sfnt/ttload.c in FreeType before 2.5.4 proceeds with offset+length calculations without restricting the values, which allows remote attackers to cause a denial of service (integer overflow and out-of-bounds read) or possibly have unspecified other impact via a crafted SFNT table.
| Product | Vendor | Version |
|---|---|---|
| n/a | n/a | < V18 Update 5 |