FreeType commit 1e2eb65048f75c64b68708efed6ce904c31f3b2f was discovered to contain a heap buffer overflow via the function sfnt_init_face.
Max CVSS
9.8
EPSS Score
0.88%
Published
2022-04-22
Updated
2024-02-29
CVE-2020-15999
Known exploited
Heap buffer overflow in Freetype in Google Chrome prior to 86.0.4240.111 allowed a remote attacker to potentially exploit heap corruption via a crafted HTML page.
Max CVSS
6.5
EPSS Score
2.55%
Published
2020-11-03
Updated
2024-02-15
CISA KEV Added
2021-11-03
FreeType 2 before 2017-03-26 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c.
Max CVSS
9.8
EPSS Score
0.95%
Published
2017-04-27
Updated
2021-01-26
FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c.
Max CVSS
9.8
EPSS Score
1.18%
Published
2017-04-24
Updated
2021-01-26
FreeType 2 before 2017-02-02 has an out-of-bounds write caused by a heap-based buffer overflow related to the tt_size_reset function in truetype/ttobjs.c.
Max CVSS
9.8
EPSS Score
0.91%
Published
2017-04-14
Updated
2021-01-26
FreeType 2 before 2017-03-08 has an out-of-bounds write caused by a heap-based buffer overflow related to the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c.
Max CVSS
9.8
EPSS Score
0.91%
Published
2017-04-14
Updated
2021-01-26
FreeType 2 before 2016-12-16 has an out-of-bounds write caused by a heap-based buffer overflow related to the cff_parser_run function in cff/cffparse.c.
Max CVSS
9.8
EPSS Score
0.93%
Published
2017-04-14
Updated
2021-03-26
The Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 proceeds with adding to length values without validating the original values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.
Max CVSS
7.5
EPSS Score
2.53%
Published
2015-02-08
Updated
2018-10-30
Integer signedness error in the Mac_Read_POST_Resource function in base/ftobjs.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted Mac font.
Max CVSS
6.8
EPSS Score
2.90%
Published
2015-02-08
Updated
2018-10-30
Array index error in the parse_fond function in base/ftmac.c in FreeType before 2.5.4 allows remote attackers to cause a denial of service (out-of-bounds read) or obtain sensitive information from process memory via a crafted FOND resource in a Mac font file.
Max CVSS
5.8
EPSS Score
2.97%
Published
2015-02-08
Updated
2018-10-30
Multiple integer signedness errors in the pcf_get_encodings function in pcf/pcfread.c in FreeType before 2.5.4 allow remote attackers to cause a denial of service (integer overflow, NULL pointer dereference, and application crash) via a crafted PCF file that specifies negative values for the first column and first row.
Max CVSS
4.3
EPSS Score
2.20%
Published
2015-02-08
Updated
2018-10-30
The woff_open_font function in sfnt/sfobjs.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting length values, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact via a crafted Web Open Font Format (WOFF) file.
Max CVSS
7.5
EPSS Score
3.69%
Published
2015-02-08
Updated
2018-10-30
sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted SFNT table.
Max CVSS
6.8
EPSS Score
2.45%
Published
2015-02-08
Updated
2018-10-30
The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap.
Max CVSS
6.8
EPSS Score
1.89%
Published
2015-02-08
Updated
2018-10-30
The Load_SBit_Png function in sfnt/pngshim.c in FreeType before 2.5.4 does not restrict the rows and pitch values of PNG data, which allows remote attackers to cause a denial of service (integer overflow and heap-based buffer overflow) or possibly have unspecified other impact by embedding a PNG file in a .ttf font file.
Max CVSS
7.5
EPSS Score
3.86%
Published
2015-02-08
Updated
2018-10-30
FreeType before 2.5.4 does not check for the end of the data during certain parsing actions, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted Type42 font, related to type42/t42parse.c and type1/t1load.c.
Max CVSS
6.8
EPSS Score
1.33%
Published
2015-02-08
Updated
2018-10-30
The tt_cmap4_validate function in sfnt/ttcmap.c in FreeType before 2.5.4 validates a certain length field before that field's value is completely calculated, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted cmap SFNT table.
Max CVSS
7.5
EPSS Score
2.64%
Published
2015-02-08
Updated
2018-10-30
cff/cf2ft.c in FreeType before 2.5.4 does not validate the return values of point-allocation functions, which allows remote attackers to cause a denial of service (heap-based buffer overflow) or possibly have unspecified other impact via a crafted OTF font.
Max CVSS
7.5
EPSS Score
5.10%
Published
2015-02-08
Updated
2018-10-30
cff/cf2intrp.c in the CFF CharString interpreter in FreeType before 2.5.4 proceeds with additional hints after the hint mask has been computed, which allows remote attackers to execute arbitrary code or cause a denial of service (stack-based buffer overflow) via a crafted OpenType font. NOTE: this vulnerability exists because of an incomplete fix for CVE-2014-2240.
Max CVSS
7.5
EPSS Score
3.79%
Published
2015-02-08
Updated
2018-10-30
The tt_sbit_decoder_load_image function in sfnt/ttsbit.c in FreeType before 2.5.4 does not properly check for an integer overflow, which allows remote attackers to cause a denial of service (out-of-bounds read) or possibly have unspecified other impact via a crafted OpenType font.
Max CVSS
7.5
EPSS Score
3.95%
Published
2015-02-08
Updated
2018-10-30
Stack-based buffer overflow in the cf2_hintmap_build function in cff/cf2hints.c in FreeType before 2.5.3 allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a large number of stem hints in a font file.
Max CVSS
7.5
EPSS Score
13.91%
Published
2014-03-12
Updated
2021-01-26
The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (out-of-bounds write and crash) via vectors related to BDF fonts and an ENCODING field with a negative value.
Max CVSS
4.3
EPSS Score
1.10%
Published
2013-01-24
Updated
2021-01-26
The _bdf_parse_glyphs function in FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (crash) and possibly execute arbitrary code via vectors related to BDF fonts and an incorrect calculation that triggers an out-of-bounds read.
Max CVSS
4.3
EPSS Score
1.49%
Published
2013-01-24
Updated
2021-01-26
FreeType before 2.4.11 allows context-dependent attackers to cause a denial of service (NULL pointer dereference and crash) via vectors related to BDF fonts and the improper handling of an "allocation error" in the bdf_free_font function.
Max CVSS
4.3
EPSS Score
1.79%
Published
2013-01-24
Updated
2021-01-26
FreeType before 2.4.9, as used in Mozilla Firefox Mobile before 10.0.4 and other products, allows remote attackers to cause a denial of service (invalid heap write operation and memory corruption) or possibly execute arbitrary code via a crafted TrueType font.
Max CVSS
9.3
EPSS Score
5.24%
Published
2012-04-25
Updated
2023-02-13