Vigil@nce - FreeType: integer overflow via CID-keyed
November 2011 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can invite the victim to open a malicious PostScript
font with an application linked to FreeType, in order to create an
integer overflow, leading to code execution.
Severity: 2/4
Creation date: 15/11/2011
IMPACTED PRODUCTS
– Debian Linux
– Fedora
– Mandriva Enterprise Server
– Mandriva Linux
– Red Hat Enterprise Linux
– Unix - plateform
DESCRIPTION OF THE VULNERABILITY
The FreeType library processes TrueType character fonts.
The CID-keyed (Character IDentifier) format is used to store
numerous characters in structure, composed of dictionaries. The
cid_load_keyword() and parse_font_matrix() functions of the
src/cid/cidload.c file do not check if the number of dictionaries
is too large.
A CID SubrMap ("subroutines map") indicates the position of
functions processing the character shape. The cid_read_subrs()
function of the src/cid/cidload.c file does not check if the
number of functions is too large.
An attacker can therefore invite the victim to open a malicious
PostScript font with an application linked to FreeType, in order
to create an integer overflow, leading to code execution.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/FreeType-integer-overflow-via-CID-keyed-11160