Project Zero today made four bugs in FreeType publicly visible.
Fixes appear to have been committed to FreeType's git repo, but no new release has been made yet, and no CVE IDs are listed in the bug reports or commits. Each individual bug report, on either the Project Zero tracker or the FreeType gitlab, has more details, including technical analysis, reproducers, and suggested fixes from the researchers.

------------------------------------------------------------------------------

FreeType: Heap Buffer Overflow via Improper Limit Calculation in TrueType SHZ Instruction
https://project-zero.issues.chromium.org/issues/505355061

Vulnerability Type: Heap Buffer Overflow (Read/Write)
Affected Component: TrueType Bytecode Interpreter (ttinterp.c)
Affected Versions: Confirmed on v2.14.3 and git head (f2b3f969)
Credit: Mateusz Jurczyk of Google Project Zero

A heap buffer overflow vulnerability exists in the FreeType library's TrueType bytecode interpreter. The vulnerability is triggered by the SHZ (Shift Zone) instruction when executed within a composite glyph context. Improper calculation of the loop limit leads to an out-of-bounds memory access (both read and write) in the Move_Zp2_Point function. An attacker can leverage this to cause an application crash or potentially achieve arbitrary code execution.

Reported at: https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1420
Fixed by https://gitlab.freedesktop.org/freetype/freetype/-/commit/1803559c4ee407d0bcbf2a67dbe96690cee869d2 and several follow-up commits.

------------------------------------------------------------------------------

FreeType: Integer Overflow leading to Out-of-Bounds Read in TrueType IUP Instruction
https://project-zero.issues.chromium.org/issues/505357209

Vulnerability Type: Integer Overflow / Out-of-Bounds Read / Denial of Service
Affected Component: TrueType Bytecode Interpreter (ttinterp.c)
Affected Versions: Confirmed on v2.14.3 and git head (f2b3f969)
Credit: Mateusz Jurczyk of Google Project Zero

An integer overflow vulnerability exists in the FreeType library's TrueType bytecode interpreter's handling of the IUP (Interpolate Untouched Points) instruction. By using a signed 16-bit integer for a loop counter that iterates over glyph contours, the interpreter can be forced into an infinite loop or an out-of-bounds read if a glyph contains more than 32,767 contours. This leads to a Denial of Service (DoS) and potential information leakage.

Reported at: https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1421
Fixed in https://gitlab.freedesktop.org/freetype/freetype/-/commit/7974be74d8b5a2fbf99aa88f0461d1f80af51cee

------------------------------------------------------------------------------

FreeType: Heap Buffer Overflow via Signedness Mismatch in TrueType Variation Handling (tt_interpolate_deltas)
https://project-zero.issues.chromium.org/issues/506902245

Vulnerability Type: Heap Buffer Overflow / Integer Wrap-around
Affected Component: TrueType Variation Handling (ttgxvar.c)
Affected Versions: Confirmed on v2.14.3 and git head (5d109934)
Credit: Mateusz Jurczyk of Google Project Zero

A heap-based buffer overflow vulnerability exists in FreeType 2.14.3 when processing composite glyphs in variable fonts. The flaw is caused by a signed 16-bit integer wrap-around in a loop counter within the variation delta interpolation logic. An attacker can leverage this by providing a font with a composite glyph containing more than 32,767 components, leading to out-of-bounds memory access. This vulnerability can potentially result in arbitrary code execution in applications that use FreeType to process untrusted font files.

Reported in https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1423
Fixed in https://gitlab.freedesktop.org/freetype/freetype/-/commit/0d45c7f1911bc6db0bf072eea0c8cdccd77bc6b3

------------------------------------------------------------------------------

FreeType: Heap Buffer Over-read in tt_face_colr_blend_layer via Sub-byte Bitmaps

Vulnerability Type: Heap Buffer Over-read / Information Disclosure
Affected Component: COLR v0 Blending (ttcolr.c)
Affected Versions: Confirmed on v2.14.3 and git head (5d109934)
Credit: Mateusz Jurczyk of Google Project Zero

A heap-based buffer over-read vulnerability exists in FreeType 2.14.3's COLR v0 layer blending function tt_face_colr_blend_layer. When a COLR v0 base glyph references a layer glyph backed by an embedded bitmap with a sub-byte pixel mode (1bpp MONO, 2bpp GRAY2, or 4bpp GRAY4), the blending loop incorrectly treats the source bitmap as 8-bit grayscale. This causes the function to read beyond the end of the heap-allocated packed bitmap buffer. The over-read data is directly encoded into the output pixel values, allowing for potential information disclosure of heap memory bytes in applications that process untrusted font files.

Reported in https://gitlab.freedesktop.org/freetype/freetype/-/work_items/1425
Fixed in https://gitlab.freedesktop.org/freetype/freetype/-/commit/cbe12767ea73d1006edc75fcd61c0b0d2a88f34e

--
-Alan Coopersmith- [email protected]
Oracle Solaris Engineering - https://blogs.oracle.com/solaris
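The signed 16-bit loop-counter pattern behind the IUP and tt_interpolate_deltas bugs above, as an added C example that is not FreeType's code: it simulates a counter of FT_Short width iterating over an untrusted 16-bit count, shows that a count above 32,767 makes the counter wrap negative and never reach the exit condition, and contrasts it with a counter wide enough to hold the count. The function names, the LoopResult struct and the iteration cap are constructed for this illustration.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed result record: what the simulated loop did. */
typedef struct {
    long iterations;     /* loop bodies executed before exit or cap */
    int  negative_index; /* 1 if the counter ever went negative (OOB index) */
    int  terminated;     /* 1 if the loop's own condition ended it */
} LoopResult;

/* Vulnerable pattern: a 16-bit signed counter compared against an
 * unsigned 16-bit count read from the font. Both promote to int, so
 * the comparison is fine until c reaches 32767; the next increment
 * wraps to -32768 (still < n_contours) and the loop never exits,
 * indexing with negative values on the way. cap stops the simulation. */
LoopResult simulate_signed16_loop(uint16_t n_contours, long cap)
{
    LoopResult r = {0, 0, 0};
    int16_t c = 0;
    while (r.iterations < cap) {
        if (!(c < n_contours)) { r.terminated = 1; break; }
        if (c < 0) r.negative_index = 1;   /* would be pts.contours[c] */
        r.iterations++;
        c = (int16_t)(c + 1);              /* 32767 + 1 -> -32768 */
    }
    return r;
}

/* Fixed pattern: a counter wide enough for any 16-bit count, so it
 * reaches n_contours and the loop exits after exactly that many steps. */
LoopResult simulate_wide_loop(uint16_t n_contours, long cap)
{
    LoopResult r = {0, 0, 0};
    uint32_t c = 0;
    while (r.iterations < cap) {
        if (!(c < n_contours)) { r.terminated = 1; break; }
        r.iterations++;
        c++;
    }
    return r;
}

int main(void)
{
    LoopResult bad = simulate_signed16_loop(40000, 100000);
    LoopResult ok  = simulate_wide_loop(40000, 100000);
    printf("signed16: iters=%ld terminated=%d negative_index=%d\n",
           bad.iterations, bad.terminated, bad.negative_index);
    printf("wide:     iters=%ld terminated=%d negative_index=%d\n",
           ok.iterations, ok.terminated, ok.negative_index);
    return 0;
}
```

With 40,000 contours the signed counter hits the cap without terminating and has already produced negative indices; the wide counter stops after 40,000 iterations.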
