File CVE-2014-9747.patch of Package freetype2
--- freetype-2.5.0.1/src/cid/cidload.c 2013-05-28 23:00:03.000000000 +0200
+++ freetype-2.5.0.1/src/cid/cidload.c 2015-09-30 11:37:53.445098361 +0200
@@ -160,14 +160,25 @@
if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )
{
+ FT_Int result;
+
dict = face->cid.font_dicts + parser->num_dict;
matrix = &dict->font_matrix;
offset = &dict->font_offset;
- (void)cid_parser_to_fixed_array( parser, 6, temp, 3 );
+ result = cid_parser_to_fixed_array( parser, 6, temp, 3 );
+
+ if ( result < 6 )
+ return FT_THROW( Invalid_File_Format );
temp_scale = FT_ABS( temp[3] );
+ if ( temp_scale == 0 )
+ {
+ FT_ERROR(( "cid_parse_font_matrix: invalid font matrix\n" ));
+ return FT_THROW( Invalid_File_Format );
+ }
+
/* Set Units per EM based on FontMatrix values. We set the value to */
/* 1000 / temp_scale, because temp_scale was already multiplied by */
/* 1000 (in t1_tofixed, from psobjs.c). */
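Review bot: The new `result < 6` return rejects a short or unparsable FontMatrix without any diagnostic, while the zero-scale check added immediately after it logs before returning, so the two failures are indistinguishable in the error log and only one of them can be triaged from it. Add `FT_ERROR(( "cid_parse_font_matrix: invalid font matrix\n" ));` ahead of that return, matching the zero-scale branch. The t42parse.c hunk further down has the same asymmetry. The enclosing function starts and ends outside this hunk.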
@@ -182,7 +193,7 @@
temp[2] = FT_DivFix( temp[2], temp_scale );
temp[4] = FT_DivFix( temp[4], temp_scale );
temp[5] = FT_DivFix( temp[5], temp_scale );
- temp[3] = 0x10000L;
+ temp[3] = temp[3] < 0 ? -0x10000L : 0x10000L;
}
matrix->xx = temp[0];
@@ -195,8 +206,7 @@
offset->y = temp[5] >> 16;
}
- return FT_Err_Ok; /* this is a callback function; */
- /* we must return an error code */
+ return FT_Err_Ok;
}
--- freetype-2.5.0.1/src/psaux/psobjs.c 2013-06-06 06:51:42.000000000 +0200
+++ freetype-2.5.0.1/src/psaux/psobjs.c 2015-09-30 11:33:58.654280735 +0200
@@ -1200,7 +1200,7 @@
result = ps_tofixedarray( &cur, limit, 4, temp, 0 );
- if ( result < 0 )
+ if ( result < 4 )
{
FT_ERROR(( "ps_parser_load_field:"
" expected four integers in bounding box\n" ));
@@ -1230,7 +1230,7 @@
{
result = ps_tofixedarray( &cur, limit, max_objects,
temp + i * max_objects, 0 );
- if ( result < 0 )
+ if ( result < 0 || (FT_UInt)result < max_objects )
{
FT_ERROR(( "ps_parser_load_field:"
" expected %d integers in the %s subarray\n"
--- freetype-2.5.0.1/src/type1/t1load.c 2013-06-11 16:41:21.000000000 +0200
+++ freetype-2.5.0.1/src/type1/t1load.c 2015-09-30 11:33:58.654280735 +0200
@@ -1107,7 +1107,7 @@
result = T1_ToFixedArray( parser, 6, temp, 3 );
- if ( result < 0 )
+ if ( result < 6 )
{
parser->root.error = FT_THROW( Invalid_File_Format );
return;
--- freetype-2.5.0.1/src/type42/t42parse.c 2013-05-28 23:00:03.000000000 +0200
+++ freetype-2.5.0.1/src/type42/t42parse.c 2015-09-30 11:33:58.655280713 +0200
@@ -255,12 +255,26 @@
FT_Face root = (FT_Face)&face->root;
FT_Fixed temp[6];
FT_Fixed temp_scale;
+ FT_Int result;
- (void)T1_ToFixedArray( parser, 6, temp, 3 );
+ result = T1_ToFixedArray( parser, 6, temp, 3 );
+
+ if ( result < 6 )
+ {
+ parser->root.error = FT_THROW( Invalid_File_Format );
+ return;
+ }
temp_scale = FT_ABS( temp[3] );
+ if ( temp_scale == 0 )
+ {
+ FT_ERROR(( "t1_parse_font_matrix: invalid font matrix\n" ));
+ parser->root.error = FT_THROW( Invalid_File_Format );
+ return;
+ }
+
/* Set Units per EM based on FontMatrix values. We set the value to */
/* 1000 / temp_scale, because temp_scale was already multiplied by */
/* 1000 (in t1_tofixed, from psobjs.c). */
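Review bot: The FT_ERROR added for the zero-scale case in t42parse.c reports itself as `t1_parse_font_matrix`, which is the Type 1 loader's function; the hunk header does not show this function's name, but the file's later hunk logs as `t42_parse_encoding`, so this reads as a copy of the t1load.c message and will send anyone reading the log to the wrong file. Suggest `FT_ERROR(( "t42_parse_font_matrix: invalid font matrix\n" ));`. The `result < 6` path a few lines earlier sets the error without any message, so the hunk logs one invalid-matrix case but not the other. The enclosing function starts and ends outside this hunk.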
@@ -275,7 +289,7 @@
temp[2] = FT_DivFix( temp[2], temp_scale );
temp[4] = FT_DivFix( temp[4], temp_scale );
temp[5] = FT_DivFix( temp[5], temp_scale );
- temp[3] = 0x10000L;
+ temp[3] = temp[3] < 0 ? -0x10000L : 0x10000L;
}
matrix->xx = temp[0];
@@ -314,7 +328,7 @@
if ( ft_isdigit( *cur ) || *cur == '[' )
{
T1_Encoding encode = &face->type1.encoding;
- FT_UInt count, n;
+ FT_Int count, n;
PS_Table char_table = &loader->encoding_table;
FT_Memory memory = parser->root.memory;
FT_Error error;
@@ -329,7 +343,7 @@
parser->root.cursor++;
}
else
- count = (FT_UInt)T1_ToInt( parser );
+ count = (FT_Int)T1_ToInt( parser );
T1_Skip_Spaces( parser );
if ( parser->root.cursor >= limit )
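Review bot: `count` is now signed and takes whatever `T1_ToInt` returns, but neither this hunk nor the declaration hunk above it (the `FT_UInt` to `FT_Int` change for `count, n`) rejects a negative value; the signed `n < count` test in a later hunk merely skips the entries in that case, while any use of `count` as a size or allocation argument elsewhere in the function, outside these hunks, would see a huge value after conversion. A guard right after the assignment makes the intent explicit: `if ( count < 0 ) { parser->root.error = FT_THROW( Invalid_File_Format ); return; }`. The function's start and end are outside the hunk.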
@@ -417,7 +431,7 @@
cur = parser->root.cursor;
- if ( *cur == '/' && cur + 2 < limit && n < count )
+ if ( cur + 2 < limit && *cur == '/' && n < count )
{
FT_PtrDist len;
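Review bot: `cur + 2 < limit` is now evaluated before `*cur`, which is the right order, but it still forms a pointer up to two past `limit` when `cur` sits at or just before the end of the buffer, and pointer arithmetic beyond one-past-the-end is undefined in C even when nothing is dereferenced. The subtraction form is equivalent for `cur <= limit` and never forms that pointer: `if ( limit - cur > 2 && *cur == '/' && n < count )`. Whether `cur` can actually reach `limit` here depends on the loop, which lies outside the hunk.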
@@ -426,6 +440,8 @@
parser->root.cursor = cur;
T1_Skip_PS_Token( parser );
+ if ( parser->root.cursor >= limit )
+ return;
if ( parser->root.error )
return;
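Review bot: The new `cursor >= limit` return leaves `parser->root.error` untouched, so an encoding array cut off in the middle of a token is treated as complete rather than as a malformed font, unless the caller detects the truncation some other way that this hunk does not show. If truncation is meant to be rejected, set the error before returning: `if ( parser->root.cursor >= limit ) { parser->root.error = FT_THROW( Invalid_File_Format ); return; }`. The enclosing loop and function extend outside the hunk.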
@@ -439,6 +455,19 @@
n++;
}
+ else if ( only_immediates )
+ {
+ /* Since the current position is not updated for */
+ /* immediates-only mode we would get an infinite loop if */
+ /* we don't do anything here. */
+ /* */
+ /* This encoding array is not valid according to the type1 */
+ /* specification (it might be an encoding for a CID type1 */
+ /* font, however), so we conclude that this font is NOT a */
+ /* type1 font. */
+ parser->root.error = FT_THROW( Unknown_File_Format );
+ return;
+ }
}
else
{
@@ -471,10 +500,7 @@
face->type1.encoding_type = T1_ENCODING_TYPE_ISOLATIN1;
else
- {
- FT_ERROR(( "t42_parse_encoding: invalid token\n" ));
- parser->root.error = FT_THROW( Invalid_File_Format );
- }
+ parser->root.error = FT_THROW( Ignore );
}
}
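Review bot: Replacing the error block with `FT_THROW( Ignore )` also drops the FT_ERROR, so an encoding with an unrecognised token now leaves no trace in the log at all. If Ignore is intended as a soft skip for the caller (not visible in this hunk), a trace-level message keeps the diagnostic without changing control flow: `FT_TRACE0(( "t42_parse_encoding: invalid token\n" ));` ahead of the new line. How the caller treats Ignore is decided outside the hunk.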