File bnc629447_CVE-2010-2807.diff of Package freetype2
From 346f1867fd32dae8f56e5b482d1af98f626804ac Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Thu, 05 Aug 2010 22:47:57 +0000
Subject: Fix Savannah bug #30657.
* src/truetype/ttinterp.c (BOUNDSL): New macro.
Change `BOUNDS' to `BOUNDSL' where appropriate.
* src/truetype/ttinterp.h (TT_ExecContextRec): Fix type of
`cvtSize'.
---
---
src/truetype/ttinterp.c | 103 ++++++++++++++++++++++++------------------------
src/truetype/ttinterp.h | 2
2 files changed, 53 insertions(+), 52 deletions(-)
Index: freetype-2.3.9/src/truetype/ttinterp.c
===================================================================
--- freetype-2.3.9.orig/src/truetype/ttinterp.c
+++ freetype-2.3.9/src/truetype/ttinterp.c
@@ -223,9 +223,10 @@
/*************************************************************************/
/* */
- /* A simple bounds-checking macro. */
+ /* Two simple bounds-checking macros. */
/* */
-#define BOUNDS( x, n ) ( (FT_UInt)(x) >= (FT_UInt)(n) )
+#define BOUNDS( x, n ) ( (FT_UInt)(x) >= (FT_UInt)(n) )
+#define BOUNDSL( x, n ) ( (FT_ULong)(x) >= (FT_ULong)(n) )
#undef SUCCESS
#define SUCCESS 0
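Review bot: The new comment says there are two bounds-checking macros but not when each applies, and BOUNDS is still used with stack values elsewhere in this file (for instance `if ( BOUNDS( args[0], 2 ) )` in Ins_SHZ, in the hunk at @@ -5468). Because BOUNDS casts both operands to FT_UInt, on an LP64 target a wider operand is truncated before the comparison, which is exactly what BOUNDSL avoids, and a one-line rule would keep future call sites on the right macro: `/* BOUNDS truncates both operands to FT_UInt; use BOUNDSL whenever the index or the limit is an FT_Long/FT_ULong. */`. That args[] holds FT_Long values is inferred from the `(FT_ULong)args[0]` casts in the DO_RS/DO_WS hunk; its declaration is outside this diff and should be confirmed.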
@@ -2995,39 +2996,39 @@
args[0] = FT_PIX_CEIL( args[0] );
-#define DO_RS \
- { \
- FT_ULong I = (FT_ULong)args[0]; \
- \
- \
- if ( BOUNDS( I, CUR.storeSize ) ) \
- { \
- if ( CUR.pedantic_hinting ) \
- { \
- ARRAY_BOUND_ERROR; \
- } \
- else \
- args[0] = 0; \
- } \
- else \
- args[0] = CUR.storage[I]; \
+#define DO_RS \
+ { \
+ FT_ULong I = (FT_ULong)args[0]; \
+ \
+ \
+ if ( BOUNDSL( I, CUR.storeSize ) ) \
+ { \
+ if ( CUR.pedantic_hinting ) \
+ { \
+ ARRAY_BOUND_ERROR; \
+ } \
+ else \
+ args[0] = 0; \
+ } \
+ else \
+ args[0] = CUR.storage[I]; \
}
-#define DO_WS \
- { \
- FT_ULong I = (FT_ULong)args[0]; \
- \
- \
- if ( BOUNDS( I, CUR.storeSize ) ) \
- { \
- if ( CUR.pedantic_hinting ) \
- { \
- ARRAY_BOUND_ERROR; \
- } \
- } \
- else \
- CUR.storage[I] = args[1]; \
+#define DO_WS \
+ { \
+ FT_ULong I = (FT_ULong)args[0]; \
+ \
+ \
+ if ( BOUNDSL( I, CUR.storeSize ) ) \
+ { \
+ if ( CUR.pedantic_hinting ) \
+ { \
+ ARRAY_BOUND_ERROR; \
+ } \
+ } \
+ else \
+ CUR.storage[I] = args[1]; \
}
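Review bot: DO_RS and DO_WS now compare against CUR.storeSize through BOUNDSL, but unlike cvtSize (changed to FT_ULong in ttinterp.h below) storeSize is not touched by this commit and its declaration is outside the diff. If storeSize is FT_UInt or FT_UShort the widened check is fine; if it is a signed FT_Long like cvtSize was, the FT_ULong cast inside BOUNDSL still works for non-negative sizes, but a negative value would become an enormous limit and every index would pass. I would either confirm the declaration or give storeSize the same FT_ULong treatment as cvtSize so the two limits are typed consistently. The cvtSize macros in the hunks at @@ -3036, -3055 and -3072 are covered by the header change and need nothing further.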
@@ -3036,7 +3037,7 @@
FT_ULong I = (FT_ULong)args[0]; \
\
\
- if ( BOUNDS( I, CUR.cvtSize ) ) \
+ if ( BOUNDSL( I, CUR.cvtSize ) ) \
{ \
if ( CUR.pedantic_hinting ) \
{ \
@@ -3055,7 +3056,7 @@
FT_ULong I = (FT_ULong)args[0]; \
\
\
- if ( BOUNDS( I, CUR.cvtSize ) ) \
+ if ( BOUNDSL( I, CUR.cvtSize ) ) \
{ \
if ( CUR.pedantic_hinting ) \
{ \
@@ -3072,7 +3073,7 @@
FT_ULong I = (FT_ULong)args[0]; \
\
\
- if ( BOUNDS( I, CUR.cvtSize ) ) \
+ if ( BOUNDSL( I, CUR.cvtSize ) ) \
{ \
if ( CUR.pedantic_hinting ) \
{ \
@@ -4385,7 +4386,7 @@
/* first of all, check the index */
F = args[0];
- if ( BOUNDS( F, CUR.maxFunc + 1 ) )
+ if ( BOUNDSL( F, CUR.maxFunc + 1 ) )
goto Fail;
/* Except for some old Apple fonts, all functions in a TrueType */
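Review bot: Whether `BOUNDSL( F, CUR.maxFunc + 1 )` actually widens the comparison depends on the declared type of `F`, which is outside this hunk: `F = args[0];` is an unchecked implicit conversion, so if `F` is narrower than FT_ULong the truncation happens on the assignment and BOUNDSL gains nothing. Checking the unnarrowed stack value removes the dependency on that declaration, e.g. `if ( BOUNDSL( args[0], CUR.maxFunc + 1 ) )`, where a negative args[0] converts to a large FT_ULong and is rejected as intended. The same assignment-then-check shape appears in the hunk at @@ -4461 with `F = args[1];`. The enclosing function continues before and after this hunk.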
@@ -4461,7 +4462,7 @@
/* first of all, check the index */
F = args[1];
- if ( BOUNDS( F, CUR.maxFunc + 1 ) )
+ if ( BOUNDSL( F, CUR.maxFunc + 1 ) )
goto Fail;
/* Except for some old Apple fonts, all functions in a TrueType */
@@ -4729,7 +4730,7 @@
L = (FT_ULong)args[0];
- if ( BOUNDS( L, CUR.zp2.n_points ) )
+ if ( BOUNDSL( L, CUR.zp2.n_points ) )
{
if ( CUR.pedantic_hinting )
{
@@ -4813,8 +4814,8 @@
K = (FT_UShort)args[1];
L = (FT_UShort)args[0];
- if( BOUNDS( L, CUR.zp0.n_points ) ||
- BOUNDS( K, CUR.zp1.n_points ) )
+ if ( BOUNDS( L, CUR.zp0.n_points ) ||
+ BOUNDS( K, CUR.zp1.n_points ) )
{
if ( CUR.pedantic_hinting )
{
@@ -5468,12 +5469,12 @@
static void
Ins_SHZ( INS_ARG )
{
- TT_GlyphZoneRec zp;
- FT_UShort refp;
- FT_F26Dot6 dx,
- dy;
+ TT_GlyphZoneRec zp;
+ FT_UShort refp;
+ FT_F26Dot6 dx,
+ dy;
- FT_UShort last_point, i;
+ FT_UShort last_point, i;
if ( BOUNDS( args[0], 2 ) )
@@ -5675,8 +5676,8 @@
cvtEntry = (FT_ULong)args[1];
point = (FT_UShort)args[0];
- if ( BOUNDS( point, CUR.zp0.n_points ) ||
- BOUNDS( cvtEntry, CUR.cvtSize ) )
+ if ( BOUNDS( point, CUR.zp0.n_points ) ||
+ BOUNDSL( cvtEntry, CUR.cvtSize ) )
{
if ( CUR.pedantic_hinting )
CUR.error = TT_Err_Invalid_Reference;
@@ -5868,7 +5869,7 @@
/* XXX: UNDOCUMENTED! cvt[-1] = 0 always */
if ( BOUNDS( point, CUR.zp1.n_points ) ||
- BOUNDS( cvtEntry, CUR.cvtSize + 1 ) ||
+ BOUNDSL( cvtEntry, CUR.cvtSize + 1 ) ||
BOUNDS( CUR.GS.rp0, CUR.zp0.n_points ) )
{
if ( CUR.pedantic_hinting )
@@ -6117,8 +6118,8 @@
p1 = (FT_UShort)args[0];
p2 = (FT_UShort)args[1];
- if ( BOUNDS( args[0], CUR.zp1.n_points ) ||
- BOUNDS( args[1], CUR.zp0.n_points ) )
+ if ( BOUNDS( p1, CUR.zp1.n_points ) ||
+ BOUNDS( p2, CUR.zp0.n_points ) )
{
if ( CUR.pedantic_hinting )
CUR.error = TT_Err_Invalid_Reference;
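Review bot: Switching the check from args[0]/args[1] to p1/p2 changes which value is validated: p1 and p2 are FT_UShort, so an argument with bits set above the low 16 is now checked only modulo 65536 and can pass where the old `BOUNDS( args[0], ... )` rejected it. Presumably p1 and p2 are the indices used below (outside the hunk), in which case the access stays inside n_points, but the commit message describes only BOUNDS/BOUNDSL changes and does not mention this behaviour change. I would record the intent next to the check, `/* check the narrowed indices, i.e. the values actually used below */`, or keep the original args[] form if wide arguments are meant to be rejected. The K/L check in the hunk at @@ -4813 already has the same narrow-then-check shape.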
@@ -6647,7 +6648,7 @@
A = (FT_ULong)CUR.stack[CUR.args + 1];
B = CUR.stack[CUR.args];
- if ( BOUNDS( A, CUR.cvtSize ) )
+ if ( BOUNDSL( A, CUR.cvtSize ) )
{
if ( CUR.pedantic_hinting )
{
Index: freetype-2.3.9/src/truetype/ttinterp.h
===================================================================
--- freetype-2.3.9.orig/src/truetype/ttinterp.h
+++ freetype-2.3.9/src/truetype/ttinterp.h
@@ -150,7 +150,7 @@ FT_BEGIN_HEADER
FT_Bool step_ins; /* true if the interpreter must */
/* increment IP after ins. exec */
- FT_Long cvtSize;
+ FT_ULong cvtSize;
FT_Long* cvt;
FT_UInt glyphSize; /* glyph instructions buffer size */
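Review bot: cvtSize becomes FT_ULong while the `FT_Long* cvt` array it bounds and glyphSize (FT_UInt) keep their types, and the field still has no comment although its neighbours do. Every use of cvtSize outside this diff that assigns it from or compares it with a signed FT_Long now goes through an unsigned promotion, so those sites (in particular wherever cvtSize is filled when the cvt table is loaded) should be checked; none of them is visible here. I would document the field as `FT_ULong cvtSize; /* number of entries in `cvt' */`, which is how the BOUNDSL checks in ttinterp.c treat it, presumably correctly.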