Hi list, Posting here for transparency reasons. A 16k stars project, used in, I can imagine game engines, UI, Android/iOS/embedded. Used in another 30k stars project and 11k from even Google (also possibly not fixed). OpenCV 55k stars seems to be also affected (new branch only). Attack vector through malicious font. Buy me a beer if you will get bounty on it and initial fuzzing person https://github.com/nothings/stb/issues/618
Should this have a codename "BadSTB" lol. Thoughts? Per Developer library was not intended to work with untrusted data. Be careful when using it, consider a replacement. This is PSA. Thanks, P.S Full thread here: https://twitter.com/marcinguy/status/1421740689516339200?s=19 _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
