File CVE-2014-9661.patch of Package freetype2.449
From: Werner Lemberg <wl@gnu.org>
Date: Sat, 22 Nov 2014 09:46:47 +0000
Subject: [type42] Fix Savannah bug #43659.
* src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'.
* src/type42/t42parse.c (t42_parse_sfnts): Always set
`face->ttf_size' directly. This ensures a correct stream size in
the call to `FT_Open_Face', which follows after parsing, even for
buggy input data.
Fix error messages.
From: Werner Lemberg <wl@gnu.org>
Date: Sat, 22 Nov 2014 11:44:33 +0000
Subject: [type42] Allow only embedded TrueType fonts.
This is a follow-up to Savannah bug #43659.
* src/type42/t42objs.c (T42_Face_Init): Exclusively use the
`truetype' font driver for loading the font contained in the `sfnts'
array.
---
diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c
--- a/src/type42/t42objs.c
+++ b/src/type42/t42objs.c
@@ -47,6 +47,12 @@
if ( FT_ALLOC( face->ttf_data, 12 ) )
goto Exit;
+ /* while parsing the font we always update `face->ttf_size' so that */
+ /* even in case of buggy data (which might lead to premature end of */
+ /* scanning without causing an error) the call to `FT_Open_Face' in */
+ /* `T42_Face_Init' passes the correct size */
+ face->ttf_size = 12;
+
error = t42_parser_init( parser,
face->root.stream,
memory,
@@ -292,7 +292,9 @@
FT_Open_Args args;
- args.flags = FT_OPEN_MEMORY;
+ args.flags = FT_OPEN_MEMORY | FT_OPEN_DRIVER;
+ args.driver = FT_Get_Module( FT_FACE_LIBRARY( face ),
+ "truetype" );
args.memory_base = face->ttf_data;
args.memory_size = face->ttf_size;
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index a60e216..daf304d 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -524,7 +524,7 @@
FT_Byte* limit = parser->root.limit;
FT_Error error;
FT_Int num_tables = 0;
- FT_ULong count, ttf_size = 0;
+ FT_ULong count;
FT_Long n, string_size, old_string_size, real_size;
FT_Byte* string_buf = NULL;
@@ -617,7 +617,7 @@
if ( limit - parser->root.cursor < string_size )
{
- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
error = FT_THROW( Invalid_File_Format );
goto Fail;
}
@@ -657,18 +657,18 @@
}
else
{
- num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
- status = BEFORE_TABLE_DIR;
- ttf_size = 12 + 16 * num_tables;
+ num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
+ status = BEFORE_TABLE_DIR;
+ face->ttf_size = 12 + 16 * num_tables;
- if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) )
+ if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
goto Fail;
}
/* fall through */
case BEFORE_TABLE_DIR:
/* the offset table is read; read the table directory */
- if ( count < ttf_size )
+ if ( count < face->ttf_size )
{
face->ttf_data[count++] = string_buf[n];
continue;
@@ -687,24 +687,23 @@
len = FT_PEEK_ULONG( p );
/* Pad to a 4-byte boundary length */
- ttf_size += ( len + 3 ) & ~3;
+ face->ttf_size += ( len + 3 ) & ~3;
}
- status = OTHER_TABLES;
- face->ttf_size = ttf_size;
+ status = OTHER_TABLES;
/* there are no more than 256 tables, so no size check here */
if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables,
- ttf_size + 1 ) )
+ face->ttf_size + 1 ) )
goto Fail;
}
/* fall through */
case OTHER_TABLES:
/* all other tables are just copied */
- if ( count >= ttf_size )
+ if ( count >= face->ttf_size )
{
- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
error = FT_THROW( Invalid_File_Format );
goto Fail;
}
--
cgit v0.9.0.2
