File CVE-2014-9667.patch of Package freetype2.4050

From 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Wed, 12 Nov 2014 20:26:44 +0000
Subject: [sfnt] Fix Savannah bug #43590.

* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
Protect against addition overflow.
---
Index: freetype-2.5.0.1/src/sfnt/ttload.c
===================================================================
--- freetype-2.5.0.1.orig/src/sfnt/ttload.c
+++ freetype-2.5.0.1/src/sfnt/ttload.c
@@ -207,7 +207,10 @@
       }
 
       /* we ignore invalid tables */
-      if ( table.Offset + table.Length > stream->size )
+
+      /* table.Offset + table.Length > stream->size ? */
+      if ( table.Length > stream->size                ||
+           table.Offset > stream->size - table.Length )
       {
         FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
         continue;
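Review bot: The rewritten bound in check_table_dir is wrap-free only if `table.Offset`, `table.Length` and `stream->size` are all unsigned, and none of those declarations is visible in this hunk, so that assumption should be confirmed and stated next to the check. The new comment `/* table.Offset + table.Length > stream->size ? */` repeats the old expression as a question and does not say why the sum is avoided. I would replace it with `/* same test as Offset + Length > size, written without a sum that can wrap; Length <= size is checked first so the subtraction cannot underflow */`. The same wording fits the second hunk in tt_face_load_font_dir. The enclosing loop starts and ends outside the hunk.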
@@ -398,7 +401,10 @@
       entry->Length   = FT_GET_LONG();
 
       /* ignore invalid tables */
-      if ( entry->Offset + entry->Length > stream->size )
+
+      /* entry->Offset + entry->Length > stream->size ? */
+      if ( entry->Length > stream->size                 ||
+           entry->Offset > stream->size - entry->Length )
         continue;
       else
       {
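Review bot: An entry rejected by the new check in tt_face_load_font_dir is dropped with a bare `continue;`, while the matching branch in check_table_dir reports it through FT_TRACE2, so a font whose table directory is malformed loses tables here without leaving any trace output. Bracing the branch and adding `FT_TRACE2(( "tt_face_load_font_dir: invalid table entry ignored\n" ));` before the `continue;` would keep the two functions consistent and make such files easier to triage. Separately, `entry->Length` is filled from `FT_GET_LONG()` on the line above; if that reader yields a signed value and the field is unsigned (neither declaration is visible here), `FT_GET_ULONG()` would state the intent more directly. The loop body continues outside the hunk.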