In article <EEl%g.18298$pq4.1055@tornado.ohiordc.rr.com>,
Leythos <void@nowhere.lan> wrote:
> The question still stands, I wonder what the OP was really trying to do
> that they were concerned about a font containing malware.


Well, a font does contain hinting, in the form of a program for the
TrueType hinting virtual machine. Basically, a TrueType font contains a
mathematical description of the outlines of the glyphs, and then code,
in the form of assembly language for that virtual machine, to tweak the
glyphs for the particular sizes needed.

I haven't looked, in detail, at what is allowed in the language for that
virtual machine, but it is at least conceivable that a buggy
implementation of the virtual machine could allow the hints to cause a
buffer overflow and arbitrary code execution, and so could actually be
used as a vector for malware.

From overviews of what hinting code can do, though, it looks like it
would be pretty easy to design the virtual machine to be completely
safe. On the other hand, I could easily see a developer worrying about
speed, and taking some shortcuts that would leave some holes (although I
think with glyph caching, there would be no noticeable impact on actual
system performance if the hinting virtual machine was slow).

I've never heard of any kind of malware using this mechanism, and I
don't recall seeing any security updates on any OS to address holes in
TrueType font handling, so my guess is there isn't much to worry about
here. (On the other hand, this would be a pretty damned obscure way to
attack--it is possible no malware authors have investigated it).

--
--Tim Smith
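To make concrete what "designing the virtual machine to be completely safe" means for the hinting interpreter discussed above, here is an added example (not from the post or any real font engine): a bounds-checked interpreter for a small subset of the real TrueType hinting opcodes (PUSHB, DUP, POP, ADD, SUB, DIV, MUL). The fixed stack limit of 32 is an assumption for this toy; a real engine would take it from the font's maxStackElements in the maxp table. Arithmetic is plain integers here, whereas real TrueType works in F26Dot6 fixed point.

```c
#include <stddef.h>
#include <stdint.h>

#define STACK_MAX 32  /* assumed limit; real engines read maxStackElements from 'maxp' */

enum { VM_OK = 0, VM_UNDERFLOW, VM_OVERFLOW, VM_TRUNCATED, VM_BADOP, VM_DIVZERO };

/* Interprets code[0..len) for a subset of TrueType instructions. Every stack
   access and every operand fetch is range-checked, so a malformed hint program
   yields an error code instead of reading or writing outside the stack.
   On VM_OK, *depth receives the final stack depth and *top the top element. */
int run_hints(const uint8_t *code, size_t len, int32_t *top, size_t *depth)
{
    int32_t stack[STACK_MAX];
    size_t sp = 0, pc = 0;
    while (pc < len) {
        uint8_t op = code[pc++];
        if (op >= 0xB0 && op <= 0xB7) {                 /* PUSHB[n]: push n+1 bytes */
            size_t n = (size_t)(op - 0xB0) + 1;
            if (pc + n > len) return VM_TRUNCATED;      /* operands run past the program */
            if (sp + n > STACK_MAX) return VM_OVERFLOW; /* would write past the stack */
            while (n--) stack[sp++] = code[pc++];
        } else if (op == 0x20) {                        /* DUP */
            if (sp < 1) return VM_UNDERFLOW;
            if (sp >= STACK_MAX) return VM_OVERFLOW;
            stack[sp] = stack[sp - 1];
            sp++;
        } else if (op == 0x21) {                        /* POP */
            if (sp < 1) return VM_UNDERFLOW;
            sp--;
        } else if (op >= 0x60 && op <= 0x63) {          /* ADD, SUB, DIV, MUL */
            if (sp < 2) return VM_UNDERFLOW;            /* would read below the stack */
            int32_t b = stack[--sp], a = stack[--sp], r;
            switch (op) {
            case 0x60: r = a + b; break;
            case 0x61: r = a - b; break;
            case 0x62: if (b == 0) return VM_DIVZERO; r = a / b; break;
            default:   r = a * b; break;
            }
            stack[sp++] = r;
        } else {
            return VM_BADOP;                             /* unknown opcode: reject, never guess */
        }
    }
    *depth = sp;
    if (sp) *top = stack[sp - 1];
    return VM_OK;
}
```

The same structure, with a single range check on every stack, instruction-stream and point-table access, is what keeps a hinting interpreter from turning a crafted font into a memory corruption bug regardless of what the hint program asks for.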