Overview

File CVE-2014-9664.patch of Package freetype2.449

From dd89710f0f643eb0f99a3830e0712d26c7642acd Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 21 Nov 2014 21:19:28 +0000
Subject: [type1, type42] Fix Savannah bug #43655.

* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c
(t42_parse_charstrings): Fix boundary testing.

From 73be9f9ab67842cfbec36ee99e8d2301434c84ca Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Mon, 24 Nov 2014 06:30:05 +0000
Subject: [type1, type42] Another fix for Savannah bug #43655.

* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c
(t42_parse_charstrings): Add another boundary testing.
---
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1596,6 +1596,11 @@
       }
 
       T1_Skip_PS_Token( parser );
+      if ( parser->root.cursor >= limit )
+      {
+        error = FT_THROW( Invalid_File_Format );
+        goto Fail;
+      }
       if ( parser->root.error )
         return;
 
@@ -1604,7 +1604,7 @@
         FT_PtrDist  len;
 
 
-        if ( cur + 1 >= limit )
+        if ( cur + 2 >= limit )
         {
           error = FT_THROW( Invalid_File_Format );
           goto Fail;
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -849,6 +849,12 @@
         break;
 
       T1_Skip_PS_Token( parser );
+      if ( parser->root.cursor >= limit )
+      {
+        FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
+        error = FT_THROW( Invalid_File_Format );
+        goto Fail;
+      }
       if ( parser->root.error )
         return;
 
@@ -858,7 +858,7 @@
         FT_PtrDist  len;
 
 
-        if ( cur + 1 >= limit )
+        if ( cur + 2 >= limit )
         {
           FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
           error = FT_THROW( Invalid_File_Format );
--
cgit v0.9.0.2
openSUSE Build Service is sponsored by
Places