I'm disinclined to unilaterally assign a CVE here:

- ftgrid doesn't feel like it's useful beyond freetype developers -- try it out for yourself on a font on your system. (For me, quite a lot of the window space is filled with the previous contents of the screen, but perhaps if you're not running a tiling window manager the window will be the exact required size. What's left doesn't look like it's end-user or even font-designer oriented.)
- I don't think the linked patches completely address the undefined behavior due to signed integer overflows:

  typedef struct grBitmap_
  {
    int             rows;
    int             width;
    int             pitch;
    grPixelMode     mode;
    int             grays;
    unsigned char*  buffer;
  } grBitmap;

  static void
  bitmap_scale( GridStatus  st,
                grBitmap*   bit,
                int         scale )
  {
    unsigned char*  s = bit->buffer;
    unsigned char*  line;
    int             pitch;
    int             width;
    int             i, j, k;

    pitch = bit->pitch > 0 ? bit->pitch : -bit->pitch;
    width = bit->width;

    /* limit bitmap size */
    if ( pitch * scale <= 0xFFFF && bit->rows * scale <= 0xFFFF )
      line = (unsigned char*)malloc( (size_t)( pitch * bit->rows * scale * scale ) );
    else
      line = NULL;

  What happens if pitch * scale or bit->rows * scale cause an integer overflow and the compiler emits code that causes the result to become negative? Or the compiler omits the code entirely, because signed integer overflow is undefined? All these values are signed integers and I can't quickly spot code that would limit these to suitable values.

I don't see any security value in debugging this demo program. If upstream disagrees and thinks this deserves a CVE, I won't stand in their way, but I also don't think assigning one here would encourage them to care about the CVE process. Fixing one specific integer overflow while ignoring two more on the previous line doesn't feel productive.

If you, dear reader, actually care about this specific program, I encourage a few steps to explore it further:

- build it with -fsanitize=undefined and fuzz it. I bet there's dozens more of these errors.
- build it with -fsanitize=address and fuzz it. I bet there's a few more of these errors.
- submit the project to scan.coverity.com. Unless Coverity is already part of the workflow, it'll probably find dozens of flaws, some of which will represent real bugs reachable by maliciously built fonts or operating users or other X clients or the X server.
Thanks

-- 
You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to Ubuntu.
https://bugs.launchpad.net/bugs/2059852

Title:
  Invalid free called during libfreetype FT_Done_Glyph

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/freetype/+bug/2059852/+subscriptions

-- 
ubuntu-bugs mailing list
ubuntu-bugs@lists.ubuntu.com
https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
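The message above argues that the `pitch * scale <= 0xFFFF && bit->rows * scale <= 0xFFFF` limit test in bitmap_scale can itself overflow, so that the products wrap negative (or the check is optimised away) and the malloc size is computed from overflowed values. The following is an added illustration written for this page; it is not code from the bug report, from ftgrid or from FreeType. It emulates the original test under two's-complement wrapping (one of several outcomes the C standard permits for signed overflow) to show inputs that slip past it, and beside it an overflow-checked replacement. Names such as `original_limit_passes`, `scaled_buffer_size` and `size_or_zero` are hypothetical; the hardened version assumes a GCC- or Clang-compatible compiler for `__builtin_mul_overflow`, and the 0xFFFF cap is carried over from the excerpt.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Emulate a 32-bit signed multiply that wraps on overflow. The unsigned
 * multiply is well defined; the final conversion back to int32_t is
 * implementation-defined and yields the two's-complement bit pattern on
 * every mainstream compiler. This models what bitmap_scale's check computes
 * if the compiler emits a plain imul rather than exploiting the UB. */
static int32_t wrap_mul_i32(int32_t a, int32_t b)
{
    uint32_t r = (uint32_t)a * (uint32_t)b;
    return (int32_t)r;
}

/* The limit test from the excerpt, as it behaves under wrapping arithmetic.
 * (Hypothetical name; mirrors the excerpt, not FreeType's own code.)
 * Caller must not pass INT_MIN as pitch: -INT_MIN is itself an overflow. */
bool original_limit_passes(int pitch, int rows, int scale)
{
    int32_t p = pitch > 0 ? pitch : -pitch;
    return wrap_mul_i32(p, scale) <= 0xFFFF &&
           wrap_mul_i32(rows, scale) <= 0xFFFF;
}

/* Hardened replacement (hypothetical): every operand is validated first,
 * every product is computed in size_t with an overflow-checked multiply,
 * and the same 0xFFFF caps are enforced on the real (non-wrapped) values.
 * Returns false and leaves *out untouched on rejection. */
bool scaled_buffer_size(int pitch, int rows, int scale, size_t *out)
{
    if (pitch == INT_MIN || rows <= 0 || scale <= 0)
        return false;

    size_t p = (size_t)(pitch > 0 ? pitch : -pitch);
    size_t r = (size_t)rows;
    size_t s = (size_t)scale;
    size_t ps, rs, total;

    if (__builtin_mul_overflow(p, s, &ps) || ps > 0xFFFF)
        return false;
    if (__builtin_mul_overflow(r, s, &rs) || rs > 0xFFFF)
        return false;
    /* pitch*scale and rows*scale are each <= 0xFFFF here, so this product
     * fits even a 32-bit size_t; the check stays as defence in depth. */
    if (__builtin_mul_overflow(ps, rs, &total))
        return false;

    *out = total;
    return true;
}

/* Convenience wrapper: the accepted allocation size, or 0 on rejection. */
size_t size_or_zero(int pitch, int rows, int scale)
{
    size_t n;
    return scaled_buffer_size(pitch, rows, scale, &n) ? n : 0;
}

int main(void)
{
    /* Constructed inputs. 46341 * 46341 = 2147488281 exceeds INT32_MAX, so
     * under wrapping it becomes -2147479015, which is <= 0xFFFF and passes
     * the original test even though the true product is far over the cap. */
    int bad_pitch = 46341, bad_rows = 1, bad_scale = 46341;
    printf("original test passes hostile input: %s\n",
           original_limit_passes(bad_pitch, bad_rows, bad_scale) ? "yes" : "no");
    printf("hardened size for hostile input:   %zu (0 = rejected)\n",
           size_or_zero(bad_pitch, bad_rows, bad_scale));

    /* A benign 100x50 bitmap scaled 4x: 400 * 200 = 80000 bytes. */
    printf("hardened size for benign input:    %zu\n", size_or_zero(100, 50, 4));
    return 0;
}
```

The point of the pair is that the fix belongs at the arithmetic, not at one call site: once each multiply is checked before its result is used, a wrapped or negative intermediate can never reach the comparison or the malloc argument, and the `-pitch` edge case at INT_MIN is rejected up front rather than left as a third overflow.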