Attachment 190235 Details for Bug 263032 – freetype-2.3.9-CVE-2009-0946.patch

[patch] freetype-2.3.9-CVE-2009-0946.patch

freetype-2.3.9-CVE-2009-0946.patch (text/plain), 4.32 KB, created by Ryan Hill (RETIRED) on 2009-05-03 18:24:05 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Ryan Hill (RETIRED)

Created: 2009-05-03 18:24:05 UTC

Size: 4.32 KB

patch

obsolete

>http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0946
>https://bugzilla.redhat.com/show_bug.cgi?id=491384
>https://bugs.gentoo.org/show_bug.cgi?id=263032
>
>--- freetype-2.3.9-orig/src/cff/cffload.c
>+++ freetype-2.3.9/src/cff/cffload.c
>@@ -842,7 +842,20 @@
>             goto Exit;
> 
>           for ( j = 1; j < num_glyphs; j++ )
>-            charset->sids[j] = FT_GET_USHORT();
>+          {
>+            FT_UShort sid = FT_GET_USHORT();
>+
>+
>+            /* this constant is given in the CFF specification */
>+            if ( sid < 65000 )
>+              charset->sids[j] = sid;
>+            else
>+            {
>+              FT_ERROR(( "cff_charset_load:"
>+                         " invalid SID value %d set to zero\n", sid ));
>+              charset->sids[j] = 0;
>+            }
>+          }
> 
>           FT_FRAME_EXIT();
>         }
>@@ -875,6 +888,20 @@
>                 goto Exit;
>             }
> 
>+            /* check whether the range contains at least one valid glyph; */
>+            /* the constant is given in the CFF specification             */
>+            if ( glyph_sid >= 65000 ) {
>+              FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
>+              error = CFF_Err_Invalid_File_Format;
>+              goto Exit;
>+            }
>+
>+            /* try to rescue some of the SIDs if `nleft' is too large */
>+            if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
>+              FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
>+              nleft = 65000 - 1 - glyph_sid;
>+            }
>+
>             /* Fill in the range of sids -- `nleft + 1' glyphs. */
>             for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
>               charset->sids[j] = glyph_sid;
>--- freetype-2.3.9-orig/src/lzw/ftzopen.c
>+++ freetype-2.3.9/src/lzw/ftzopen.c
>@@ -332,6 +332,9 @@
> 
>           while ( code >= 256U )
>           {
>+            if ( !state->prefix )
>+              goto Eof;
>+
>             FTLZW_STACK_PUSH( state->suffix[code - 256] );
>             code = state->prefix[code - 256];
>           }
>--- freetype-2.3.9-orig/src/sfnt/ttcmap.c
>+++ freetype-2.3.9/src/sfnt/ttcmap.c
>@@ -1635,7 +1635,7 @@
>       FT_INVALID_TOO_SHORT;
> 
>     length = TT_NEXT_ULONG( p );
>-    if ( table + length > valid->limit || length < 8208 )
>+    if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
>       FT_INVALID_TOO_SHORT;
> 
>     is32       = table + 12;
>@@ -1863,7 +1863,8 @@
>     p      = table + 16;
>     count  = TT_NEXT_ULONG( p );
> 
>-    if ( table + length > valid->limit || length < 20 + count * 2 )
>+    if ( length > (FT_ULong)( valid->limit - table ) ||
>+         length < 20 + count * 2                     )
>       FT_INVALID_TOO_SHORT;
> 
>     /* check glyph indices */
>@@ -2048,7 +2049,8 @@
>     p          = table + 12;
>     num_groups = TT_NEXT_ULONG( p );
> 
>-    if ( table + length > valid->limit || length < 16 + 12 * num_groups )
>+    if ( length > (FT_ULong)( valid->limit - table ) ||
>+         length < 16 + 12 * num_groups               )
>       FT_INVALID_TOO_SHORT;
> 
>     /* check groups, they must be in increasing order */
>@@ -2429,7 +2431,8 @@
>     FT_ULong  num_selectors = TT_NEXT_ULONG( p );
> 
> 
>-    if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
>+    if ( length > (FT_ULong)( valid->limit - table ) ||
>+         length < 10 + 11 * num_selectors            )
>       FT_INVALID_TOO_SHORT;
> 
>     /* check selectors, they must be in increasing order */
>@@ -2491,7 +2494,7 @@
>           FT_ULong  i, lastUni = 0;
> 
> 
>-          if ( ndp + numMappings * 4 > valid->limit )
>+          if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
>             FT_INVALID_TOO_SHORT;
> 
>           for ( i = 0; i < numMappings; ++i )
>--- freetype-2.3.9-orig/src/smooth/ftsmooth.c
>+++ freetype-2.3.9/src/smooth/ftsmooth.c
>@@ -153,7 +153,7 @@
>       slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
>     }
> 
>-    /* allocate new one, depends on pixel format */
>+    /* allocate new one */
>     pitch = width;
>     if ( hmul )
>     {
>@@ -194,6 +194,13 @@
> 
> #endif
> 
>+    if ( pitch > 0xFFFF || height > 0xFFFF )
>+    {
>+      FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
>+                 width, height ));
>+      return Smooth_Err_Raster_Overflow;
>+    }
>+
>     bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
>     bitmap->num_grays  = 256;
>     bitmap->width      = width;

Actions: View | Diff

Attachments on bug 263032: 185509 | 190235