dirtyepic 09/05/03 18:37:40 |
Added: freetype-2.3.9-CVE-2009-0946.patch |
Log: |
CVE-2009-0946 (bug #263032). |
(Portage version: 2.2_rc32/cvs/Linux x86_64) |
Revision Changes Path |
1.1 media-libs/freetype/files/freetype-2.3.9-CVE-2009-0946.patch |
file : http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/freetype/files/freetype-2.3.9-CVE-2009-0946.patch?rev=1.1&view=markup |
plain: http://sources.gentoo.org/viewcvs.py/gentoo-x86/media-libs/freetype/files/freetype-2.3.9-CVE-2009-0946.patch?rev=1.1&content-type=text/plain |
Index: freetype-2.3.9-CVE-2009-0946.patch |
=================================================================== |
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0946 |
https://bugzilla.redhat.com/show_bug.cgi?id=491384 |
https://bugs.gentoo.org/show_bug.cgi?id=263032 |
--- freetype-2.3.9-orig/src/cff/cffload.c |
21 |
+++ freetype-2.3.9/src/cff/cffload.c |
22 |
@@ -842,7 +842,20 @@ |
23 |
goto Exit; |
24 |
|
25 |
for ( j = 1; j < num_glyphs; j++ ) |
26 |
- charset->sids[j] = FT_GET_USHORT(); |
27 |
+ { |
28 |
+ FT_UShort sid = FT_GET_USHORT(); |
29 |
+ |
30 |
+ |
31 |
+ /* this constant is given in the CFF specification */ |
32 |
+ if ( sid < 65000 ) |
33 |
+ charset->sids[j] = sid; |
34 |
+ else |
35 |
+ { |
36 |
+ FT_ERROR(( "cff_charset_load:" |
37 |
+ " invalid SID value %d set to zero\n", sid )); |
38 |
+ charset->sids[j] = 0; |
39 |
+ } |
40 |
+ } |
41 |
|
42 |
FT_FRAME_EXIT(); |
43 |
} |
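Review bot: The limit 65000 is written as a bare literal in the new `if ( sid < 65000 )` and three more times in the -875 hunk below, each time with a comment repeating that it comes from the CFF specification; one named file-scope constant (for example `#define CFF_MAX_SID  65000`, name constructed here) would keep the two checks in agreement and let the comment live in a single place. Within this hunk the two consecutive blank lines after the `FT_UShort sid = FT_GET_USHORT();` declaration could be collapsed to one, matching the single blank line used elsewhere in the function. The enclosing cff_charset_load starts outside the hunk, so the declarations of `charset->sids` and `num_glyphs` are not visible here.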
44 |
@@ -875,6 +888,20 @@ |
45 |
goto Exit; |
46 |
} |
47 |
|
48 |
+ /* check whether the range contains at least one valid glyph; */ |
49 |
+ /* the constant is given in the CFF specification */ |
50 |
+ if ( glyph_sid >= 65000 ) { |
51 |
+ FT_ERROR(( "cff_charset_load: invalid SID range\n" )); |
52 |
+ error = CFF_Err_Invalid_File_Format; |
53 |
+ goto Exit; |
54 |
+ } |
55 |
+ |
56 |
+ /* try to rescue some of the SIDs if `nleft' is too large */ |
57 |
+ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) { |
58 |
+ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" )); |
59 |
+ nleft = 65000 - 1 - glyph_sid; |
60 |
+ } |
61 |
+ |
62 |
/* Fill in the range of sids -- `nleft + 1' glyphs. */ |
63 |
for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ ) |
64 |
charset->sids[j] = glyph_sid; |
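Review bot: The two new checks open their block on the condition line (`if ( glyph_sid >= 65000 ) {` and `if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {`), while the surrounding code, including the `else` block added in the -842 hunk, puts `{` on its own line; move the braces down in both for consistency with the file. The second check logs an error and continues, so an over-long range is silently accepted with fewer glyphs than the font declared; whether the remaining `charset->sids[j]` entries are then filled by a later range or keep whatever the allocation left there depends on the outer loop and the allocation, both outside this hunk, and is worth confirming. A one-line comment such as `/* trim rather than reject: keep the font usable with the SIDs that are valid */` on that branch would record that the leniency is intentional.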
65 |
--- freetype-2.3.9-orig/src/lzw/ftzopen.c |
66 |
+++ freetype-2.3.9/src/lzw/ftzopen.c |
67 |
@@ -332,6 +332,9 @@ |
68 |
|
69 |
while ( code >= 256U ) |
70 |
{ |
71 |
+ if ( !state->prefix ) |
72 |
+ goto Eof; |
73 |
+ |
74 |
FTLZW_STACK_PUSH( state->suffix[code - 256] ); |
75 |
code = state->prefix[code - 256]; |
76 |
} |
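Review bot: The `!state->prefix` test added inside `while ( code >= 256U )` does not depend on anything the loop changes, so it is re-evaluated on every iteration for no benefit; placing it once above the loop, `if ( code >= 256U && !state->prefix ) goto Eof;`, gives the same control flow with the check read once. The guard handles a missing prefix table but says nothing about the index `code - 256` against that table's allocated size; whether `code` is already bounded by the reader that produced it is not visible in this hunk and should be confirmed. The enclosing function starts and ends outside the hunk.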
77 |
--- freetype-2.3.9-orig/src/sfnt/ttcmap.c |
78 |
+++ freetype-2.3.9/src/sfnt/ttcmap.c |
79 |
@@ -1635,7 +1635,7 @@ |
80 |
FT_INVALID_TOO_SHORT; |
81 |
|
82 |
length = TT_NEXT_ULONG( p ); |
83 |
- if ( table + length > valid->limit || length < 8208 ) |
84 |
+ if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 ) |
85 |
FT_INVALID_TOO_SHORT; |
86 |
|
87 |
is32 = table + 12; |
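Review bot: The new bound casts the pointer difference to `FT_UInt32` (`length > (FT_UInt32)( valid->limit - table )`), whereas the equivalent rewrites in the -1863, -2048, -2429 and -2491 hunks of this file cast to `FT_ULong`; using one type in all five keeps the promotion in the comparison identical across the validators, e.g. `if ( length > (FT_ULong)( valid->limit - table ) || length < 8192 + 16 )`. The rewritten form relies on `table` not being past `valid->limit` so the difference is non-negative before the cast; that is presumably established earlier in the validator, outside the hunk. Spelling 8208 as `8192 + 16` is an improvement, and a short comment saying what the two terms account for would finish it (the table layout is not shown in the hunk).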
88 |
@@ -1863,7 +1863,8 @@ |
89 |
p = table + 16; |
90 |
count = TT_NEXT_ULONG( p ); |
91 |
|
92 |
- if ( table + length > valid->limit || length < 20 + count * 2 ) |
93 |
+ if ( length > (FT_ULong)( valid->limit - table ) || |
94 |
+ length < 20 + count * 2 ) |
95 |
FT_INVALID_TOO_SHORT; |
96 |
|
97 |
/* check glyph indices */ |
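Review bot: The second condition, `length < 20 + count * 2`, can still wrap on platforms where `FT_ULong` is 32 bits: `count` comes straight from the font via `TT_NEXT_ULONG` (presumably a 32-bit field), so `count * 2` can overflow and the sum compares smaller than it should, letting an undersized table past the check that the `valid->limit - table` rewrite just repaired; the same shape appears in the -2048 (`16 + 12 * num_groups`), -2429 (`10 + 11 * num_selectors`) and -2491 (`numMappings * 4`) hunks. Dividing instead of multiplying avoids the wrap, e.g. `length < 20 || ( length - 20 ) / 2 < count`, with the matching form in the other three. The enclosing validator continues outside the hunk, where the `/* check glyph indices */` loop presumably walks `count` entries that this check is meant to cover.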
98 |
@@ -2048,7 +2049,8 @@ |
99 |
p = table + 12; |
100 |
num_groups = TT_NEXT_ULONG( p ); |
101 |
|
102 |
- if ( table + length > valid->limit || length < 16 + 12 * num_groups ) |
103 |
+ if ( length > (FT_ULong)( valid->limit - table ) || |
104 |
+ length < 16 + 12 * num_groups ) |
105 |
FT_INVALID_TOO_SHORT; |
106 |
|
107 |
/* check groups, they must be in increasing order */ |
108 |
@@ -2429,7 +2431,8 @@ |
109 |
FT_ULong num_selectors = TT_NEXT_ULONG( p ); |
110 |
|
111 |
|
112 |
- if ( table + length > valid->limit || length < 10 + 11 * num_selectors ) |
113 |
+ if ( length > (FT_ULong)( valid->limit - table ) || |
114 |
+ length < 10 + 11 * num_selectors ) |
115 |
FT_INVALID_TOO_SHORT; |
116 |
|
117 |
/* check selectors, they must be in increasing order */ |
118 |
@@ -2491,7 +2494,7 @@ |
119 |
FT_ULong i, lastUni = 0; |
120 |
|
121 |
|
122 |
- if ( ndp + numMappings * 4 > valid->limit ) |
123 |
+ if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ) |
124 |
FT_INVALID_TOO_SHORT; |
125 |
|
126 |
for ( i = 0; i < numMappings; ++i ) |
127 |
--- freetype-2.3.9-orig/src/smooth/ftsmooth.c |
128 |
+++ freetype-2.3.9/src/smooth/ftsmooth.c |
129 |
@@ -153,7 +153,7 @@ |
130 |
slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP; |
131 |
} |
132 |
|
133 |
- /* allocate new one, depends on pixel format */ |
134 |
+ /* allocate new one */ |
135 |
pitch = width; |
136 |
if ( hmul ) |
137 |
{ |
138 |
@@ -194,6 +194,13 @@ |
139 |
|
140 |
#endif |
141 |
|
142 |
+ if ( pitch > 0xFFFF || height > 0xFFFF ) |
143 |
+ { |
144 |
+ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n", |
145 |
+ width, height )); |
146 |
+ return Smooth_Err_Raster_Overflow; |
147 |
+ } |
148 |
+ |
149 |
bitmap->pixel_mode = FT_PIXEL_MODE_GRAY; |
150 |
bitmap->num_grays = 256; |
151 |
bitmap->width = width; |
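Review bot: The new guard rejects on `pitch` but the error message reports `width`; the -153 hunk shows `pitch = width; if ( hmul ) { ... }`, so when `hmul` is set the two differ and the logged dimensions would not show the value that tripped the check — include pitch in the message, e.g. `"ft_smooth_render_generic: glyph too large: %d x %d (pitch %d)\n", width, height, pitch`. The limit 0xFFFF is unexplained; a comment naming which bitmap field or raster restriction imposes a 16-bit bound would help, to be confirmed since the relevant declarations are outside the hunk. The `%d` conversions also assume `int`-sized operands, which likewise cannot be checked from here.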