Gentoo's Bugzilla – Attachment 185509 Details for
Bug 263032
<media-libs/freetype-2.3.9-r1 Multiple integer overflows (CVE-2009-0946)
freetype-2.3.8-sec.diff (text/plain), 3.55 KB, created by Robert Buchholz (RETIRED) on 2009-03-19 12:56:52 UTC
>diff -ruN freetype-2.3.8.orig/include/freetype/config/ftstdlib.h freetype-2.3.8/include/freetype/config/ftstdlib.h >--- freetype-2.3.8.orig/include/freetype/config/ftstdlib.h 2009-01-12 20:46:57.000000000 +0100 >+++ freetype-2.3.8/include/freetype/config/ftstdlib.h 2009-03-16 17:07:23.000000000 +0100 >@@ -63,6 +63,7 @@ > #define FT_INT_MAX INT_MAX > #define FT_UINT_MAX UINT_MAX > #define FT_ULONG_MAX ULONG_MAX >+#define FT_USHRT_MAX USHRT_MAX > > > /**********************************************************************/ >diff -ruN freetype-2.3.8.orig/src/cff/cffload.c freetype-2.3.8/src/cff/cffload.c >--- freetype-2.3.8.orig/src/cff/cffload.c 2008-07-16 07:42:25.000000000 +0200 >+++ freetype-2.3.8/src/cff/cffload.c 2009-03-16 17:06:55.000000000 +0100 >@@ -744,6 +744,10 @@ > for ( i = 0; i < num_glyphs; i++ ) > if ( charset->sids[i] > max_cid ) > max_cid = charset->sids[i]; >+ >+ if ( max_cid == FT_USHRT_MAX ) >+ goto Exit; >+ > max_cid++; > > if ( FT_NEW_ARRAY( charset->cids, max_cid ) ) >diff -ruN freetype-2.3.8.orig/src/lzw/ftzopen.c freetype-2.3.8/src/lzw/ftzopen.c >--- freetype-2.3.8.orig/src/lzw/ftzopen.c 2007-05-25 08:36:29.000000000 +0200 >+++ freetype-2.3.8/src/lzw/ftzopen.c 2009-03-16 17:09:03.000000000 +0100 >@@ -332,6 +332,9 @@ > > while ( code >= 256U ) > { >+ if ( !state->suffix || !state->prefix ) >+ goto Eof; >+ > FTLZW_STACK_PUSH( state->suffix[code - 256] ); > code = state->prefix[code - 256]; > } >diff -ruN freetype-2.3.8.orig/src/sfnt/ttcmap.c freetype-2.3.8/src/sfnt/ttcmap.c >--- freetype-2.3.8.orig/src/sfnt/ttcmap.c 2008-10-09 09:13:36.000000000 +0200 >+++ freetype-2.3.8/src/sfnt/ttcmap.c 2009-03-16 17:04:10.000000000 +0100 >@@ -1591,7 +1591,7 @@ > FT_INVALID_TOO_SHORT; > > length = TT_NEXT_ULONG( p ); >- if ( table + length > valid->limit || length < 8208 ) >+ if ( length > valid->limit - table || table + length > valid->limit || length < 8208 ) > FT_INVALID_TOO_SHORT; > > is32 = table + 12; 
>@@ -1819,7 +1819,7 @@ > p = table + 16; > count = TT_NEXT_ULONG( p ); > >- if ( table + length > valid->limit || length < 20 + count * 2 ) >+ if ( length > valid->limit - table || table + length > valid->limit || length < 20 + count * 2 ) > FT_INVALID_TOO_SHORT; > > /* check glyph indices */ >@@ -2004,7 +2004,7 @@ > p = table + 12; > num_groups = TT_NEXT_ULONG( p ); > >- if ( table + length > valid->limit || length < 16 + 12 * num_groups ) >+ if ( length > valid->limit - table || table + length > valid->limit || length < 16 + 12 * num_groups ) > FT_INVALID_TOO_SHORT; > > /* check groups, they must be in increasing order */ >@@ -2385,7 +2385,7 @@ > FT_ULong num_selectors = TT_NEXT_ULONG( p ); > > >- if ( table + length > valid->limit || length < 10 + 11 * num_selectors ) >+ if ( length > valid->limit - table || table + length > valid->limit || length < 10 + 11 * num_selectors ) > FT_INVALID_TOO_SHORT; > > /* check selectors, they must be in increasing order */ >diff -ruN freetype-2.3.8.orig/src/smooth/ftsmooth.c freetype-2.3.8/src/smooth/ftsmooth.c >--- freetype-2.3.8.orig/src/smooth/ftsmooth.c 2009-01-12 20:12:35.000000000 +0100 >+++ freetype-2.3.8/src/smooth/ftsmooth.c 2009-03-16 17:05:43.000000000 +0100 >@@ -203,6 +203,9 @@ > /* translate outline to render it into the bitmap */ > FT_Outline_Translate( outline, -x_shift, -y_shift ); > >+ if ( height && pitch > FT_ULONG_MAX / height ) >+ goto Exit; >+ > if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) ) > goto Exit; >
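Review bot: In the src/cff/cffload.c hunk (@@ -744,6 +744,10 @@), the new `if ( max_cid == FT_USHRT_MAX ) goto Exit;` leaves through Exit without assigning an error in the lines shown. If `error` is still zero at that point, the caller gets a success return with `charset->cids` never allocated. Suggest setting an explicit error code before the jump. The guard also only prevents the wrap in `max_cid++` if `max_cid` is a 16-bit unsigned type; its declaration is outside the hunk, so that is worth confirming.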
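Review bot: In the src/lzw/ftzopen.c hunk (@@ -332,6 +332,9 @@), the added test rejects NULL `state->suffix` and `state->prefix`, but the index `code - 256` is still applied to both arrays with no bound check in the lines shown. If `code` can exceed the number of entries currently in the table, the read is still out of range. Suggest comparing `code - 256` against the table size before the push, or adding a comment that says where that bound is enforced. Nothing visible in the loop body reassigns the two pointers, so the NULL test could also sit once before the `while`.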
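Review bot: In the src/sfnt/ttcmap.c hunk at @@ -1591,7 +1591,7 @@ (the same applies to the three later hunks in this file), the old term `table + length > valid->limit` is kept after the new `length > valid->limit - table`. Once the new term is false the old one cannot be true, so it is dead code. Dropping it leaves a single check and removes the pointer addition this patch is meant to replace. The new term also compares `length` with a pointer difference, which is signed; an explicit cast on `valid->limit - table` would make the intended unsigned comparison visible.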
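Review bot: In the src/sfnt/ttcmap.c hunks at @@ -1819,7 +1819,7 @@, @@ -2004,7 +2004,7 @@ and @@ -2385,7 +2385,7 @@, the right-hand terms `20 + count * 2`, `16 + 12 * num_groups` and `10 + 11 * num_selectors` are left as they were, and each multiplies a value read from the table with TT_NEXT_ULONG. Where FT_ULong is 32 bits wide, a large count wraps the product, so the `length < ...` test can pass with a small `length` while the checks that follow still work from the full count. Suggest expressing the bound as a division once the fixed minimum has been checked, for example `count > ( length - 20 ) / 2`.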
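Review bot: In the src/smooth/ftsmooth.c hunk (@@ -203,6 +203,9 @@), the new `if ( height && pitch > FT_ULONG_MAX / height ) goto Exit;` jumps to Exit without setting an error in the lines shown. If `error` is zero at this point the render returns success with no `bitmap->buffer`. Suggest assigning an error before the goto. The test also uses `pitch` as declared, while the allocation uses `(FT_ULong)pitch * height`; applying the same cast in the test keeps the two expressions in step.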