On 04/14/12 06:48 AM, Vinnie wrote:
>> From: Alan Coopersmith <alan.coopersm...@oracle.com>
>>
>> A pretty convenient way to make your software full of security holes
>> and other bugs if you don't spend the time to update it for every upstream
>> patch, at which point you'll find that it's not all that convenient 
>> compared to just using a shared library.
> 
> *sigh* people assume FreeType is only used for operating systems. How many 
> times do I have to repeat the use-case for embedding both FreeType, and a 
> font, within a desktop or smartphone application? For cases where the user 
> cannot choose the font, there is no security hole.

Do you know where most of the FreeType security issues in the past few years
have been found? By people trying to hack smartphones via downloads of
malicious PDFs or opening webpages with bad webfonts. Quite a few of the
jailbreaks for Apple's iOS have resulted in FreeType security patches coming
out - you can see credits to both Apple & Google for providing fixes in the
various advisories.

Of course, those smartphone OSes are providing system font rendering using
FreeType so you don't have to shove in another copy there.

-- 
        -Alan Coopersmith-              alan.coopersm...@oracle.com
         Oracle Solaris Engineering - http://blogs.oracle.com/alanc
