https://bugzilla.redhat.com/show_bug.cgi?id=1790041



--- Comment #3 from Riccardo Schirone <rschi...@redhat.com> ---
Vulnerable versions of fontforge allow setting the layer_cnt field of the
SplineFont parser to a very big number, which is parsed as a negative number,
through the usage of the LayerCount token. This bypasses the reallocation of the
layers array and subsequently, during the parsing of the Layer token, it writes
starting one byte before the beginning of the array. The out-of-bounds write
overwrites heap metadata which may be abused to crash the program or possibly
execute code.

_______________________________________________
fonts-bugs mailing list -- fonts-bugs@lists.fedoraproject.org
List Archives: 
https://lists.fedoraproject.org/archives/list/fonts-bugs@lists.fedoraproject.org
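The comment above describes a classic sign-confusion pattern: a count token is parsed into a signed integer, a huge unsigned-looking value wraps negative, the "grow only if larger" check then skips the realloc, and a later token indexes the array with the bad count. The following is an added example that is not fontforge's code and not part of the bug report; it is a constructed C model of that bug class. The struct name SplineFontModel, the field names, the token handlers, and the MAX_LAYERS bound are assumptions chosen for illustration. The vulnerable-style function only reports what it would have done (it allocates nothing and writes nothing), while the hardened path shows the checks that close both the count and the index.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical upper bound on layers; real parsers pick a value that
 * fits their format. Anything above it is rejected as absurd. */
#define MAX_LAYERS 1024

/* Constructed model of a font with a growable layer array. Not fontforge's
 * SplineFont; the names are assumptions for this example. */
typedef struct {
    int  layer_cnt;
    int *layers;
} SplineFontModel;

/* Vulnerable-style handling of a LayerCount token, modelled after the
 * comment: the decimal is converted to unsigned long and truncated into a
 * signed int, so "4294967295" becomes -1 (modular conversion, which gcc and
 * clang define). Because -1 is not greater than the current count, the
 * "grow the array" branch is skipped. Returns the count the parser would
 * store and sets *would_realloc; it deliberately allocates and writes
 * nothing, so it is safe to call. */
static int vuln_layer_count(const char *tok, int cur_cnt, int *would_realloc)
{
    int cnt = (int)strtoul(tok, NULL, 10);   /* sign flip happens here */
    *would_realloc = (cnt > cur_cnt);        /* negative cnt never "grows" */
    return cnt;                              /* later used as layers[cnt - 1] */
}

/* Hardened parse of a LayerCount token. Returns 1 and stores the value only
 * if tok is a complete decimal integer in [0, MAX_LAYERS]; otherwise returns
 * 0 and leaves *out untouched. */
static int parse_layer_count(const char *tok, int *out)
{
    char *end;
    errno = 0;
    long v = strtol(tok, &end, 10);
    if (end == tok || *end != '\0') return 0;  /* not a number, or trailing junk */
    if (errno == ERANGE) return 0;             /* does not fit in long */
    if (v < 0 || v > MAX_LAYERS) return 0;     /* negative or unreasonably large */
    *out = (int)v;
    return 1;
}

/* LayerCount handler built on the validated parse: the array only grows
 * through this path, and new slots are zeroed. */
static int set_layer_count(SplineFontModel *sf, const char *tok)
{
    int cnt;
    if (!parse_layer_count(tok, &cnt)) return 0;
    if (cnt > sf->layer_cnt) {
        int *n = realloc(sf->layers, (size_t)cnt * sizeof *n);
        if (n == NULL) return 0;
        memset(n + sf->layer_cnt, 0,
               (size_t)(cnt - sf->layer_cnt) * sizeof *n);
        sf->layers = n;
    }
    sf->layer_cnt = cnt;
    return 1;
}

/* Layer handler: the index is checked against the stored count before the
 * write, so an index of -1 (one slot before the array) is refused. */
static int set_layer(SplineFontModel *sf, int idx, int value)
{
    if (idx < 0 || idx >= sf->layer_cnt) return 0;
    sf->layers[idx] = value;
    return 1;
}

int main(void)
{
    int would_realloc;
    int bad = vuln_layer_count("4294967295", 2, &would_realloc);
    printf("vulnerable path: count=%d realloc=%d\n", bad, would_realloc);

    SplineFontModel sf = { 0, NULL };
    printf("hardened: LayerCount 3 -> %d\n", set_layer_count(&sf, "3"));
    printf("hardened: LayerCount 4294967295 -> %d\n",
           set_layer_count(&sf, "4294967295"));
    printf("hardened: Layer -1 -> %d\n", set_layer(&sf, -1, 42));
    free(sf.layers);
    return 0;
}
```

The two checks are independent: even if a count slipped through, the bounds check in set_layer would still refuse the negative index, which is the defence-in-depth a parser for untrusted font files should have.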