| Title | nothings stb (stb_truetype.h) ≤ 1.26 Out-of-Bounds Read |
|---|
| Description |

A heap buffer overflow (out-of-bounds read) vulnerability exists in `stbtt__buf_get8()` in stb_truetype.h v1.26 and earlier. The function at line 1137 reads a single byte from a buffer object without properly validating that the current cursor position is within bounds. When processing a crafted font file with a CFF (Compact Font Format) table containing invalid offsets, the read exceeds the allocated buffer.

This is triggered during `stbtt_InitFont_internal()` at line 1424 when parsing CFF font data. Any application that calls `stbtt_InitFont()` on untrusted CFF/OpenType font data is affected.

ASAN output:

```
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61100000012e
READ of size 1 at 0x61100000012e
#0 stbtt__buf_get8 stb_truetype.h:1137
#1 stbtt_InitFont_internal stb_truetype.h:1424
#2 stbtt_InitFont stb_truetype.h:4956
0x61100000012e is located 26 bytes to the right of 212-byte region
```
|---|
| Source | https://gist.github.com/d0razi/c11dd07c75f3b795e4f8bbfd6e2f0d29 |
|---|
| User | d0razi (UID 96474) |
|---|
| Submitted | 2026-03-16 01:12 AM (23 days ago) |
|---|
| Moderation | 2026-04-01 02:40 PM (17 days later) |
|---|
| Status | Accepted |
|---|
| VulDB Entry | 354647 [Nothings stb up to 1.26 TTF File stb_truetype.h stbtt__buf_get8 Information Disclosure] |
|---|
| Points | 20 |
|---|
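The description above names the defect class: a one-byte read whose cursor is not checked against the buffer's size, reached through CFF offsets that were never validated against the parent buffer. The C block below is an added, illustrative example of the defensive pattern a font parser wants here: a byte reader that refuses to read past `size`, plus a sub-range helper that rejects any (offset, length) pair taken from file data that is not fully contained in the parent buffer, including pairs whose sum overflows. It is not stb_truetype's own code; the `byte_buf` struct, the function names, and the 212-byte constructed parent buffer (sized to match the region in the ASAN report) are assumptions for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Illustrative byte reader (added example, not stb_truetype's code). */
typedef struct {
    const uint8_t *data;  /* start of the backing allocation or sub-range */
    size_t cursor;        /* next byte to read, relative to data */
    size_t size;          /* number of bytes that may legally be read from data */
} byte_buf;

/* Read one byte. Returns 1 and advances on success; returns 0 and touches no
   memory when the cursor is at or past the end of the buffer. */
static int buf_get8(byte_buf *b, uint8_t *out)
{
    if (b->cursor >= b->size)
        return 0;
    *out = b->data[b->cursor++];
    return 1;
}

/* Derive a sub-buffer from an (offset, length) pair read out of untrusted
   file data. Accepts only ranges that lie entirely inside the parent; the
   two comparisons are written so that off + len can never overflow. */
static int buf_range(const byte_buf *parent, size_t off, size_t len, byte_buf *out)
{
    if (off > parent->size || len > parent->size - off)
        return 0;
    out->data = parent->data + off;
    out->cursor = 0;
    out->size = len;
    return 1;
}

/* Constructed parent buffer standing in for a font file's table data:
   byte i holds the value i, so reads are easy to verify. */
enum { SAMPLE_SIZE = 212 };
static uint8_t sample_data[SAMPLE_SIZE];

static void fill_sample(void)
{
    for (size_t i = 0; i < SAMPLE_SIZE; i++)
        sample_data[i] = (uint8_t)i;
}

/* Try to read up to `count` bytes from sub-range (off, len) of the parent.
   Returns -1 if the range is rejected, otherwise the number of bytes read,
   which stops at the sub-range's end regardless of `count`. */
int read_from_range(size_t off, size_t len, size_t count)
{
    fill_sample();
    byte_buf parent = { sample_data, 0, SAMPLE_SIZE };
    byte_buf sub;
    if (!buf_range(&parent, off, len, &sub))
        return -1;
    int n = 0;
    uint8_t byte;
    while ((size_t)n < count && buf_get8(&sub, &byte))
        n++;
    return n;
}

/* Read the whole sub-range (off, len) and return the value of the last byte
   read; -1 if the range is rejected, -2 if the range is empty. */
int last_byte_of_range(size_t off, size_t len)
{
    fill_sample();
    byte_buf parent = { sample_data, 0, SAMPLE_SIZE };
    byte_buf sub;
    if (!buf_range(&parent, off, len, &sub))
        return -1;
    int last = -2;
    uint8_t byte;
    while (buf_get8(&sub, &byte))
        last = byte;
    return last;
}

int main(void)
{
    /* A range inside the parent is accepted and reads exactly its bytes. */
    printf("in-bounds (200,12): read %d bytes, last byte %d\n",
           read_from_range(200, 12, 100), last_byte_of_range(200, 12));
    /* A range one byte past the end is rejected before any read happens. */
    printf("over-by-one (200,13): %d\n", read_from_range(200, 13, 1));
    /* A length that would overflow off + len is rejected as well. */
    printf("overflowing (100,SIZE_MAX): %d\n", read_from_range(100, SIZE_MAX, 1));
    return 0;
}
```

The two checks are deliberately separate: `buf_get8` is the last line of defence and only stops a read that has already gone wrong, while `buf_range` stops the bad offset at the point where it enters the parser, which is where a table or index length taken from the file should be validated.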