Attachment 89114 Details for Bug 124828 – CVE-2006-2493_integer-overflows.diff

[patch] CVE-2006-2493_integer-overflows.diff

CVE-2006-2493_integer-overflows.diff (text/plain), 4.21 KB, created by Donnie Berkholz (RETIRED) on 2006-06-13 21:09:13 UTC

(hide)

Description:

Filename:

MIME Type:

Creator: Donnie Berkholz (RETIRED)

Created: 2006-06-13 21:09:13 UTC

Size: 4.21 KB

patch

obsolete

>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/include/freetype/fterrdef.h freetype-2.1.7/include/freetype/fterrdef.h
>--- freetype-2.1.7.orig/include/freetype/fterrdef.h	2006-05-28 11:51:12.000000000 +0200
>+++ freetype-2.1.7/include/freetype/fterrdef.h	2006-05-28 12:15:30.000000000 +0200
>@@ -52,6 +52,8 @@
>                 "broken table" )
>   FT_ERRORDEF_( Invalid_Offset,                              0x09, \
>                 "broken offset within table" )
>+  FT_ERRORDEF_( Array_Too_Large,                             0x0A, \
>+                "array allocation size too large" )
> 
>   /* glyph/character errors */
> 
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/base/ftmac.c freetype-2.1.7/src/base/ftmac.c
>--- freetype-2.1.7.orig/src/base/ftmac.c	2003-06-07 07:13:21.000000000 +0200
>+++ freetype-2.1.7/src/base/ftmac.c	2006-05-28 12:15:31.000000000 +0200
>@@ -359,6 +359,7 @@
>     short          res_ref, res_id;
>     unsigned char  *buffer, *p, *size_p = NULL;
>     FT_ULong       total_size = 0;
>+    FT_ULong       old_total_size = 0;
>     FT_ULong       post_size, pfb_chunk_size;
>     Handle         post_data;
>     char           code, last_code;
>@@ -392,6 +393,15 @@
> 
>       total_size += GetHandleSize( post_data ) - 2;
>       last_code = code;
>+
>+      /* detect integer overflows */
>+      if ( total_size < old_total_size )
>+      {
>+        error = FT_Err_Array_Too_Large;
>+        goto Error;
>+      }
>+
>+      old_total_size = total_size;
>     }
> 
>     if ( FT_ALLOC( buffer, (FT_Long)total_size ) )
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/base/ftstream.c freetype-2.1.7/src/base/ftstream.c
>--- freetype-2.1.7.orig/src/base/ftstream.c	2002-03-30 14:16:35.000000000 +0100
>+++ freetype-2.1.7/src/base/ftstream.c	2006-05-28 15:15:25.000000000 +0200
>@@ -187,7 +187,12 @@
>       FT_Memory  memory = stream->memory;
> 
> 
>+#ifdef FT_DEBUG_MEMORY
>+      ft_mem_free( memory, *pbytes );
>+      *pbytes = NULL;
>+#else
>       FT_FREE( *pbytes );
>+#endif
>     }
>     *pbytes = 0;
>   }
>@@ -273,7 +278,12 @@
>       FT_Memory  memory = stream->memory;
> 
> 
>+#ifdef FT_DEBUG_MEMORY
>+      ft_mem_free( memory, stream->base );
>+      stream->base = NULL;
>+#else
>       FT_FREE( stream->base );
>+#endif
>     }
>     stream->cursor = 0;
>     stream->limit  = 0;
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/raster/ftrend1.c freetype-2.1.7/src/raster/ftrend1.c
>--- freetype-2.1.7.orig/src/raster/ftrend1.c	2003-06-18 08:59:56.000000000 +0200
>+++ freetype-2.1.7/src/raster/ftrend1.c	2006-05-28 15:50:05.000000000 +0200
>@@ -21,6 +21,7 @@
> #include FT_OUTLINE_H
> #include "ftrend1.h"
> #include "ftraster.h"
>+#include <limits.h>
> 
> #include "rasterrs.h"
> 
>@@ -175,6 +176,9 @@
>     bitmap->rows  = height;
>     bitmap->pitch = pitch;
> 
>+    if ((FT_ULong)pitch > LONG_MAX/height)
>+      goto Exit;
>+
>     if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) )
>       goto Exit;
> 
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/sfnt/ttpost.c freetype-2.1.7/src/sfnt/ttpost.c
>--- freetype-2.1.7.orig/src/sfnt/ttpost.c	2003-10-29 22:43:51.000000000 +0100
>+++ freetype-2.1.7/src/sfnt/ttpost.c	2006-05-28 15:48:22.000000000 +0200
>@@ -292,7 +292,7 @@
>       goto Exit;
>     }
> 
>-    if ( FT_ALLOC( offset_table, num_glyphs )       ||
>+    if ( FT_NEW_ARRAY( offset_table, num_glyphs )   ||
>          FT_STREAM_READ( offset_table, num_glyphs ) )
>       goto Fail;
> 
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/winfonts/winfnt.c freetype-2.1.7/src/winfonts/winfnt.c
>--- freetype-2.1.7.orig/src/winfonts/winfnt.c	2003-10-23 06:54:14.000000000 +0200
>+++ freetype-2.1.7/src/winfonts/winfnt.c	2006-05-28 15:50:15.000000000 +0200
>@@ -27,6 +27,8 @@
> #include FT_SERVICE_WINFNT_H
> #include FT_SERVICE_XFREE86_NAME_H
> 
>+#include <limits.h>
>+
>   /*************************************************************************/
>   /*                                                                       */
>   /* The macro FT_COMPONENT is used in trace mode.  It is an implicit      */
>@@ -614,6 +616,9 @@
> 
>       /* note: since glyphs are stored in columns and not in rows we */
>       /*       can't use ft_glyphslot_set_bitmap                     */
>+      if (pitch > LONG_MAX/bitmap->rows)
>+	goto Exit;
>+
>       if ( FT_ALLOC( bitmap->buffer, pitch * bitmap->rows ) )
>         goto Exit;
>

Actions: View | Diff

Attachments on bug 124828: 86118 | 86119 | 86120 | 86121 | 86122 | 86123 | 86201 | 89111 | 89112 | 89113 | 89114 | 89115