{"id":"ASB-A-254803162","details":"In read_paint of ttcolr.c, there is a possible out of bounds read due to a heap buffer overflow. This could lead to local information disclosure with no additional execution privileges needed. User interaction is not needed for exploitation.","aliases":["A-254803162","CVE-2023-20958"],"modified":"2026-05-27T15:53:17.428190120Z","published":"2023-03-01T00:00:00Z","references":[{"type":"ADVISORY","url":"https://source.android.com/security/bulletin/2023-03-01"},{"type":"FIX","url":"https://android.googlesource.com/platform/external/freetype/+/e0c9c8b35e2071d0591c151cd7d752bdf783f747"}],"affected":[{"package":{"name":"platform/external/freetype","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13-next:0"},{"fixed":"13-next:2023-03-01"}]}],"versions":["13-next"],"ecosystem_specific":{"spl":"2023-03-01","severity":"High","fixes":["https://android.googlesource.com/platform/external/freetype/+/f916fca5d1361dc674118bec51eff2b5299c4c79"],"types":["ID"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-254803162.json"}},{"package":{"name":"platform/external/freetype","ecosystem":"Android"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"13:0"},{"fixed":"13:2023-03-01"}]}],"versions":["13"],"ecosystem_specific":{"vanir_signatures":[{"signature_version":"v1","id":"ASB-A-254803162-1028b8bf","digest":{"line_hashes":[],"threshold":0.9},"deprecated":false,"source":"https://android.googlesource.com/platform/external/freetype/+/b56d29a0a69d9fe7b8e377b3397d1e326761dfab","signature_type":"Line","target":{"file":"src/sfnt/ttcolr.c"}},{"signature_version":"v1","id":"ASB-A-254803162-671b0736","digest":{"function_hash":"324248395258620335472283662895952390797","length":966},"deprecated":false,"source":"https://android.googlesource.com/platform/external/freetype/+/b56d29a0a69d9fe7b8e377b3397d1e326761dfab","signature_type":"Function","target":{"file":"src/sfnt/ttcolr.c","function":"tt_face_get_paint_layers"}},{"signature_version":"v1","id":"ASB-A-254803162-e69c6e1b","digest":{"function_hash":"102613444367544991272758447049686408626","length":7170},"deprecated":false,"source":"https://android.googlesource.com/platform/external/freetype/+/b56d29a0a69d9fe7b8e377b3397d1e326761dfab","signature_type":"Function","target":{"file":"src/sfnt/ttcolr.c","function":"read_paint"}},{"signature_version":"v1","id":"ASB-A-254803162-eddf7dc5","digest":{"function_hash":"216580915472578561713184683606363861758","length":383},"deprecated":false,"source":"https://android.googlesource.com/platform/external/freetype/+/b56d29a0a69d9fe7b8e377b3397d1e326761dfab","signature_type":"Function","target":{"file":"src/sfnt/ttcolr.c","function":"read_color_line"}}],"spl":"2023-03-01","severity":"High","fixes":["https://android.googlesource.com/platform/external/freetype/+/b56d29a0a69d9fe7b8e377b3397d1e326761dfab"],"types":["ID"]},"database_specific":{"source":"https://storage.googleapis.com/android-osv/ASB-A-254803162.json"}}],"schema_version":"1.7.5"}