File bnc619562_CVE-2010-2527.diff of Package ft2demos
From b995299b73ba4cd259f221f500d4e63095508bec Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Mon, 07 Jun 2010 07:13:41 +0000
Subject: Fix Savannah bug #30054.
* src/ftdiff.c, src/ftgrid.c, src/ftmulti.c, src/ftstring.c,
src/ftview.c: Use precision for `%s' where appropriate to avoid
buffer overflows.
diff --git a/src/ftmulti.c b/src/ftmulti.c
index 15133d4..bb030fb 100644
--- a/src/ftmulti.c
+++ b/src/ftmulti.c
@@ -2,7 +2,7 @@
/* */
/* The FreeType project -- a free and portable quality TrueType renderer. */
/* */
-/* Copyright 1996-2000, 2003, 2004, 2005 by */
+/* Copyright 1996-2000, 2003, 2004, 2005, 2010 by */
/* D. Turner, R.Wilhelm, and W. Lemberg */
/* */
/* */
@@ -34,7 +34,7 @@
#define MAXPTSIZE 500 /* dtp */
- char Header[128];
+ char Header[256];
char* new_header = 0;
const unsigned char* Text = (unsigned char*)
@@ -795,7 +795,7 @@
Render_All( Num, ptsize );
}
- sprintf( Header, "%s %s (file %s)",
+ sprintf( Header, "%.50s %.50s (file %.100s)",
face->family_name,
face->style_name,
ft_basename( argv[file] ) );
@@ -830,7 +830,7 @@
}
else
{
- sprintf( Header, "%s: not an MM font file, or could not be opened",
+ sprintf( Header, "%.100s: not an MM font file, or could not be opened",
ft_basename( argv[file] ) );
}
diff --git a/src/ftstring.c b/src/ftstring.c
index f567596..ffa7f45 100644
--- a/src/ftstring.c
+++ b/src/ftstring.c
@@ -2,7 +2,7 @@
/* */
/* The FreeType project -- a free and portable quality TrueType renderer. */
/* */
-/* Copyright 1996-2002, 2003, 2004, 2005, 2006, 2007, 2009 by */
+/* Copyright 1996-2002, 2003, 2004, 2005, 2006, 2007, 2009, 2010 by */
/* D. Turner, R.Wilhelm, and W. Lemberg */
/* */
/* */
@@ -413,19 +413,20 @@
switch ( error_code )
{
case FT_Err_Ok:
- sprintf( status.header_buffer, "%s %s (file `%s')", face->family_name,
+ sprintf( status.header_buffer,
+ "%.50s %.50s (file `%.100s')", face->family_name,
face->style_name, basename );
break;
case FT_Err_Invalid_Pixel_Size:
- sprintf( status.header_buffer, "Invalid pixel size (file `%s')",
+ sprintf( status.header_buffer, "Invalid pixel size (file `%.100s')",
basename );
break;
case FT_Err_Invalid_PPem:
- sprintf( status.header_buffer, "Invalid ppem value (file `%s')",
+ sprintf( status.header_buffer, "Invalid ppem value (file `%.100s')",
basename );
break;
default:
- sprintf( status.header_buffer, "File `%s': error 0x%04x", basename,
+ sprintf( status.header_buffer, "File `%.100s': error 0x%04x", basename,
(FT_UShort)error_code );
break;
}
--- ft2demos-2.3.9/src/ftview.c.orig 2009-03-04 00:06:59.000000000 +0100
+++ ft2demos-2.3.9/src/ftview.c 2010-08-11 20:13:06.266668844 +0200
@@ -970,18 +970,20 @@ Next:
switch ( error_code )
{
case FT_Err_Ok:
- sprintf( status.header_buffer, "%s %s (file `%s')", face->family_name,
- face->style_name, basename );
+ sprintf( status.header_buffer, "%.50s %.50s (file `%.100s')",
+ face->family_name, face->style_name, basename );
break;
case FT_Err_Invalid_Pixel_Size:
- sprintf( status.header_buffer, "Invalid pixel size (file `%s')", basename );
+ sprintf( status.header_buffer, "Invalid pixel size (file `%.100s')",
+ basename );
break;
case FT_Err_Invalid_PPem:
- sprintf( status.header_buffer, "Invalid ppem value (file `%s')", basename );
+ sprintf( status.header_buffer, "Invalid ppem value (file `%.100s')",
+ basename );
break;
default:
- sprintf( status.header_buffer, "File `%s': error 0x%04x", basename,
- (FT_UShort)error_code );
+ sprintf( status.header_buffer, "File `%.100s': error 0x%04x",
+ basename, (FT_UShort)error_code );
break;
}
--- ft2demos-2.3.9/src/ftdiff.c.orig 2009-01-07 09:16:41.000000000 +0100
+++ ft2demos-2.3.9/src/ftdiff.c 2010-08-11 20:10:43.089794239 +0200
@@ -1054,11 +1054,11 @@
state->message = state->message0;
if ( total > 1 )
- sprintf( state->message0, "%s %d/%d @ %5.1fpt",
+ sprintf( state->message0, "%.100s %d/%d @ %5.1fpt",
state->filename, idx + 1, total,
state->char_size );
else
- sprintf( state->message0, "%s @ %5.1fpt",
+ sprintf( state->message0, "%.100s @ %5.1fpt",
state->filename,
state->char_size );
}
--- ft2demos-2.3.9/src/ftgrid.c.orig 2009-03-11 06:42:57.000000000 +0100
+++ ft2demos-2.3.9/src/ftgrid.c 2010-08-11 20:10:43.090794072 +0200
@@ -2,7 +2,7 @@
/* */
/* The FreeType project -- a free and portable quality TrueType renderer. */
/* */
-/* Copyright 1996-2000, 2003, 2004, 2005, 2006, 2007, 2009 by */
+/* Copyright 1996-2000, 2003, 2004, 2005, 2006, 2007, 2009, 2010 by */
/* D. Turner, R.Wilhelm, and W. Lemberg */
/* */
/* */
@@ -786,22 +786,22 @@ grid_status_draw_outline( GridStatus
switch ( error_code )
{
case FT_Err_Ok:
- sprintf( status.header_buffer, "%s %s (file `%s')",
+ sprintf( status.header_buffer, "%.50s %.50s (file `%.100s')",
face->family_name, face->style_name, basename );
break;
case FT_Err_Invalid_Pixel_Size:
- sprintf( status.header_buffer, "Invalid pixel size (file `%s')",
+ sprintf( status.header_buffer, "Invalid pixel size (file `%.100s')",
basename );
break;
case FT_Err_Invalid_PPem:
- sprintf( status.header_buffer, "Invalid ppem value (file `%s')",
+ sprintf( status.header_buffer, "Invalid ppem value (file `%.100s')",
basename );
break;
default:
- sprintf( status.header_buffer, "File `%s': error 0x%04x",
+ sprintf( status.header_buffer, "File `%.100s': error 0x%04x",
basename, (FT_UShort)error_code );
break;
}