File bnc619562_CVE-2010-2499.diff of Package ft2demos

From c69891a1345640096fbf396e8dd567fe879ce233 Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
Date: Fri, 25 Jun 2010 00:02:18 +0000
Subject: Initial fix for Savannah bug #30248 and #30249.

* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the error during
reading a PFB fragment embedded in LaserWriter PS font for Macintosh.
Reported by Robert Swiecki.

already covered
---
--
cgit v0.8.3.2
From f29f741efbba0a5ce2f16464f648fb8d026ed4c8 Mon Sep 17 00:00:00 2001
From: suzuki toshiya <sssa@flavor1.ipc.hiroshima-u.ac.jp>
Date: Thu, 01 Jul 2010 08:31:03 +0000
Subject: Additional fix for Savannah bug #30248 and #30249.

* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer
size during gathering PFB fragments embedded in LaserWriter PS
font for Macintosh. Reported by Robert Swiecki.
---
---
 src/base/ftobjs.c |    8 ++++++++
 1 file changed, 8 insertions(+)

Index: freetype-2.3.9/src/base/ftobjs.c
===================================================================
--- freetype-2.3.9.orig/src/base/ftobjs.c
+++ freetype-2.3.9/src/base/ftobjs.c
@@ -1525,6 +1525,8 @@
         len += rlen;
       else
       {
+        if ( pfb_lenpos + 3 > pfb_len + 2 )
+          goto Exit2;
         pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
         pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
         pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
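Review bot: The added guard `if ( pfb_lenpos + 3 > pfb_len + 2 )` compares the highest index with the capacity, while the other new checks (`pfb_pos + 6`, `pfb_pos + 2`) compare a byte count with it, so it still accepts `pfb_lenpos + 3 == pfb_len + 2`. If a fourth length byte is stored at `pfb_lenpos + 3` just past the visible context, and the buffer holds `pfb_len + 2` bytes as the other checks imply, that store would land one byte past the end. Writing it count-style as `if ( pfb_lenpos + 4 > pfb_len + 2 )` would close that gap, and the same applies to the identical guard at the end of the third hunk. The enclosing function starts and ends outside the hunk, so the allocation size could not be confirmed here.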
@@ -1533,6 +1535,8 @@
         if ( ( flags >> 8 ) == 5 )      /* End of font mark */
           break;
 
+        if ( pfb_pos + 6 > pfb_len + 2 )
+          goto Exit2;
         pfb_data[pfb_pos++] = 0x80;
 
         type = flags >> 8;
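Review bot: The new `goto Exit2` ahead of `pfb_data[pfb_pos++] = 0x80;` does not assign `error` in the visible lines, and neither do the three other exits this patch adds. If `error` still holds the success value left by the preceding reads, a font whose fragments overrun the buffer could be reported as loaded successfully after the function bails out. Setting a failure code before each jump, for example `error = FT_Err_Cannot_Open_Resource;`, would make the rejection explicit. What `Exit2` does with `error` is outside the hunk and should be checked.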
@@ -1557,9 +1561,13 @@
       pfb_pos += rlen;
     }
 
+    if ( pfb_pos + 2 > pfb_len + 2 )
+      goto Exit2;
     pfb_data[pfb_pos++] = 0x80;
     pfb_data[pfb_pos++] = 3;
 
+    if ( pfb_lenpos + 3 > pfb_len + 2 )
+      goto Exit2;
     pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
     pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
     pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
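Review bot: Nothing near these checks says what the bound `pfb_len + 2` stands for, although it is now repeated in four guards with left-hand constants 3, 6, 2 and 3. A one-line comment ahead of the first guard, such as `/* pfb_data holds pfb_len + 2 bytes; every store below must stay inside that */`, would let a reader verify each constant against the stores it protects. The allocation is outside the hunk, so the size stated in that comment should be confirmed against it.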