Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow.
| Name | Vendor | Start Version | End Version |
|---|---|---|---|
| Freetype | Freetype | * | 2.3.4 (including) |
| Red Hat Enterprise Linux 2.1 | RedHat | freetype-0:2.0.3-10.el21 | * |
| Red Hat Enterprise Linux 2.1 | RedHat | freetype-0:2.0.3-17.el21 | * |
| Red Hat Enterprise Linux 3 | RedHat | freetype-0:2.1.4-7.el3 | * |
| Red Hat Enterprise Linux 3 | RedHat | freetype-0:2.1.4-12.el3 | * |
| Red Hat Enterprise Linux 4 | RedHat | freetype-0:2.1.9-6.el4 | * |
| Red Hat Enterprise Linux 4 | RedHat | freetype-0:2.1.9-10.el4.7 | * |
| Red Hat Enterprise Linux 5 | RedHat | freetype-0:2.2.1-19.el5 | * |
| Freetype | Ubuntu | dapper | * |
| Freetype | Ubuntu | devel | * |
| Freetype | Ubuntu | edgy | * |
| Freetype | Ubuntu | feisty | * |
| Openoffice.org-l10n | Ubuntu | devel | * |