In the freetype/src/sfnt/ttload.c file responsible for handling SFNT tables, there are potential integer overflow conditions in the following code snippets:

209:      /* we ignore invalid tables */
210:      if ( table.Offset + table.Length > stream->size )
211:      {
212:        FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
213:        continue;
214:      }
215:      else
216:        valid_entries++;

and

397:     /* ignore invalid tables */
398:      if ( entry->Offset + entry->Length > stream->size )
399:        continue;
400:      else
401:      {
402:        FT_TRACE2(( "  %c%c%c%c  %08lx  %08lx  %08lx\n",
403:                    (FT_Char)( entry->Tag >> 24 ),
404:                    (FT_Char)( entry->Tag >> 16 ),
405:                    (FT_Char)( entry->Tag >> 8  ),
406:                    (FT_Char)( entry->Tag       ),
407:                    entry->Offset,
408:                    entry->Length,
409:                    entry->CheckSum ));
410:        entry++;
411:      }

Since both "Offset" and "Length" fields are fully controlled 32-bit unsigned integers, their sum can overflow the integer ranges on 32-bit builds of FreeType, effectively bypassing the sanity above checks.

The full consequence of not correctly filtering out such malformed tables is not fully understood; we assume, however, that the worst that could happen as a result of this issue is an out-of-bounds read from the table of an allegedly enormous size (while in reality much smaller). We believe installing proper bounds checking should be a good defense-in-depth measure to prevent further bugs related to such bogus table headers.