Группа :: Система/Библиотеки
Пакет: libfreetype
Патч: freetype-2.6.9-CVE-2009-0946-part1.patch
From a18788b14db60ae3673f932249cd02d33a227c4e Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 20 Mar 2009 08:03:58 +0100
Subject: [PATCH 1/2] Fix validation for various cmap table formats.
* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
tt_cmap12_validate): Check `length' correctly.
(tt_cmap_14_validate): Check `length' and `numMappings' correctly.
---
src/sfnt/ttcmap.c | 13 ++++++++-----
2 files changed, 17 insertions(+), 5 deletions(-)
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 6830391..1bd2ce7 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -1635,7 +1635,7 @@
FT_INVALID_TOO_SHORT;
length = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 8208 )
+ if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
FT_INVALID_TOO_SHORT;
is32 = table + 12;
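Review bot: The new upper-bound test casts the pointer difference to `(FT_UInt32)`, while the four other rewritten checks in this patch cast to `(FT_ULong)`. Using the same cast here keeps the comparisons uniform and avoids narrowing the difference where FT_ULong is wider than 32 bits: `if ( length > (FT_ULong)( valid->limit - table ) || length < 8192 + 16 )`. The subtraction also relies on `table <= valid->limit`, which is presumably guaranteed by the check that ends on the hunk's first line, but that condition lies outside the hunk. A short comment on `8192 + 16` saying which fields the two terms cover would help the next reader.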
@@ -1863,7 +1863,8 @@
p = table + 16;
count = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 20 + count * 2 )
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+ length < 20 + count * 2 )
FT_INVALID_TOO_SHORT;
/* check glyph indices */
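Review bot: The lower-bound half of the new check, `length < 20 + count * 2`, can still wrap, because `count` is read straight from the font with TT_NEXT_ULONG. On builds where FT_ULong is 32 bits wide, a large `count` makes `20 + count * 2` overflow to a small number and the test passes. Dividing instead of multiplying avoids this: `length < 20 || ( length - 20 ) / 2 < count`. The same pattern remains in the hunks at 2049 (`16 + 12 * num_groups`), 2431 (`10 + 11 * num_selectors`) and 2494 (`numMappings * 4`); the equivalents are `( length - 16 ) / 12 < num_groups`, `( length - 10 ) / 11 < num_selectors` and `numMappings > (FT_ULong)( valid->limit - ndp ) / 4`, the first two preceded by a minimum-length guard. The enclosing functions start and end outside these hunks, so the declared widths of `count` and `numMappings` are assumed rather than visible.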
@@ -2048,7 +2049,8 @@
p = table + 12;
num_groups = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 16 + 12 * num_groups )
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+ length < 16 + 12 * num_groups )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
@@ -2429,7 +2431,8 @@
FT_ULong num_selectors = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+ length < 10 + 11 * num_selectors )
FT_INVALID_TOO_SHORT;
/* check selectors, they must be in increasing order */
@@ -2491,7 +2494,7 @@
FT_ULong i, lastUni = 0;
- if ( ndp + numMappings * 4 > valid->limit )
+ if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
FT_INVALID_TOO_SHORT;
for ( i = 0; i < numMappings; ++i )
--
1.6.1.3.GIT
From 79972af4f0485a11dcb19551356c45245749fc5b Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 20 Mar 2009 08:21:37 +0100
Subject: [PATCH 2/2] Protect against too large glyphs.
Problem reported by Tavis Ormandy <taviso@google.com>.
* src/smooth/ftsmooth.c (ft_smooth_render_generic): Don't allow
`width' or `pitch' to be larger than 0xFFFF.
---
src/smooth/ftsmooth.c | 9 ++++++++-
2 files changed, 17 insertions(+), 3 deletions(-)
diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
index a6db504..cacc490 100644
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -153,7 +153,7 @@
slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
}
- /* allocate new one, depends on pixel format */
+ /* allocate new one */
pitch = width;
if ( hmul )
{
@@ -194,6 +194,13 @@
#endif
+ if ( pitch > 0xFFFF || height > 0xFFFF )
+ {
+ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
+ width, height ));
+ return Smooth_Err_Raster_Overflow;
+ }
+
bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
bitmap->num_grays = 256;
bitmap->width = width;
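Review bot: The added guard tests `pitch` and `height`, but the FT_ERROR message prints `width` and `height`. If `pitch` was enlarged from `width` earlier in the function, the log shows a value that did not trigger the rejection; passing `pitch, height` as the arguments would report what was checked. The commit description says `width' or `pitch' while the code bounds `pitch` and `height`, so a comment above the check such as `/* reject bitmaps whose pitch or height exceeds 0xFFFF */`, extended with the reason for that limit, would settle which is intended. The declarations are outside the hunk; if these variables are unsigned, `%d` should be `%u`.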
--
1.6.1.3.GIT