The tt_sbit_decoder_init function in sfnt/ttsbit.c in FreeType before 2.5.4 proceeds with a count-to-size association without restricting the count value, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted embedded bitmap.
Vector
NETWORK
Complexity
MEDIUM
Authentication
NONE
Confidentiality
PARTIAL
Integrity
PARTIAL
Availability
PARTIAL
Redhat Enterprise linux hpc node eus 7.1 (not an official CPE)
Redhat Enterprise linux hpc node 7.0 (not an official CPE)
Redhat Enterprise linux hpc node 6 (not an official CPE)
Redhat Enterprise linux desktop 7.0 (not an official CPE)
Redhat Enterprise linux desktop 6.0 (not an official CPE)
Oracle Solaris 11.2
Oracle Solaris 10.0 (not an official CPE)
Opensuse Opensuse 13.2 (not an official CPE)
Opensuse Opensuse 13.1 (not an official CPE)
Fedora 21
Fedora 20
Debian Linux 7.0
Canonical Ubuntu Linux 15.04
Canonical Ubuntu linux 14.10 (not an official CPE)
Canonical Ubuntu Linux 14.04 LTS (Long-Term Support)
Canonical Ubuntu Linux 12.04 LTS
Canonical Ubuntu Linux 10.04 LTS
Redhat Enterprise linux server 6.0 (not an official CPE)
Redhat Enterprise linux server 7.0 (not an official CPE)
Redhat Enterprise linux server eus 6.6.z (not an official CPE)
Redhat Enterprise linux server eus 7.1 (not an official CPE)
Redhat Enterprise linux workstation 6.0 (not an official CPE)
Redhat Enterprise linux workstation 7.0 (not an official CPE)
Redhat - Enterprise linux hpc node eus
Redhat - Enterprise linux hpc node
Redhat - Enterprise linux desktop
Oracle - Solaris
Opensuse - Opensuse
Fedoraproject - Fedora
Debian - Debian linux
Canonical - Ubuntu linux
Freetype - Freetype
Redhat - Enterprise linux server
Redhat - Enterprise linux server eus
Redhat - Enterprise linux workstation