Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.1
freetype2
bnc730124_CVE-2011-3439.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File bnc730124_CVE-2011-3439.patch of Package freetype2
diff -up src/cid/cidload.c.orig-3439 src/cid/cidload.c --- src/cid/cidload.c.orig-3439 2006-08-19 09:09:37.000000000 +0200 +++ src/cid/cidload.c 2011-12-08 16:09:02.832811300 +0100 @@ -106,7 +106,7 @@ CID_FaceDict dict; - if ( parser->num_dict < 0 ) + if ( parser->num_dict < 0 || parser->num_dict >= cid->num_dicts ) { FT_ERROR(( "cid_load_keyword: invalid use of `%s'!\n", keyword->ident )); @@ -154,7 +154,7 @@ FT_Fixed temp_scale; - if ( parser->num_dict >= 0 ) + if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts ) { dict = face->cid.font_dicts + parser->num_dict; matrix = &dict->font_matrix; @@ -385,12 +385,25 @@ FT_Byte* p; + /* Check for possible overflow. */ + if ( num_subrs == FT_UINT_MAX ) + { + error = CID_Err_Syntax_Error; + goto Fail; + } + /* reallocate offsets array if needed */ if ( num_subrs + 1 > max_offsets ) { FT_UInt new_max = FT_PAD_CEIL( num_subrs + 1, 4 ); + if ( new_max <= max_offsets ) + { + error = CID_Err_Syntax_Error; + goto Fail; + } + if ( FT_RENEW_ARRAY( offsets, max_offsets, new_max ) ) goto Fail; @@ -408,6 +421,11 @@ FT_FRAME_EXIT(); + /* offsets must be ordered */ + for ( count = 1; count <= num_subrs; count++ ) + if ( offsets[count - 1] > offsets[count] ) + goto Fail; + /* now, compute the size of subrs charstrings, */ /* allocate, and read them */ data_len = offsets[num_subrs] - offsets[0];
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor