Attachment 185509 Details for Bug 263032 – freetype-2.3.8-sec.diff

[patch] freetype-2.3.8-sec.diff

freetype-2.3.8-sec.diff (text/plain), 3.55 KB, created by Robert Buchholz (RETIRED) on 2009-03-19 12:56:52 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Robert Buchholz (RETIRED)

Created: 2009-03-19 12:56:52 UTC

Size: 3.55 KB

patch

obsolete

>diff -ruN freetype-2.3.8.orig/include/freetype/config/ftstdlib.h freetype-2.3.8/include/freetype/config/ftstdlib.h
>--- freetype-2.3.8.orig/include/freetype/config/ftstdlib.h	2009-01-12 20:46:57.000000000 +0100
>+++ freetype-2.3.8/include/freetype/config/ftstdlib.h	2009-03-16 17:07:23.000000000 +0100
>@@ -63,6 +63,7 @@
> #define FT_INT_MAX    INT_MAX
> #define FT_UINT_MAX   UINT_MAX
> #define FT_ULONG_MAX  ULONG_MAX
>+#define FT_USHRT_MAX  USHRT_MAX
> 
> 
>   /**********************************************************************/
>diff -ruN freetype-2.3.8.orig/src/cff/cffload.c freetype-2.3.8/src/cff/cffload.c
>--- freetype-2.3.8.orig/src/cff/cffload.c	2008-07-16 07:42:25.000000000 +0200
>+++ freetype-2.3.8/src/cff/cffload.c	2009-03-16 17:06:55.000000000 +0100
>@@ -744,6 +744,10 @@
>     for ( i = 0; i < num_glyphs; i++ )
>       if ( charset->sids[i] > max_cid )
>         max_cid = charset->sids[i];
>+
>+    if ( max_cid == FT_USHRT_MAX )
>+      goto Exit;
>+
>     max_cid++;
> 
>     if ( FT_NEW_ARRAY( charset->cids, max_cid ) )
>diff -ruN freetype-2.3.8.orig/src/lzw/ftzopen.c freetype-2.3.8/src/lzw/ftzopen.c
>--- freetype-2.3.8.orig/src/lzw/ftzopen.c	2007-05-25 08:36:29.000000000 +0200
>+++ freetype-2.3.8/src/lzw/ftzopen.c	2009-03-16 17:09:03.000000000 +0100
>@@ -332,6 +332,9 @@
> 
>           while ( code >= 256U )
>           {
>+            if ( !state->suffix || !state->prefix )
>+              goto Eof;
>+
>             FTLZW_STACK_PUSH( state->suffix[code - 256] );
>             code = state->prefix[code - 256];
>           }
>diff -ruN freetype-2.3.8.orig/src/sfnt/ttcmap.c freetype-2.3.8/src/sfnt/ttcmap.c
>--- freetype-2.3.8.orig/src/sfnt/ttcmap.c	2008-10-09 09:13:36.000000000 +0200
>+++ freetype-2.3.8/src/sfnt/ttcmap.c	2009-03-16 17:04:10.000000000 +0100
>@@ -1591,7 +1591,7 @@
>       FT_INVALID_TOO_SHORT;
> 
>     length = TT_NEXT_ULONG( p );
>-    if ( table + length > valid->limit || length < 8208 )
>+    if ( length > valid->limit - table || table + length > valid->limit || length < 8208 )
>       FT_INVALID_TOO_SHORT;
> 
>     is32       = table + 12;
>@@ -1819,7 +1819,7 @@
>     p      = table + 16;
>     count  = TT_NEXT_ULONG( p );
> 
>-    if ( table + length > valid->limit || length < 20 + count * 2 )
>+    if ( length > valid->limit - table || table + length > valid->limit || length < 20 + count * 2 )
>       FT_INVALID_TOO_SHORT;
> 
>     /* check glyph indices */
>@@ -2004,7 +2004,7 @@
>     p          = table + 12;
>     num_groups = TT_NEXT_ULONG( p );
> 
>-    if ( table + length > valid->limit || length < 16 + 12 * num_groups )
>+    if ( length > valid->limit - table || table + length > valid->limit || length < 16 + 12 * num_groups )
>       FT_INVALID_TOO_SHORT;
> 
>     /* check groups, they must be in increasing order */
>@@ -2385,7 +2385,7 @@
>     FT_ULong  num_selectors = TT_NEXT_ULONG( p );
> 
> 
>-    if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
>+    if ( length > valid->limit - table || table + length > valid->limit || length < 10 + 11 * num_selectors )
>       FT_INVALID_TOO_SHORT;
> 
>     /* check selectors, they must be in increasing order */
>diff -ruN freetype-2.3.8.orig/src/smooth/ftsmooth.c freetype-2.3.8/src/smooth/ftsmooth.c
>--- freetype-2.3.8.orig/src/smooth/ftsmooth.c	2009-01-12 20:12:35.000000000 +0100
>+++ freetype-2.3.8/src/smooth/ftsmooth.c	2009-03-16 17:05:43.000000000 +0100
>@@ -203,6 +203,9 @@
>     /* translate outline to render it into the bitmap */
>     FT_Outline_Translate( outline, -x_shift, -y_shift );
> 
>+    if ( height && pitch > FT_ULONG_MAX / height )
>+      goto Exit;
>+
>     if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) )
>       goto Exit;
>

Actions: View | Diff

Attachments on bug 263032: 185509 | 190235