| Título | nothings stb (stb_truetype.h) ≤ 1.26 Out-of-Bounds Read |
|---|
| Descrição | A heap buffer overflow (out-of-bounds read) vulnerability exists in `stbtt_InitFont_internal()` in stb_truetype.h v1.26 and earlier. The function `ttUSHORT()` at line 1286 reads 2 bytes from the font data buffer without validating that the offset is within the buffer bounds. When processing a crafted TrueType/OpenType font file with malformed table directory entries, the read exceeds the allocated buffer boundary.
The vulnerability is triggered during font initialization when parsing the cmap table entries. Any application that calls `stbtt_InitFont()` on untrusted font data is affected.
ASAN output:
```
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000144
READ of size 1 at 0x612000000144
#0 ttUSHORT stb_truetype.h:1286
#1 stbtt_InitFont_internal stb_truetype.h:1472
#2 stbtt_InitFont stb_truetype.h:4956
0x612000000144 is located 0 bytes to the right of 260-byte region
``` |
|---|
| Fonte | ⚠️ https://gist.github.com/d0razi/cb31a92f3205a4373f19b7da25946848 |
|---|
| Utilizador | d0razi (UID 96474) |
|---|
| Submissão | 16/03/2026 01h11 (há 21 dias) |
|---|
| Moderação | 01/04/2026 14h40 (17 days later) |
|---|
| Estado | Aceite |
|---|
| Entrada VulDB | 354646 [Nothings stb até 1.26 TTF File stb_truetype.h stbtt_InitFont_internal Divulgação de Informação] |
|---|
| Pontos | 20 |
|---|