| 标题 | nothings stb (stb_truetype.h) ≤ 1.26 Out-of-Bounds Read |
|---|
| 描述 | A heap buffer overflow (out-of-bounds read) vulnerability exists in `stbtt_InitFont_internal()` in stb_truetype.h v1.26 and earlier. The function `ttUSHORT()` at line 1286 reads 2 bytes from the font data buffer without validating that the offset is within the buffer bounds. When processing a crafted TrueType/OpenType font file with malformed table directory entries, the read exceeds the allocated buffer boundary.
The vulnerability is triggered during font initialization when parsing the cmap table entries. Any application that calls `stbtt_InitFont()` on untrusted font data is affected.
ASAN output:
```
ERROR: AddressSanitizer: heap-buffer-overflow on address 0x612000000144
READ of size 1 at 0x612000000144
#0 ttUSHORT stb_truetype.h:1286
#1 stbtt_InitFont_internal stb_truetype.h:1472
#2 stbtt_InitFont stb_truetype.h:4956
0x612000000144 is located 0 bytes to the right of 260-byte region
``` |
|---|
| 来源 | ⚠️ https://gist.github.com/d0razi/cb31a92f3205a4373f19b7da25946848 |
|---|
| 用户 | d0razi (UID 96474) |
|---|
| 提交 | 2026-03-16 01時11分 (26 日前) |
|---|
| 管理 | 2026-04-01 14時40分 (17 days later) |
|---|
| 状态 | 已接受 |
|---|
| VulDB条目 | 354646 [Nothings stb 直到 1.26 TTF File stb_truetype.h stbtt_InitFont_internal 信息公开] |
|---|
| 积分 | 20 |
|---|