Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:Alexander_Naumov:SLE-12:Update
ft2demos.449
CVE-2014-9665.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2014-9665.patch of Package ft2demos.449
From 54abd22891bd51ef8b533b24df53b3019b5cee81 Mon Sep 17 00:00:00 2001 From: Werner Lemberg <wl@gnu.org> Date: Sat, 15 Nov 2014 08:05:22 +0000 Subject: [sfnt] Fix Savannah bug #43597. * src/sfnt/pngshim.c (Load_SBit_Png): Protect against too large bitmaps. From b3500af717010137046ec4076d1e1c0641e33727 Mon Sep 17 00:00:00 2001 From: Werner Lemberg <wl@gnu.org> Date: Wed, 19 Nov 2014 20:28:21 +0000 Subject: Change some fields in `FT_Bitmap' to unsigned type. This doesn't break ABI. * include/ftimage.h (FT_Bitmap): Make `rows', `width', `num_grays', `pixel_mode', and `palette_mode' unsigned types. * src/base/ftbitmap.c: Updated. (FT_Bitmap_Copy): Fix casts. * src/cache/ftcsbits.c, src/raster/ftraster.c, src/sfnt/pngshim.c: Updated. --- Index: freetype-2.5.3/src/sfnt/pngshim.c =================================================================== --- freetype-2.5.3.orig/src/sfnt/pngshim.c +++ freetype-2.5.3/src/sfnt/pngshim.c @@ -205,11 +205,11 @@ goto Exit; } - if ( !populate_map_and_metrics && - ( x_offset + metrics->width > map->width || - y_offset + metrics->height > map->rows || - pix_bits != 32 || - map->pixel_mode != FT_PIXEL_MODE_BGRA ) ) + if ( !populate_map_and_metrics && + ( (FT_UInt)x_offset + metrics->width > map->width || + (FT_UInt)y_offset + metrics->height > map->rows || + pix_bits != 32 || + map->pixel_mode != FT_PIXEL_MODE_BGRA ) ) { error = FT_THROW( Invalid_Argument ); goto Exit; @@ -269,6 +269,13 @@ map->pitch = map->width * 4; map->num_grays = 256; + /* reject too large bitmaps similarly to the rasterizer */ + if ( map->rows > 0x7FFF || map->width > 0x7FFF ) + { + error = FT_THROW( Array_Too_Large ); + goto DestroyExit; + } + size = map->rows * map->pitch; error = ft_glyphslot_alloc_bitmap( slot, size ); Index: freetype-2.5.3/include/ftimage.h =================================================================== --- freetype-2.5.3.orig/include/ftimage.h +++ freetype-2.5.3/include/ftimage.h @@ -318,13 +318,13 @@ FT_BEGIN_HEADER /* */ typedef struct FT_Bitmap_ { - int rows; - int width; + unsigned int rows; + unsigned int width; int pitch; unsigned char* buffer; - short num_grays; - char pixel_mode; - char palette_mode; + unsigned short num_grays; + unsigned char pixel_mode; + unsigned char palette_mode; void* palette; } FT_Bitmap; Index: freetype-2.5.3/src/base/ftbitmap.c =================================================================== --- freetype-2.5.3.orig/src/base/ftbitmap.c +++ freetype-2.5.3/src/base/ftbitmap.c @@ -62,7 +62,7 @@ if ( pitch < 0 ) pitch = -pitch; - size = (FT_ULong)( pitch * source->rows ); + size = (FT_ULong)pitch * source->rows; if ( target->buffer ) { @@ -72,7 +72,7 @@ if ( target_pitch < 0 ) target_pitch = -target_pitch; - target_size = (FT_ULong)( target_pitch * target->rows ); + target_size = (FT_ULong)target_pitch * target->rows; if ( target_size != size ) (void)FT_QREALLOC( target->buffer, target_size, size ); @@ -106,7 +106,7 @@ int pitch; int new_pitch; FT_UInt bpp; - FT_Int i, width, height; + FT_UInt i, width, height; unsigned char* buffer = NULL; @@ -144,17 +144,17 @@ if ( ypixels == 0 && new_pitch <= pitch ) { /* zero the padding */ - FT_Int bit_width = pitch * 8; - FT_Int bit_last = ( width + xpixels ) * bpp; + FT_UInt bit_width = pitch * 8; + FT_UInt bit_last = ( width + xpixels ) * bpp; if ( bit_last < bit_width ) { FT_Byte* line = bitmap->buffer + ( bit_last >> 3 ); FT_Byte* end = bitmap->buffer + pitch; - FT_Int shift = bit_last & 7; + FT_UInt shift = bit_last & 7; FT_UInt mask = 0xFF00U >> shift; - FT_Int count = height; + FT_UInt count = height; for ( ; count > 0; count--, line += pitch, end += pitch ) @@ -180,7 +180,7 @@ if ( bitmap->pitch > 0 ) { - FT_Int len = ( width * bpp + 7 ) >> 3; + FT_UInt len = ( width * bpp + 7 ) >> 3; for ( i = 0; i < bitmap->rows; i++ ) @@ -189,7 +189,7 @@ } else { - FT_Int len = ( width * bpp + 7 ) >> 3; + FT_UInt len = ( width * bpp + 7 ) >> 3; for ( i = 0; i < bitmap->rows; i++ ) @@ -220,7 +220,8 @@ { FT_Error error; unsigned char* p; - FT_Int i, x, y, pitch; + FT_Int i, x, pitch; + FT_UInt y; FT_Int xstr, ystr; @@ -459,8 +460,8 @@ case FT_PIXEL_MODE_LCD_V: case FT_PIXEL_MODE_BGRA: { - FT_Int pad; - FT_Long old_size; + FT_Int pad; + FT_ULong old_size; old_size = target->rows * target->pitch; Index: freetype-2.5.3/src/cache/ftcsbits.c =================================================================== --- freetype-2.5.3.orig/src/cache/ftcsbits.c +++ freetype-2.5.3/src/cache/ftcsbits.c @@ -142,12 +142,12 @@ goto BadGlyph; } - /* Check that our values fit into 8-bit containers! */ + /* Check whether our values fit into 8-bit containers! */ /* If this is not the case, our bitmap is too large */ /* and we will leave it as `missing' with sbit.buffer = 0 */ -#define CHECK_CHAR( d ) ( temp = (FT_Char)d, temp == d ) -#define CHECK_BYTE( d ) ( temp = (FT_Byte)d, temp == d ) +#define CHECK_CHAR( d ) ( temp = (FT_Char)d, (FT_Int) temp == (FT_Int) d ) +#define CHECK_BYTE( d ) ( temp = (FT_Byte)d, (FT_UInt)temp == (FT_UInt)d ) /* horizontal advance in pixels */ xadvance = ( slot->advance.x + 32 ) >> 6; Index: freetype-2.5.3/src/raster/ftraster.c =================================================================== --- freetype-2.5.3.orig/src/raster/ftraster.c +++ freetype-2.5.3/src/raster/ftraster.c @@ -2550,7 +2550,7 @@ e1 = TRUNC( e1 ); - if ( e1 >= 0 && e1 < ras.target.rows ) + if ( e1 >= 0 && (ULong)e1 < ras.target.rows ) { PByte p; @@ -2644,7 +2644,7 @@ /* bounding box instead */ if ( pxl < 0 ) pxl = e1; - else if ( TRUNC( pxl ) >= ras.target.rows ) + else if ( (ULong)( TRUNC( pxl ) ) >= ras.target.rows ) pxl = e2; /* check that the other pixel isn't set */ @@ -2659,9 +2659,9 @@ if ( ras.target.pitch > 0 ) bits += ( ras.target.rows - 1 ) * ras.target.pitch; - if ( e1 >= 0 && - e1 < ras.target.rows && - *bits & f1 ) + if ( e1 >= 0 && + (ULong)e1 < ras.target.rows && + *bits & f1 ) return; } else @@ -2673,7 +2673,7 @@ e1 = TRUNC( pxl ); - if ( e1 >= 0 && e1 < ras.target.rows ) + if ( e1 >= 0 && (ULong)e1 < ras.target.rows ) { bits -= e1 * ras.target.pitch; if ( ras.target.pitch > 0 )
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor