The Type-1 CharString processing function (Type1BuildChar) implemented in the t2k font library shipped with the Oracle Java Runtime Environment supports the "POP" and "CALLOTHER" instructions in Type-1 fonts. Both instructions directly affect the operand stack counter maintained by the CharString VM: POP increments it by 1, and CALLOTHER increments it by a number taken from the font (i.e. attacker-controlled).
While the boundary limits on the stack counter are always correctly enforced (it must always satisfy 0 <= n < 32), neither operator initializes the operand stack slots that become visible under the new value of the counter. Since the memory allocator does not pre-initialize the memory area either, it is possible to make Type1BuildChar operate on uninitialized heap memory while constructing glyph outlines.
The flaw does not entail memory corruption by itself (and therefore cannot be used for remote code execution on its own); however, it could potentially be used to facilitate the exploitation of another vulnerability (e.g. to defeat ASLR), or serve as a memory disclosure primitive if the rendered glyph pixels can be read by the application and propagated back to an attacker.
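The following is an added illustration of the mechanism described above, not code from the t2k library or from this report. It models a CharString VM with a 32-slot operand stack and a bounds-checked counter, where POP and CALLOTHER bump the counter without storing into the newly exposed slots, so a later operator that consumes an operand reads whatever the allocator left behind. The opcode numbering, the immediate operand to CALLOTHER and the STALE_FILL pattern standing in for recycled heap contents are constructed for the example; the hardened variant zero-fills the exposed slots.

```c
/* Toy model of an uninitialized operand-stack read in a CharString VM.
 * This is illustrative code, not the t2k implementation. */
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CS_STACK_SLOTS 32
#define STALE_FILL 0x41414141   /* constructed stand-in for leftover heap data */

typedef struct {
    int32_t slots[CS_STACK_SLOTS];
    int n;                       /* operand count, kept within 0 <= n < 32 */
} cs_stack;

/* Model opcodes (numbering is arbitrary, not the Type-1 encoding). */
enum { OP_PUSH = 1, OP_POP = 2, OP_CALLOTHER = 3, OP_EMIT = 4 };

/* Simulates an allocator handing back recycled, non-zeroed memory. */
static cs_stack *stack_alloc_recycled(void) {
    cs_stack *s = malloc(sizeof *s);
    if (!s) abort();
    for (int i = 0; i < CS_STACK_SLOTS; i++) s->slots[i] = STALE_FILL;
    s->n = 0;
    return s;
}

/* Bump the counter by k, enforcing 0 <= n < 32. Returns 0 if rejected.
 * With zero_new set, the slots that become visible are initialized
 * (hardened behaviour); otherwise they keep their old contents. */
static int stack_grow(cs_stack *s, int k, int zero_new) {
    if (k < 0 || s->n + k >= CS_STACK_SLOTS) return 0;   /* bounds enforced */
    if (zero_new) memset(&s->slots[s->n], 0, (size_t)k * sizeof s->slots[0]);
    s->n += k;
    return 1;
}

/* Runs a program; returns the operand OP_EMIT consumes (the glyph-coordinate
 * analogue), or INT32_MIN if the program is rejected before emitting. */
static int32_t run_charstring(const int32_t *prog, size_t len, int hardened) {
    cs_stack *s = stack_alloc_recycled();
    int32_t out = INT32_MIN;
    for (size_t pc = 0; pc < len; ) {
        switch (prog[pc++]) {
        case OP_PUSH:                              /* stores a value: safe */
            if (pc >= len || s->n + 1 >= CS_STACK_SLOTS) goto done;
            s->slots[s->n++] = prog[pc++];
            break;
        case OP_POP:                               /* counter +1, no store */
            if (!stack_grow(s, 1, hardened)) goto done;
            break;
        case OP_CALLOTHER:                         /* counter += immediate */
            if (pc >= len || !stack_grow(s, prog[pc++], hardened)) goto done;
            break;
        case OP_EMIT:                              /* consume top operand */
            if (s->n < 1) goto done;
            out = s->slots[--s->n];
            break;
        default:
            goto done;
        }
    }
done:
    free(s);
    return out;
}

/* Constructed program: one real operand, then CALLOTHER exposes 3 slots
 * without writing them, then the top slot is consumed. */
static const int32_t k_prog[] = { OP_PUSH, 7, OP_CALLOTHER, 3, OP_EMIT };
int32_t leaky_value(void)    { return run_charstring(k_prog, 5, 0); }
int32_t hardened_value(void) { return run_charstring(k_prog, 5, 1); }

/* CALLOTHER asking for 40 slots is rejected by the 0 <= n < 32 check, so
 * the counter never leaves the buffer: a stale read, not a corruption. */
static const int32_t k_oob[] = { OP_CALLOTHER, 40, OP_EMIT };
int32_t oob_value(void) { return run_charstring(k_oob, 3, 0); }

int main(void) {
    printf("vulnerable model emits: 0x%08x\n", (uint32_t)leaky_value());
    printf("hardened model emits:   %d\n", (int)hardened_value());
    printf("oversized bump rejected: %d\n", oob_value() == INT32_MIN);
    return 0;
}
```

The vulnerable variant emits the stale fill pattern as a glyph operand, which is the disclosure path the report describes; the bounds check still holds in both variants, which is why the bug is a read of stale heap contents rather than a memory corruption.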
Due to low severity of the issue, a Proof of Concept is not attached.
This bug is subject to a 90 day disclosure deadline. If 90 days elapse without a broadly available patch, then the bug report will automatically become visible to the public.