FreeType is vulnerable to arbitrary code execution. An out-of-bounds write resulting in a heap-based buffer overflow in the TT_Get_MM_Var function in truetype/ttgxvar.c and the sfnt_init_face function in sfnt/sfobjs.c allows an attacker to execute arbitrary code on the host OS.