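In read_paint of ttcolr.c, there is a possible out-of-bounds read due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation. The signatures that follow all reference the same fix commit and target src/sfnt/ttcolr.c; besides read_paint, they also cover tt_face_get_paint_layers and read_color_line, so a match on any of them should be checked against that commit.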
{ "vanir_signatures": [ { "digest": { "threshold": 0.9, "line_hashes": [ "306028730103453001949389040698110809210", "139551454863163921199091447580440890743", "146481857632338490229451060853437642193", "52923008947120250382686592499354124373", "103390494577978554655663562106019007429", "311535720356207440618201013295517544080", "263791282487955854066239476330548281248", "154550138651895736634106501555028627147", "126023655564957189324895948395724503363", "47841667429785024774877606583258177440", "157831469805408457417433933344796030494", "128238996367472570062047381139380673765", "110644623379568852099709327847126581659", "105553687388233691960296314805900136071", "50111659023819480512636344661363422627", "170745083070249731896637414250525299775", "271829570882408219265880480877109604417", "131818949153970063885003368394068527294", "313801983922143130188867348647693009890", "313610615790584256513557166397042661607", "208628776772681940669443923441209641379", "244930656989140677336386094008945216271", "12672997220747165287942532257231905775", "78220747209021846639297174279767866836", "39112473556601994622699064173279287430", "272372914479427644101259402595087452638", "334765934514828448194691644195121841919", "92739665075054122881410002459718624740", "336595512376344382895362844154876546483", "108152522950872298177532387053883185371", "16191347676968857858877719674763164388", "75773312977215286259429635251826035787", "188409672356226176053788052145871893533", "91143965747346509511241320602927864971", "272698422234510055857249334519843134540", "93548487298838510260721883110491236706", "159085700099597414715421493584185808081", "286302697220326232021711404906086561976", "219113390765323762551543646848130750715", "286709817848932883390923149620027314800", "251711439383684670559968540234682477315", "146492862162375426727754448507183125894", "3826590563765277584297568531103087788", "21363079221283039628355594746609282564", "35279173998540991358487128469439539082", 
"124818387315921630012688634714708409857", "309706396900603377093330220940426574748", "4065293868813772577317159028262253465", "51722676836173464740452856352123558567", "111385093176625424726810537903159486445", "42700529971238162577034322091016376653", "26453188124286742715656649985588049099", "44758196280328814276824374934087830486", "128811308591740885678058902910867905206", "219777835619492577551760383867886024167", "112445417634223826472403462108176778983", "235377609065164758842094833296701734689", "248590775977334896468842175376274499402", "121347156128466578282184259951802446038", "239902161045098148916876693761450559412", "36943730272097728288876688975513481448", "120653563891354915867545929761197940610", "196772659357566858624513698937506685528", "84000472345732681592580113441802261646", "113042475703390595762514377063929626949", "40708619659630716894572737856881413665", "62728794434925583579805085429507648300", "231435349030168719952753608234201717757", "100165521904982659079436998922500697565", "69869752435190240569589921259717445370", "274721578920433698004389192039801651657", "250253667760252061623450827911287889505", "141137264133873383923089780289888986928", "138507170756007196890016410753863032880", "65560529895864474444280617841624897041", "230970938259886824516699882421850430277", "179834360902633010314850207246579288008", "38683025683833032981472370768473397668", "330774469270102111921943588653901196954", "83957305151142334745416304181683574066", "134105816972824297494678382552876023852", "313261455380631391363597566642671202672", "213001289923340008701256667973412945343", "63608630149708990954475705771229600003", "152142401467115816188922512903659338026", "64875136997337305080492253441712431503" ] }, "id": "ASB-A-254803162-1028b8bf", "source": "https://android.googlesource.com/platform/external/freetype/+/b56d29a0a69d9fe7b8e377b3397d1e326761dfab", "deprecated": false, "signature_version": "v1", "target": { "file": "src/sfnt/ttcolr.c" }, 
"signature_type": "Line" }, { "digest": { "length": 966.0, "function_hash": "324248395258620335472283662895952390797" }, "id": "ASB-A-254803162-671b0736", "source": "https://android.googlesource.com/platform/external/freetype/+/b56d29a0a69d9fe7b8e377b3397d1e326761dfab", "deprecated": false, "signature_version": "v1", "target": { "file": "src/sfnt/ttcolr.c", "function": "tt_face_get_paint_layers" }, "signature_type": "Function" }, { "digest": { "length": 7170.0, "function_hash": "102613444367544991272758447049686408626" }, "id": "ASB-A-254803162-e69c6e1b", "source": "https://android.googlesource.com/platform/external/freetype/+/b56d29a0a69d9fe7b8e377b3397d1e326761dfab", "deprecated": false, "signature_version": "v1", "target": { "file": "src/sfnt/ttcolr.c", "function": "read_paint" }, "signature_type": "Function" }, { "digest": { "length": 383.0, "function_hash": "216580915472578561713184683606363861758" }, "id": "ASB-A-254803162-eddf7dc5", "source": "https://android.googlesource.com/platform/external/freetype/+/b56d29a0a69d9fe7b8e377b3397d1e326761dfab", "deprecated": false, "signature_version": "v1", "target": { "file": "src/sfnt/ttcolr.c", "function": "read_color_line" }, "signature_type": "Function" } ], "fixes": [ "https://android.googlesource.com/platform/external/freetype/+/b56d29a0a69d9fe7b8e377b3397d1e326761dfab" ], "spl": "2023-03-01", "severity": "High", "types": [ "ID" ] }