File bnc730124_CVE-2011-3439.patch of Package freetype2

Overview Repositories Revisions Requests Users Attributes Meta

File bnc730124_CVE-2011-3439.patch of Package freetype2

diff -up src/cid/cidload.c.orig-3439 src/cid/cidload.c
--- src/cid/cidload.c.orig-3439	2006-08-19 09:09:37.000000000 +0200
+++ src/cid/cidload.c	2011-12-08 16:09:02.832811300 +0100
@@ -106,7 +106,7 @@
         CID_FaceDict  dict;
 
 
-        if ( parser->num_dict < 0 )
+        if ( parser->num_dict < 0 || parser->num_dict >= cid->num_dicts )
         {
           FT_ERROR(( "cid_load_keyword: invalid use of `%s'!\n",
                      keyword->ident ));
@@ -154,7 +154,7 @@
     FT_Fixed      temp_scale;
 
 
-    if ( parser->num_dict >= 0 )
+    if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )
     {
       dict   = face->cid.font_dicts + parser->num_dict;
       matrix = &dict->font_matrix;
@@ -385,12 +385,25 @@
       FT_Byte*      p;
 
 
+      /* Check for possible overflow. */
+      if ( num_subrs == FT_UINT_MAX )
+      {
+        error = CID_Err_Syntax_Error;
+        goto Fail;
+      }
+
       /* reallocate offsets array if needed */
       if ( num_subrs + 1 > max_offsets )
       {
         FT_UInt  new_max = FT_PAD_CEIL( num_subrs + 1, 4 );
 
 
+        if ( new_max <= max_offsets )
+        {
+          error = CID_Err_Syntax_Error;
+          goto Fail;
+        }
+
         if ( FT_RENEW_ARRAY( offsets, max_offsets, new_max ) )
           goto Fail;
 
@@ -408,6 +421,11 @@
 
       FT_FRAME_EXIT();
 
+      /* offsets must be ordered */
+      for ( count = 1; count <= num_subrs; count++ )
+        if ( offsets[count - 1] > offsets[count] )
+          goto Fail;
+
       /* now, compute the size of subrs charstrings, */
       /* allocate, and read them                     */
       data_len = offsets[num_subrs] - offsets[0];

Places

File bnc730124_CVE-2011-3439.patch of Package freetype2

Places