Gentoo's Bugzilla – Attachment 86121 Details for Bug 124828: media-libs/freetype: integer overflows (CVE-2006-{0747|1861|2493|2661})
issue_4.patch (text/plain), 4.38 KB, created by Sune Kloppenborg Jeppesen (RETIRED) on 2006-05-03 23:20:45 UTC
>diff --git a/ChangeLog b/ChangeLog >index 5edd9ac..480a6a6 100644 >--- a/ChangeLog >+++ b/ChangeLog >@@ -1,4 +1,15 @@ >-2006-03-21 David Turner <david@freetype.org> >+2006-03-21 Werner Lemberg <wl@gnu.org> >+ >+ * src/cff/cfftypes.h (CFF_CharsetRec): Add `max_cid' member. >+ >+ * src/cff/cffload.c (cff_charset_load): Set `charset->max_cid'. >+ >+ * src/cff/cffgload.c (cff_slot_load): Change type of third parameter >+ to `FT_UInt'. >+ Check range of `glyph_index'. >+ * src/cff/cffgload.h: Updated. >+ >+2006-03-21 David Turner <david@freetype.org> > > * src/autofit/aflatin.c (af_latin_metrics_scale): Fix small bug > that crashes the auto-hinter (introduced by previous patch). >diff --git a/src/cff/cffgload.c b/src/cff/cffgload.c >index f7f0c9a..673a814 100644 >--- a/src/cff/cffgload.c >+++ b/src/cff/cffgload.c >@@ -2272,7 +2272,7 @@ > FT_LOCAL_DEF( FT_Error ) > cff_slot_load( CFF_GlyphSlot glyph, > CFF_Size size, >- FT_Int glyph_index, >+ FT_UInt glyph_index, > FT_Int32 load_flags ) > { > FT_Error error; >@@ -2318,7 +2318,7 @@ > > error = sfnt->load_sbit_image( face, > size->strike_index, >- (FT_UInt)glyph_index, >+ glyph_index, > (FT_Int)load_flags, > stream, > &glyph->root.bitmap, >@@ -2381,7 +2381,12 @@ > /* subsetted font, glyph_indices and CIDs are identical, though */ > if ( cff->top_font.font_dict.cid_registry != 0xFFFFU && > cff->charset.cids ) >- glyph_index = cff->charset.cids[glyph_index]; >+ { >+ if ( glyph_index < cff->charset.max_cid ) >+ glyph_index = cff->charset.cids[glyph_index]; >+ else >+ glyph_index = 0; >+ } > > cff_decoder_init( &decoder, face, size, glyph, hinting, > FT_LOAD_TARGET_MODE( load_flags ) ); >diff --git a/src/cff/cffgload.h b/src/cff/cffgload.h >index 89ae049..01c6bcb 100644 >--- a/src/cff/cffgload.h >+++ b/src/cff/cffgload.h 
>@@ -4,7 +4,7 @@ > /* */ > /* OpenType Glyph Loader (specification). */ > /* */ >-/* Copyright 1996-2001, 2002, 2003, 2004 by */ >+/* Copyright 1996-2001, 2002, 2003, 2004, 2006 by */ > /* David Turner, Robert Wilhelm, and Werner Lemberg. */ > /* */ > /* This file is part of the FreeType project, and may only be used, */ >@@ -196,7 +196,7 @@ FT_BEGIN_HEADER > FT_LOCAL( FT_Error ) > cff_slot_load( CFF_GlyphSlot glyph, > CFF_Size size, >- FT_Int glyph_index, >+ FT_UInt glyph_index, > FT_Int32 load_flags ); > > >diff --git a/src/cff/cffload.c b/src/cff/cffload.c >index 666ccfe..a7b7d70 100644 >--- a/src/cff/cffload.c >+++ b/src/cff/cffload.c >@@ -1688,6 +1688,8 @@ > > for ( i = 0; i < num_glyphs; i++ ) > charset->cids[charset->sids[i]] = (FT_UShort)i; >+ >+ charset->max_cid = max_cid; > } > > Exit: >diff --git a/src/cff/cfftypes.h b/src/cff/cfftypes.h >index 9ddc663..364b7cb 100644 >--- a/src/cff/cfftypes.h >+++ b/src/cff/cfftypes.h >@@ -5,7 +5,7 @@ > /* Basic OpenType/CFF type definitions and interface (specification */ > /* only). */ > /* */ >-/* Copyright 1996-2001, 2002, 2003 by */ >+/* Copyright 1996-2001, 2002, 2003, 2006 by */ > /* David Turner, Robert Wilhelm, and Werner Lemberg. */ > /* */ > /* This file is part of the FreeType project, and may only be used, */ >@@ -84,6 +84,7 @@ FT_BEGIN_HEADER > FT_UShort* sids; > FT_UShort* cids; /* the inverse mapping of `sids'; only needed */ > /* for CID-keyed fonts */ >+ FT_UInt max_cid; > } CFF_CharsetRec, *CFF_Charset; > >
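Review bot: In the `src/cff/cffgload.c` hunk at `@@ -2381,7 +2381,12 @@`, the bound `glyph_index < cff->charset.max_cid` treats `max_cid` as an element count, while the field name and the plain assignment `charset->max_cid = max_cid;` in `src/cff/cffload.c` read as the largest CID. The allocation of `charset->cids` is not among the visible lines, so please confirm the array size against this comparison. If the array holds `max_cid + 1` entries, the check rejects the last valid CID; if it holds `max_cid` entries, the store `charset->cids[charset->sids[i]] = (FT_UShort)i;` in the loop just above the new assignment is only safe when every `sids[i]` is strictly below `max_cid`. The `else` branch also maps an out-of-range index to glyph 0 without reporting anything; a one-line comment stating that this fallback is intended would help the next reader.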
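Review bot: The ChangeLog entry says "Check range of `glyph_index'", but the only check added to `cff_slot_load` sits inside the `cid_registry != 0xFFFFU && cff->charset.cids` branch. In the `@@ -2318,7 +2318,7 @@` hunk the index still goes to `sfnt->load_sbit_image` unchecked, and with the parameter changed to `FT_UInt` in the `@@ -2272,7 +2272,7 @@` hunk a negative value from a caller now arrives as a large unsigned index. If validation for the non-CID and sbit paths happens elsewhere, the ChangeLog should say the new check covers CID-keyed fonts only; otherwise an upper-bound test belongs near the top of the function. The callers of `cff_slot_load` are not part of this patch, so please confirm they agree with the new prototype in `cffgload.h`.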
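Review bot: The new `FT_UInt max_cid;` member in `CFF_CharsetRec` (`src/cff/cfftypes.h`, `@@ -84,6 +84,7 @@`) has no comment, unlike `cids` directly above it. Please document whether it is the highest valid index into `cids` or the number of entries, since the comparison in `cff_slot_load` depends on that. In the `src/cff/cffload.c` hunk it is assigned only inside the block that fills `cids`, so the comment should also state that the value is meaningful only when `cids` is non-NULL.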