Gentoo's Bugzilla – Attachment 86119 Details for Bug 124828
media-libs/freetype: integer overflows (CVE-2006-{0747|1861|2493|2661})
issue_2.patch (text/plain), 2.70 KB, created by Sune Kloppenborg Jeppesen (RETIRED) on 2006-05-03 23:19:20 UTC
>diff --git a/ChangeLog b/ChangeLog >index 553dbe9..1b81fe0 100644 >--- a/ChangeLog >+++ b/ChangeLog >@@ -1,3 +1,11 @@ >+2006-03-26 Werner Lemberg <wl@gnu.org> >+ >+ * src/bdf/bdflib.c (ERRMSG4): New macro. >+ (_bdf_parse_glyphs): Handle invalid BBX values. >+ >+ * include/freetype/fterrdef.h (FT_Err_Bbx_Too_Big): New error >+ macro. >+ > 2006-03-23 Werner Lemberg <wl@gnu.org> > > * docs/CHANGES: Updated. >diff --git a/include/freetype/fterrdef.h b/include/freetype/fterrdef.h >index 2f73c08..42115d2 100644 >--- a/include/freetype/fterrdef.h >+++ b/include/freetype/fterrdef.h >@@ -4,7 +4,7 @@ > /* */ > /* FreeType error codes (specification). */ > /* */ >-/* Copyright 2002, 2004 by */ >+/* Copyright 2002, 2004, 2006 by */ > /* David Turner, Robert Wilhelm, and Werner Lemberg. */ > /* */ > /* This file is part of the FreeType project, and may only be used, */ >@@ -226,6 +226,8 @@ > "`ENCODING' field missing" ) > FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \ > "`BBX' field missing" ) >+ FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \ >+ "`BBX' too big" ) > > > /* END */ >diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c >index d13df47..3c928e5 100644 >--- a/src/bdf/bdflib.c >+++ b/src/bdf/bdflib.c >@@ -1092,6 +1092,7 @@ > #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n" > #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n" > #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n" >+#define ERRMSG4 "[line %ld] BBX too big.\n" > > > static FT_Error >@@ -1814,6 +1815,9 @@ > /* And finally, gather up the bitmap. */ > if ( ft_memcmp( line, "BITMAP", 6 ) == 0 ) > { >+ unsigned long bitmap_size; >+ >+ > if ( !( p->flags & _BDF_BBX ) ) > { > /* Missing BBX field. */ 
>@@ -1824,7 +1828,16 @@ > > /* Allocate enough space for the bitmap. */ > glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3; >- glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height ); >+ >+ bitmap_size = glyph->bpr * glyph->bbx.height; >+ if ( bitmap_size > 0xFFFFU ) >+ { >+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno )); >+ error = BDF_Err_Bbx_Too_Big; >+ goto Exit; >+ } >+ else >+ glyph->bytes = (unsigned short)bitmap_size; > > if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) ) > goto Exit;
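Review bot: In the src/bdf/bdflib.c hunk at @@ -1824, the product `glyph->bpr * glyph->bbx.height` is evaluated in the operands' own type and only afterwards stored in the `unsigned long bitmap_size`, so if both fields are narrower than `unsigned long` (their declarations are not visible in this patch) the multiplication can overflow before the `> 0xFFFFU` comparison sees it. Widen one operand first, for example `bitmap_size = (unsigned long)glyph->bpr * glyph->bbx.height;`. The unchanged context line `glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;` has the same exposure: if `bpr` is a short field, a large BBX width is truncated on assignment and the new check then passes on the truncated value, so a bound on the width (and a rejection of negative values, should those fields be signed) belongs ahead of it. The `else` following `goto Exit;` is redundant and can be dropped.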
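Review bot: ERRMSG4 in the src/bdf/bdflib.c hunk at @@ -1092 reports only the line number, while the rejection it is used for at @@ -1824 depends on a computed size compared against 0xFFFF. Including the offending BBX width and height, or the computed `bitmap_size`, in the message would let a rejected font be diagnosed from the log alone.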