mirrors
/
tigervnc
mirror of https://github.com/TigerVNC/tigervnc.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 37 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2547 Commits
15 Branches
Tree: 1ff04d1b8a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1ff04d1b8a'
${ noResults }
tigervnc/contrib/packages/rpm/el5/SOURCES/freetype-2.3.11-CVE-2011-34...

freetype-2.3.11-CVE-2011-3439.patch 2.5KB
Raw Blame History

12345678910111213141516171819202122232425262728293031323334353637383940414243444546474849505152535455565758596061626364656667686970717273747576 
  1. --- freetype-2.3.11/src/cid/cidload.c	2009-07-03 15:28:24.000000000 +0200

  2. +++ freetype-2.3.11/src/cid/cidload.c	2011-11-15 12:58:41.000000000 +0100

  3. @@ -4,7 +4,7 @@

  4.  /*                                                                         */

  5.  /*    CID-keyed Type1 font loader (body).                                  */

  6.  /*                                                                         */

  7. -/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2009 by             */

  8. +/*  Copyright 1996-2006, 2009, 2011 by                                     */

  9.  /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */

  10.  /*                                                                         */

  11.  /*  This file is part of the FreeType project, and may only be used,       */

  12. @@ -110,7 +110,7 @@

  13.          CID_FaceDict  dict;

  14.  

  15.  

  16. -        if ( parser->num_dict < 0 )

  17. +        if ( parser->num_dict < 0 || parser->num_dict >= cid->num_dicts )

  18.          {

  19.            FT_ERROR(( "cid_load_keyword: invalid use of `%s'\n",

  20.                       keyword->ident ));

  21. @@ -158,7 +158,7 @@

  22.      FT_Fixed      temp_scale;

  23.  

  24.  

  25. -    if ( parser->num_dict >= 0 )

  26. +    if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )

  27.      {

  28.        dict   = face->cid.font_dicts + parser->num_dict;

  29.        matrix = &dict->font_matrix;

  30. @@ -249,7 +249,7 @@

  31.      CID_FaceDict  dict;

  32.  

  33.  

  34. -    if ( parser->num_dict >= 0 )

  35. +    if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )

  36.      {

  37.        dict = face->cid.font_dicts + parser->num_dict;

  38.  

  39. @@ -413,12 +413,25 @@

  40.        FT_Byte*      p;

  41.  

  42.  

  43. +      /* Check for possible overflow. */

  44. +      if ( num_subrs == FT_UINT_MAX )

  45. +      {

  46. +        error = CID_Err_Syntax_Error;

  47. +        goto Fail;

  48. +      }

  49. +

  50.        /* reallocate offsets array if needed */

  51.        if ( num_subrs + 1 > max_offsets )

  52.        {

  53.          FT_UInt  new_max = FT_PAD_CEIL( num_subrs + 1, 4 );

  54.  

  55.  

  56. +        if ( new_max <= max_offsets )

  57. +        {

  58. +          error = CID_Err_Syntax_Error;

  59. +          goto Fail;

  60. +        }

  61. +

  62.          if ( FT_RENEW_ARRAY( offsets, max_offsets, new_max ) )

  63.            goto Fail;

  64.  

  65. @@ -436,6 +449,11 @@

  66.  

  67.        FT_FRAME_EXIT();

  68.  

  69. +      /* offsets must be ordered */

  70. +      for ( count = 1; count <= num_subrs; count++ )

  71. +        if ( offsets[count - 1] > offsets[count] )

  72. +          goto Fail;

  73. +

  74.        /* now, compute the size of subrs charstrings, */

  75.        /* allocate, and read them                     */

  76.        data_len = offsets[num_subrs] - offsets[0];