| + |
An out of bounds write exists in FreeType versions 2.13.0 and below |
| + |
when attempting to parse font subglyph structures related to TrueType |
| + |
GX and variable font files. The vulnerable code assigns a signed short |
| + |
value to an unsigned long and then adds a static value causing it to |
| + |
wrap around and allocate too small of a heap buffer. The code then |
| + |
writes up to 6 signed long integers out of bounds relative to this |
| + |
buffer. This may result in arbitrary code execution. This vulnerability |
| + |
may have been exploited in the wild. |
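Review bot: the added description gives the affected range only as "versions 2.13.0 and below" in its first line, and nothing in the lines shown names an advisory identifier or the first fixed release, so a reader cannot tell from this text which upstream record it tracks or which version to upgrade to. Suggest adding both next to that line, and naming the affected function or source file where the text says "The vulnerable code assigns a signed short value to an unsigned long", so the description can be matched against the fix. The closing sentence, "This vulnerability may have been exploited in the wild", makes a claim that affects patch priority and should cite its source.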