freetype-freeworld/F-12/freetype-2.3.11-CVE-2010-2808.patch

--- freetype-2.3.11/src/base/ftobjs.c   2010-09-30 13:58:50.000000000 +0200
+++ freetype-2.3.11/src/base/ftobjs.c   2010-09-30 13:59:31.000000000 +0200
@@ -1529,6 +1529,7 @@
       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
                    i, offsets[i], rlen, flags ));
 
+      /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
       if ( ( flags >> 8 ) == 0 )        /* Comment, should not be loaded */
         continue;
 
@@ -1568,6 +1569,10 @@
         pfb_data[pfb_pos++] = 0;
       }
 
+      error = FT_Err_Cannot_Open_Resource;
+      if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
+        goto Exit2;
+
       error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
       if ( error )
         goto Exit2;
Revision:	1.1
Committed:	Tue Oct 5 14:03:18 2010 UTC (2 years, 8 months ago) by kkofler
Branch:	MAIN
CVS Tags:	freetype-freeworld-2_3_11-2_fc12, freetype-freeworld-2_3_11-3_fc12, HEAD
Log Message:	* Tue Oct 05 2010 Kevin Kofler <Kevin@tigcc.ticalc.org> 2.3.11-2 - Update the description to reflect that the bytecode interpreter is no longer patented (but still disabled in the stock Fedora freetype). - Add freetype-2.3.11-CVE-2010-2805.patch (Fix comparison.) - Add freetype-2.3.11-CVE-2010-2806.patch (Protect against negative string_size. Fix comparison.) - Add freetype-2.3.11-CVE-2010-2808.patch (Check the total length of collected POST segments.) - Add freetype-2.3.11-CVE-2010-3311.patch (Don't seek behind end of stream.) - Resolves: rh#638522 - Add freetype-2.3.11-CVE-2010-1797.patch (Check stack after execution of operations too. Skip the evaluations of the values in decoder, if cff_decoder_parse_charstrings() returns any error.) - Resolves: rh#621627 - Add freetype-2.3.11-CVE-2010-2498.patch (Assure that `end_point' is not larger than `glyph->num_points') - Add freetype-2.3.11-CVE-2010-2499.patch (Check the buffer size during gathering PFB fragments) - Add freetype-2.3.11-CVE-2010-2500.patch (Use smaller threshold values for `width' and `height') - Add freetype-2.3.11-CVE-2010-2519.patch (Check `rlen' the length of fragment declared in the POST fragment header) - Add freetype-2.3.11-CVE-2010-2520.patch (Fix bounds check) - Add freetype-2.3.11-CVE-2010-2527.patch (Use precision for `%s' where appropriate to avoid buffer overflows) - Add freetype-2.3.11-CVE-2010-2541.patch (Avoid overflow when dealing with names of axes) - Resolves: rh#613299
Line	User	Rev	File contents
1	kkofler	1.1	--- freetype-2.3.11/src/base/ftobjs.c 2010-09-30 13:58:50.000000000 +0200
2			+++ freetype-2.3.11/src/base/ftobjs.c 2010-09-30 13:59:31.000000000 +0200
3			@@ -1529,6 +1529,7 @@
4			FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
5			i, offsets[i], rlen, flags ));
6
7			+ /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
8			if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */
9			continue;
10
11			@@ -1568,6 +1569,10 @@
12			pfb_data[pfb_pos++] = 0;
13			}
14
15			+ error = FT_Err_Cannot_Open_Resource;
16			+ if ( pfb_pos > pfb_len \|\| pfb_pos + rlen > pfb_len )
17			+ goto Exit2;
18			+
19			error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
20			if ( error )
21			goto Exit2;