File CVE-2014-9673.patch of Package freetype2.449

From 35252ae9aa1dd9343e9f4884e9ddb1fee10ef415 Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 06:52:23 +0000
Subject: Fix Savannah bug #43539.

* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
caused by a broken POST table in the resource fork.
---
Index: freetype-2.5.3/src/base/ftobjs.c
===================================================================
--- freetype-2.5.3.orig/src/base/ftobjs.c
+++ freetype-2.5.3/src/base/ftobjs.c
@@ -1627,6 +1627,11 @@
         goto Exit2;
       if ( FT_READ_LONG( rlen ) )
         goto Exit;
+      if ( rlen < 0 )
+      {
+        error = FT_THROW( Invalid_Offset );
+        goto Exit2;
+      }
       if ( FT_READ_USHORT( flags ) )
         goto Exit;
       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
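Review bot: The added `rlen < 0` test rejects only lengths that arrive negative, and whether a 32-bit length with its top bit set arrives negative depends on rlen's type and on how FT_READ_LONG widens the value, neither of which is visible in this hunk. If rlen is wider than 32 bits on some targets, such a length would pass here and be left to the later `0x7FFFFFFFL` guards; bounding it at the read as well, `if ( rlen < 0 || rlen > 0x7FFFFFFFL )`, makes the rejection independent of the platform. The check also runs before the FT_TRACE3 line, so a rejected fragment produces no trace output; a trace message in the new branch would help when diagnosing a malformed font. The enclosing loop and the Exit/Exit2 labels are outside the hunk.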
@@ -1644,7 +1649,14 @@
         rlen = 0;
 
       if ( ( flags >> 8 ) == type )
+      {
+        if ( 0x7FFFFFFFL - rlen < len )
+        {
+          error = FT_THROW( Array_Too_Large );
+          goto Exit2;
+        }
         len += rlen;
+      }
       else
       {
         if ( pfb_lenpos + 3 > pfb_len + 2 )
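Review bot: The guard `0x7FFFFFFFL - rlen < len` is overflow-free only because rlen cannot be negative at this point, and nothing at the site says so; that property rests on the `rlen < 0` rejection added in the first hunk. A comment such as `/* rlen >= 0 here, so the subtraction cannot overflow */` would keep a later edit from separating the two checks. The literal `0x7FFFFFFFL` is repeated in the third hunk's `rlen > 0x7FFFFFFFL - pfb_pos`; one named constant for the largest accepted POST length would state the limit once. The loop body this sits in begins and ends outside the hunk.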
@@ -1673,6 +1685,11 @@
       }
 
       error = FT_ERR( Cannot_Open_Resource );
+      if ( rlen > 0x7FFFFFFFL - pfb_pos )
+      {
+        error = FT_THROW( Array_Too_Large );
+        goto Exit2;
+      }
       if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
         goto Exit2;
 
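Review bot: The new overflow guard and the existing bounds test on the following line check the same property and can be a single test in subtraction form: `if ( pfb_pos > pfb_len || rlen > pfb_len - pfb_pos ) goto Exit2;`. Once the first operand has established `pfb_pos <= pfb_len`, `pfb_len - pfb_pos` cannot overflow provided pfb_pos is non-negative (its type and origin are not visible here), so the `0x7FFFFFFFL` literal is not needed. That form reports Cannot_Open_Resource rather than Array_Too_Large for an oversized fragment; if the distinct error code matters, keep both tests and add a short comment saying the guard must stay ahead of the `pfb_pos + rlen` addition.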