rpms / freetype

Clone
Source Code
GIT

Blame SOURCES/freetype-2.4.11-CVE-2014-9674a.patch

c4 c5 c5-plus c6 c6-plus c7 c7-aarch64 c7-alt c7-beta c7-ppc64le c8 c8-beta c8s c9 c9-beta
  1.   15122352b96ca9a9cfe866df97ed27a932466469
  2.   SOURCES
  3.   freetype-2.4.11-CVE-2014-9674a.patch
Blob History Raw
43e195 
From 240c94a185cd8dae7d03059abec8a5662c35ecd3 Mon Sep 17 00:00:00 2001
43e195 
From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
43e195 
Date: Wed, 26 Nov 2014 06:43:29 +0000
43e195 
Subject: Fix Savannah bug #43538.
43e195
43e195 
* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
43e195 
by a broken POST table in resource-fork.
43e195 
---
43e195 
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
43e195 
index 4d60e88..ffbbc32 100644
43e195 
--- a/src/base/ftobjs.c
43e195 
+++ b/src/base/ftobjs.c
43e195 
@@ -1565,10 +1565,23 @@
43e195 
         goto Exit;
43e195 
       if ( FT_READ_LONG( temp ) )
43e195 
         goto Exit;
43e195 
+      if ( 0 > temp )
43e195 
+        error = FT_Err_Invalid_Offset;
43e195 
+      else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
43e195 
+        error = FT_Err_Array_Too_Large;
43e195 
+
43e195 
+      if ( error )
43e195 
+        goto Exit;
43e195 
+
43e195 
       pfb_len += temp + 6;
43e195 
     }
43e195
43e195 
-    if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
43e195 
+    if ( 0x7FFFFFFFL - 2 < pfb_len )
43e195 
+      error = FT_Err_Array_Too_Large;
43e195 
+    else
43e195 
+      error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
43e195 
+
43e195 
+    if ( error )
43e195 
       goto Exit;
43e195
43e195 
     pfb_data[0] = 0x80;
43e195 
--
43e195 
cgit v0.9.0.2

Powered by Pagure 5.14.1

SSH Hostkey/Fingerprint | Documentation