File bugzilla-154928-integer-overflows.patch of Package NX
diff -ru freetype-2.1.7.orig/include/freetype/fterrdef.h freetype-2.1.7/include/freetype/fterrdef.h
--- freetype-2.1.7.orig/include/freetype/fterrdef.h 2002-05-21 16:13:00.000000000 +0200
+++ freetype-2.1.7/include/freetype/fterrdef.h 2006-06-12 17:26:49.000000000 +0200
@@ -224,6 +224,8 @@
 "`ENCODING' field missing" )
 FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \
 "`BBX' field missing" )
+ FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \
+ "`BBX' too big" )
 /* END */
diff -ru freetype-2.1.7.orig/src/base/ftutil.c freetype-2.1.7/src/base/ftutil.c
--- freetype-2.1.7.orig/src/base/ftutil.c 2002-07-28 07:05:22.000000000 +0200
+++ freetype-2.1.7/src/base/ftutil.c 2006-06-12 18:23:51.000000000 +0200
@@ -66,6 +66,14 @@
 }
 FT_MEM_ZERO( *P, size );
 }
+ else if ( size < 0 )
+ {
+ /* may help catch/prevent security issues */
+ FT_ERROR(( "FT_Alloc:" ));
+ FT_ERROR(( " Negative size requested. (%ld requested)\n",
+ size ));
+ return FT_Err_Invalid_Argument;
+ }
 else
 *P = NULL;
@@ -95,7 +103,11 @@
 return FT_Alloc( memory, size, P );
 /* if the new block if zero-sized, clear the current one */
- if ( size <= 0 )
+ if (size < 0 || current < 0)
+ {
+ return FT_Err_Invalid_Argument;
+ }
+ else if ( size == 0 )
 {
 FT_Free( memory, P );
 return FT_Err_Ok;
diff -ru freetype-2.1.7.orig/src/bdf/bdflib.c freetype-2.1.7/src/bdf/bdflib.c
--- freetype-2.1.7.orig/src/bdf/bdflib.c 2003-10-16 00:20:56.000000000 +0200
+++ freetype-2.1.7/src/bdf/bdflib.c 2006-06-12 18:27:34.000000000 +0200
@@ -1098,7 +1098,7 @@
 #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n"
 #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n"
 #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n"
-
+#define ERRMSG4 "[line %ld] BBX too big.\n"
 static FT_Error
 _bdf_add_comment( bdf_font_t* font,
@@ -1820,6 +1820,8 @@
 /* And finally, gather up the bitmap. */
 if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
 {
+ unsigned long bitmap_size;
+
 if ( !( p->flags & _BDF_BBX ) )
 {
 /* Missing BBX field. */
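Review bot: The new `size < 0` branch in FT_Alloc (src/base/ftutil.c, hunk at -66) returns before `*P` is assigned, while the final `else` branch right after it sets `*P = NULL`. A caller that tests or frees the pointer after a failed allocation would then work on whatever value the variable held before the call. Adding `*P = NULL;` ahead of `return FT_Err_Invalid_Argument;` keeps the output parameter defined on every path. The start of the function is outside the hunk, so this assumes no earlier line already clears `*P`.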
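Review bot: The negative-size rejection added to FT_Realloc (src/base/ftutil.c, hunk at -95) returns `FT_Err_Invalid_Argument` silently, whereas the matching check added to FT_Alloc in the same file reports the requested size through `FT_ERROR`. A trace line here, for example `FT_ERROR(( "FT_Realloc: negative size (%ld -> %ld)\n", current, size ));` (assuming both values are printed with `%ld` as `size` is in FT_Alloc), would make the rejection of a corrupt font diagnosable from either entry point. The condition is also written `if (size < 0 || current < 0)` without the inner padding used on the neighbouring lines; `if ( size < 0 || current < 0 )` matches the file. The function begins and ends outside the hunk.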
@@ -1830,7 +1832,16 @@
 /* Allocate enough space for the bitmap. */
 glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
- glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height );
+
+ bitmap_size = glyph->bpr * glyph->bbx.height;
+ if ( bitmap_size > 0xFFFFU )
+ {
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
+ error = BDF_Err_Bbx_Too_Big;
+ goto Exit;
+ }
+ else
+ glyph->bytes = (unsigned short)bitmap_size;
 if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) )
 goto Exit;
diff -ru freetype-2.1.7.orig/src/cff/cffload.c freetype-2.1.7/src/cff/cffload.c
--- freetype-2.1.7.orig/src/cff/cffload.c 2003-10-29 22:43:51.000000000 +0100
+++ freetype-2.1.7/src/cff/cffload.c 2006-06-12 18:32:31.000000000 +0200
@@ -1235,7 +1235,7 @@
 }
 /* access element */
- if ( off1 )
+ if ( off1 && off2 > off1)
 {
 *pbyte_len = off2 - off1;
diff -ru freetype-2.1.7.orig/src/pshinter/pshglob.c freetype-2.1.7/src/pshinter/pshglob.c
--- freetype-2.1.7.orig/src/pshinter/pshglob.c 2003-06-09 17:54:18.000000000 +0200
+++ freetype-2.1.7/src/pshinter/pshglob.c 2006-06-12 18:35:41.000000000 +0200
@@ -150,7 +150,7 @@
 FT_UNUSED( target );
- for ( ; read_count > 0; read_count -= 2 )
+ for ( ; read_count > 1; read_count -= 2 )
 {
 FT_Int reference, delta;
 FT_UInt count;
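Review bot: In `bitmap_size = glyph->bpr * glyph->bbx.height;` (src/bdf/bdflib.c, hunk at -1830) the product is computed in the operands' own type and only then widened to `unsigned long`. If `bpr` and `bbx.height` are narrower than `unsigned long` (their declarations are outside the hunk), the multiplication can overflow before the `> 0xFFFFU` test sees it. Casting one operand first, `bitmap_size = (unsigned long)glyph->bpr * glyph->bbx.height;`, makes the bound check operate on the true product. The `else` after the `goto Exit;` block is redundant and could be dropped; the enclosing function starts and ends outside the hunk.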
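Review bot: The added `off2 > off1` test (src/cff/cffload.c, hunk at -1235) bounds the subtraction only from below: the hunk shows no upper limit on `off2`, so `*pbyte_len = off2 - off1;` can still describe more bytes than the index holds, unless that is checked elsewhere in the function, which is not visible here. If no such check exists, comparing `off2` with the size of the index data before the subtraction would close the other side. A corrupt pair with `off2 < off1` now takes the same path as an absent element, and returning an error may be preferable depending on what that branch does. The condition should also read `off2 > off1 )` to match the file's spacing.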
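Review bot: The reason for `read_count > 1` (src/pshinter/pshglob.c, hunk at -150) is not obvious from the loop header and deserves a comment: the step is `read_count -= 2`, so with the old `> 0` test an odd count ran one more iteration with only a single value left. Suggested comment above the loop: `/* values are consumed in pairs; a trailing unpaired value is ignored */`. The loop body runs past the end of the hunk, so the pair-wise read is inferred from the step rather than seen.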