Группа :: Система/Библиотеки
Пакет: libfreetype
Патч: freetype-2.6.9-CVE-2009-0946-part0.patch
From 0545ec1ca36b27cb928128870a83e5f668980bc5 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 20 Mar 2009 06:49:10 +0100
Subject: [PATCH 1/2] Protect against invalid SID values in CFFs.
Problem reported by Tavis Ormandy <taviso@google.com>.
* src/cff/cffload.c (cff_charset_load): Reject SID values larger
than 64999.
---
src/cff/cffload.c | 29 ++++++++++++++++++++++++++++-
2 files changed, 37 insertions(+), 1 deletions(-)
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index 22163fb..24b899d 100644
--- a/src/cff/cffload.c
+++ b/src/cff/cffload.c
@@ -842,7 +842,20 @@
goto Exit;
for ( j = 1; j < num_glyphs; j++ )
- charset->sids[j] = FT_GET_USHORT();
+ {
+ FT_UShort sid = FT_GET_USHORT();
+
+
+ /* this constant is given in the CFF specification */
+ if ( sid < 65000 )
+ charset->sids[j] = sid;
+ else
+ {
+ FT_ERROR(( "cff_charset_load:"
+ " invalid SID value %d set to zero\n", sid ));
+ charset->sids[j] = 0;
+ }
+ }
FT_FRAME_EXIT();
}
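Review bot: The SID limit appears as the bare literal `65000` in `if ( sid < 65000 )`, and four more times in the range hunk that follows (`glyph_sid >= 65000`, `65000 - 1`, `65000 - nleft`, `65000 - 1 - glyph_sid`). Because every one of these is a bounds check on data read from the font, a single named constant would keep them from drifting apart in a later edit. A file-local definition such as `#define CFF_SID_LIMIT  65000  /* valid SIDs are 0..64999 (CFF spec) */` would do; the name is only a suggestion. The body of cff_charset_load starts and ends outside this hunk.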
@@ -875,6 +888,20 @@
goto Exit;
}
+ /* check whether the range contains at least one valid glyph; */
+ /* the constant is given in the CFF specification */
+ if ( glyph_sid >= 65000 ) {
+ FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
+ error = CFF_Err_Invalid_File_Format;
+ goto Exit;
+ }
+
+ /* try to rescue some of the SIDs if `nleft' is too large */
+ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
+ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
+ nleft = 65000 - 1 - glyph_sid;
+ }
+
/* Fill in the range of sids -- `nleft + 1' glyphs. */
for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
charset->sids[j] = glyph_sid;
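Review bot: The trimming code is correct only because of evaluation order, and nothing in the hunk says so. `65000 - nleft` cannot go below zero because `nleft > 65000 - 1` is tested first and short-circuits. `nleft = 65000 - 1 - glyph_sid` cannot go below zero because the `glyph_sid >= 65000` rejection runs before it. The declarations of `glyph_sid` and `nleft` are outside the hunk, but if they are unsigned, reordering either check would wrap around and defeat the bound. I would add a comment above the assignment, for example `/* glyph_sid < 65000 was enforced above, so this cannot wrap */`, and a matching remark on the `||` condition.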
--
1.6.1.3.GIT
From 0a05ba257b6ddd87dacf8d54b626e4b360e0a596 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 20 Mar 2009 07:19:45 +0100
Subject: [PATCH 2/2] Protect against malformed compressed data.
Problem reported by Tavis Ormandy <taviso@google.com>.
* src/lzw/ftzopen.c (ft_lzwstate_io): Test whether `state->prefix' is
zero.
---
src/lzw/ftzopen.c | 3 +++
2 files changed, 12 insertions(+), 0 deletions(-)
diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c
index fc78315..c0483de 100644
--- a/src/lzw/ftzopen.c
+++ b/src/lzw/ftzopen.c
@@ -332,6 +332,9 @@
while ( code >= 256U )
{
+ if ( !state->prefix )
+ goto Eof;
+
FTLZW_STACK_PUSH( state->suffix[code - 256] );
code = state->prefix[code - 256];
}
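Review bot: The added guard checks only that `state->prefix` is non-NULL; the index `code - 256` used on the next two lines is not compared with the table size anywhere in this hunk. Whether an earlier check in ft_lzwstate_io (outside the hunk) already bounds `code` is not visible here. If none does, a code taken from malformed compressed input could still index past the end of `suffix` and `prefix`. I would extend the test to something like `if ( !state->prefix || code - 256 >= <current table entry count> ) goto Eof;`, where the placeholder stands for whatever field holds the number of valid entries. The condition on `state->prefix` also looks loop-invariant, so it could be hoisted above the `while`.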
--
1.6.1.3.GIT