Submission #780558: nothings stb (stb_truetype.h) ≤ 1.26 Out-of-Bounds Read

Title: nothings stb (stb_truetype.h) ≤ 1.26 Out-of-Bounds Read

Description: A heap buffer overflow (out-of-bounds read) vulnerability exists in `stbtt_InitFont_internal()` in stb_truetype.h v1.26 and earlier. The function `ttUSHORT()` at line 1286 reads 2 bytes from the font data buffer without validating that the offset is within the buffer bounds. When processing a crafted TrueType/OpenType font file with malformed table directory entries, the read exceeds the allocated buffer boundary. The vulnerability is triggered during font initialization when parsing the cmap table entries. Any application that calls `stbtt_InitFont()` on untrusted font data is affected.

ASAN output:

```
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000144
READ of size 1 at 0x612000000144
    #0 ttUSHORT stb_truetype.h:1286
    #1 stbtt_InitFont_internal stb_truetype.h:1472
    #2 stbtt_InitFont stb_truetype.h:4956
0x612000000144 is located 0 bytes to the right of 260-byte region
```

Source: ⚠️ https://gist.github.com/d0razi/cb31a92f3205a4373f19b7da25946848
User: d0razi (UID 96474)
Submitted: 2026. 03. 16. AM 01:11 (23 days ago)
Moderation: 2026. 04. 01. PM 02:40 (17 days later)
Status: Accepted
VulDB entry: 354646 [Nothings stb up to 1.26 TTF File stb_truetype.h stbtt_InitFont_internal information disclosure]
Points: 20
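
A caller-side mitigation for the unchecked reads described above, as an added example (not code from stb or from the submission): a length-aware pre-flight check over the sfnt table directory and the cmap encoding-record array, run before the buffer is handed to `stbtt_InitFont()`. The names `rd_u16`, `rd_u32`, `sfnt_preflight` and `sample_font` are hypothetical, and the check assumes a single font starting at offset 0 of the buffer.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Bounds-checked big-endian reads: return 0 instead of reading past len. */
static int rd_u16(const unsigned char *d, size_t len, size_t off, uint32_t *out) {
    if (off > len || len - off < 2) return 0;
    *out = ((uint32_t)d[off] << 8) | d[off + 1];
    return 1;
}
static int rd_u32(const unsigned char *d, size_t len, size_t off, uint32_t *out) {
    uint32_t hi, lo;
    if (!rd_u16(d, len, off, &hi) || !rd_u16(d, len, off + 2, &lo)) return 0;
    *out = (hi << 16) | lo;
    return 1;
}

/* Hypothetical pre-flight check: returns 1 only if every table directory entry
   and the cmap encoding-record array lie inside data[0..len). */
int sfnt_preflight(const unsigned char *data, size_t len) {
    uint32_t ntab, off, tlen, nenc, i;
    if (!rd_u16(data, len, 4, &ntab)) return 0;           /* numTables */
    for (i = 0; i < ntab; i++) {
        size_t rec = 12 + (size_t)i * 16;                 /* tag, checksum, offset, length */
        if (!rd_u32(data, len, rec + 8, &off)) return 0;
        if (!rd_u32(data, len, rec + 12, &tlen)) return 0;
        if (off > len || tlen > len - off) return 0;      /* table body leaves the buffer */
        if (memcmp(data + rec, "cmap", 4) != 0) continue;
        /* cmap: version u16, numTables u16, then numTables 8-byte encoding records */
        if (tlen < 4 || !rd_u16(data, len, (size_t)off + 2, &nenc)) return 0;
        if ((size_t)nenc * 8 > tlen - 4) return 0;
    }
    return 1;
}

/* Constructed 40-byte sample: sfnt header, one directory entry, minimal cmap. */
static const unsigned char sample_font[40] = {
    0x00,0x01,0x00,0x00, 0x00,0x01, 0x00,0x10, 0x00,0x00, 0x00,0x00, /* header, numTables=1 */
    'c','m','a','p', 0,0,0,0, 0,0,0,28, 0,0,0,12,                    /* offset=28, length=12 */
    0x00,0x00, 0x00,0x01, 0x00,0x03, 0x00,0x01, 0,0,0,12             /* 1 encoding record */
};
```

The check covers only the table directory and the cmap record array; it does not validate cmap subtable offsets or any other table the library reads later.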
