File CVE-2014-9659.patch of Package freetype2

Overview Repositories Revisions Requests Users Attributes Meta

File CVE-2014-9659.patch of Package freetype2

From 2cdc4562f873237f1c77d43540537c7a721d3fd8 Mon Sep 17 00:00:00 2001
From: Dave Arnold <darnold@adobe.com>
Date: Thu, 04 Dec 2014 05:10:16 +0000
Subject: [cff] Fix Savannah bug #43661.

* src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdHSTEM,
cf2_cmdVSTEM, cf2_cmdHINTMASK>: Don't append to stem arrays after
hintmask is constructed.

* src/cff/cf2hints.c (cf2_hintmap_build): Add defensive code to
avoid reading past end of hintmask.
---
diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
index 81049f4..28a892b 100644
--- a/src/cff/cf2hints.c
+++ b/src/cff/cf2hints.c
@@ -794,9 +794,12 @@
     maskPtr      = cf2_hintmask_getMaskPtr( &tempHintMask );
 
     /* use the hStem hints only, which are first in the mask */
-    /* TODO: compare this to cffhintmaskGetBitCount */
     bitCount = cf2_arrstack_size( hStemHintArray );
 
+    /* Defense-in-depth.  Should never return here. */
+    if ( bitCount > hintMask->bitCount )
+        return;
+
     /* synthetic embox hints get highest priority */
     if ( font->blues.doEmBoxHints )
     {
diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c
index 5610917..a269606 100644
--- a/src/cff/cf2intrp.c
+++ b/src/cff/cf2intrp.c
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    Adobe's CFF Interpreter (body).                                      */
 /*                                                                         */
-/*  Copyright 2007-2013 Adobe Systems Incorporated.                        */
+/*  Copyright 2007-2014 Adobe Systems Incorporated.                        */
 /*                                                                         */
 /*  This software, and all works of authorship, whether in source or       */
 /*  object code form as indicated by the copyright notice(s) included      */
@@ -593,8 +593,11 @@
 
         /* never add hints after the mask is computed */
         if ( cf2_hintmask_isValid( &hintMask ) )
+        {
           FT_TRACE4(( "cf2_interpT2CharString:"
                       " invalid horizontal hint mask\n" ));
+          break;
+        }
 
         cf2_doStems( font,
                      opStack,
@@ -614,8 +617,11 @@
 
         /* never add hints after the mask is computed */
         if ( cf2_hintmask_isValid( &hintMask ) )
+        {
           FT_TRACE4(( "cf2_interpT2CharString:"
                       " invalid vertical hint mask\n" ));
+          break;
+        }
 
         cf2_doStems( font,
                      opStack,
@@ -1141,15 +1147,16 @@
         /* `cf2_hintmask_read' (which also traces the mask bytes) */
         FT_TRACE4(( op1 == cf2_cmdCNTRMASK ? " cntrmask" : " hintmask" ));
 
-        /* if there are arguments on the stack, there this is an */
-        /* implied cf2_cmdVSTEMHM                                */
-        if ( cf2_stack_count( opStack ) != 0 )
+        /* never add hints after the mask is computed */
+        if ( cf2_stack_count( opStack ) > 1    &&
+             cf2_hintmask_isValid( &hintMask ) )
         {
-          /* never add hints after the mask is computed */
-          if ( cf2_hintmask_isValid( &hintMask ) )
-            FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" ));
+          FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" ));
+          break;
         }
 
+        /* if there are arguments on the stack, there this is an */
+        /* implied cf2_cmdVSTEMHM                                */
         cf2_doStems( font,
                      opStack,
                      &vStemHintArray,
--
cgit v0.9.0.2

Places

File CVE-2014-9659.patch of Package freetype2

Places