Hi, I wrote a fuzzer and tried it on ImageMagick. I found some bugs and one critical in the TTF format. I don't want to publish too much information since I think that it's a serious security bug (may lead to arbitrary code execution).

It's hard to track the error but it's near line 325 in src/truetype/ttgload.c (function Get_VMetrics()).

Status of the function on the crash:
  n_contours = 1
  n_points = -12526 (negative)
  tags = NULL

Problems:
  - signed/unsigned integer conversion (strange instruction: « cont[0] = FT_GET_USHORT(); ») --> negative number of points
  - tags is NULL (why?)

Contact me if you would like more information or to reproduce the bug.

Does FreeType use a bug tracker? Is the source repository (cvs/svn) public?

Victor
--
Victor Stinner
http://www.inl.fr/

_______________________________________________
Freetype-devel mailing list
[email protected]
http://lists.nongnu.org/mailman/listinfo/freetype-devel
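The report above describes a point count going negative after an unsigned 16-bit end-point index is read. The following is an added illustration, not FreeType's code and not the reporter's test file: it parses a constructed TrueType simple-glyph header (int16 numberOfContours, four int16 bounds, then uint16 endPtsOfContours[]) two ways. The naive parser assumes, as the report suggests, that the derived point count lands in a signed 16-bit variable, so a last end point of 0xCF11 (53009) yields 53010 points, which truncates to -12526, the value the report shows. The checked parser keeps the count in a wide type, requires end points to be strictly increasing, bounds the result, and rejects truncated input. The sample bytes are constructed; the assumption that the count was held in a signed 16-bit variable is mine.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Constructed sample: one contour whose last end-point index is 0xCF11. */
static const uint8_t SAMPLE_HOSTILE[] = {
    0x00, 0x01,                                     /* numberOfContours = 1 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* xMin, yMin, xMax, yMax */
    0xCF, 0x11                                      /* endPtsOfContours[0] = 53009 */
};

/* Constructed sample: two well-formed contours ending at points 3 and 7. */
static const uint8_t SAMPLE_BENIGN[] = {
    0x00, 0x02,                                     /* numberOfContours = 2 */
    0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, /* bounds */
    0x00, 0x03, 0x00, 0x07                          /* end points 3 and 7 -> 8 points */
};

/* Read a big-endian unsigned 16-bit value (the same thing FT_GET_USHORT does). */
static uint16_t get_ushort(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Naive count, mirroring the assumed failure mode: the point count derived from
   an unsigned end-point index is stored in a signed 16-bit variable, so any
   last index >= 0x7FFF wraps negative. Returns 0 on obviously short input. */
int16_t naive_point_count(const uint8_t *glyph, size_t len) {
    int16_t n_contours;
    uint16_t last_end;
    if (len < 10) return 0;
    n_contours = (int16_t)get_ushort(glyph);
    if (n_contours <= 0 || len < 10 + 2u * (size_t)n_contours) return 0;
    last_end = get_ushort(glyph + 10 + 2 * (n_contours - 1));
    /* 53009 + 1 = 53010 does not fit in int16_t: wraps to -12526 on two's complement. */
    return (int16_t)(last_end + 1);
}

/* Hardened count: wide arithmetic, strictly increasing end points (each contour
   has at least one point), an upper bound the caller will allocate for, and a
   length check before every read. Returns -1 on malformed input. */
long checked_point_count(const uint8_t *glyph, size_t len, long max_points) {
    long n_contours, i, prev = -1;
    if (len < 10) return -1;
    n_contours = (int16_t)get_ushort(glyph);
    if (n_contours < 0) return -1;                  /* composite glyph: not handled here */
    if (len < 10 + 2 * (size_t)n_contours) return -1; /* endPts array truncated */
    for (i = 0; i < n_contours; i++) {
        long e = get_ushort(glyph + 10 + 2 * i);
        if (e <= prev) return -1;                   /* end points must increase */
        prev = e;
    }
    if (prev + 1 > max_points) return -1;           /* refuse absurd point counts */
    return prev + 1;
}

int main(void) {
    printf("naive   hostile: %d\n", naive_point_count(SAMPLE_HOSTILE, sizeof SAMPLE_HOSTILE));
    printf("checked hostile: %ld\n", checked_point_count(SAMPLE_HOSTILE, sizeof SAMPLE_HOSTILE, 4096));
    printf("checked benign:  %ld\n", checked_point_count(SAMPLE_BENIGN, sizeof SAMPLE_BENIGN, 4096));
    return 0;
}
```

The benign glyph parses identically under both routines; only the hardened one refuses the oversized index and a header cut off before its end-point array, which is the check a loader needs before it sizes a points or tags buffer from the count.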
