fontconfig Heap Buffer Overflow Vulnerability in sfnt Capability Handling

Vulnerability

A heap buffer overflow vulnerability has been identified in fontconfig versions prior to 2.17.1. The issue arises from an off-by-one error in memory allocation during the handling of sfnt capabilities, specifically within the FcFontCapabilities function in fcfreetype.c. This vulnerability can lead to a one-byte out-of-bounds write, potentially causing a crash or allowing for arbitrary code execution.
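The following C snippet is an added illustration of the bug class described above, not fontconfig's own code: it models a capability string built from two parts joined by a single space (names such as `otlayout:DFLT` / `ttable:Silf` and the helper names are assumptions), contrasts the one-byte-short size computation with the correct one, and shows how a size-bounded write with a checked return value turns an undersized buffer into a detected error instead of a heap write past the end.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical model: a capability string is "<part1> <part2>", e.g.
 * "otlayout:DFLT ttable:Silf". Bytes needed: len1 + 1 (space) + len2 + 1 (NUL). */
size_t cap_required_size(const char *a, const char *b)
{
    return strlen(a) + 1 + strlen(b) + 1;
}

/* Constructed illustration of an off-by-one: the separator is not counted,
 * so the allocation is one byte too small for the string that gets written. */
size_t cap_buggy_size(const char *a, const char *b)
{
    return strlen(a) + strlen(b) + 1;
}

/* Join into a caller-sized buffer. snprintf never writes past bufsize, and a
 * return value >= bufsize means the buffer was too small (truncation), which
 * is reported as an error instead of silently producing a corrupted string.
 * Returns the string length on success, -1 on failure. */
int cap_join(char *buf, size_t bufsize, const char *a, const char *b)
{
    int n = snprintf(buf, bufsize, "%s %s", a, b);
    if (n < 0 || (size_t)n >= bufsize)
        return -1;
    return n;
}

/* Allocate exactly the required size and join; NULL on failure. */
char *cap_join_alloc(const char *a, const char *b)
{
    size_t need = cap_required_size(a, b);
    char *s = malloc(need);
    if (!s)
        return NULL;
    if (cap_join(s, need, a, b) < 0) {
        free(s);
        return NULL;
    }
    return s;
}

int main(void)
{
    char *s = cap_join_alloc("otlayout:DFLT", "ttable:Silf");
    printf("required=%zu buggy=%zu -> \"%s\"\n",
           cap_required_size("otlayout:DFLT", "ttable:Silf"),
           cap_buggy_size("otlayout:DFLT", "ttable:Silf"), s ? s : "(null)");
    free(s);
    return 0;
}
```

Building such code with AddressSanitizer, as the reproduction section describes, is what surfaces the missing byte when the unchecked variant is used.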

Impact

Exploitation of this vulnerability causes a heap buffer overflow, which leads to memory corruption. Vulnerabilities of this type can often be leveraged for arbitrary code execution or to crash the affected program.

Reproduction

The vulnerability can be reproduced by running fontconfig's fc-cache command on a build with AddressSanitizer enabled. The overflow is triggered when fontconfig processes certain TrueType fonts, such as those available in the Conakry or Dai Banna SIL font collections.

Remediation

Users can upgrade to fontconfig version 2.17.1 or later to address this vulnerability.

Added: Mar 25, 2026, 5:35 PM
Updated: Mar 25, 2026, 5:35 PM

Vulnerability Rating

Custom Algorithm
spread: 7.8
impact: 7.5
exploitability: 4.4
remediation: 7.7
relevance: 4.7
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.