Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
home:AndreasSchwab:13.1
freetype2
CVE-2014-9747.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2014-9747.patch of Package freetype2
--- freetype-2.5.0.1/src/cid/cidload.c 2013-05-28 23:00:03.000000000 +0200 +++ freetype-2.5.0.1/src/cid/cidload.c 2015-09-30 11:37:53.445098361 +0200 @@ -160,14 +160,25 @@ if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts ) { + FT_Int result; + dict = face->cid.font_dicts + parser->num_dict; matrix = &dict->font_matrix; offset = &dict->font_offset; - (void)cid_parser_to_fixed_array( parser, 6, temp, 3 ); + result = cid_parser_to_fixed_array( parser, 6, temp, 3 ); + + if ( result < 6 ) + return FT_THROW( Invalid_File_Format ); temp_scale = FT_ABS( temp[3] ); + if ( temp_scale == 0 ) + { + FT_ERROR(( "cid_parse_font_matrix: invalid font matrix\n" )); + return FT_THROW( Invalid_File_Format ); + } + /* Set Units per EM based on FontMatrix values. We set the value to */ /* 1000 / temp_scale, because temp_scale was already multiplied by */ /* 1000 (in t1_tofixed, from psobjs.c). */ @@ -182,7 +193,7 @@ temp[2] = FT_DivFix( temp[2], temp_scale ); temp[4] = FT_DivFix( temp[4], temp_scale ); temp[5] = FT_DivFix( temp[5], temp_scale ); - temp[3] = 0x10000L; + temp[3] = temp[3] < 0 ? -0x10000L : 0x10000L; } matrix->xx = temp[0]; @@ -195,8 +206,7 @@ offset->y = temp[5] >> 16; } - return FT_Err_Ok; /* this is a callback function; */ - /* we must return an error code */ + return FT_Err_Ok; } --- freetype-2.5.0.1/src/psaux/psobjs.c 2013-06-06 06:51:42.000000000 +0200 +++ freetype-2.5.0.1/src/psaux/psobjs.c 2015-09-30 11:33:58.654280735 +0200 @@ -1200,7 +1200,7 @@ result = ps_tofixedarray( &cur, limit, 4, temp, 0 ); - if ( result < 0 ) + if ( result < 4 ) { FT_ERROR(( "ps_parser_load_field:" " expected four integers in bounding box\n" )); @@ -1230,7 +1230,7 @@ { result = ps_tofixedarray( &cur, limit, max_objects, temp + i * max_objects, 0 ); - if ( result < 0 ) + if ( result < 0 || (FT_UInt)result < max_objects ) { FT_ERROR(( "ps_parser_load_field:" " expected %d integers in the %s subarray\n" --- freetype-2.5.0.1/src/type1/t1load.c 2013-06-11 16:41:21.000000000 +0200 +++ freetype-2.5.0.1/src/type1/t1load.c 2015-09-30 11:33:58.654280735 +0200 @@ -1107,7 +1107,7 @@ result = T1_ToFixedArray( parser, 6, temp, 3 ); - if ( result < 0 ) + if ( result < 6 ) { parser->root.error = FT_THROW( Invalid_File_Format ); return; --- freetype-2.5.0.1/src/type42/t42parse.c 2013-05-28 23:00:03.000000000 +0200 +++ freetype-2.5.0.1/src/type42/t42parse.c 2015-09-30 11:33:58.655280713 +0200 @@ -255,12 +255,26 @@ FT_Face root = (FT_Face)&face->root; FT_Fixed temp[6]; FT_Fixed temp_scale; + FT_Int result; - (void)T1_ToFixedArray( parser, 6, temp, 3 ); + result = T1_ToFixedArray( parser, 6, temp, 3 ); + + if ( result < 6 ) + { + parser->root.error = FT_THROW( Invalid_File_Format ); + return; + } temp_scale = FT_ABS( temp[3] ); + if ( temp_scale == 0 ) + { + FT_ERROR(( "t1_parse_font_matrix: invalid font matrix\n" )); + parser->root.error = FT_THROW( Invalid_File_Format ); + return; + } + /* Set Units per EM based on FontMatrix values. We set the value to */ /* 1000 / temp_scale, because temp_scale was already multiplied by */ /* 1000 (in t1_tofixed, from psobjs.c). */ @@ -275,7 +289,7 @@ temp[2] = FT_DivFix( temp[2], temp_scale ); temp[4] = FT_DivFix( temp[4], temp_scale ); temp[5] = FT_DivFix( temp[5], temp_scale ); - temp[3] = 0x10000L; + temp[3] = temp[3] < 0 ? -0x10000L : 0x10000L; } matrix->xx = temp[0]; @@ -314,7 +328,7 @@ if ( ft_isdigit( *cur ) || *cur == '[' ) { T1_Encoding encode = &face->type1.encoding; - FT_UInt count, n; + FT_Int count, n; PS_Table char_table = &loader->encoding_table; FT_Memory memory = parser->root.memory; FT_Error error; @@ -329,7 +343,7 @@ parser->root.cursor++; } else - count = (FT_UInt)T1_ToInt( parser ); + count = (FT_Int)T1_ToInt( parser ); T1_Skip_Spaces( parser ); if ( parser->root.cursor >= limit ) @@ -417,7 +431,7 @@ cur = parser->root.cursor; - if ( *cur == '/' && cur + 2 < limit && n < count ) + if ( cur + 2 < limit && *cur == '/' && n < count ) { FT_PtrDist len; @@ -426,6 +440,8 @@ parser->root.cursor = cur; T1_Skip_PS_Token( parser ); + if ( parser->root.cursor >= limit ) + return; if ( parser->root.error ) return; @@ -439,6 +455,19 @@ n++; } + else if ( only_immediates ) + { + /* Since the current position is not updated for */ + /* immediates-only mode we would get an infinite loop if */ + /* we don't do anything here. */ + /* */ + /* This encoding array is not valid according to the type1 */ + /* specification (it might be an encoding for a CID type1 */ + /* font, however), so we conclude that this font is NOT a */ + /* type1 font. */ + parser->root.error = FT_THROW( Unknown_File_Format ); + return; + } } else { @@ -471,10 +500,7 @@ face->type1.encoding_type = T1_ENCODING_TYPE_ISOLATIN1; else - { - FT_ERROR(( "t42_parse_encoding: invalid token\n" )); - parser->root.error = FT_THROW( Invalid_File_Format ); - } + parser->root.error = FT_THROW( Ignore ); } }
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor
