https://bugzilla.redhat.com/show_bug.cgi?id=1790041
--- Comment #3 from Riccardo Schirone <rschi...@redhat.com> ---

Vulnerable versions of fontforge allow the layer_cnt field of the SplineFont parser to be set, through the LayerCount token, to a very big number, which is parsed as a negative number. This bypasses the reallocation of the layers array and subsequently, during the parsing of the Layer token, it writes starting one byte before the beginning of the array. The out-of-bounds write overwrites heap metadata, which may be abused to crash the program or possibly execute code.
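The count-handling pattern the comment describes, as an added C model that is not FontForge's code: a count that wraps negative slips past a growth check that only fires when the count increases, while a range check before the value is used rejects it outright. `struct font`, `MAX_LAYERS`, `set_layer_count_weak`, `set_layer_count_safe` and `layer_index_ok` are assumed names, and the truncation-to-int is an assumed model of how the token becomes negative.

```c
#include <stdlib.h>

/* Hypothetical model of the pattern in the comment, not FontForge's code: the
 * LayerCount value lands in a signed int field, and the layer array is only
 * grown when the new count exceeds the current one. */

#define MAX_LAYERS 256   /* assumed sanity bound for the hardened variant */

struct font {
    int layer_cnt;       /* number of layers the parser believes exist */
    char **layers;       /* one slot per layer */
};

/* Weak variant: the token is truncated to int, so 4294967295 becomes -1, the
 * growth check is skipped, and the stored count no longer matches the array.
 * Returns the count that was stored. */
static int set_layer_count_weak(struct font *f, unsigned long token) {
    int cnt = (int)token;            /* wraps negative for huge values */
    if (cnt > f->layer_cnt) {        /* never true for a negative cnt */
        char **n = realloc(f->layers, (size_t)cnt * sizeof *n);
        if (!n) return f->layer_cnt;
        f->layers = n;
    }
    f->layer_cnt = cnt;              /* array size unchanged */
    return f->layer_cnt;
}

/* Hardened variant: check the range before the value can influence allocation
 * or indexing. Returns 0 on success, -1 if rejected (font left untouched). */
static int set_layer_count_safe(struct font *f, unsigned long token) {
    if (token < 2 || token > MAX_LAYERS) return -1;
    int cnt = (int)token;            /* known to fit */
    if (cnt > f->layer_cnt) {
        char **n = realloc(f->layers, (size_t)cnt * sizeof *n);
        if (!n) return -1;
        f->layers = n;
    }
    f->layer_cnt = cnt;
    return 0;
}

/* Bounds check for a Layer token index against the stored count; a corrupted
 * negative count rejects every index, which is the safe failure mode. */
static int layer_index_ok(const struct font *f, long idx) {
    return idx >= 0 && idx < f->layer_cnt;
}
```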