| 1 |
dirtyepic 09/05/03 18:37:40 |
| 2 |
|
| 3 |
Added: freetype-2.3.9-CVE-2009-0946.patch |
| 4 |
Log: |
| 5 |
CVE-2009-0946 (bug #263032). |
| 6 |
(Portage version: 2.2_rc32/cvs/Linux x86_64) |
| 7 |
|
| 8 |
Revision Changes Path |
| 9 |
1.1 media-libs/freetype/files/freetype-2.3.9-CVE-2009-0946.patch |
| 10 |
|
| 11 |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/freetype/files/freetype-2.3.9-CVE-2009-0946.patch?rev=1.1&view=markup |
| 12 |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/freetype/files/freetype-2.3.9-CVE-2009-0946.patch?rev=1.1&content-type=text/plain |
| 13 |
|
| 14 |
Index: freetype-2.3.9-CVE-2009-0946.patch |
| 15 |
=================================================================== |
| 16 |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0946 |
| 17 |
https://bugzilla.redhat.com/show_bug.cgi?id=491384 |
| 18 |
https://bugs.gentoo.org/show_bug.cgi?id=263032 |
| 19 |
|
| 20 |
--- freetype-2.3.9-orig/src/cff/cffload.c |
| 21 |
+++ freetype-2.3.9/src/cff/cffload.c |
| 22 |
@@ -842,7 +842,20 @@ |
| 23 |
goto Exit; |
| 24 |
|
| 25 |
for ( j = 1; j < num_glyphs; j++ ) |
| 26 |
- charset->sids[j] = FT_GET_USHORT(); |
| 27 |
+ { |
| 28 |
+ FT_UShort sid = FT_GET_USHORT(); |
| 29 |
+ |
| 30 |
+ |
| 31 |
+ /* this constant is given in the CFF specification */ |
| 32 |
+ if ( sid < 65000 ) |
| 33 |
+ charset->sids[j] = sid; |
| 34 |
+ else |
| 35 |
+ { |
| 36 |
+ FT_ERROR(( "cff_charset_load:" |
| 37 |
+ " invalid SID value %d set to zero\n", sid )); |
| 38 |
+ charset->sids[j] = 0; |
| 39 |
+ } |
| 40 |
+ } |
| 41 |
|
| 42 |
FT_FRAME_EXIT(); |
| 43 |
} |
| 44 |
@@ -875,6 +888,20 @@ |
| 45 |
goto Exit; |
| 46 |
} |
| 47 |
|
| 48 |
+ /* check whether the range contains at least one valid glyph; */ |
| 49 |
+ /* the constant is given in the CFF specification */ |
| 50 |
+ if ( glyph_sid >= 65000 ) { |
| 51 |
+ FT_ERROR(( "cff_charset_load: invalid SID range\n" )); |
| 52 |
+ error = CFF_Err_Invalid_File_Format; |
| 53 |
+ goto Exit; |
| 54 |
+ } |
| 55 |
+ |
| 56 |
+ /* try to rescue some of the SIDs if `nleft' is too large */ |
| 57 |
+ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) { |
| 58 |
+ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" )); |
| 59 |
+ nleft = 65000 - 1 - glyph_sid; |
| 60 |
+ } |
| 61 |
+ |
| 62 |
/* Fill in the range of sids -- `nleft + 1' glyphs. */ |
| 63 |
for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ ) |
| 64 |
charset->sids[j] = glyph_sid; |
| 65 |
--- freetype-2.3.9-orig/src/lzw/ftzopen.c |
| 66 |
+++ freetype-2.3.9/src/lzw/ftzopen.c |
| 67 |
@@ -332,6 +332,9 @@ |
| 68 |
|
| 69 |
while ( code >= 256U ) |
| 70 |
{ |
| 71 |
+ if ( !state->prefix ) |
| 72 |
+ goto Eof; |
| 73 |
+ |
| 74 |
FTLZW_STACK_PUSH( state->suffix[code - 256] ); |
| 75 |
code = state->prefix[code - 256]; |
| 76 |
} |
| 77 |
--- freetype-2.3.9-orig/src/sfnt/ttcmap.c |
| 78 |
+++ freetype-2.3.9/src/sfnt/ttcmap.c |
| 79 |
@@ -1635,7 +1635,7 @@ |
| 80 |
FT_INVALID_TOO_SHORT; |
| 81 |
|
| 82 |
length = TT_NEXT_ULONG( p ); |
| 83 |
- if ( table + length > valid->limit || length < 8208 ) |
| 84 |
+ if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 ) |
| 85 |
FT_INVALID_TOO_SHORT; |
| 86 |
|
| 87 |
is32 = table + 12; |
| 88 |
@@ -1863,7 +1863,8 @@ |
| 89 |
p = table + 16; |
| 90 |
count = TT_NEXT_ULONG( p ); |
| 91 |
|
| 92 |
- if ( table + length > valid->limit || length < 20 + count * 2 ) |
| 93 |
+ if ( length > (FT_ULong)( valid->limit - table ) || |
| 94 |
+ length < 20 + count * 2 ) |
| 95 |
FT_INVALID_TOO_SHORT; |
| 96 |
|
| 97 |
/* check glyph indices */ |
| 98 |
@@ -2048,7 +2049,8 @@ |
| 99 |
p = table + 12; |
| 100 |
num_groups = TT_NEXT_ULONG( p ); |
| 101 |
|
| 102 |
- if ( table + length > valid->limit || length < 16 + 12 * num_groups ) |
| 103 |
+ if ( length > (FT_ULong)( valid->limit - table ) || |
| 104 |
+ length < 16 + 12 * num_groups ) |
| 105 |
FT_INVALID_TOO_SHORT; |
| 106 |
|
| 107 |
/* check groups, they must be in increasing order */ |
| 108 |
@@ -2429,7 +2431,8 @@ |
| 109 |
FT_ULong num_selectors = TT_NEXT_ULONG( p ); |
| 110 |
|
| 111 |
|
| 112 |
- if ( table + length > valid->limit || length < 10 + 11 * num_selectors ) |
| 113 |
+ if ( length > (FT_ULong)( valid->limit - table ) || |
| 114 |
+ length < 10 + 11 * num_selectors ) |
| 115 |
FT_INVALID_TOO_SHORT; |
| 116 |
|
| 117 |
/* check selectors, they must be in increasing order */ |
| 118 |
@@ -2491,7 +2494,7 @@ |
| 119 |
FT_ULong i, lastUni = 0; |
| 120 |
|
| 121 |
|
| 122 |
- if ( ndp + numMappings * 4 > valid->limit ) |
| 123 |
+ if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ) |
| 124 |
FT_INVALID_TOO_SHORT; |
| 125 |
|
| 126 |
for ( i = 0; i < numMappings; ++i ) |
| 127 |
--- freetype-2.3.9-orig/src/smooth/ftsmooth.c |
| 128 |
+++ freetype-2.3.9/src/smooth/ftsmooth.c |
| 129 |
@@ -153,7 +153,7 @@ |
| 130 |
slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP; |
| 131 |
} |
| 132 |
|
| 133 |
- /* allocate new one, depends on pixel format */ |
| 134 |
+ /* allocate new one */ |
| 135 |
pitch = width; |
| 136 |
if ( hmul ) |
| 137 |
{ |
| 138 |
@@ -194,6 +194,13 @@ |
| 139 |
|
| 140 |
#endif |
| 141 |
|
| 142 |
+ if ( pitch > 0xFFFF || height > 0xFFFF ) |
| 143 |
+ { |
| 144 |
+ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n", |
| 145 |
+ width, height )); |
| 146 |
+ return Smooth_Err_Raster_Overflow; |
| 147 |
+ } |
| 148 |
+ |
| 149 |
bitmap->pixel_mode = FT_PIXEL_MODE_GRAY; |
| 150 |
bitmap->num_grays = 256; |
| 151 |
bitmap->width = width; |
Archives