Closed Bug 576997 Opened 10 years ago Closed 10 years ago
Need to upgrade in-tree FreeType to 2.4.0 once it has been released
Robert Święcki of Google Switzerland GmbH reported multiple (possibly security-related) bugs in FreeType 2.3.12 and earlier. Once FreeType 2.4.0 has been released, we need to upgrade our in-tree copies to ensure we have the fixes for these issues. Filing this as a tracker bug to ensure we do that and don't miss it.
Is anything on 1.9.2 or 1.9.1 using the in-tree FreeType yet?
Summary: Need to upgrade in-tree FreeType to 2.4.0 once it has been released → Need to upgrade in-tree FreeType to 2.4.0 once it has been released
I recommend checking out http://code.google.com/p/ots/ - as far as I know it's been written to support OTF/TTF/WOFF in chromium. But the library is pretty portable, so maybe you should think about using it as well (none of the bugs I've reported affect chromium, even though it's using freetype under linux/macos)
We don't use in-tree Freetype in any desktop build. We may be using it on some mobile builds, I'm not sure.
(In reply to comment #3)
> We don't use in-tree Freetype in any desktop build. We may be using it on some
> mobile builds, I'm not sure.
We haven't had an official release using in-tree freetype yet
Well, libots is a very robust sanitizer. It's not only protecting against libfreetype bugs (I managed to find only one that passed libots verification, a NULL-ptr deref. in freetype, but it's already been fixed). I think that it's even more useful when protecting Windows' in-kernel font renderer (sic!:). Not sure what firefox is using on windows to render fonts, but if it's this ingenious Microsoft's idea of ring-0 font renderer, then I'd use some sanitizer ;).
> it's this ingenious Microsoft's idea of ring-0 font renderer,
> then I'd use some sanitizer ;).
Oh... and in the light of recent Microsoft's PR wars against security researchers: This is solely my opinion; it does not necessarily reflect opinions of my employer etc. etc.. :)
Yeah, it might make a lot of sense to use a sanitizer before we pass downloaded fonts to the system glyph rasterizer. That should be treated as a separate issue though.
This blocks android only.
Assignee: nobody → blassey.bugs
Attachment #458674 - Flags: review?(benjamin)
FT 2.4.1 is released, no need to keep this bug hidden.
Status: NEW → RESOLVED
Closed: 10 years ago
Resolution: --- → FIXED