On 8/26/05, Antoine Leca <[EMAIL PROTECTED]> wrote: > DSIG is a MS thing, and they have (thanks to the monolithic architecture > which integrates the GUI with the kernel, while targetting both workstations > and servers) to think about these issues. > > > > I don't see how a bad font can have any real effect on the integrity > > of my system. > > Right now, neither am I. However it seems that in security, paranoia is a > needed skill.
I have actually been able to crash Windows 2000 a few times while playing with TrueType instructions. Though I'd be the first to say Microsoft had better fix their interpreter, there may be other problems. I think it may be possible to construct GSUB or GPOS tables that do weird things; I think glyphs with points that are wildly out of bounds may cause massive memory allocation on some systems. The digital signature seems a manager solution to a technical problem. How paranoid must we be about security problems? I seem to remember talk about testing FreeType on randomly corrupted fonts; has any work on this been done? Regards, Rogier _______________________________________________ Freetype-devel mailing list [email protected] http://lists.nongnu.org/mailman/listinfo/freetype-devel
