Thank you for opening your first PR into Matplotlib!

If you have not heard from us in a week or so, please leave a new comment below and that should bring it to our attention. Most of our reviewers are volunteers and sometimes things fall through the cracks. We also ask that you please finish addressing any review comments on this PR and wait for it to be merged (or closed) before opening a new one, as it can be a valuable learning experience to go through the review process.

You can also join us on discourse chat for real-time discussion.

For details on testing, writing docs, and our review process, please see the developer guide.
Please let us know if (and how) you use AI, it will help us give you better feedback on your PR.

We strive to be a welcoming and open project. Please follow our Code of Conduct.

I used AI tools (Claude and ChatGPT) to help with code navigation, repository research, and understanding the relevant code paths. The investigation, validation, testing, and final code changes were performed and verified manually by me. I understand the change and can answer questions about the implementation and reasoning behind it.

Hi @uwezkhan, thanks for looking into this. I'm curious, did you trigger this issue and #31860 through normal code paths, or was this discovered through static analysis?

Neither triggered through a normal code path, no. I was reading the file-object path in ft2font_wrapper.cpp by hand and noticed the callback memcpy'd len(file.read(count)) bytes into a buffer FreeType had sized for count, so the bound depended entirely on the file object behaving. I then confirmed it under ASAN with a file object whose read() returns more than requested: before the fix that's a heap write past the end of FreeType's buffer, after it the read is rejected and FT2Font raises. You can't hit it from the filename path or any well-behaved stream; it takes a file-like object that over-returns (say, a wrapper that transparently decompresses), which is also why the fix treats it as a broken object rather than trying to use the extra bytes.

#31860 isn't mine, so I can't speak to how that one was found.

Thanks! And my mistake, the user icons looked the same at a quick glance.