File bnc730124_CVE-2011-3256.patch of Package freetype2.418

Overview Repositories Revisions Requests Users Attributes Meta

File bnc730124_CVE-2011-3256.patch of Package freetype2.418

Index: freetype-2.4.4/src/base/ftbitmap.c
===================================================================
--- freetype-2.4.4.orig/src/base/ftbitmap.c
+++ freetype-2.4.4/src/base/ftbitmap.c
@@ -417,6 +417,10 @@
 
         target->pitch = source->width + pad;
 
+        if ( target->pitch > 0                           &&
+             target->rows > FT_ULONG_MAX / target->pitch )
+          return FT_Err_Invalid_Argument;
+
         if ( target->rows * target->pitch > old_size             &&
              FT_QREALLOC( target->buffer,
                           old_size, target->rows * target->pitch ) )
Index: freetype-2.4.4/src/psaux/t1decode.c
===================================================================
--- freetype-2.4.4.orig/src/psaux/t1decode.c
+++ freetype-2.4.4/src/psaux/t1decode.c
@@ -747,6 +747,13 @@
             if ( arg_cnt != 0 )
               goto Unexpected_OtherSubr;
 
+            if ( decoder->flex_state == 0 )
+            {
+              FT_ERROR(( "t1_decoder_parse_charstrings:"
+                         " missing flex start\n" ));
+              goto Syntax_Error;
+            }
+
             /* note that we should not add a point for index 0; */
             /* this will move our current position to the flex  */
             /* point without adding any point to the outline    */
Index: freetype-2.4.4/src/raster/ftrend1.c
===================================================================
--- freetype-2.4.4.orig/src/raster/ftrend1.c
+++ freetype-2.4.4/src/raster/ftrend1.c
@@ -168,6 +168,13 @@
 
     width  = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
     height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
+
+    if ( width > FT_USHORT_MAX || height > FT_USHORT_MAX )
+    {
+      error = Raster_Err_Invalid_Argument;
+      goto Exit;
+    }
+
     bitmap = &slot->bitmap;
     memory = render->root.memory;
 
Index: freetype-2.4.4/src/truetype/ttgxvar.c
===================================================================
--- freetype-2.4.4.orig/src/truetype/ttgxvar.c
+++ freetype-2.4.4/src/truetype/ttgxvar.c
@@ -1474,6 +1474,9 @@
       {
         for ( j = 0; j < point_count; ++j )
         {
+          if ( localpoints[j] >= n_points )
+            continue;
+
           delta_xy[localpoints[j]].x += FT_MulFix( deltas_x[j], apply );
           delta_xy[localpoints[j]].y += FT_MulFix( deltas_y[j], apply );
         }
Index: freetype-2.4.4/include/freetype/config/ftstdlib.h
===================================================================
--- freetype-2.4.4.orig/include/freetype/config/ftstdlib.h
+++ freetype-2.4.4/include/freetype/config/ftstdlib.h
@@ -63,6 +63,7 @@
 #define FT_INT_MAX    INT_MAX
 #define FT_INT_MIN    INT_MIN
 #define FT_UINT_MAX   UINT_MAX
+#define FT_USHORT_MAX USHRT_MAX
 #define FT_ULONG_MAX  ULONG_MAX

Places

File bnc730124_CVE-2011-3256.patch of Package freetype2.418

Places