Gentoo's Bugzilla – Attachment 190235 Details for
Bug 263032
<media-libs/freetype-2.3.9-r1 Multiple integer overflows (CVE-2009-0946)
freetype-2.3.9-CVE-2009-0946.patch
freetype-2.3.9-CVE-2009-0946.patch (text/plain), 4.32 KB, created by
Ryan Hill (RETIRED)
on 2009-05-03 18:24:05 UTC
Description:
freetype-2.3.9-CVE-2009-0946.patch
Filename:
MIME Type:
Creator:
Ryan Hill (RETIRED)
Created:
2009-05-03 18:24:05 UTC
Size:
4.32 KB
>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0946
>https://bugzilla.redhat.com/show_bug.cgi?id=491384
>https://bugs.gentoo.org/show_bug.cgi?id=263032
>
>--- freetype-2.3.9-orig/src/cff/cffload.c
>+++ freetype-2.3.9/src/cff/cffload.c
>@@ -842,7 +842,20 @@
> goto Exit;
>
> for ( j = 1; j < num_glyphs; j++ )
>- charset->sids[j] = FT_GET_USHORT();
>+ {
>+ FT_UShort sid = FT_GET_USHORT();
>+
>+
>+ /* this constant is given in the CFF specification */
>+ if ( sid < 65000 )
>+ charset->sids[j] = sid;
>+ else
>+ {
>+ FT_ERROR(( "cff_charset_load:"
>+ " invalid SID value %d set to zero\n", sid ));
>+ charset->sids[j] = 0;
>+ }
>+ }
>
> FT_FRAME_EXIT();
> }
>@@ -875,6 +888,20 @@
> goto Exit;
> }
>
>+ /* check whether the range contains at least one valid glyph; */
>+ /* the constant is given in the CFF specification */
>+ if ( glyph_sid >= 65000 ) {
>+ FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
>+ error = CFF_Err_Invalid_File_Format;
>+ goto Exit;
>+ }
>+
>+ /* try to rescue some of the SIDs if `nleft' is too large */
>+ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
>+ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
>+ nleft = 65000 - 1 - glyph_sid;
>+ }
>+
> /* Fill in the range of sids -- `nleft + 1' glyphs. */
> for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
> charset->sids[j] = glyph_sid;
>--- freetype-2.3.9-orig/src/lzw/ftzopen.c
>+++ freetype-2.3.9/src/lzw/ftzopen.c
>@@ -332,6 +332,9 @@
>
> while ( code >= 256U )
> {
>+ if ( !state->prefix )
>+ goto Eof;
>+
> FTLZW_STACK_PUSH( state->suffix[code - 256] );
> code = state->prefix[code - 256];
> }
>--- freetype-2.3.9-orig/src/sfnt/ttcmap.c
>+++ freetype-2.3.9/src/sfnt/ttcmap.c
>@@ -1635,7 +1635,7 @@
> FT_INVALID_TOO_SHORT;
>
> length = TT_NEXT_ULONG( p );
>- if ( table + length > valid->limit || length < 8208 )
>+ if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
> FT_INVALID_TOO_SHORT;
>
> is32 = table + 12;
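Review bot: In src/cff/cffload.c the SID limit is a bare literal: `if ( sid < 65000 )` in the first hunk, and four more uses in the second hunk (`65000 - 1`, `65000 - nleft`, and so on), so the bound and its off-by-one variants have to be kept in sync by hand. A single named constant carrying the specification reference would make these checks easier to audit, for example `#define CFF_MAX_SID_COUNT 65000 /* SIDs are 0..64999 per the CFF specification */` (the name is only a suggestion). The enclosing function starts and ends outside both hunks.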
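Review bot: The second cffload.c hunk treats an out-of-range SID differently from the first: `glyph_sid >= 65000` rejects the whole font with `CFF_Err_Invalid_File_Format`, while the per-glyph loop in the first hunk replaces the bad SID with 0 and continues, and an over-long range is trimmed and loading continues as well. If that split is intentional it deserves a comment, e.g. `/* a bad range start cannot be repaired, unlike a single bad SID */`. The trimming case also reports through `FT_ERROR` although no error is returned. As a style point, the `if ( ... ) {` lines here do not follow the brace-on-its-own-line layout used in the first hunk.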
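Review bot: In src/lzw/ftzopen.c the added `if ( !state->prefix )` test only covers a table that was never allocated; nothing in this hunk compares `code - 256` with the number of entries the prefix and suffix tables hold before `state->suffix[code - 256]` and `state->prefix[code - 256]` are indexed. The surrounding function is outside the hunk, so a bound may already exist there; if it does not, a check of `code` against the current entry count belongs next to the NULL test. The NULL test is also loop-invariant and could be done once before `while ( code >= 256U )`.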
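Review bot: In the first src/sfnt/ttcmap.c hunk the pointer difference is cast to `FT_UInt32`, while the four later hunks in this file cast the same kind of expression to `FT_ULong`. Unless `length` is declared `FT_UInt32` in this function (its declaration is outside the hunk), the two spellings truncate differently wherever `FT_ULong` is wider than 32 bits. Using one type throughout, `if ( length > (FT_ULong)( valid->limit - table ) || length < 8192 + 16 )`, keeps the five checks uniform. The rewritten test also assumes `table <= valid->limit`, which is presumably what the `FT_INVALID_TOO_SHORT` check just above establishes; its condition is not visible here.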
>@@ -1863,7 +1863,8 @@
> p = table + 16;
> count = TT_NEXT_ULONG( p );
>
>- if ( table + length > valid->limit || length < 20 + count * 2 )
>+ if ( length > (FT_ULong)( valid->limit - table ) ||
>+ length < 20 + count * 2 )
> FT_INVALID_TOO_SHORT;
>
> /* check glyph indices */
>@@ -2048,7 +2049,8 @@
> p = table + 12;
> num_groups = TT_NEXT_ULONG( p );
>
>- if ( table + length > valid->limit || length < 16 + 12 * num_groups )
>+ if ( length > (FT_ULong)( valid->limit - table ) ||
>+ length < 16 + 12 * num_groups )
> FT_INVALID_TOO_SHORT;
>
> /* check groups, they must be in increasing order */
>@@ -2429,7 +2431,8 @@
> FT_ULong num_selectors = TT_NEXT_ULONG( p );
>
>
>- if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
>+ if ( length > (FT_ULong)( valid->limit - table ) ||
>+ length < 10 + 11 * num_selectors )
> FT_INVALID_TOO_SHORT;
>
> /* check selectors, they must be in increasing order */
>@@ -2491,7 +2494,7 @@
> FT_ULong i, lastUni = 0;
>
>
>- if ( ndp + numMappings * 4 > valid->limit )
>+ if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
> FT_INVALID_TOO_SHORT;
>
> for ( i = 0; i < numMappings; ++i )
>--- freetype-2.3.9-orig/src/smooth/ftsmooth.c
>+++ freetype-2.3.9/src/smooth/ftsmooth.c
>@@ -153,7 +153,7 @@
> slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
> }
>
>- /* allocate new one, depends on pixel format */
>+ /* allocate new one */
> pitch = width;
> if ( hmul )
> {
>@@ -194,6 +194,13 @@
>
> #endif
>
>+ if ( pitch > 0xFFFF || height > 0xFFFF )
>+ {
>+ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
>+ width, height ));
>+ return Smooth_Err_Raster_Overflow;
>+ }
>+
> bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
> bitmap->num_grays = 256;
> bitmap->width = width;
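Review bot: The second operand of the new test in the ttcmap.c hunk at -1863, `length < 20 + count * 2`, can still wrap. `count` is read straight from the table with `TT_NEXT_ULONG`, so where `FT_ULong` is 32 bits wide a large `count` makes `count * 2` wrap to a small value and the length test passes. Dividing instead of multiplying avoids this: `length < 20 || ( length - 20 ) / 2 < count`. The same applies to `16 + 12 * num_groups`, `10 + 11 * num_selectors` and `numMappings * 4` in the three following ttcmap.c hunks. The loops that consume these counts lie outside the hunks.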
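Review bot: In the second src/smooth/ftsmooth.c hunk the guard tests `pitch` but the message prints `width`, and the first hunk shows `pitch` starting from `width` and then being adjusted under `if ( hmul )`, so the logged size may not be the value that was rejected. Printing `pitch` and adding a comment on why 0xFFFF is the limit would make the guard self-explanatory, e.g. `/* keep pitch and height small enough that pitch * height cannot overflow */` (presumed intent, to be confirmed). The direct `return` also bypasses any common exit path the function may have after this point, which is outside the hunk.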
Attachments on
bug 263032
:
185509
| 190235