I think perhaps the best way forward here would be for Canonical to assign a CVE for this issue if it looks like a real vulnerability and then we can proceed with a fix. I will enquire internally.
-- 
You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to freetype in Ubuntu.
https://bugs.launchpad.net/bugs/2059852

Title:
  Invalid free called during libfreetype FT_Done_Glyph

Status in freetype package in Ubuntu:
  New
Status in freetype source package in Jammy:
  New

Bug description:
  A fuzzed font file triggers an invalid free operation. Current upstream 2.13 was not observed crashing with the input.

  ==1793660== Memcheck, a memory error detector
  ==1793660== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
  ==1793660== Using Valgrind-3.18.1 and LibVEX; rerun with -h for copyright info
  ==1793660== Command: ftgrid 12 ftgrid_invalid_free_shown_by_valgrind.ttf
  ==1793660==
  ==1793660== Argument 'size' of function malloc has a fishy (possibly negative) value: -205496320
  ==1793660==    at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1793660==    by 0x10F09A: UnknownInlinedFun (ftgrid.c:412)
  ==1793660==    by 0x10F09A: UnknownInlinedFun (ftgrid.c:580)
  ==1793660==    by 0x10F09A: main (ftgrid.c:1818)
  ==1793660==
  ==1793660== Invalid free() / delete / delete[] / realloc()
  ==1793660==    at 0x484B27F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1793660==    by 0x48C2EC3: UnknownInlinedFun (ftutil.c:173)
  ==1793660==    by 0x48C2EC3: FT_Bitmap_Done (ftbitmap.c:1169)
  ==1793660==    by 0x48C5947: FT_Done_Glyph (ftglyph.c:650)
  ==1793660==    by 0x10F1A0: UnknownInlinedFun (ftgrid.c:589)
  ==1793660==    by 0x10F1A0: main (ftgrid.c:1818)
  ==1793660==  Address 0x5292040 is 0 bytes inside a block of size 58,519,576 free'd
  ==1793660==    at 0x484B27F: free (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1793660==    by 0x10F18A: UnknownInlinedFun (ftgrid.c:586)
  ==1793660==    by 0x10F18A: main (ftgrid.c:1818)
  ==1793660==  Block was alloc'd at
  ==1793660==    at 0x4848899: malloc (in /usr/libexec/valgrind/vgpreload_memcheck-amd64-linux.so)
  ==1793660==    by 0x48BDB08: ft_mem_qrealloc (ftutil.c:145)
  ==1793660==    by 0x48BF04D: ft_mem_realloc (ftutil.c:101)
  ==1793660==    by 0x491815B: ft_smooth_render.lto_priv.0 (ftsmooth.c:475)
  ==1793660==    by 0x48BD24C: FT_Render_Glyph_Internal (ftobjs.c:4721)
  ==1793660==    by 0x48C8A2F: FT_Glyph_To_Bitmap (ftglyph.c:596)
  ==1793660==    by 0x11A67E: FTDemo_Glyph_To_Bitmap (ftcommon.c:1365)
  ==1793660==    by 0x10DCC1: UnknownInlinedFun (ftgrid.c:575)
  ==1793660==    by 0x10DCC1: main (ftgrid.c:1818)

  Program received signal SIGSEGV, Segmentation fault.
  0x00007ffff7be13fe in __GI___libc_free (mem=0x7ffff4087010) at ./malloc/malloc.c:3368
  3368    ./malloc/malloc.c: No such file or directory.
  (gdb) bt
  #0  0x00007ffff7be13fe in __GI___libc_free (mem=0x7ffff4087010) at ./malloc/malloc.c:3368
  #1  0x00007ffff7ebeec4 in ft_mem_free (P=<optimized out>, memory=<optimized out>) at ./src/base/ftutil.c:173
  #2  FT_Bitmap_Done (library=<optimized out>, bitmap=0x5555555a25e0) at ./src/base/ftbitmap.c:1169
  #3  0x00007ffff7ec1948 in FT_Done_Glyph (glyph=0x5555555a25b0) at ./src/base/ftglyph.c:650
  #4  0x000055555555b1a1 in grid_status_draw_outline (st=0x5555555703e0 <status>, display=<optimized out>, handle=<optimized out>) at ./ft2demos/src/ftgrid.c:589
  #5  main (argc=<optimized out>, argv=<optimized out>) at ./ft2demos/src/ftgrid.c:1818

  $ apt-cache policy libfreetype6
  libfreetype6:
    Installed: 2.11.1+dfsg-1ubuntu0.2
    Candidate: 2.11.1+dfsg-1ubuntu0.2
    Version table:
   *** 2.11.1+dfsg-1ubuntu0.2 500
          500 http://archive.ubuntu.com/ubuntu jammy-updates/main amd64 Packages
          500 http://security.ubuntu.com/ubuntu jammy-security/main amd64 Packages
          100 /var/lib/dpkg/status
       2.11.1+dfsg-1build1 500
          500 http://archive.ubuntu.com/ubuntu jammy/main amd64 Packages

  Description:    Ubuntu 22.04.3 LTS
  Release:        22.04
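The Valgrind report above points at two distinct defects: malloc() at ftgrid.c:412 receives a size that is negative when read as a signed integer, and the bitmap buffer freed at ftgrid.c:586 is freed a second time inside FT_Bitmap_Done when FT_Done_Glyph runs. The following is an added example written for this page, not FreeType or ft2demos code: a constructed bitmap type (bitmap_t, bitmap_init, bitmap_done, bitmap_take_buffer, all hypothetical names) that shows the two defensive patterns a reviewer would ask for here, a size computation that cannot overflow into a "fishy" malloc argument, and an explicit ownership hand-off so that exactly one party frees the pixel buffer. The buggy caller is kept for contrast and is never executed.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Constructed stand-in for a library-owned bitmap. This is NOT FreeType's
 * FT_Bitmap; the type and function names are illustrative only. */
typedef struct {
    unsigned int   rows;
    unsigned int   width;
    unsigned char *buffer;   /* owned by the struct; released by bitmap_done() */
} bitmap_t;

/* Compute rows*width with an explicit overflow check and an upper bound, so a
 * corrupt font header can never turn into the "fishy (possibly negative)"
 * malloc size Valgrind flagged. Returns false and leaves *out untouched when
 * the product overflows size_t or exceeds `limit`. */
bool bitmap_size_checked(unsigned int rows, unsigned int width,
                         size_t limit, size_t *out)
{
    if (rows == 0 || width == 0) { *out = 0; return true; }
    if ((size_t)rows > SIZE_MAX / width) return false;   /* would overflow */
    size_t n = (size_t)rows * width;
    if (n > limit) return false;                          /* policy bound */
    *out = n;
    return true;
}

/* Allocate the pixel buffer only through the checked size. */
bool bitmap_init(bitmap_t *bm, unsigned int rows, unsigned int width, size_t limit)
{
    size_t n;
    bm->buffer = NULL;
    if (!bitmap_size_checked(rows, width, limit, &n)) return false;
    bm->rows  = rows;
    bm->width = width;
    if (n == 0) return true;
    bm->buffer = calloc(n, 1);
    return bm->buffer != NULL;
}

/* Library-side release. Clearing the pointer makes a repeated call harmless. */
void bitmap_done(bitmap_t *bm)
{
    free(bm->buffer);
    bm->buffer = NULL;
}

/* Ownership transfer: a caller that wants to free the pixels itself takes
 * them out of the struct first, so bitmap_done() has nothing left to free. */
unsigned char *bitmap_take_buffer(bitmap_t *bm)
{
    unsigned char *p = bm->buffer;
    bm->buffer = NULL;
    return p;
}

/* BUGGY pattern, kept for contrast and never called here: the caller frees
 * the library's buffer directly and leaves the pointer in place, then the
 * library's own release frees the same address again. This is the shape of
 * the report above (free at ftgrid.c:586, second free in FT_Bitmap_Done). */
void caller_releases_buggy(bitmap_t *bm)
{
    free(bm->buffer);   /* first free; bm->buffer now dangles */
    bitmap_done(bm);    /* second free of the same block: "Invalid free()" */
}

/* Correct caller: take ownership explicitly, then let the library release
 * whatever it still owns. Returns the byte count the caller ended up owning
 * (0 when the size check or allocation fails). */
size_t caller_releases_fixed(unsigned int rows, unsigned int width)
{
    bitmap_t bm;
    if (!bitmap_init(&bm, rows, width, 64u << 20)) return 0;   /* 64 MiB cap */
    unsigned char *pixels = bitmap_take_buffer(&bm);
    size_t owned = (size_t)bm.rows * bm.width;
    bitmap_done(&bm);   /* safe: bm.buffer is already NULL */
    free(pixels);       /* exactly one free, by the new owner */
    return owned;
}

int main(void)
{
    /* Constructed 16x16 glyph-sized bitmap; exits 0 when the hand-off works. */
    return caller_releases_fixed(16, 16) == 256 ? 0 : 1;
}
```

Running the buggy variant under Valgrind or with -fsanitize=address reproduces the same two-frame "Invalid free()" shape seen in the report, which is how a maintainer would confirm that the fix belongs in the caller's ownership handling rather than in the library's release path.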