Blame SOURCES/freetype-2.4.11-CVE-2014-9674b.patch

From cd4a5a26e591d01494567df9dec7f72d59551f6e Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 15:20:48 +0000
Subject: * src/base/ftobj.c (Mac_Read_POST_Resource): Additional
overflow check in the summation of POST fragment lengths,
suggested by Mateusz Jurczyk <mjurczyk@google.com>.
---
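diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 4321126..b28216a 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1566,8 +1566,10 @@
       if ( FT_READ_ULONG( temp ) )
         goto Exit;
       FT_TRACE4(( "                 POST fragment #%d: length=0x%08x\n", i, temp));
-      if ( 0x7FFFFFFFUL < temp )
+      if ( 0x7FFFFFFFUL < temp || pfb_len + temp + 6 < pfb_len )
       {
+        FT_TRACE2(( "             too long fragment length makes"
+                    " pfb_len confused: temp=0x%08x\n", temp ));
         error = FT_Err_Invalid_Offset;
         goto Exit;
       }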
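Review bot: The wraparound test `pfb_len + temp + 6 < pfb_len` in the new condition only fires when the sum overflows the variables' own type, and their declarations are outside this hunk; if they are `unsigned long` on an LP64 build, fragments that each stay below 0x7FFFFFFF never make the sum wrap, so the accumulated `pfb_len` could still grow past what later size computations or casts can hold. An explicit bound does not depend on the type width, for example `if ( 0x7FFFFFFFUL - 6 < temp || 0x7FFFFFFFUL - 6 - temp < pfb_len )`. The `%08x` in the added FT_TRACE2 expects an `unsigned int`, so if `temp` is a long type the argument should be cast or the specifier changed. Mac_Read_POST_Resource starts and ends outside the hunk, so how `pfb_len` is used after the loop should be confirmed there.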
--
cgit v0.9.0.2