pango -- integer overflow

2009-02-22T00:00:00
ID 4B172278-3F46-11DE-BECB-001CC0377035
Type freebsd
Reporter FreeBSD
Modified 2009-10-01T00:00:00

Description

oCERT reports:

Pango suffers from a multiplicative integer overflow which may lead to a potentially exploitable, heap overflow depending on the calling conditions. For example, this vulnerability is remotely reachable in Firefox by creating an overly large document.location value but only results in a process-terminating, allocation error (denial of service). The affected function is pango_glyph_string_set_size. An overflow check when doubling the size neglects the overflow possible on the subsequent allocation.