python-pillow / Pillow

Python Imaging Library (Fork)
https://python-pillow.org

Security concerns when loading user-provided fonts: Can they contain malware? #8546

Closed daeeros closed 1 week ago

daeeros commented 1 week ago

Hello! I have a question regarding the security of using user-provided fonts in Pillow.

I'm implementing a feature where a font uploaded by a user is loaded as a byte stream and then used in ImageFont.truetype. The loading and usage look like this:

from io import BytesIO
from PIL import ImageFont

font_22 = None

if creator_profile.quote_font_file_id is not None:
    # fetch the user's uploaded font as raw bytes from our backend
    downloaded_font = await pl.app.backend._get_file(creator_profile.quote_font_file_id)
    if downloaded_font:
        # hand the bytes to FreeType via Pillow at 22 px
        font_22 = ImageFont.truetype(BytesIO(downloaded_font.content), 22)

My question: How safe is it to accept fonts as byte streams and load them through ImageFont.truetype? Is there a risk that malicious fonts could contain viruses or otherwise disrupt the application? Are there any known vulnerabilities with font handling in Pillow or best practices for validating fonts before use?

Thank you very much in advance for any guidance!

radarhere commented 1 week ago

Hi. This is a security problem that we consider when developing Pillow.

One of our GitHub Actions uses OSS-Fuzz to check for security problems that may occur when opening and using random font data.

When a problem in Pillow is found, we endeavour to fix it. You can see an example of a problem that was found and fixed in the past at https://pillow.readthedocs.io/en/stable/releasenotes/8.2.0.html#fix-memory-dos-in-imagefont

As far as what you should be doing as a user, https://pillow.readthedocs.io/en/stable/releasenotes/index.html

Please use the latest version of Pillow. Functionality and security fixes should not be expected to be backported to earlier versions.

If you do not use our pre-built wheels, and instead compile Pillow from source, I would also suggest using the latest version of dependencies - in this case, FreeType.
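A defensive pre-check for uploads like the one in the question, added here as an example and not Pillow's own code: it caps the upload size and sanity-checks the sfnt offset table and table directory before the bytes reach ImageFont.truetype, then wraps the load so FreeType parse errors surface as a single ValueError. MAX_FONT_BYTES, the required-table set and build_sfnt (which fabricates demo input) are assumptions rather than Pillow APIs; the check complements, and does not replace, running a current Pillow and FreeType as advised above.

```python
import struct
from io import BytesIO

MAX_FONT_BYTES = 4 * 1024 * 1024   # assumed upload cap; tune for your service
REQUIRED = {b"head", b"maxp", b"cmap"}   # tables any usable face must carry
SFNT_MAGIC = {b"\x00\x01\x00\x00", b"OTTO", b"true"}   # TrueType, CFF OpenType, Apple


def check_sfnt(data: bytes) -> tuple:
    """Structural check of an uploaded TTF/OTF blob: returns (ok, reason)."""
    if len(data) > MAX_FONT_BYTES:
        return False, "too large"
    if len(data) < 12 or data[:4] not in SFNT_MAGIC:   # also rejects 'ttcf' collections
        return False, "not a single sfnt face"
    num_tables = struct.unpack(">H", data[4:6])[0]
    if not 0 < num_tables <= 64:                        # real faces carry ~10-30 tables
        return False, "implausible table count"
    dir_end = 12 + 16 * num_tables
    if dir_end > len(data):
        return False, "table directory truncated"
    seen = set()
    for i in range(num_tables):
        tag, _, off, length = struct.unpack(">4sIII", data[12 + 16 * i:28 + 16 * i])
        if tag in seen:
            return False, f"duplicate table {tag!r}"
        seen.add(tag)
        if off < dir_end or off + length > len(data):   # Python ints never wrap
            return False, f"table {tag!r} out of bounds"
    missing = REQUIRED - seen
    return (False, f"missing {sorted(missing)}") if missing else (True, "ok")


def build_sfnt(tables: dict) -> bytes:   # constructed sfnt from {tag: payload}; demo input only
    records, body, off = b"", b"", 12 + 16 * len(tables)
    for tag, payload in tables.items():
        records += struct.pack(">4sIII", tag, 0, off, len(payload))
        body, off = body + payload, off + len(payload)
    return b"\x00\x01\x00\x00" + struct.pack(">HHHH", len(tables), 0, 0, 0) + records + body


def load_user_font(data: bytes, size: int):
    """Validate, then hand the bytes to Pillow; any parse failure becomes ValueError."""
    ok, reason = check_sfnt(data)
    if not ok:
        raise ValueError(f"rejected font: {reason}")
    from PIL import ImageFont   # imported here so check_sfnt itself needs no Pillow
    try:
        return ImageFont.truetype(BytesIO(data), size)
    except OSError as exc:      # FreeType could not parse the face
        raise ValueError(f"rejected font: {exc}") from exc
```

Call load_user_font(downloaded_font.content, 22) in place of the bare ImageFont.truetype call and treat a ValueError as a rejected upload.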