a5a26e591d01494567df9dec7f72d59551f6e
(from redmine: issue id 5139, created on 2016-02-18, closed on 2016-02-22)
- Relations:
- parent #5138 (closed)
- Changesets:
- Revision 1d2c50f3 on 2016-02-19T11:25:42Z:
main/freetype: security upgrade to 2.5.4 (CVE-2014-9674). Fixes #5139