freetype-freeworld/F-12/freetype-2.3.11-CVE-2010-3311.patch

--- freetype-2.3.11/src/base/ftstream.c 2010-09-30 14:12:38.000000000 +0200
+++ freetype-2.3.11/src/base/ftstream.c 2010-09-30 14:12:59.000000000 +0200
@@ -59,8 +59,17 @@
   {
     FT_Error  error = FT_Err_Ok;
 
+    /* note that seeking to the first position after the file is valid */
+    if ( pos > stream->size )
+    {
+      FT_ERROR(( "FT_Stream_Seek:"
+                 " invalid i/o; pos = 0x%lx, size = 0x%lx\n",
+                 pos, stream->size ));
 
-    if ( stream->read )
+      error = FT_Err_Invalid_Stream_Operation;
+    }
+
+    if ( !error && stream->read )
     {
       if ( stream->read( stream, pos, 0, 0 ) )
       {
@@ -71,15 +80,6 @@
         error = FT_Err_Invalid_Stream_Operation;
       }
     }
-    /* note that seeking to the first position after the file is valid */
-    else if ( pos > stream->size )
-    {
-      FT_ERROR(( "FT_Stream_Seek:"
-                 " invalid i/o; pos = 0x%lx, size = 0x%lx\n",
-                 pos, stream->size ));
-
-      error = FT_Err_Invalid_Stream_Operation;
-    }
 
     if ( !error )
       stream->pos = pos;
Revision:	1.1
Committed:	Tue Oct 5 14:03:18 2010 UTC (2 years, 7 months ago) by kkofler
Branch:	MAIN
CVS Tags:	freetype-freeworld-2_3_11-2_fc12, freetype-freeworld-2_3_11-3_fc12, HEAD
Log Message:	* Tue Oct 05 2010 Kevin Kofler <Kevin@tigcc.ticalc.org> 2.3.11-2 - Update the description to reflect that the bytecode interpreter is no longer patented (but still disabled in the stock Fedora freetype). - Add freetype-2.3.11-CVE-2010-2805.patch (Fix comparison.) - Add freetype-2.3.11-CVE-2010-2806.patch (Protect against negative string_size. Fix comparison.) - Add freetype-2.3.11-CVE-2010-2808.patch (Check the total length of collected POST segments.) - Add freetype-2.3.11-CVE-2010-3311.patch (Don't seek behind end of stream.) - Resolves: rh#638522 - Add freetype-2.3.11-CVE-2010-1797.patch (Check stack after execution of operations too. Skip the evaluations of the values in decoder, if cff_decoder_parse_charstrings() returns any error.) - Resolves: rh#621627 - Add freetype-2.3.11-CVE-2010-2498.patch (Assure that `end_point' is not larger than `glyph->num_points') - Add freetype-2.3.11-CVE-2010-2499.patch (Check the buffer size during gathering PFB fragments) - Add freetype-2.3.11-CVE-2010-2500.patch (Use smaller threshold values for `width' and `height') - Add freetype-2.3.11-CVE-2010-2519.patch (Check `rlen' the length of fragment declared in the POST fragment header) - Add freetype-2.3.11-CVE-2010-2520.patch (Fix bounds check) - Add freetype-2.3.11-CVE-2010-2527.patch (Use precision for `%s' where appropriate to avoid buffer overflows) - Add freetype-2.3.11-CVE-2010-2541.patch (Avoid overflow when dealing with names of axes) - Resolves: rh#613299
Line	File contents
1	--- freetype-2.3.11/src/base/ftstream.c 2010-09-30 14:12:38.000000000 +0200
2	+++ freetype-2.3.11/src/base/ftstream.c 2010-09-30 14:12:59.000000000 +0200
3	@@ -59,8 +59,17 @@
4	{
5	FT_Error error = FT_Err_Ok;
6
7	+ /* note that seeking to the first position after the file is valid */
8	+ if ( pos > stream->size )
9	+ {
10	+ FT_ERROR(( "FT_Stream_Seek:"
11	+ " invalid i/o; pos = 0x%lx, size = 0x%lx\n",
12	+ pos, stream->size ));
13
14	- if ( stream->read )
15	+ error = FT_Err_Invalid_Stream_Operation;
16	+ }
17	+
18	+ if ( !error && stream->read )
19	{
20	if ( stream->read( stream, pos, 0, 0 ) )
21	{
22	@@ -71,15 +80,6 @@
23	error = FT_Err_Invalid_Stream_Operation;
24	}
25	}
26	- /* note that seeking to the first position after the file is valid */
27	- else if ( pos > stream->size )
28	- {
29	- FT_ERROR(( "FT_Stream_Seek:"
30	- " invalid i/o; pos = 0x%lx, size = 0x%lx\n",
31	- pos, stream->size ));
32	-
33	- error = FT_Err_Invalid_Stream_Operation;
34	- }
35
36	if ( !error )
37	stream->pos = pos;