Stb_truetype library heap buffer overflows (many CVEs, no CVEs yet)

This topic contains 0 replies, has 1 voice, and was last updated by  marcinguy 1 month, 2 weeks ago.



    A 16k-star project, used in, I can imagine, game engines, UI, Android/iOS/embedded. Used in another 30k-star project and 11k from even Google (also possibly not fixed). OpenCV (55k stars) seems to be also affected (new branch only). Attack vector is through a malicious font. Buy me a beer if you get a bounty on it, and also the initial fuzzing person: [https://github.com/nothings/stb/issues/618](https://github.com/nothings/stb/issues/618)

    Per the developer, the library was not intended to work with untrusted data.

    Be careful when using it, consider a replacement. This is a PSA. 


    P.S. Full thread here: [https://twitter.com/marcinguy/status/1421740689516339200?s=19](https://twitter.com/marcinguy/status/1421740689516339200?s=19)
