mirrors
/
tigervnc
mirror of https://github.com/TigerVNC/tigervnc.git
Watch 1
Star 0
Fork 0
Code Issues 0 Releases 37 Wiki Activity
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
2547 Commits
15 Branches
Tree: 1ff04d1b8a
Branches Tags
${ item.name }
Create branch ${ searchTerm }
from '1ff04d1b8a'
${ noResults }
tigervnc/contrib/packages/rpm/el5/SOURCES/freetype-2.3.11-CVE-2012-11...

freetype-2.3.11-CVE-2012-1132.patch 4.6KB
Raw Blame History

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130 
  1. --- freetype-2.3.11/src/psaux/psobjs.c	2009-07-31 18:45:18.000000000 +0200

  2. +++ freetype-2.3.11/src/psaux/psobjs.c	2012-04-03 13:14:05.000000000 +0200

  3. @@ -4,7 +4,7 @@

  4.  /*                                                                         */

  5.  /*    Auxiliary functions for PostScript fonts (body).                     */

  6.  /*                                                                         */

  7. -/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */

  8. +/*  Copyright 1996-2012 by                                                 */

  9.  /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */

  10.  /*                                                                         */

  11.  /*  This file is part of the FreeType project, and may only be used,       */

  12. @@ -589,7 +589,7 @@

  13.      }

  14.  

  15.    Exit:

  16. -    if ( cur == parser->cursor )

  17. +    if ( cur < limit && cur == parser->cursor )

  18.      {

  19.        FT_ERROR(( "ps_parser_skip_PS_token:"

  20.                   " current token is `%c' which is self-delimiting\n"

  21. --- freetype-2.3.11/src/type1/t1load.c	2009-09-01 08:07:32.000000000 +0200

  22. +++ freetype-2.3.11/src/type1/t1load.c	2012-04-03 13:14:30.000000000 +0200

  23. @@ -71,6 +71,13 @@

  24.  #include "t1errors.h"

  25.  

  26.  

  27. +#ifdef FT_CONFIG_OPTION_INCREMENTAL

  28. +#define IS_INCREMENTAL  ( face->root.internal->incremental_interface != 0 )

  29. +#else

  30. +#define IS_INCREMENTAL  0

  31. +#endif

  32. +

  33. +

  34.    /*************************************************************************/

  35.    /*                                                                       */

  36.    /* The macro FT_COMPONENT is used in trace mode.  It is an implicit      */

  37. @@ -1027,7 +1034,8 @@

  38.    static int

  39.    read_binary_data( T1_Parser  parser,

  40.                      FT_Long*   size,

  41. -                    FT_Byte**  base )

  42. +                    FT_Byte**  base,

  43. +                    FT_Bool    incremental )

  44.    {

  45.      FT_Byte*  cur;

  46.      FT_Byte*  limit = parser->root.limit;

  47. @@ -1057,8 +1065,12 @@

  48.        return !parser->root.error;

  49.      }

  50.  

  51. -    FT_ERROR(( "read_binary_data: invalid size field\n" ));

  52. -    parser->root.error = T1_Err_Invalid_File_Format;

  53. +    if( !incremental )

  54. +    {

  55. +      FT_ERROR(( "read_binary_data: invalid size field\n" ));

  56. +      parser->root.error = T1_Err_Invalid_File_Format;

  57. +    }

  58. +

  59.      return 0;

  60.    }

  61.  

  62. @@ -1379,15 +1391,17 @@

  63.        FT_Byte*  base;

  64.  

  65.  

  66. -      /* If the next token isn't `dup' we are done. */

  67. -      if ( ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )

  68. +      /* If we are out of data, or if the next token isn't `dup', */

  69. +      /* we are done.                                             */

  70. +      if ( parser->root.cursor + 4 >= parser->root.limit          ||

  71. +          ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )

  72.          break;

  73.  

  74.        T1_Skip_PS_Token( parser );       /* `dup' */

  75.  

  76.        idx = T1_ToInt( parser );

  77.  

  78. -      if ( !read_binary_data( parser, &size, &base ) )

  79. +      if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )

  80.          return;

  81.  

  82.        /* The binary string is followed by one token, e.g. `NP' */

  83. @@ -1399,7 +1413,8 @@

  84.          return;

  85.        T1_Skip_Spaces  ( parser );

  86.  

  87. -      if ( ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )

  88. +      if ( parser->root.cursor + 4 < parser->root.limit            &&

  89. +           ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )

  90.        {

  91.          T1_Skip_PS_Token( parser ); /* skip `put' */

  92.          T1_Skip_Spaces  ( parser );

  93. @@ -1572,7 +1587,7 @@

  94.          cur++;                              /* skip `/' */

  95.          len = parser->root.cursor - cur;

  96.  

  97. -        if ( !read_binary_data( parser, &size, &base ) )

  98. +        if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )

  99.            return;

  100.  

  101.          /* for some non-standard fonts like `Optima' which provides */

  102. @@ -1861,7 +1876,7 @@

  103.  

  104.  

  105.          parser->root.cursor = start_binary;

  106. -        if ( !read_binary_data( parser, &s, &b ) )

  107. +        if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )

  108.            return T1_Err_Invalid_File_Format;

  109.          have_integer = 0;

  110.        }

  111. @@ -1874,7 +1889,7 @@

  112.  

  113.  

  114.          parser->root.cursor = start_binary;

  115. -        if ( !read_binary_data( parser, &s, &b ) )

  116. +        if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )

  117.            return T1_Err_Invalid_File_Format;

  118.          have_integer = 0;

  119.        }

  120. @@ -2148,9 +2163,7 @@

  121.        type1->subrs_len   = loader.subrs.lengths;

  122.      }

  123.  

  124. -#ifdef FT_CONFIG_OPTION_INCREMENTAL

  125. -    if ( !face->root.internal->incremental_interface )

  126. -#endif

  127. +    if ( !IS_INCREMENTAL )

  128.        if ( !loader.charstrings.init )

  129.        {

  130.          FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" ));