File CVE-2014-9656.patch of Package freetype2.449

From f0292bb9920aa1dbfed5f53861e7c7a89b35833a Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Mon, 24 Nov 2014 09:51:21 +0000
Subject: [sfnt] Fix Savannah bug #43680.

This adds an additional constraint to make the fix from 2013-01-25
really work.

* src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) <index_format==4>:
Check `p' before `num_glyphs'.
---
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c
index b37bd7d..c2db96c 100644
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -1170,7 +1170,8 @@
         num_glyphs = FT_NEXT_ULONG( p );
 
         /* overflow check for p + ( num_glyphs + 1 ) * 4 */
-        if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
+        if ( p + 4 > p_limit                                         ||
+             num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
           goto NoBitmap;
 
         for ( mm = 0; mm < num_glyphs; mm++ )
--
cgit v0.9.0.2

Places

File CVE-2014-9656.patch of Package freetype2.449

Places