| Title | nothings stb (stb_truetype.h) ≤ 1.26 Out-of-Bounds Read |
|---|
| Description | A heap buffer overflow (out-of-bounds read) vulnerability exists in `stbtt_InitFont_internal()` in stb_truetype.h v1.26 and earlier. The function `ttUSHORT()` at line 1286 reads 2 bytes from the font data buffer without validating that the offset is within the buffer bounds. When processing a crafted TrueType/OpenType font file with malformed table directory entries, the read exceeds the allocated buffer boundary.
The vulnerability is triggered during font initialization when parsing the cmap table entries. Any application that calls `stbtt_InitFont()` on untrusted font data is affected.
ASAN output:
```
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000144
READ of size 1 at 0x612000000144
#0 ttUSHORT stb_truetype.h:1286
#1 stbtt_InitFont_internal stb_truetype.h:1472
#2 stbtt_InitFont stb_truetype.h:4956
0x612000000144 is located 0 bytes to the right of 260-byte region
``` |
|---|
| Source | https://gist.github.com/d0razi/cb31a92f3205a4373f19b7da25946848 |
|---|
| User | d0razi (UID 96474) |
|---|
| Submitted | 2026-03-16 01:11 (18 days ago) |
|---|
| Moderation | 2026-04-01 14:40 (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 354646 [Nothings stb up to 1.26 TTF File stb_truetype.h stbtt_InitFont_internal information disclosure] |
|---|
| Points | 20 |
|---|
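The read pattern the description names, shown as an added example that is not code from the page, from the submitter, or from stb_truetype.h itself: an unchecked `ttUSHORT()` in the stb style beside bounds-checked readers, plus a table-directory and cmap encoding-record walk that refuses any record or table that runs past the end of the buffer. The helper names `rd_u16`, `rd_u32`, `find_table_checked` and `validate_cmap` are hypothetical, and the two byte arrays are constructed for this example, not real fonts. `bad_font` has a directory entry that points the `cmap` table at the last four bytes of the buffer, so the first encoding record begins exactly one byte past the end, which is the shape reported by the ASAN trace above ("0 bytes to the right" of the region).

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef uint8_t  stbtt_uint8;
typedef uint16_t stbtt_uint16;
typedef uint32_t stbtt_uint32;

/* Unchecked big-endian readers in the style of stb_truetype.h: the caller must
   guarantee that p points at 2 (resp. 4) readable bytes. Nothing here checks. */
static stbtt_uint16 ttUSHORT(const stbtt_uint8 *p) { return (stbtt_uint16)(p[0] * 256 + p[1]); }
static stbtt_uint32 ttULONG(const stbtt_uint8 *p) {
    return ((stbtt_uint32)p[0] << 24) | ((stbtt_uint32)p[1] << 16) |
           ((stbtt_uint32)p[2] << 8)  |  (stbtt_uint32)p[3];
}

/* Bounds-checked readers (hypothetical names, not stb_truetype.h API).
   Return 1 and store the value, or 0 if the read would leave [data, data+len). */
static int rd_u16(const stbtt_uint8 *data, size_t len, size_t off, stbtt_uint16 *out) {
    if (off > len || len - off < 2) return 0;
    *out = ttUSHORT(data + off);
    return 1;
}
static int rd_u32(const stbtt_uint8 *data, size_t len, size_t off, stbtt_uint32 *out) {
    if (off > len || len - off < 4) return 0;
    *out = ttULONG(data + off);
    return 1;
}

/* Walk the sfnt table directory (offset table at 0, 16-byte records from offset 12)
   looking for `tag`. Both the record and the table it describes must lie entirely
   inside the buffer; a malformed offset/length pair is rejected instead of trusted. */
static int find_table_checked(const stbtt_uint8 *data, size_t len, const char tag[4],
                              stbtt_uint32 *tab_off, stbtt_uint32 *tab_len) {
    stbtt_uint16 num_tables;
    if (!rd_u16(data, len, 4, &num_tables)) return 0;
    for (stbtt_uint16 i = 0; i < num_tables; ++i) {
        size_t rec = 12 + 16 * (size_t)i;
        if (rec > len || len - rec < 16) return 0;      /* directory entry itself is truncated */
        if (memcmp(data + rec, tag, 4) != 0) continue;
        stbtt_uint32 off  = ttULONG(data + rec + 8);    /* safe: record is in bounds */
        stbtt_uint32 tlen = ttULONG(data + rec + 12);
        if (off > len || len - off < tlen) return 0;    /* table points past the buffer end */
        *tab_off = off;
        *tab_len = tlen;
        return 1;
    }
    return 0;
}

/* Checked mirror of the cmap loop in stbtt_InitFont_internal: header is
   version(2) numTables(2), followed by numTables encoding records of
   platformID(2) encodingID(2) subtableOffset(4). Returns 1 only if every
   record is inside the buffer and every subtable offset is inside the table. */
static int validate_cmap(const stbtt_uint8 *data, size_t len) {
    stbtt_uint32 cmap, cmap_len;
    stbtt_uint16 n;
    if (!find_table_checked(data, len, "cmap", &cmap, &cmap_len)) return 0;
    if (!rd_u16(data, len, (size_t)cmap + 2, &n)) return 0;
    for (stbtt_uint16 i = 0; i < n; ++i) {
        size_t rec = (size_t)cmap + 4 + 8 * (size_t)i;
        stbtt_uint16 platform_id;
        stbtt_uint32 sub_off;
        if (!rd_u16(data, len, rec, &platform_id)) return 0;   /* the read the ASAN trace flags */
        if (!rd_u32(data, len, rec + 4, &sub_off)) return 0;
        if (sub_off >= cmap_len) return 0;                      /* subtable would start outside cmap */
    }
    return 1;
}

/* Constructed samples (not real fonts): a minimal sfnt with a single "cmap" table. */
static const stbtt_uint8 good_font[] = {
    0x00,0x01,0x00,0x00, 0x00,0x01, 0x00,0x10, 0x00,0x00, 0x00,0x00,    /* offset table, numTables = 1 */
    'c','m','a','p', 0,0,0,0, 0x00,0x00,0x00,0x1C, 0x00,0x00,0x00,0x10, /* cmap at 28, length 16 */
    0x00,0x00, 0x00,0x01,                                               /* cmap: version 0, 1 record */
    0x00,0x03, 0x00,0x01, 0x00,0x00,0x00,0x0C,                          /* platform 3, enc 1, subtable +12 */
    0x00,0x00,0x00,0x00                                                 /* dummy subtable bytes, in bounds */
};

/* Directory entry places cmap at offset 60 with length 4: the 4-byte header fits,
   but the first encoding record starts at offset 64 == sizeof bad_font. */
static const stbtt_uint8 bad_font[64] = {
    [0]  = 0x00,0x01,0x00,0x00, 0x00,0x01, 0x00,0x10, 0x00,0x00, 0x00,0x00,
    [12] = 'c','m','a','p', 0,0,0,0, 0x00,0x00,0x00,0x3C, 0x00,0x00,0x00,0x04,
    /* bytes 28..59 are zero padding */
    [60] = 0x00,0x00, 0x00,0x01                                         /* version 0, numTables = 1 */
};

int main(void) {
    printf("good_font cmap records in bounds: %d\n", validate_cmap(good_font, sizeof good_font));
    printf("bad_font  cmap records in bounds: %d\n", validate_cmap(bad_font, sizeof bad_font));
    return 0;
}
```

In the unchecked original, `ttUSHORT(data + 64)` on `bad_font` would touch the byte immediately after the 64-byte allocation; `validate_cmap` instead returns 0 before any pointer is dereferenced. The same `rd_u16`/`rd_u32` discipline has to be applied to every later offset the font supplies (`loca`, `glyf`, `hmtx`, the cmap subtables), since the table directory is only the first place untrusted offsets enter the parser.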