
From 0e2f5d518c60e2978f26400d110eff178fa7e3c3 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Thu, 06 Nov 2014 21:32:46 +0000
Subject: Fix Savannah bug #43547.
* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset'
values.
---
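diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index f63377b..8db31bd 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -151,6 +151,21 @@ THE SOFTWARE.
         break;
     }
 
+    /* we now check whether the `size' and `offset' values are reasonable: */
+    /* `offset' + `size' must not exceed the stream size                   */
+    tables = face->toc.tables;
+    for ( n = 0; n < toc->count; n++ )
+    {
+      /* we need two checks to avoid overflow */
+      if ( ( tables->size   > stream->size                ) ||
+           ( tables->offset > stream->size - tables->size ) )
+      {
+        error = PCF_Err_Invalid_Table;
+        goto Exit;
+      }
+      tables++;
+    }
+
 #ifdef FT_DEBUG_LEVEL_TRACE
 
     {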
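Review bot: The rejection path at `error = PCF_Err_Invalid_Table; goto Exit;` is silent, so a truncated or malformed PCF font fails with the same generic error as every other problem in this function; a trace line before the `goto`, e.g. `FT_TRACE0(( "pcf_read_TOC: table offset/size exceeds stream size\n" ));`, would make such rejections diagnosable in a debug build. The two-step comparison is overflow-safe only because all three operands are unsigned — which I expect they are, since `stream->size` and the table fields are FT_ULong in FreeType, but it is worth stating in the comment: `/* we need two checks to avoid overflow (all operands are unsigned) */`. Note that the check guarantees only that each table lies inside the stream; it does not reject overlapping or unordered tables, which may or may not be acceptable to the later table readers. pcf_read_TOC begins and ends outside the hunk, so the declarations of `tables` and `n` and the handling at `Exit` are not visible here.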
--