The following heap-based out-of-bounds memory read has been encountered in FreeType, in the handling of the "cmap" (format 4) SFNT table. It has been reproduced with the current version of freetype2 from master git branch, with a 64-bit build of the ftbench utility compiled with AddressSanitizer:

$ ftbench <file>

Attached are three POC files which trigger the condition.

=================================================================
==5451==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x61400000ffe2 at pc 0x865d2a bp 0x7ffffa4c8af0 sp 0x7ffffa4c8ae8
READ of size 1 at 0x61400000ffe2 thread T0
    #0 0x865d29 in tt_cmap4_validate freetype2/src/sfnt/ttcmap.c:862
    #1 0x8ea568 in tt_face_build_cmaps freetype2/src/sfnt/ttcmap.c:3550
    #2 0x8a6713 in sfnt_load_face freetype2/src/sfnt/sfobjs.c:1297
    #3 0x55f099 in tt_face_init freetype2/src/truetype/ttobjs.c:563
    #4 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
    #5 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
    #6 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
    #7 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #8 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924

0x61400000ffe2 is located 2 bytes to the right of 416-byte region [0x61400000fe40,0x61400000ffe0)
allocated by thread T0 here:
    #0 0x472081 in __interceptor_malloc (ft2demos-2.5.3/bin/ftbench+0x472081)
    #1 0xaf265f in ft_alloc freetype2/src/base/ftsystem.c:74
    #2 0x526b21 in ft_mem_qalloc freetype2/src/base/ftutil.c:76
    #3 0x525591 in FT_Stream_EnterFrame freetype2/src/base/ftstream.c:267
    #4 0x524d51 in FT_Stream_ExtractFrame freetype2/src/base/ftstream.c:200
    #5 0x8accb2 in tt_face_load_cmap freetype2/src/sfnt/ttload.c:928
    #6 0x8a09dc in sfnt_load_face freetype2/src/sfnt/sfobjs.c:1048
    #7 0x55f099 in tt_face_init freetype2/src/truetype/ttobjs.c:563
    #8 0x4cc13e in open_face freetype2/src/base/ftobjs.c:1191
    #9 0x4c794b in FT_Open_Face freetype2/src/base/ftobjs.c:2123
    #10 0x4c5b58 in FT_New_Face freetype2/src/base/ftobjs.c:1254
    #11 0x491533 in get_face ft2demos-2.5.3/src/ftbench.c:705
    #12 0x48d748 in main ft2demos-2.5.3/src/ftbench.c:924

SUMMARY: AddressSanitizer: heap-buffer-overflow freetype2/src/sfnt/ttcmap.c:862 tt_cmap4_validate
Shadow bytes around the buggy address:
  0x0c287fff9fa0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9fb0: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fff9fc0: fa fa fa fa fa fa fa fa 00 00 00 00 00 00 00 00
  0x0c287fff9fd0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
  0x0c287fff9fe0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
=>0x0c287fff9ff0: 00 00 00 00 00 00 00 00 00 00 00 00[fa]fa fa fa
  0x0c287fffa000: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa010: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa020: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa030: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
  0x0c287fffa040: fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa fa
Shadow byte legend (one shadow byte represents 8 application bytes):
  Addressable:           00
  Partially addressable: 01 02 03 04 05 06 07
  Heap left redzone:       fa
  Heap right redzone:      fb
  Freed heap region:       fd
  Stack left redzone:      f1
  Stack mid redzone:       f2
  Stack right redzone:     f3
  Stack partial redzone:   f4
  Stack after return:      f5
  Stack use after scope:   f8
  Global redzone:          f9
  Global init order:       f6
  Poisoned by user:        f7
  Contiguous container OOB:fc
  ASan internal:           fe
==5451==ABORTING
 

asan_heap-oob_850e0e_7066_cov_1811926313_ilits.ttf 75.0 KB Download

asan_heap-oob_850e0e_8428_cov_3005715731_mima4x4o.ttf 19.4 KB Download

asan_heap-oob_850e0e_4567_cov_3431804032_combustt.ttf 54.1 KB Download