File bnc647375_CVE-2010-3855.diff of Package freetype2

From 59eb9f8cfe7d1df379a2318316d1f04f80fba54a Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Tue, 12 Oct 2010 07:49:17 +0200
Subject: [PATCH] Fix Savannah bug #31310.

* src/truetype/ttgxvar.c (ft_var_readpackedpoints): Protect against
invalid `runcnt' values.
---
 ChangeLog              |    7 +++++++
 src/truetype/ttgxvar.c |    6 +++---
 2 files changed, 10 insertions(+), 3 deletions(-)

--- freetype-2.3.9/src/truetype/ttgxvar.c.orig	2008-10-15 22:01:42.000000000 +0200
+++ freetype-2.3.9/src/truetype/ttgxvar.c	2011-02-28 18:04:38.536173000 +0100
@@ -158,6 +158,9 @@
         runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
         first  = points[i++] = FT_GET_USHORT();
 
+	if ( runcnt < 1 || i + runcnt >= n )
+	  goto Exit;
+
         /* first point not included in runcount */
         for ( j = 0; j < runcnt; ++j )
           points[i++] = (FT_UShort)( first += FT_GET_USHORT() );
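Review bot: The new guard `if ( runcnt < 1 || i + runcnt >= n )` looks stricter than the loop below it needs. By this point `i` has already advanced past the first point and the loop writes `points[i]` through `points[i + runcnt - 1]`, so, assuming `points` holds `n` entries (the allocation is outside the hunk), a run with `i + runcnt == n` still fits. The existing comment says the first point is not included in the run count, which suggests `runcnt == 0` may be a legitimate one-point run. If both hold, `if ( i + runcnt > n ) goto Exit;` keeps the overflow protection without truncating well-formed data, and the same applies to the byte-sized branch in the next hunk. The two added lines here are also tab-indented while the surrounding code uses spaces.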
@@ -166,11 +169,15 @@
       {
         first = points[i++] = FT_GET_BYTE();
 
+        if ( runcnt < 1 || i + runcnt >= n )
+          goto Exit;
+
         for ( j = 0; j < runcnt; ++j )
           points[i++] = (FT_UShort)( first += FT_GET_BYTE() );
       }
     }
 
+  Exit:
     return points;
   }
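Review bot: The `Exit:` path returns `points` exactly as the normal path does, so a caller cannot tell a fully decoded array from one abandoned at index `i`. If the caller goes on to read `n` entries (the count handling is outside the hunk, so this is inferred), the tail of the array holds whatever the allocator left there. Consider recording the number of points actually written before returning, or at least documenting the contract at the label: `/* malformed run count: only the first i entries of points[] are valid */`. The body of ft_var_readpackedpoints begins before this hunk.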
 