On 04/14/12 06:48 AM, Vinnie wrote:
>> From: Alan Coopersmith <alan.coopersm...@oracle.com>
>>
>> A pretty convenient way to make your software full of security holes
>> and other bugs if you don't spend the time to update it for every upstream
>> patch, at which point you'll find that it's not all that convenient
>> compared to just using a shared library.
>
> *sigh* people assume FreeType is only used for operating systems. How many
> times do I have to repeat the use-case for embedding both FreeType, and a
> font, within a desktop or smartphone application? For cases where the user
> cannot choose the font, there is no security hole.

Do you know where most of the FreeType security issues in the past few years
have been found? By people trying to hack smartphones via downloads of
malicious PDFs or opening webpages with bad webfonts. Quite a few of the
jailbreaks for Apple's iOS have resulted in FreeType security patches coming
out - you can see credits to both Apple & Google for providing fixes in the
various advisories.

Of course, those smartphone OSes are providing system font rendering using
FreeType so you don't have to shove in another copy there.

-- 
-Alan Coopersmith- alan.coopersm...@oracle.com
Oracle Solaris Engineering - http://blogs.oracle.com/alanc

_______________________________________________
Freetype-devel mailing list
Freetype-devel@nongnu.org
https://lists.nongnu.org/mailman/listinfo/freetype-devel