Nothings stb_truetype.h
cpe:2.3:a:nothings:stb_truetype.h:*:*:*:*:*:*:*
- <= 1.26
A heap buffer overflow vulnerability, leading to an out-of-bounds read, has been identified in the Nothings STB library, specifically in the TTF file handler component, version 1.26 and prior. The issue arises in the function 'stbtt__buf_get8' within the 'stb_truetype.h' file. This vulnerability can be exploited remotely by supplying a crafted font file, particularly one with a CFF (Compact Font Format) table that contains invalid offsets. The out-of-bounds read occurs during the font initialization process, when the library parses the CFF data without properly validating the buffer's cursor position. As a result, the function reads beyond the allocated memory.
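The defensive pattern the description calls for, as an added illustration that is not stb_truetype's own code: a hypothetical cursor-based byte reader (`font_buf`, `buf_seek`, `buf_get8`, `read_index_count` are all made-up names) where the seek clamps any out-of-range or negative offset and the byte read validates the cursor before dereferencing, so an invalid CFF offset in a constructed sample table fails closed instead of reading outside the buffer.

```c
#include <stdint.h>

/* Hypothetical cursor-based reader modelled on the pattern the advisory
 * describes (data + signed size + signed cursor). Not stb's code. */
typedef struct {
    const uint8_t *data;
    int size;    /* signed, so negative offsets must be rejected explicitly */
    int cursor;
} font_buf;

/* Hardened seek: any offset outside [0, size] parks the cursor at the end,
 * so every later read fails closed instead of indexing outside the buffer. */
static void buf_seek(font_buf *b, int offset) {
    if (offset < 0 || offset > b->size)
        b->cursor = b->size;
    else
        b->cursor = offset;
}

/* Hardened get8: checks the cursor before every dereference; 0 past the end. */
static uint8_t buf_get8(font_buf *b) {
    if (b->cursor < 0 || b->cursor >= b->size)
        return 0;
    return b->data[b->cursor++];
}

/* Read a big-endian 16-bit count field (the first field of a CFF INDEX) at
 * the given offset. Returns -1 if the offset or the read would leave the table. */
int read_index_count(const uint8_t *table, int size, int offset) {
    font_buf b = { table, size, 0 };
    buf_seek(&b, offset);
    if (b.cursor + 2 > b.size)      /* fewer than 2 bytes left: refuse the read */
        return -1;
    int hi = buf_get8(&b);
    int lo = buf_get8(&b);
    return (hi << 8) | lo;
}

/* Constructed 8-byte sample table; the INDEX count at offset 4 is 0x0003. */
static const uint8_t SAMPLE_TABLE[8] = { 1, 0, 4, 1, 0x00, 0x03, 0xAA, 0xBB };

int count_at_valid_offset(void)    { return read_index_count(SAMPLE_TABLE, 8, 4); }
int count_at_oversized_offset(void){ return read_index_count(SAMPLE_TABLE, 8, 0x7fff); }
int count_at_negative_offset(void) { return read_index_count(SAMPLE_TABLE, 8, -16); }
```

Run under AddressSanitizer, the same inputs produce no report, because neither the oversized nor the negative offset ever reaches the `data[...]` dereference.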
Exploitation of this vulnerability causes a heap buffer overflow, which can lead to memory corruption and possibly allow for arbitrary code execution.
The vulnerability can be reproduced by compiling a C program that uses the STB TrueType library to load a crafted TTF file containing invalid CFF offsets. The program should be compiled with AddressSanitizer enabled, which will detect the out-of-bounds read when the file is processed.