File bugzilla-154928-integer-overflows.patch of Package NX

Overview Repositories Revisions Requests Users Attributes Meta

File bugzilla-154928-integer-overflows.patch of Package NX

diff -ru freetype-2.1.7.orig/include/freetype/fterrdef.h freetype-2.1.7/include/freetype/fterrdef.h
--- freetype-2.1.7.orig/include/freetype/fterrdef.h	2002-05-21 16:13:00.000000000 +0200
+++ freetype-2.1.7/include/freetype/fterrdef.h	2006-06-12 17:26:49.000000000 +0200
@@ -224,6 +224,8 @@
                 "`ENCODING' field missing" )
   FT_ERRORDEF_( Missing_Bbx_Field,                           0xB6, \
                 "`BBX' field missing" )
+  FT_ERRORDEF_( Bbx_Too_Big,                                 0xB7, \
+                "`BBX' too big" )
 
 
 /* END */
diff -ru freetype-2.1.7.orig/src/base/ftutil.c freetype-2.1.7/src/base/ftutil.c
--- freetype-2.1.7.orig/src/base/ftutil.c	2002-07-28 07:05:22.000000000 +0200
+++ freetype-2.1.7/src/base/ftutil.c	2006-06-12 18:23:51.000000000 +0200
@@ -66,6 +66,14 @@
       }
       FT_MEM_ZERO( *P, size );
     }
+    else if ( size < 0 )
+    {
+        /* may help catch/prevent security issues */
+        FT_ERROR(( "FT_Alloc:" ));
+        FT_ERROR(( " Negative size requested. (%ld requested)\n",
+                   size ));
+	return FT_Err_Invalid_Argument;
+    }
     else
       *P = NULL;
 
@@ -95,7 +103,11 @@
       return FT_Alloc( memory, size, P );
 
     /* if the new block if zero-sized, clear the current one */
-    if ( size <= 0 )
+    if (size < 0 || current < 0)
+    {
+	    return FT_Err_Invalid_Argument;
+    }
+    else if ( size == 0 )
     {
       FT_Free( memory, P );
       return FT_Err_Ok;
diff -ru freetype-2.1.7.orig/src/bdf/bdflib.c freetype-2.1.7/src/bdf/bdflib.c
--- freetype-2.1.7.orig/src/bdf/bdflib.c	2003-10-16 00:20:56.000000000 +0200
+++ freetype-2.1.7/src/bdf/bdflib.c	2006-06-12 18:27:34.000000000 +0200
@@ -1098,7 +1098,7 @@
 #define ERRMSG1  "[line %ld] Missing \"%s\" line.\n"
 #define ERRMSG2  "[line %ld] Font header corrupted or missing fields.\n"
 #define ERRMSG3  "[line %ld] Font glyphs corrupted or missing fields.\n"
-
+#define ERRMSG4  "[line %ld] BBX too big.\n"
 
   static FT_Error
   _bdf_add_comment( bdf_font_t*    font,
@@ -1820,6 +1820,8 @@
     /* And finally, gather up the bitmap. */
     if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
     {
+      unsigned long  bitmap_size;
+      
       if ( !( p->flags & _BDF_BBX ) )
       {
         /* Missing BBX field. */
@@ -1830,7 +1832,16 @@
 
       /* Allocate enough space for the bitmap. */
       glyph->bpr   = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
-      glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height );
+
+      bitmap_size = glyph->bpr * glyph->bbx.height;
+      if ( bitmap_size > 0xFFFFU )
+      {
+        FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
+        error = BDF_Err_Bbx_Too_Big;
+        goto Exit;
+      }
+      else
+        glyph->bytes = (unsigned short)bitmap_size;
 
       if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) )
         goto Exit;
diff -ru freetype-2.1.7.orig/src/cff/cffload.c freetype-2.1.7/src/cff/cffload.c
--- freetype-2.1.7.orig/src/cff/cffload.c	2003-10-29 22:43:51.000000000 +0100
+++ freetype-2.1.7/src/cff/cffload.c	2006-06-12 18:32:31.000000000 +0200
@@ -1235,7 +1235,7 @@
       }
 
       /* access element */
-      if ( off1 )
+      if ( off1 && off2 > off1)
       {
         *pbyte_len = off2 - off1;
 
diff -ru freetype-2.1.7.orig/src/pshinter/pshglob.c freetype-2.1.7/src/pshinter/pshglob.c
--- freetype-2.1.7.orig/src/pshinter/pshglob.c	2003-06-09 17:54:18.000000000 +0200
+++ freetype-2.1.7/src/pshinter/pshglob.c	2006-06-12 18:35:41.000000000 +0200
@@ -150,7 +150,7 @@
     FT_UNUSED( target );
 
 
-    for ( ; read_count > 0; read_count -= 2 )
+    for ( ; read_count > 1; read_count -= 2 )
     {
       FT_Int         reference, delta;
       FT_UInt        count;

Places

File bugzilla-154928-integer-overflows.patch of Package NX

Places