Overview

File CVE-2014-9667.patch of Package freetype2.449

From 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Wed, 12 Nov 2014 20:26:44 +0000
Subject: [sfnt] Fix Savannah bug #43590.

* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
Protect against addition overflow.
---
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index 0a3cd29..8338150 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -207,7 +207,10 @@
       }
 
       /* we ignore invalid tables */
-      if ( table.Offset + table.Length > stream->size )
+
+      /* table.Offset + table.Length > stream->size ? */
+      if ( table.Length > stream->size                ||
+           table.Offset > stream->size - table.Length )
       {
         FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
         continue;
@@ -395,7 +398,10 @@
       entry->Length   = FT_GET_ULONG();
 
       /* ignore invalid tables */
-      if ( entry->Offset + entry->Length > stream->size )
+
+      /* entry->Offset + entry->Length > stream->size ? */
+      if ( entry->Length > stream->size                 ||
+           entry->Offset > stream->size - entry->Length )
         continue;
       else
       {
--
cgit v0.9.0.2
openSUSE Build Service is sponsored by
Places