File CVE-2014-9665.patch of Package freetype2.449
From 54abd22891bd51ef8b533b24df53b3019b5cee81 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Sat, 15 Nov 2014 08:05:22 +0000
Subject: [sfnt] Fix Savannah bug #43597.
* src/sfnt/pngshim.c (Load_SBit_Png): Protect against too large
bitmaps.
From b3500af717010137046ec4076d1e1c0641e33727 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Wed, 19 Nov 2014 20:28:21 +0000
Subject: Change some fields in `FT_Bitmap' to unsigned type.
This doesn't break ABI.
* include/ftimage.h (FT_Bitmap): Make `rows', `width', `num_grays',
`pixel_mode', and `palette_mode' unsigned types.
* src/base/ftbitmap.c: Updated.
(FT_Bitmap_Copy): Fix casts.
* src/cache/ftcsbits.c, src/raster/ftraster.c, src/sfnt/pngshim.c:
Updated.
---
Index: freetype-2.5.3/src/sfnt/pngshim.c
===================================================================
--- freetype-2.5.3.orig/src/sfnt/pngshim.c
+++ freetype-2.5.3/src/sfnt/pngshim.c
@@ -205,11 +205,11 @@
goto Exit;
}
- if ( !populate_map_and_metrics &&
- ( x_offset + metrics->width > map->width ||
- y_offset + metrics->height > map->rows ||
- pix_bits != 32 ||
- map->pixel_mode != FT_PIXEL_MODE_BGRA ) )
+ if ( !populate_map_and_metrics &&
+ ( (FT_UInt)x_offset + metrics->width > map->width ||
+ (FT_UInt)y_offset + metrics->height > map->rows ||
+ pix_bits != 32 ||
+ map->pixel_mode != FT_PIXEL_MODE_BGRA ) )
{
error = FT_THROW( Invalid_Argument );
goto Exit;
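Review bot: The (FT_UInt) casts on x_offset and y_offset at lines 33-34 make a negative offset wrap to a very large value, so the comparison rejects it; that is the safe outcome, but it is not obvious from the code and deserves a comment such as `/* a negative offset wraps to a huge value here and is rejected */`. If x_offset and y_offset are signed (their declarations are outside the hunk), an explicit `x_offset < 0 || y_offset < 0 ||` term in the same condition would state the intent directly instead of relying on the wrap. Load_SBit_Png starts before this hunk.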
@@ -269,6 +269,13 @@
map->pitch = map->width * 4;
map->num_grays = 256;
+ /* reject too large bitmaps similarly to the rasterizer */
+ if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto DestroyExit;
+ }
+
size = map->rows * map->pitch;
error = ft_glyphslot_alloc_bitmap( slot, size );
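Review bot: The new size check at lines 44-48 sits after `map->pitch = map->width * 4;` on line 41, so pitch is derived from an unvalidated width before the bitmap is rejected; moving the check above that assignment keeps every derived value computed from validated input. The limit 0x7FFF is a magic number justified only by "similarly to the rasterizer"; a comment such as `/* 0x7FFF * 0x7FFF * 4 < 2^32, so rows * pitch below cannot wrap */` would record why this bound is sufficient for the `size = map->rows * map->pitch;` product on line 50, assuming size is at least 32 bits wide (its declaration is outside the hunk). Where map->rows and map->width come from is not visible here either.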
Index: freetype-2.5.3/include/ftimage.h
===================================================================
--- freetype-2.5.3.orig/include/ftimage.h
+++ freetype-2.5.3/include/ftimage.h
@@ -318,13 +318,13 @@ FT_BEGIN_HEADER
/* */
typedef struct FT_Bitmap_
{
- int rows;
- int width;
+ unsigned int rows;
+ unsigned int width;
int pitch;
unsigned char* buffer;
- short num_grays;
- char pixel_mode;
- char palette_mode;
+ unsigned short num_grays;
+ unsigned char pixel_mode;
+ unsigned char palette_mode;
void* palette;
} FT_Bitmap;
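Review bot: The field documentation for FT_Bitmap (the comment block above this hunk in ftimage.h) still needs to say that rows, width, num_grays, pixel_mode and palette_mode are unsigned, since this is the public header users read. Because pitch stays signed while rows becomes unsigned, a product such as `rows * pitch` is now evaluated as unsigned and a negative pitch wraps; the comment for pitch should advise taking its absolute value first, as src/base/ftbitmap.c does elsewhere in this patch. A short note that user code comparing these fields against negative signed values now gets an implicit unsigned conversion would also help.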
Index: freetype-2.5.3/src/base/ftbitmap.c
===================================================================
--- freetype-2.5.3.orig/src/base/ftbitmap.c
+++ freetype-2.5.3/src/base/ftbitmap.c
@@ -62,7 +62,7 @@
if ( pitch < 0 )
pitch = -pitch;
- size = (FT_ULong)( pitch * source->rows );
+ size = (FT_ULong)pitch * source->rows;
if ( target->buffer )
{
@@ -72,7 +72,7 @@
if ( target_pitch < 0 )
target_pitch = -target_pitch;
- target_size = (FT_ULong)( target_pitch * target->rows );
+ target_size = (FT_ULong)target_pitch * target->rows;
if ( target_size != size )
(void)FT_QREALLOC( target->buffer, target_size, size );
@@ -106,7 +106,7 @@
int pitch;
int new_pitch;
FT_UInt bpp;
- FT_Int i, width, height;
+ FT_UInt i, width, height;
unsigned char* buffer = NULL;
@@ -144,17 +144,17 @@
if ( ypixels == 0 && new_pitch <= pitch )
{
/* zero the padding */
- FT_Int bit_width = pitch * 8;
- FT_Int bit_last = ( width + xpixels ) * bpp;
+ FT_UInt bit_width = pitch * 8;
+ FT_UInt bit_last = ( width + xpixels ) * bpp;
if ( bit_last < bit_width )
{
FT_Byte* line = bitmap->buffer + ( bit_last >> 3 );
FT_Byte* end = bitmap->buffer + pitch;
- FT_Int shift = bit_last & 7;
+ FT_UInt shift = bit_last & 7;
FT_UInt mask = 0xFF00U >> shift;
- FT_Int count = height;
+ FT_UInt count = height;
for ( ; count > 0; count--, line += pitch, end += pitch )
@@ -180,7 +180,7 @@
if ( bitmap->pitch > 0 )
{
- FT_Int len = ( width * bpp + 7 ) >> 3;
+ FT_UInt len = ( width * bpp + 7 ) >> 3;
for ( i = 0; i < bitmap->rows; i++ )
@@ -189,7 +189,7 @@
}
else
{
- FT_Int len = ( width * bpp + 7 ) >> 3;
+ FT_UInt len = ( width * bpp + 7 ) >> 3;
for ( i = 0; i < bitmap->rows; i++ )
@@ -220,7 +220,8 @@
{
FT_Error error;
unsigned char* p;
- FT_Int i, x, y, pitch;
+ FT_Int i, x, pitch;
+ FT_UInt y;
FT_Int xstr, ystr;
@@ -459,8 +460,8 @@
case FT_PIXEL_MODE_LCD_V:
case FT_PIXEL_MODE_BGRA:
{
- FT_Int pad;
- FT_Long old_size;
+ FT_Int pad;
+ FT_ULong old_size;
old_size = target->rows * target->pitch;
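Review bot: `old_size = target->rows * target->pitch;` on line 146 now multiplies an unsigned rows by a signed pitch, so a negative pitch converts to a large unsigned value and the product wraps rather than going negative as it did with FT_Long. If a negative pitch can reach this point (the enclosing function starts outside the hunk), compute it the way lines 79-82 do: `old_size = (FT_ULong)( target->pitch < 0 ? -target->pitch : target->pitch ) * target->rows;`. Otherwise a comment stating that target->pitch is non-negative here would document the assumption the FT_ULong type now relies on.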
Index: freetype-2.5.3/src/cache/ftcsbits.c
===================================================================
--- freetype-2.5.3.orig/src/cache/ftcsbits.c
+++ freetype-2.5.3/src/cache/ftcsbits.c
@@ -142,12 +142,12 @@
goto BadGlyph;
}
- /* Check that our values fit into 8-bit containers! */
+ /* Check whether our values fit into 8-bit containers! */
/* If this is not the case, our bitmap is too large */
/* and we will leave it as `missing' with sbit.buffer = 0 */
-#define CHECK_CHAR( d ) ( temp = (FT_Char)d, temp == d )
-#define CHECK_BYTE( d ) ( temp = (FT_Byte)d, temp == d )
+#define CHECK_CHAR( d ) ( temp = (FT_Char)d, (FT_Int) temp == (FT_Int) d )
+#define CHECK_BYTE( d ) ( temp = (FT_Byte)d, (FT_UInt)temp == (FT_UInt)d )
/* horizontal advance in pixels */
xadvance = ( slot->advance.x + 32 ) >> 6;
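Review bot: The rewritten CHECK_CHAR and CHECK_BYTE macros at lines 160-161 cast their argument `d` without parenthesizing it, so `(FT_Int) d` applied to a compound argument would cast only its first operand. Parenthesize the argument in all four uses, e.g. `#define CHECK_BYTE( d ) ( temp = (FT_Byte)(d), (FT_UInt)temp == (FT_UInt)(d) )`, and add a comment that `d` is evaluated twice so callers must not pass expressions with side effects. The type of `temp` is declared outside the hunk; the FT_Int and FT_UInt casts assume it is wide enough to hold the original value.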
Index: freetype-2.5.3/src/raster/ftraster.c
===================================================================
--- freetype-2.5.3.orig/src/raster/ftraster.c
+++ freetype-2.5.3/src/raster/ftraster.c
@@ -2550,7 +2550,7 @@
e1 = TRUNC( e1 );
- if ( e1 >= 0 && e1 < ras.target.rows )
+ if ( e1 >= 0 && (ULong)e1 < ras.target.rows )
{
PByte p;
@@ -2644,7 +2644,7 @@
/* bounding box instead */
if ( pxl < 0 )
pxl = e1;
- else if ( TRUNC( pxl ) >= ras.target.rows )
+ else if ( (ULong)( TRUNC( pxl ) ) >= ras.target.rows )
pxl = e2;
/* check that the other pixel isn't set */
@@ -2659,9 +2659,9 @@
if ( ras.target.pitch > 0 )
bits += ( ras.target.rows - 1 ) * ras.target.pitch;
- if ( e1 >= 0 &&
- e1 < ras.target.rows &&
- *bits & f1 )
+ if ( e1 >= 0 &&
+ (ULong)e1 < ras.target.rows &&
+ *bits & f1 )
return;
}
else
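Review bot: With rows now unsigned, `( ras.target.rows - 1 ) * ras.target.pitch` on line 184 wraps to a huge offset when rows is 0, where the old signed arithmetic produced -pitch; both are out of bounds, but the new value is no longer a small negative step. If a zero-row target can reach this function (the enclosing code starts outside the hunk), guard it with `if ( ras.target.rows == 0 ) return;` before the offset is applied, or add a comment naming where empty targets are rejected earlier. The (ULong) cast on line 189 is safe because `e1 >= 0` is tested first.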
@@ -2673,7 +2673,7 @@
e1 = TRUNC( pxl );
- if ( e1 >= 0 && e1 < ras.target.rows )
+ if ( e1 >= 0 && (ULong)e1 < ras.target.rows )
{
bits -= e1 * ras.target.pitch;
if ( ras.target.pitch > 0 )