Raysan5 Raylib Integer Overflow Vulnerability in Font Loading Function

Vulnerability

A critical integer overflow vulnerability has been identified in the raysan5 raylib library, specifically in version 909f040 and prior. The issue arises in the `LoadFontData` function within `src/rtext.c`, where the font parser improperly handles font metrics, allowing negative values to be interpreted as large positive integers. This flawed calculation leads to an invalid memory allocation request via `calloc`, which, in a release build, causes a segmentation fault when the `GenImageFontAtlas` function attempts to process the corrupted data. The vulnerability can be exploited locally, and a public proof-of-concept exploit is available.

Impact

Exploitation of this vulnerability causes a segmentation fault, leading to a denial-of-service condition by crashing the application.

Reproduction

The vulnerability can be reproduced by compiling the raylib font test harness with AddressSanitizer enabled, which detects the invalid memory allocation caused by the integer overflow. When the harness is run with a crafted input that triggers the vulnerability, AddressSanitizer reports a calloc parameter overflow, indicating that a negative value was improperly handled and produced an invalid allocation request. The issue can also be reproduced in a release build without AddressSanitizer, where the invalid allocation causes a segmentation fault when the application tries to access the corrupted memory.

Remediation

Users are advised to update to the latest version of raylib, where this vulnerability has been fixed. The patch is available in the commit `5a3391fdce046bc5473e52afbd835dd2dc127146`.
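
For code that sizes allocations from parsed font metrics, the following added example shows the unchecked size calculation next to a validated one. It is not raylib's code and not the referenced patch; the function names and the `MAX_GLYPH_DIM` limit are hypothetical.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define MAX_GLYPH_DIM 4096  /* assumed sanity limit, not a raylib constant */

/* Unchecked: a negative int cast to size_t becomes a huge positive value,
   so the product handed to calloc() is an invalid request. */
size_t glyph_bytes_unchecked(int width, int height)
{
    return (size_t)width * (size_t)height;
}

/* Checked: reject non-positive or oversized metrics and any product that
   would wrap size_t. Returns 0 and sets *out on success, -1 otherwise. */
int glyph_bytes_checked(int width, int height, size_t *out)
{
    if (width <= 0 || height <= 0) return -1;
    if (width > MAX_GLYPH_DIM || height > MAX_GLYPH_DIM) return -1;
    if ((size_t)width > SIZE_MAX / (size_t)height) return -1;
    *out = (size_t)width * (size_t)height;
    return 0;
}

/* Allocate an 8-bit glyph bitmap. Returns NULL for malformed metrics or on
   allocation failure; the caller must check before touching the buffer. */
unsigned char *alloc_glyph(int width, int height)
{
    size_t n;
    if (glyph_bytes_checked(width, height, &n) != 0) return NULL;
    return calloc(n, 1);
}

int main(void)
{
    /* Constructed sample metrics: one valid pair, one with a negative width. */
    int samples[2][2] = { { 16, 24 }, { -8, 24 } };
    for (int i = 0; i < 2; i++) {
        int w = samples[i][0], h = samples[i][1];
        unsigned char *bitmap = alloc_glyph(w, h);
        printf("%dx%d: unchecked=%zu bytes, checked=%s\n", w, h,
               glyph_bytes_unchecked(w, h), bitmap ? "allocated" : "rejected");
        free(bitmap);
    }
    return 0;
}
```
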

Added: Jan 18, 2026, 7:19 AM
Updated: Jan 18, 2026, 7:19 AM

Vulnerability Rating

Custom Algorithm

spread: 0.0
impact: 0.8
exploitability: 4.6
remediation: 0.0
relevance: 2.2
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.