549 - Avast: integer overflow verifying numFonts in TTC Header - project-zero

Starred by 1 user

Status:	Fixed
Owner:	taviso@google.com
Closed:	Dec 2015
Cc:	project-...@google.com
Vendor-Avast Deadline-90 Finder-taviso Severity-high CCProjectZeroMembers Product-Avast Reported-2015-Oct-01

Avast: integer overflow verifying numFonts in TTC Header

Project Member Reported by taviso@google.com, Oct 1 2015

Back to list

If the numFonts field in the TTC header is greater than (SIZE_MAX+1) / 4, an integer overflow occurs in filevirus_ttf() when calling CSafeGenFile::SafeLockBuffer.

The TTC file format is described here https://www.microsoft.com/typography/otspec/otff.htm

The attached testcase has password "infected".

This bug is subject to a 90 day disclosure deadline. If 90 days elapse
without a broadly available patch, then the bug report will automatically
become visible to the public.

a0eee768acb56254727d3171e5789cb5.zip
1.7 MB Download

Project Member Comment 1 by taviso@google.com, Dec 9 2015

Labels: -Restrict-View-Commit
Status: Fixed

This issue appears to be resolved.

► Sign in to add a comment