FreeType 2.10.4 has been released.
It is available from
http://savannah.nongnu.org/download/freetype/
or
http://sourceforge.net/projects/freetype/files/
The latter site also holds older versions of the FreeType library.
See below for the relevant snippet from the CHANGES file.
>> Does this vulnerability affect older (< 2.10.3) versions of
>> FreeType as well?
Yes, down to 2.6, AFAICS.
> It appears that something like this was fixed with 54abd22891 but
> the fix there came too late (after a narrowing conversion) leaving
> some values unchecked.
I think the problem
On Mon, Oct 19, 2020, 6:19 PM Hugh McMaster wrote:
> Hi Werner,
>
> On Tue, 20 Oct 2020 at 09:07, Werner LEMBERG wrote:
>
>>
>> I've just fixed a heap buffer overflow that can happen for some
>> malformed `.ttf` files with PNG sbit glyphs. It seems that this
>> vulnerability is already being
Hi Werner,
On Tue, 20 Oct 2020 at 09:07, Werner LEMBERG wrote:
>
> I've just fixed a heap buffer overflow that can happen for some
> malformed `.ttf` files with PNG sbit glyphs. It seems that this
> vulnerability is already being actively used in the wild, so I ask all
> users to apply the
I've just fixed a heap buffer overflow that can happen for some
malformed `.ttf` files with PNG sbit glyphs. It seems that this
vulnerability is already being actively used in the wild, so I ask all
users to apply the corresponding commit as soon as possible.
Tomorrow I will do a 2.10.4 release.
>> For my taste the 'FT' glyphs are a bit tall. What do you think of
>> reducing the height a bit?
>
> It has to be grid-fitted into a 16x16 icon, which is rather
> universal with larger sizes scaled up. There is 1 pixel margin on
> all sides. I could not convince myself to adjust these margins
> For my taste the 'FT' glyphs are a bit tall. What do you think of
> reducing the height a bit?
>
It has to be grid-fitted into a 16x16 icon, which is rather universal with
larger sizes scaled up. There is 1 pixel margin on all sides. I could not
convince myself to adjust these margins yet: it