Gentoo's Bugzilla – Attachment 89113 Details for
Bug 124828
media-libs/freetype: integer overflows (CVE-2006-{0747|1861|2493|2661})
[patch]
CVE-2006-1861_integer-overflows.diff
CVE-2006-1861_integer-overflows.diff (text/plain), 4.25 KB, created by
Donnie Berkholz (RETIRED)
on 2006-06-13 21:08:41 UTC
Description:
CVE-2006-1861_integer-overflows.diff
Filename:
MIME Type:
Creator:
Donnie Berkholz (RETIRED)
Created:
2006-06-13 21:08:41 UTC
Size:
4.25 KB
patch
obsolete
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/include/freetype/fterrdef.h freetype-2.1.7/include/freetype/fterrdef.h
>--- freetype-2.1.7.orig/include/freetype/fterrdef.h 2002-05-21 16:13:00.000000000 +0200
>+++ freetype-2.1.7/include/freetype/fterrdef.h 2006-05-28 11:51:12.000000000 +0200
>@@ -224,6 +224,8 @@
> "`ENCODING' field missing" )
> FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \
> "`BBX' field missing" )
>+ FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \
>+ "`BBX' too big" )
>
>
> /* END */
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/bdf/bdflib.c freetype-2.1.7/src/bdf/bdflib.c
>--- freetype-2.1.7.orig/src/bdf/bdflib.c 2006-05-28 10:55:02.000000000 +0200
>+++ freetype-2.1.7/src/bdf/bdflib.c 2006-05-28 12:04:52.000000000 +0200
>@@ -1098,6 +1098,7 @@
> #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n"
> #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n"
> #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n"
>+#define ERRMSG4 "[line %ld] BBX too big.\n"
>
>
> static FT_Error
>@@ -1578,6 +1579,14 @@
> goto Exit;
> }
>
>+ /* Check that the encoding is in the range [0,65536] because */
>+ /* otherwise p->have (a bitmap with static size) overflows. */
>+ if ( p->glyph_enc >= sizeof(p->have)*8 )
>+ {
>+ error = BDF_Err_Invalid_File_Format;
>+ goto Exit;
>+ }
>+
> /* Check to see whether this encoding has already been encountered. */
> /* If it has then change it to unencoded so it gets added if */
> /* indicated. */
>@@ -1829,6 +1838,8 @@
> /* And finally, gather up the bitmap. */
> if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
> {
>+ unsigned long bitmap_size;
>+
> if ( !( p->flags & _BDF_BBX ) )
> {
> /* Missing BBX field. */
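Review bot: The new range check in the `@@ -1578` hunk of bdflib.c compares `p->glyph_enc` with `sizeof(p->have)*8`, a `size_t`; if `glyph_enc` is a signed type (its declaration is not in the hunk), the usual arithmetic conversions turn a negative ENCODING value, which BDF files use for unencoded glyphs, into a huge unsigned value, so such glyphs would now fail with `BDF_Err_Invalid_File_Format` instead of reaching the unencoded handling that follows. If negative values are meant to pass, compare against a signed bound, assuming `glyph_enc` is `long`: `if ( p->glyph_enc >= (long)( sizeof ( p->have ) * 8 ) )`, and let the existing code decide what to do with them. Either way the comment's `[0,65536]` is off by one, since the condition rejects `sizeof(p->have)*8` itself; what is enforced is `[0, sizeof(p->have)*8 - 1]`, i.e. 65535 when `have` is 8192 bytes. Unlike the BBX check in the `@@ -1839` hunk this rejection logs nothing, so an `FT_ERROR` with its own ERRMSG would make a rejected font diagnosable. The enclosing function continues outside the hunk.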
>@@ -1839,7 +1850,16 @@
>
> /* Allocate enough space for the bitmap. */
> glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
>- glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height );
>+
>+ bitmap_size = glyph->bpr * glyph->bbx.height;
>+ if ( bitmap_size > 0xFFFFU )
>+ {
>+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
>+ error = BDF_Err_Bbx_Too_Big;
>+ goto Exit;
>+ }
>+ else
>+ glyph->bytes = (unsigned short)bitmap_size;
>
> if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) )
> goto Exit;
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/cff/cffgload.c freetype-2.1.7/src/cff/cffgload.c
>--- freetype-2.1.7.orig/src/cff/cffgload.c 2003-08-06 19:27:14.000000000 +0200
>+++ freetype-2.1.7/src/cff/cffgload.c 2006-05-28 11:51:12.000000000 +0200
>@@ -2278,7 +2278,7 @@
> FT_LOCAL_DEF( FT_Error )
> cff_slot_load( CFF_GlyphSlot glyph,
> CFF_Size size,
>- FT_Int glyph_index,
>+ FT_UInt glyph_index,
> FT_Int32 load_flags )
> {
> FT_Error error;
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/cff/cffgload.h freetype-2.1.7/src/cff/cffgload.h
>--- freetype-2.1.7.orig/src/cff/cffgload.h 2003-06-03 13:51:42.000000000 +0200
>+++ freetype-2.1.7/src/cff/cffgload.h 2006-05-28 11:51:12.000000000 +0200
>@@ -200,7 +200,7 @@ FT_BEGIN_HEADER
> FT_LOCAL( FT_Error )
> cff_slot_load( CFF_GlyphSlot glyph,
> CFF_Size size,
>- FT_Int glyph_index,
>+ FT_UInt glyph_index,
> FT_Int32 load_flags );
>
>
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/sfnt/ttcmap0.c freetype-2.1.7/src/sfnt/ttcmap0.c
>--- freetype-2.1.7.orig/src/sfnt/ttcmap.c 2003-06-22 17:33:53.000000000 +0200
>+++ freetype-2.1.7/src/sfnt/ttcmap.c 2006-05-28 18:10:20.000000000 +0200
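Review bot: In the `@@ -1839` hunk of bdflib.c, `bitmap_size = glyph->bpr * glyph->bbx.height;` evaluates the product in the operands' promoted type and only then widens it to `unsigned long`; if `bpr` and `bbx.height` are 16-bit fields (the old line's `(unsigned short)` cast of the product suggests narrow operands, but the declarations are outside the hunk), they multiply as `int`, and a product above `INT_MAX` is signed overflow before the `> 0xFFFFU` test ever runs. Widen one operand first: `bitmap_size = (unsigned long)glyph->bpr * glyph->bbx.height;`. The `else` after `goto Exit;` is dead syntax and the assignment can simply follow the `if` block. The `FT_UInt glyph_index` change in the two cff hunks is consistent between definition and prototype. `_bdf_parse_glyphs` continues outside the hunk.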
>@@ -2144,9 +2144,7 @@
> charmap.encoding = FT_ENCODING_NONE; /* will be filled later */
> offset = TT_NEXT_ULONG( p );
>
>- if ( offset &&
>- table + offset + 2 < limit &&
>- table + offset >= table )
>+ if ( offset && offset <= face->cmap_size - 2 )
> {
> FT_Byte* cmap = table + offset;
> volatile FT_UInt format = TT_PEEK_USHORT( cmap );
>
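Review bot: The rewritten bound `offset <= face->cmap_size - 2` in the `@@ -2144` hunk wraps when `cmap_size` is 0 or 1 if `cmap_size` is an unsigned type (its declaration is not in the hunk), which would accept any `offset` and re-open the out-of-bounds read at `TT_PEEK_USHORT( cmap )` that the removed `table + offset + 2 < limit` test guarded against; unless the caller already rejects a cmap table shorter than its header, guard the subtraction: `if ( offset && face->cmap_size >= 2 && offset <= face->cmap_size - 2 )`. Separately, the `diff` command line names `src/sfnt/ttcmap0.c` while the `---`/`+++` headers name `src/sfnt/ttcmap.c`; patch tools take the file name from the headers, so this hunk is unlikely to apply to a tree where the file is still `ttcmap0.c` (the name the `diff` line shows for freetype-2.1.7) without fixing the header. The enclosing function continues outside the hunk.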