Gentoo's Bugzilla – Attachment 89114 Details for
Bug 124828
media-libs/freetype: integer overflows (CVE-2006-{0747|1861|2493|2661})
[patch]
CVE-2006-2493_integer-overflows.diff
CVE-2006-2493_integer-overflows.diff (text/plain), 4.21 KB, created by
Donnie Berkholz (RETIRED)
on 2006-06-13 21:09:13 UTC
Description:
CVE-2006-2493_integer-overflows.diff
Filename:
MIME Type:
Creator:
Donnie Berkholz (RETIRED)
Created:
2006-06-13 21:09:13 UTC
Size:
4.21 KB
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/include/freetype/fterrdef.h freetype-2.1.7/include/freetype/fterrdef.h
>--- freetype-2.1.7.orig/include/freetype/fterrdef.h 2006-05-28 11:51:12.000000000 +0200
>+++ freetype-2.1.7/include/freetype/fterrdef.h 2006-05-28 12:15:30.000000000 +0200
>@@ -52,6 +52,8 @@
> "broken table" )
> FT_ERRORDEF_( Invalid_Offset, 0x09, \
> "broken offset within table" )
>+ FT_ERRORDEF_( Array_Too_Large, 0x0A, \
>+ "array allocation size too large" )
>
> /* glyph/character errors */
>
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/base/ftmac.c freetype-2.1.7/src/base/ftmac.c
>--- freetype-2.1.7.orig/src/base/ftmac.c 2003-06-07 07:13:21.000000000 +0200
>+++ freetype-2.1.7/src/base/ftmac.c 2006-05-28 12:15:31.000000000 +0200
>@@ -359,6 +359,7 @@
> short res_ref, res_id;
> unsigned char *buffer, *p, *size_p = NULL;
> FT_ULong total_size = 0;
>+ FT_ULong old_total_size = 0;
> FT_ULong post_size, pfb_chunk_size;
> Handle post_data;
> char code, last_code;
>@@ -392,6 +393,15 @@
>
> total_size += GetHandleSize( post_data ) - 2;
> last_code = code;
>+
>+ /* detect integer overflows */
>+ if ( total_size < old_total_size )
>+ {
>+ error = FT_Err_Array_Too_Large;
>+ goto Error;
>+ }
>+
>+ old_total_size = total_size;
> }
>
> if ( FT_ALLOC( buffer, (FT_Long)total_size ) )
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/base/ftstream.c freetype-2.1.7/src/base/ftstream.c
>--- freetype-2.1.7.orig/src/base/ftstream.c 2002-03-30 14:16:35.000000000 +0100
>+++ freetype-2.1.7/src/base/ftstream.c 2006-05-28 15:15:25.000000000 +0200
>@@ -187,7 +187,12 @@
> FT_Memory memory = stream->memory;
>
>
>+#ifdef FT_DEBUG_MEMORY
>+ ft_mem_free( memory, *pbytes );
>+ *pbytes = NULL;
>+#else
> FT_FREE( *pbytes );
>+#endif
> }
> *pbytes = 0;
> }
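Review bot: The wraparound test in the ftmac.c `@@ -392` hunk only catches a sum that wrapped past the top of `FT_ULong`, but the allocation that follows casts the total with `(FT_Long)total_size`, so a total above `LONG_MAX` that did not wrap still passes the check and reaches `FT_ALLOC` as a negative size. The guard should also bound the value to the positive signed range, e.g. `if ( total_size < old_total_size || total_size > (FT_ULong)LONG_MAX )`, which would need `<limits.h>` in ftmac.c as the patch already adds it to ftrend1.c. How `FT_ALLOC` treats a negative size is not visible here, so the impact is inferred. The enclosing function starts and ends outside the hunk.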
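Review bot: The `#ifdef FT_DEBUG_MEMORY` branch added in the ftstream.c `@@ -187` hunk has no comment saying why debug builds call `ft_mem_free` directly instead of `FT_FREE`, and the change is not obviously related to the integer-overflow fix the patch is named for. A short comment above the `#ifdef` stating the reason would keep a later maintainer from collapsing the two branches again. The added `*pbytes = NULL;` also looks redundant, since the context line `*pbytes = 0;` after the closing brace clears the pointer on both paths. The same `#ifdef` pattern is repeated for `stream->base` in the `@@ -273` hunk; both enclosing functions start outside their hunks.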
>@@ -273,7 +278,12 @@
> FT_Memory memory = stream->memory;
>
>
>+#ifdef FT_DEBUG_MEMORY
>+ ft_mem_free( memory, stream->base );
>+ stream->base = NULL;
>+#else
> FT_FREE( stream->base );
>+#endif
> }
> stream->cursor = 0;
> stream->limit = 0;
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/raster/ftrend1.c freetype-2.1.7/src/raster/ftrend1.c
>--- freetype-2.1.7.orig/src/raster/ftrend1.c 2003-06-18 08:59:56.000000000 +0200
>+++ freetype-2.1.7/src/raster/ftrend1.c 2006-05-28 15:50:05.000000000 +0200
>@@ -21,6 +21,7 @@
> #include FT_OUTLINE_H
> #include "ftrend1.h"
> #include "ftraster.h"
>+#include <limits.h>
>
> #include "rasterrs.h"
>
>@@ -175,6 +176,9 @@
> bitmap->rows = height;
> bitmap->pitch = pitch;
>
>+ if ((FT_ULong)pitch > LONG_MAX/height)
>+ goto Exit;
>+
> if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) )
> goto Exit;
>
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/sfnt/ttpost.c freetype-2.1.7/src/sfnt/ttpost.c
>--- freetype-2.1.7.orig/src/sfnt/ttpost.c 2003-10-29 22:43:51.000000000 +0100
>+++ freetype-2.1.7/src/sfnt/ttpost.c 2006-05-28 15:48:22.000000000 +0200
>@@ -292,7 +292,7 @@
> goto Exit;
> }
>
>- if ( FT_ALLOC( offset_table, num_glyphs ) ||
>+ if ( FT_NEW_ARRAY( offset_table, num_glyphs ) ||
> FT_STREAM_READ( offset_table, num_glyphs ) )
> goto Fail;
>
>diff -u -p -Nr --exclude CVS freetype-2.1.7.orig/src/winfonts/winfnt.c freetype-2.1.7/src/winfonts/winfnt.c
>--- freetype-2.1.7.orig/src/winfonts/winfnt.c 2003-10-23 06:54:14.000000000 +0200
>+++ freetype-2.1.7/src/winfonts/winfnt.c 2006-05-28 15:50:15.000000000 +0200
>@@ -27,6 +27,8 @@
> #include FT_SERVICE_WINFNT_H
> #include FT_SERVICE_XFREE86_NAME_H
>
>+#include <limits.h>
>+
> /*************************************************************************/
> /* */
> /* The macro FT_COMPONENT is used in trace mode. It is an implicit */
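Review bot: The new guard `if ((FT_ULong)pitch > LONG_MAX/height)` in the ftrend1.c `@@ -175` hunk divides by `height` with no zero check and jumps to `Exit` without assigning `error`. If `height` can be zero for an empty bounding box the division is undefined, and if `error` is still 0 at this point (its prior value is outside the hunk) the function would report success with `bitmap->rows` and `bitmap->pitch` already set but no buffer allocated. Something like `if ( height > 0 && (FT_ULong)pitch > LONG_MAX / height ) { error = <module form of Array_Too_Large>; goto Exit; }` would close both gaps, using the error code this patch adds to fterrdef.h. The winfnt.c `@@ -614` hunk has the same shape with `pitch > LONG_MAX/bitmap->rows` followed by a bare `goto Exit;` and needs the same treatment.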
>@@ -614,6 +616,9 @@
>
> /* note: since glyphs are stored in columns and not in rows we */
> /* can't use ft_glyphslot_set_bitmap */
>+ if (pitch > LONG_MAX/bitmap->rows)
>+ goto Exit;
>+
> if ( FT_ALLOC( bitmap->buffer, pitch * bitmap->rows ) )
> goto Exit;
>