Freetype

FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow

CVE-2022-27404 9.8 - Critical - April 22, 2022

FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.

Memory Corruption

FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation

CVE-2022-27405 7.5 - High - April 22, 2022

FreeType commit 53dfdcd8198d2b3201a23c4bad9190519ba918db was discovered to contain a segmentation violation via the function FNT_Size_Request.

Out-of-bounds Read

FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation

CVE-2022-27406 7.5 - High - April 22, 2022

FreeType commit 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 was discovered to contain a segmentation violation via the function FT_Request_Size.

Out-of-bounds Read

Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111

CVE-2020-15999 6.5 - Medium - November 03, 2020

Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.

Memory Corruption

FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_validate in sfnt/ttcmap.c.

CVE-2015-9383 6.5 - Medium - September 03, 2019

FreeType before 2.6.2 has a heap-based buffer over-read in tt_cmap14_validate in sfnt/ttcmap.c.

Out-of-bounds Read

An issue was discovered in FreeType 2 through 2.9

CVE-2018-6942 6.5 - Medium - February 13, 2018

An issue was discovered in FreeType 2 through 2.9. A NULL pointer dereference in the Ins_GETVARIATION() function within ttinterp.c could lead to DoS via a crafted font file.

NULL Pointer Dereference

FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c.

CVE-2017-8287 9.8 - Critical - April 27, 2017

FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c.

Buffer Overflow

FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.

CVE-2017-8105 9.8 - Critical - April 24, 2017

FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.

Memory Corruption

FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run function in cff/cffparse.c.

CVE-2016-10328 9.8 - Critical - April 14, 2017

FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run function in cff/cffparse.c.

Memory Corruption

FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tt_size_reset function in truetype/ttobjs.c.

CVE-2017-7864 9.8 - Critical - April 14, 2017

FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tt_size_reset function in truetype/ttobjs.c.

Memory Corruption

FreeType 2 before 2017-03-07 has an out-of-bounds write related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.

CVE-2017-7858 9.8 - Critical - April 14, 2017

FreeType 2 before 2017-03-07 has an out-of-bounds write related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.

Memory Corruption

FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.

CVE-2017-7857 9.8 - Critical - April 14, 2017

FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.

Memory Corruption

The parse_charstrings function in type1/t1load.c in FreeType 2 before 2.7 does not ensure

CVE-2016-10244 7.8 - High - March 06, 2017

The parse_charstrings function in type1/t1load.c in FreeType 2 before 2.7 does not ensure that a font contains a glyph name, which allows remote attackers to cause a denial of service (heap-based buffer over-read) or possibly have unspecified other impact via a crafted file.

Out-of-bounds Read

Stack-based buffer overflow in the cf2_hintmap_build function in cff/cf2hints.c in FreeType before 2.5.3

CVE-2014-2240 - March 12, 2014

Stack-based buffer overflow in the cf2_hintmap_build function in cff/cf2hints.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of stem hints in a font file.

Buffer Overflow

The _bdf_parse_glyphs function in FreeType before 2.4.11

CVE-2012-5670 - January 24, 2013

The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) via vectors related to BDF fonts and an ENCODING field with a negative value.

Buffer Overflow

The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to BDF fonts and an incorrect calculation

CVE-2012-5669 - January 24, 2013

The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to BDF fonts and an incorrect calculation that triggers an out-of-bounds read.

Buffer Overflow

FreeType before 2.4.11

CVE-2012-5668 - January 24, 2013

FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to BDF fonts and the improper handling of an "allocation error" in the bdf_free_font function.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1135 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the NPUSHB and NPUSHW instructions in a TrueType font.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1144 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via a crafted TrueType font.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1143 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (divide-by-zero error) via a crafted font.

Numeric Errors

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1142 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph-outline data in a font.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1141 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted ASCII string in a BDF font.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1140 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted PostScript font object.

Buffer Overflow

Array index error in FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1139 - April 25, 2012

Array index error in FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid stack read operation and memory corruption) or possibly execute arbitrary code via crafted glyph data in a BDF font.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1138 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors involving the MIRP instruction in a TrueType font.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1137 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted header in a BDF font.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font

CVE-2012-1136 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font that lacks an ENCODING field.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1134 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted private-dictionary data in a Type 1 font.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1133 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1132 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted dictionary data in a Type 1 font.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, on 64-bit platforms

CVE-2012-1131 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, on 64-bit platforms allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via vectors related to the cell table of a font.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1130 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a PCF font.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1129 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via a crafted SFNT string in a Type 42 font.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1128 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (NULL pointer dereference and memory corruption) or possibly execute arbitrary code via a crafted TrueType font.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1127 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted glyph or bitmap data in a BDF font.

Buffer Overflow

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products

CVE-2012-1126 - April 25, 2012

FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap read operation and memory corruption) or possibly execute arbitrary code via crafted property data in a BDF font.

Buffer Overflow

Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in FreeType before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Compact Font Format (CFF) font file

CVE-2010-3311 - January 07, 2011

Integer overflow in base/ftstream.c in libXft (aka the X FreeType library) in FreeType before 2.4 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted Compact Font Format (CFF) font file that triggers a heap-based buffer overflow, related to an "input stream position error" issue, a different vulnerability than CVE-2010-1797.

Numeric Errors

Buffer overflow in the ft_var_readpackedpoints function in truetype/ttgxvar.c in FreeType 2.4.3 and earlier

CVE-2010-3855 - November 26, 2010

Buffer overflow in the ft_var_readpackedpoints function in truetype/ttgxvar.c in FreeType 2.4.3 and earlier allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted TrueType GX font.

Buffer Overflow

Heap-based buffer overflow in the Ins_SHZ function in ttinterp.c in FreeType 2.4.3 and earlier

CVE-2010-3814 - November 26, 2010

Heap-based buffer overflow in the Ins_SHZ function in ttinterp.c in FreeType 2.4.3 and earlier allows remote attackers to execute arbitrary code or cause a denial of service (application crash) via a crafted SHZ bytecode instruction, related to TrueType opcodes, as demonstrated by a PDF document with a crafted embedded font.

Buffer Overflow

FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which

CVE-2010-2807 - August 19, 2010

FreeType before 2.4.2 uses incorrect integer data types during bounds checking, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

Incorrect Conversion between Numeric Types

Integer underflow in glyph handling in FreeType before 2.4.0

CVE-2010-2497 - August 19, 2010

Integer underflow in glyph handling in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

Integer underflow

The psh_glyph_find_strong_points function in pshinter/pshalgo.c in FreeType before 2.4.0 does not properly implement hinting masks, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted font file

CVE-2010-2498 - August 19, 2010

The psh_glyph_find_strong_points function in pshinter/pshalgo.c in FreeType before 2.4.0 does not properly implement hinting masks, which allows remote attackers to cause a denial of service (heap memory corruption and application crash) or possibly execute arbitrary code via a crafted font file that triggers an invalid free operation.

Memory Corruption

Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0

CVE-2010-2499 - August 19, 2010

Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted LaserWriter PS font file with an embedded PFB fragment.

Classic Buffer Overflow

Integer overflow in the gray_render_span function in smooth/ftgrays.c in FreeType before 2.4.0

CVE-2010-2500 - August 19, 2010

Integer overflow in the gray_render_span function in smooth/ftgrays.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

Integer Overflow or Wraparound

Heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0

CVE-2010-2519 - August 19, 2010

Heap-based buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.0 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted length value in a POST fragment header in a font file.

Memory Corruption

Heap-based buffer overflow in the Ins_IUP function in truetype/ttinterp.c in FreeType before 2.4.0, when TrueType bytecode support is enabled

CVE-2010-2520 - August 19, 2010

Heap-based buffer overflow in the Ins_IUP function in truetype/ttinterp.c in FreeType before 2.4.0, when TrueType bytecode support is enabled, allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

Memory Corruption

Multiple buffer overflows in demo programs in FreeType before 2.4.0

CVE-2010-2527 - August 19, 2010

Multiple buffer overflows in demo programs in FreeType before 2.4.0 allow remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

Classic Buffer Overflow

Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType before 2.4.2

CVE-2010-2541 - August 19, 2010

Buffer overflow in ftmulti.c in the ftmulti demo program in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

Classic Buffer Overflow

The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which

CVE-2010-2805 - August 19, 2010

The FT_Stream_EnterFrame function in base/ftstream.c in FreeType before 2.4.2 does not properly validate certain position values, which allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via a crafted font file.

Improper Input Validation

Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2

CVE-2010-2806 - August 19, 2010

Array index error in the t42_parse_sfnts function in type42/t42parse.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code via negative size values for certain strings in FontType42 font files, leading to a heap-based buffer overflow.

out-of-bounds array index

Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2

CVE-2010-2808 - August 19, 2010

Buffer overflow in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (memory corruption and application crash) or possibly execute arbitrary code via a crafted Adobe Type 1 Mac Font File (aka LWFN) font.

Classic Buffer Overflow

bdf/bdflib.c in FreeType before 2.4.2

CVE-2010-3053 - August 19, 2010

bdf/bdflib.c in FreeType before 2.4.2 allows remote attackers to cause a denial of service (application crash) via a crafted BDF font file, related to an attempted modification of a value in a static string.

Improper Input Validation

Multiple integer overflows in FreeType 2.3.9 and earlier

CVE-2009-0946 - April 17, 2009

Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c.

Integer Overflow or Wraparound

Multiple off-by-one errors in FreeType2 before 2.3.6

CVE-2008-1808 - June 16, 2008

Multiple off-by-one errors in FreeType2 before 2.3.6 allow context-dependent attackers to execute arbitrary code via (1) a crafted table in a Printer Font Binary (PFB) file or (2) a crafted SHC instruction in a TrueType Font (TTF) file, which triggers a heap-based buffer overflow.

Numeric Errors

Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might

CVE-2007-2754 - May 17, 2007

Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.

Integer overflow in FreeType before 2.2

CVE-2006-3467 - July 21, 2006

Integer overflow in FreeType before 2.2 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted PCF file, as demonstrated by the Red Hat bad1.pcf test file, due to a partial fix of CVE-2006-1861.

Numeric Errors

ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file

CVE-2006-2661 - May 30, 2006

ftutil.c in Freetype before 2.2 allows remote attackers to cause a denial of service (crash) via a crafted font file that triggers a null dereference.

NULL Pointer Dereference

Multiple integer overflows in FreeType before 2.2

CVE-2006-1861 - May 23, 2006

Multiple integer overflows in FreeType before 2.2 allow remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via attack vectors related to (1) bdf/bdflib.c, (2) sfnt/ttcmap.c, (3) cff/cffgload.c, and (4) the read_lwfn function and a crafted LWFN file in base/ftmac.c. NOTE: item 4 was originally identified by CVE-2006-2493.

Numeric Errors