File bnc619562_CVE-2010-2499.diff of Package freetype2

Overview Repositories Revisions Requests Users Attributes Meta

File bnc619562_CVE-2010-2499.diff of Package freetype2

From c69891a1345640096fbf396e8dd567fe879ce233 Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
Date: Fri, 25 Jun 2010 00:02:18 +0000
Subject: Initial fix for Savannah bug #30248 and #30249.

* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the error during
reading a PFB fragment embedded in LaserWriter PS font for Macintosh.
Reported by Robert Swiecki.

already covered
---
--
cgit v0.8.3.2
From f29f741efbba0a5ce2f16464f648fb8d026ed4c8 Mon Sep 17 00:00:00 2001
From: suzuki toshiya <sssa@flavor1.ipc.hiroshima-u.ac.jp>
Date: Thu, 01 Jul 2010 08:31:03 +0000
Subject: Additional fix for Savannah bug #30248 and #30249.

* src/base/ftobjs.c (Mac_Read_POST_Resource): Check the buffer
size during gathering PFB fragments embedded in LaserWriter PS
font for Macintosh. Reported by Robert Swiecki.
---
--- freetype-2.3.12/src/base/ftobjs.c.orig	2010-08-11 19:40:15.022793475 +0200
+++ freetype-2.3.12/src/base/ftobjs.c	2010-08-11 19:40:15.042794082 +0200
@@ -1553,6 +1553,8 @@
         len += rlen;
       else
       {
+        if ( pfb_lenpos + 3 > pfb_len + 2 )
+          goto Exit2;
         pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
         pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
         pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
@@ -1561,6 +1563,8 @@
         if ( ( flags >> 8 ) == 5 )      /* End of font mark */
           break;
 
+        if ( pfb_pos + 6 > pfb_len + 2 )
+          goto Exit2;
         pfb_data[pfb_pos++] = 0x80;
 
         type = flags >> 8;
@@ -1585,9 +1589,13 @@
       pfb_pos += rlen;
     }
 
+    if ( pfb_pos + 2 > pfb_len + 2 )
+      goto Exit2;
     pfb_data[pfb_pos++] = 0x80;
     pfb_data[pfb_pos++] = 3;
 
+    if ( pfb_lenpos + 3 > pfb_len + 2 )
+      goto Exit2;
     pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
     pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
     pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );

Places

File bnc619562_CVE-2010-2499.diff of Package freetype2

Places