--- Comment #3 from Riccardo Schirone <> ---
Vulnerable versions of fontforge allow the layer_cnt field of the
SplineFont parser to be set to a very big number, which is parsed as a negative number,
through the usage of the LayerCount token. This bypasses the reallocation of the
layers array and subsequently, during the parsing of the Layer token, it writes
starting one byte before the beginning of the array. The out-of-bounds write
overwrites heap metadata which may be abused to crash the program or possibly
execute code.

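As an added illustration (not fontforge's code and not part of this report), a C sketch of the weak pattern described above beside the checks that close it: the count token is truncated into a signed int, so a huge value turns negative and slips past a grow-only reallocation check; MAX_LAYERS, the function names and the sample token are assumptions.

```c
#include <errno.h>
#include <limits.h>
#include <stdlib.h>

/* Assumed upper bound for this example; not a fontforge constant. */
#define MAX_LAYERS 1024

/* Mirrors the weak pattern: the token's number is dropped into a signed int.
 * With a 32-bit int, "4294967295" becomes -1. */
static int weak_layer_count(const char *tok)
{
    return (int)strtoul(tok, NULL, 10);
}

/* A grow-only check (only reallocate when more layers are requested)
 * is bypassed when the requested count is negative.
 * Returns 1 if the reallocation would be skipped. */
static int grow_skipped(int current_cnt, int requested_cnt)
{
    return requested_cnt <= current_cnt;
}

/* Hardened parse: accept only 1..MAX_LAYERS and reject everything else
 * before the value can reach an allocator or an array index.
 * Returns 0 on success, -1 on rejection. */
static int parse_layer_count(const char *tok, int *out)
{
    char *end;
    long v;

    errno = 0;
    v = strtol(tok, &end, 10);
    if (end == tok || *end != '\0' || errno == ERANGE)
        return -1;               /* not a clean decimal number */
    if (v < 1 || v > MAX_LAYERS)
        return -1;               /* negative, zero or absurdly large */
    *out = (int)v;
    return 0;
}

/* Bounds check a Layer-token handler should apply before writing layer[idx]. */
static int layer_index_ok(int idx, int layer_cnt)
{
    return idx >= 0 && idx < layer_cnt;
}
```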