Closed Bug 553433 (CVE-2009-0946) Opened 10 years ago Closed 10 years ago

Multiple integer overflows in FreeType 2.3.9 and earlier


(Core :: Layout: Text and Fonts, defect, critical)




Tracking Status
status2.0 --- ?
status1.9.2 --- ?
status1.9.1 --- ?


(Reporter: reed, Assigned: jfkthame)




(Whiteboard: [sg:critical?] not sure if affects us yet)


(2 files)


Multiple integer overflows in FreeType 2.3.9 and earlier allow remote attackers to execute arbitrary code via vectors related to large values in certain inputs in (1) smooth/ftsmooth.c, (2) sfnt/ttcmap.c, and (3) cff/cffload.c.

We have FreeType 2.3.7 on 1.9.1, 1.9.2, and trunk (1.9.3). Need to see if these issues affect us, and if so, get them patched in our code (or even see about doing a complete FreeType upgrade).
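As an added check, not part of this bug or of Mozilla's code, the Python below reads the FREETYPE_MAJOR/MINOR/PATCH defines that FreeType's include/freetype/freetype.h carries and reports whether a vendored copy falls in the "2.3.9 and earlier" range named in the description. The header text embedded in it is a constructed sample, not the real file, and the tuple comparison is there because a string compare would rank 2.3.10 below 2.3.9.

```python
import re

# Versions at or below this are listed as affected in the CVE description above.
LAST_AFFECTED = (2, 3, 9)

# Constructed sample of the version defines found in freetype.h;
# not a copy of the real header. 2.3.7 is what the tree carries per the bug.
SAMPLE_HEADER = """
#define FREETYPE_MAJOR  2
#define FREETYPE_MINOR  3
#define FREETYPE_PATCH  7
"""


def parse_freetype_version(header_text):
    """Return (major, minor, patch) from freetype.h-style #define lines."""
    version = {}
    for name in ("MAJOR", "MINOR", "PATCH"):
        m = re.search(r"^\s*#\s*define\s+FREETYPE_%s\s+(\d+)" % name,
                      header_text, re.MULTILINE)
        if m is None:
            raise ValueError("FREETYPE_%s not found in header" % name)
        version[name] = int(m.group(1))
    return (version["MAJOR"], version["MINOR"], version["PATCH"])


def is_affected(version, last_affected=LAST_AFFECTED):
    """Numeric tuple compare: (2, 3, 10) correctly sorts above (2, 3, 9)."""
    return version <= last_affected


def check_header(header_text):
    """Return ('x.y.z', affected_flag) for a header's text."""
    v = parse_freetype_version(header_text)
    return ("%d.%d.%d" % v, is_affected(v))


def check_header_file(path):
    """Same check against a file on disk, e.g. a vendored freetype.h."""
    with open(path) as fh:
        return check_header(fh.read())


if __name__ == "__main__":
    # With the constructed sample this prints ('2.3.7', True).
    print(check_header(SAMPLE_HEADER))
```

For the tree discussed here the file to pass to `check_header_file` would be the vendored modules/freetype2/include/freetype/freetype.h.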
Severity: normal → critical
Jonathan: can you please renominate if we can confirm that we're affected by this?
blocking1.9.1: ? → ---
blocking1.9.2: ? → ---
blocking2.0: ? → ---
We haven't shipped a release that uses this code on 1.9.1 or 1.9.2, so I don't think we need to care about it there. We plan to ship off of trunk using it though, so I think we should just update trunk to 2.3.12.
Don't our Linux releases use it? Or secondary platforms such as OS/2?
To my knowledge, only Windows Mobile and Android use it. Our Linux platforms use system fontconf/freetype.
I'll look into updating our freetype, if nobody else has jumped in already. Should be pretty straightforward, I hope.
Assignee: nobody → jfkthame
Seems like a painless upgrade. Maemo builds OK on tryserver; I don't have other FT2-using build environments on hand at the moment.

I think it makes sense to do this first, then look into bug 553273 again.

Patch is compressed (.bz2) because otherwise it exceeds bugzilla's limit for attachment size.
Attachment #434907 - Flags: review?(bugmail)
Attachment #434907 - Attachment is patch: true
Attachment #434907 - Attachment mime type: application/octet-stream → text/plain
Blocks: 553273
Maemo doesn't build this, so I tried building Android with this patch and got the following error:

../../../modules/freetype2/src/autofit/aflatin2.c:19:10: error: #include expects "FILENAME" or <FILENAME>

which is from:
#include FT_ADVANCES_H
Adding ftheader.h as an additional forced include fixes this for me. Still trying to confirm that everything still renders correctly.
Text renders fine; looking over the patch now.
Comment on attachment 434907 [details] [diff] [review]
update freetype sources to v2.3.12 (from

Looks fine, just change the to be:

-DEFINES += -DFT2_BUILD_LIBRARY -DFT_OPTION_AUTOFIT2 -FI $(srcdir)/include/freetype/config/ftstdlib.h
+ifdef _MSC_VER
+DEFINES += -FI $(srcdir)/include/freetype/config/ftstdlib.h -FI $(srcdir)/include/freetype/config/ftheader.h
+DEFINES += -include $(srcdir)/include/freetype/config/ftstdlib.h -include $(srcdir)/include/freetype/config/ftheader.h
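Review bot: as quoted, the hunk opens `+ifdef _MSC_VER` but shows no `else`/`endif`, so the GCC-style `-include` line would sit inside the MSVC branch next to the `-FI` line; it also drops `-DFT2_BUILD_LIBRARY -DFT_OPTION_AUTOFIT2` from the removed line without re-adding them in the visible `+` lines. Confirm the landed change keeps those defines and closes the conditional with an `else`/`endif` between the two `DEFINES +=` lines.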
Attachment #434907 - Flags: review?(bugmail) → review+
OK, thanks. Pushed this, with the fix.
Closed: 10 years ago
Resolution: --- → FIXED
I updated the date in the freetype license notice as part of the 2.3.12 update, and also added Maemo to the platforms mentioned there; this was incorrect, but we should instead mention Android (see comment #7).
Attachment #435171 - Flags: review?(bugmail)
Comment on attachment 435171 [details] [diff] [review]
followup to correct freetype notice in about:license

It's not clear to me that OS/2 still uses freetype, but that portion of this dates to pre-1.9.0.
Attachment #435171 - Flags: review?(bugmail) → review+
Pushed followup:

(The gfxOS2Fonts code uses freetype, so unless the platform or another package provides it, I presume we're still building it there. If this is out-of-date, the OS/2 people can fix it separately.)
Group: core-security → core-security-release
Group: core-security-release