>> Does this vulnerability affect older (< 2.10.3) versions of >> FreeType as well?
Yes, down to 2.6, AFAICS. > It appears that something like this was fixed with 54abd22891 but > the fix there came too late (after a narrowing conversion) leaving > some values unchecked. I think the problem is rather commit 01f0842eb0, which changes the cast to `unsigned short`. > Werner, I see a commit in the FreeType repo, but it seems to be just > a change log entry, probably just didn't 'git add' pngshim.c? (I do > things like that embarrassingly frequently.) Nope. Everything should be fine in the git repository. Werner