Nothings Stb stb_truetype.h Out-of-Bounds Read Vulnerability

Vulnerability

A heap buffer overflow, classified as an out-of-bounds read, has been identified in Nothings Stb versions through 1.26. The issue lies in the function 'stbtt_InitFont_internal' in the 'stb_truetype.h' library and is reached when the TTF file handler processes font data. The out-of-bounds read occurs in 'ttUSHORT()', which reads two bytes from the font data at an offset that is not validated against the length of the buffer, so a crafted offset can point past the end of the allocation. The issue can be exploited remotely, and a public exploit is available.
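As an added illustration, not code from the stb project, the following C shows the read pattern the advisory describes (a two-byte big-endian read at an offset taken from the font) beside a length-checked version that refuses an offset the buffer cannot satisfy, and applies that check to the TrueType table directory header. The sample buffers and function names are constructed for this example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>

/* Raw 2-byte big-endian read, the shape of read the advisory describes.
   Safe only once the caller has proven that both bytes exist. */
static uint16_t read_u16_raw(const uint8_t *p) {
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Checked variant: reads only if [off, off+2) lies inside the len-byte
   buffer and reports failure instead of touching memory past its end. */
bool read_u16_checked(const uint8_t *data, size_t len, size_t off, uint16_t *out) {
    if (off > len || len - off < 2)   /* overflow-safe range check */
        return false;
    *out = read_u16_raw(data + off);
    return true;
}

/* Validates a TrueType offset table: numTables sits at byte 4, and the table
   directory (12 header bytes + 16 bytes per record) must fit in the file
   before any record offset read from it is trusted. */
bool validate_table_directory(const uint8_t *data, size_t len, uint16_t *num_tables) {
    if (!read_u16_checked(data, len, 4, num_tables))
        return false;
    return 12 + (size_t)*num_tables * 16 <= len;
}

/* Constructed sample inputs, not real fonts: a well-formed 28-byte header
   with one table record, and a 12-byte file that claims 65535 tables. */
static const uint8_t good_font[28] = {
    0,1,0,0, 0,1, 0,16, 0,0, 0,0,                   /* header, numTables = 1 */
    'c','m','a','p', 0,0,0,0, 0,0,0,28, 0,0,0,0 };  /* one 16-byte record  */
static const uint8_t bad_font[12] = { 0,1,0,0, 0xFF,0xFF, 0,0, 0,0, 0,0 };

bool check_good_font(void) {
    uint16_t n = 0;
    return validate_table_directory(good_font, sizeof good_font, &n) && n == 1;
}

bool check_bad_font(void) {   /* rejected before any out-of-bounds read */
    uint16_t n = 0;
    return !validate_table_directory(bad_font, sizeof bad_font, &n);
}
```

Compiled with AddressSanitizer, the raw read alone would report the same heap-buffer-overflow class the advisory names when fed the truncated sample; the checked path never reaches it.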

Impact

Exploitation of this vulnerability causes a heap buffer overflow in the form of an out-of-bounds read. This type of memory corruption can often be exploited to execute arbitrary code or cause a denial-of-service condition.

Reproduction

The vulnerability can be reproduced by compiling a program with AddressSanitizer enabled, which will detect the out-of-bounds read. The compiled program can then be run with a crafted TrueType font file that triggers the vulnerability. The public exploit available on Gist can be used to demonstrate the vulnerability.

Added: Apr 1, 2026, 11:24 PM
Updated: Apr 1, 2026, 11:24 PM

Vulnerability Rating

Custom Algorithm
spread: 2.4
impact: 2.5
exploitability: 5.6
remediation: 0.0
relevance: 5.1
threat: 6.4
urgency: 2.9
incentive: 0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.