Blame SOURCES/freetype-2.4.11-CVE-2014-9673.patch
|
 |
43e195 |
From 35252ae9aa1dd9343e9f4884e9ddb1fee10ef415 Mon Sep 17 00:00:00 2001
|
|
|
43e195 |
From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
|
|
|
43e195 |
Date: Wed, 26 Nov 2014 06:52:23 +0000
|
|
|
43e195 |
Subject: Fix Savannah bug #43539.
|
|
|
43e195 |
|
|
|
43e195 |
* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
|
|
|
43e195 |
by a broken POST table in resource-fork.
|
|
|
43e195 |
---
|
|
|
43e195 |
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
|
|
|
43e195 |
index ffbbc32..922216e 100644
|
|
|
43e195 |
--- a/src/base/ftobjs.c
|
|
|
43e195 |
+++ b/src/base/ftobjs.c
|
|
|
43e195 |
@@ -1589,6 +1589,11 @@
|
|
|
43e195 |
goto Exit2;
|
|
|
43e195 |
if ( FT_READ_LONG( rlen ) )
|
|
|
43e195 |
goto Exit;
|
|
|
43e195 |
+ if ( rlen < 0 )
|
|
|
43e195 |
+ {
|
|
|
43e195 |
+ error = FT_Err_Invalid_Offset;
|
|
|
43e195 |
+ goto Exit2;
|
|
|
43e195 |
+ }
|
|
|
43e195 |
if ( FT_READ_USHORT( flags ) )
|
|
|
43e195 |
goto Exit;
|
|
|
43e195 |
FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
|
|
|
43e195 |
@@ -1606,7 +1611,14 @@
|
|
|
43e195 |
rlen = 0;
|
|
|
43e195 |
|
|
|
43e195 |
if ( ( flags >> 8 ) == type )
|
|
|
43e195 |
+ {
|
|
|
43e195 |
+ if ( 0x7FFFFFFFL - rlen < len )
|
|
|
43e195 |
+ {
|
|
|
43e195 |
+ error = FT_Err_Array_Too_Large;
|
|
|
43e195 |
+ goto Exit2;
|
|
|
43e195 |
+ }
|
|
|
43e195 |
len += rlen;
|
|
|
43e195 |
+ }
|
|
|
43e195 |
else
|
|
|
43e195 |
{
|
|
|
43e195 |
if ( pfb_lenpos + 3 > pfb_len + 2 )
|
|
|
43e195 |
@@ -1635,6 +1647,11 @@
|
|
|
43e195 |
}
|
|
|
43e195 |
|
|
|
43e195 |
error = FT_Err_Cannot_Open_Resource;
|
|
|
43e195 |
+ if ( rlen > 0x7FFFFFFFL - pfb_pos )
|
|
|
43e195 |
+ {
|
|
|
43e195 |
+ error = FT_Err_Array_Too_Large;
|
|
|
43e195 |
+ goto Exit2;
|
|
|
43e195 |
+ }
|
|
|
43e195 |
if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
|
|
|
43e195 |
goto Exit2;
|
|
|
43e195 |
|
|
|
43e195 |
--
|
|
|
43e195 |
cgit v0.9.0.2
|