File bnc619562_CVE-2010-2500.diff of Package ft2demos
From 6305b869d86ff415a33576df6d43729673c66eee Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Wed, 30 Jun 2010 16:24:33 +0000
Subject: Fix Savannah bug #30263.
* src/smooth/ftgrays.c (gray_render_span): Use cast to `unsigned
int' to avoid integer overflow.
* src/smooth/ftsmooth.c (ft_smooth_render_generic): Use smaller
threshold values for `width' and `height'. This is not directly
related to the bug fix but makes sense anyway.
---
---
src/smooth/ftgrays.c | 2 +-
src/smooth/ftsmooth.c | 4 ++--
2 files changed, 3 insertions(+), 3 deletions(-)
Index: freetype-2.3.9/src/smooth/ftgrays.c
===================================================================
--- freetype-2.3.9.orig/src/smooth/ftgrays.c
+++ freetype-2.3.9/src/smooth/ftgrays.c
@@ -1156,7 +1156,7 @@
/* first of all, compute the scanline offset */
p = (unsigned char*)map->buffer - y * map->pitch;
if ( map->pitch >= 0 )
- p += ( map->rows - 1 ) * map->pitch;
+ p += (unsigned)( ( map->rows - 1 ) * map->pitch );
for ( ; count > 0; count--, spans++ )
{
Index: freetype-2.3.9/src/smooth/ftsmooth.c
===================================================================
--- freetype-2.3.9.orig/src/smooth/ftsmooth.c
+++ freetype-2.3.9/src/smooth/ftsmooth.c
@@ -4,7 +4,7 @@
/* */
/* Anti-aliasing renderer interface (body). */
/* */
-/* Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2009 by */
+/* Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2009, 2010 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -194,7 +194,7 @@
#endif
- if ( pitch > 0xFFFF || height > 0xFFFF )
+ if ( pitch > 0x7FFFU || height > 0x7FFFU )
{
FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
width, height ));
