freetype-freeworld/F-12/freetype-2.3.11-CVE-2010-2499.patch

--- freetype-2.3.11/src/base/ftobjs.c   2009-09-02 08:42:41.000000000 +0200
+++ freetype-2.3.11/src/base/ftobjs.c   2010-07-12 16:39:13.000000000 +0200
@@ -1531,6 +1531,8 @@
         len += rlen;
       else
       {
+        if ( pfb_lenpos + 3 > pfb_len + 2 )
+          goto Exit2;
         pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
         pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
         pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
@@ -1539,6 +1541,8 @@
         if ( ( flags >> 8 ) == 5 )      /* End of font mark */
           break;
 
+        if ( pfb_pos + 6 > pfb_len + 2 )
+          goto Exit2;
         pfb_data[pfb_pos++] = 0x80;
 
         type = flags >> 8;
@@ -1553,12 +1557,18 @@
       }
 
       error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
+      if ( error )
+        goto Exit2;
       pfb_pos += rlen;
     }
 
+    if ( pfb_pos + 2 > pfb_len + 2 )
+      goto Exit2;
     pfb_data[pfb_pos++] = 0x80;
     pfb_data[pfb_pos++] = 3;
 
+    if ( pfb_lenpos + 3 > pfb_len + 2 )
+      goto Exit2;
     pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
     pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
     pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
Revision:	1.1
Committed:	Tue Oct 5 14:03:18 2010 UTC (2 years, 7 months ago) by kkofler
Branch:	MAIN
CVS Tags:	freetype-freeworld-2_3_11-2_fc12, freetype-freeworld-2_3_11-3_fc12, HEAD
Log Message:	* Tue Oct 05 2010 Kevin Kofler <Kevin@tigcc.ticalc.org> 2.3.11-2 - Update the description to reflect that the bytecode interpreter is no longer patented (but still disabled in the stock Fedora freetype). - Add freetype-2.3.11-CVE-2010-2805.patch (Fix comparison.) - Add freetype-2.3.11-CVE-2010-2806.patch (Protect against negative string_size. Fix comparison.) - Add freetype-2.3.11-CVE-2010-2808.patch (Check the total length of collected POST segments.) - Add freetype-2.3.11-CVE-2010-3311.patch (Don't seek behind end of stream.) - Resolves: rh#638522 - Add freetype-2.3.11-CVE-2010-1797.patch (Check stack after execution of operations too. Skip the evaluations of the values in decoder, if cff_decoder_parse_charstrings() returns any error.) - Resolves: rh#621627 - Add freetype-2.3.11-CVE-2010-2498.patch (Assure that `end_point' is not larger than `glyph->num_points') - Add freetype-2.3.11-CVE-2010-2499.patch (Check the buffer size during gathering PFB fragments) - Add freetype-2.3.11-CVE-2010-2500.patch (Use smaller threshold values for `width' and `height') - Add freetype-2.3.11-CVE-2010-2519.patch (Check `rlen' the length of fragment declared in the POST fragment header) - Add freetype-2.3.11-CVE-2010-2520.patch (Fix bounds check) - Add freetype-2.3.11-CVE-2010-2527.patch (Use precision for `%s' where appropriate to avoid buffer overflows) - Add freetype-2.3.11-CVE-2010-2541.patch (Avoid overflow when dealing with names of axes) - Resolves: rh#613299
Line	File contents
1	--- freetype-2.3.11/src/base/ftobjs.c 2009-09-02 08:42:41.000000000 +0200
2	+++ freetype-2.3.11/src/base/ftobjs.c 2010-07-12 16:39:13.000000000 +0200
3	@@ -1531,6 +1531,8 @@
4	len += rlen;
5	else
6	{
7	+ if ( pfb_lenpos + 3 > pfb_len + 2 )
8	+ goto Exit2;
9	pfb_data[pfb_lenpos ] = (FT_Byte)( len );
10	pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
11	pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
12	@@ -1539,6 +1541,8 @@
13	if ( ( flags >> 8 ) == 5 ) /* End of font mark */
14	break;
15
16	+ if ( pfb_pos + 6 > pfb_len + 2 )
17	+ goto Exit2;
18	pfb_data[pfb_pos++] = 0x80;
19
20	type = flags >> 8;
21	@@ -1553,12 +1557,18 @@
22	}
23
24	error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
25	+ if ( error )
26	+ goto Exit2;
27	pfb_pos += rlen;
28	}
29
30	+ if ( pfb_pos + 2 > pfb_len + 2 )
31	+ goto Exit2;
32	pfb_data[pfb_pos++] = 0x80;
33	pfb_data[pfb_pos++] = 3;
34
35	+ if ( pfb_lenpos + 3 > pfb_len + 2 )
36	+ goto Exit2;
37	pfb_data[pfb_lenpos ] = (FT_Byte)( len );
38	pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
39	pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );