|
|
# --- T2-COPYRIGHT-NOTE-BEGIN ---# This copyright note is auto-generated by ./scripts/Create-CopyPatch.# # T2 SDE: package/.../freetype/CVE-2006-1861.patch# Copyright (C) 2006 The T2 SDE Project# # More information can be found in the files COPYING and README.# # This patch file is dual-licensed. It is available under the license the# patched project is licensed under, as long as it is an OpenSource license# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms# of the GNU General Public License as published by the Free Software# Foundation; either version 2 of the License, or (at your option) any later# version.# --- T2-COPYRIGHT-NOTE-END ---
diff -Nur freetype-2.1.10-orig/include/freetype/fterrdef.h freetype-2.1.10/include/freetype/fterrdef.h
--- freetype-2.1.10-orig/include/freetype/fterrdef.h 2004-02-12 08:33:20.000000000 +0000
+++ freetype-2.1.10/include/freetype/fterrdef.h 2006-05-31 22:53:15.329323750 +0000
@@ -4,7 +4,7 @@
/* */ /* FreeType error codes (specification). */ /* */-/* Copyright 2002, 2004 by */
+/* Copyright 2002, 2004, 2006 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */@@ -226,6 +226,8 @@
"`ENCODING' field missing" ) FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \ "`BBX' field missing" )+ FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \
+ "`BBX' too big" )
/* END */diff -Nur freetype-2.1.10-orig/src/bdf/bdflib.c freetype-2.1.10/src/bdf/bdflib.c
--- freetype-2.1.10-orig/src/bdf/bdflib.c 2005-05-21 17:19:52.000000000 +0000
+++ freetype-2.1.10/src/bdf/bdflib.c 2006-05-31 22:53:15.333324000 +0000
@@ -1092,6 +1092,7 @@
#define ERRMSG1 "[line %ld] Missing \"%s\" line.\n" #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n" #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n"+#define ERRMSG4 "[line %ld] BBX too big.\n"
static FT_Error@@ -1805,6 +1806,9 @@
/* And finally, gather up the bitmap. */ if ( ft_memcmp( line, "BITMAP", 6 ) == 0 ) {+ unsigned long bitmap_size;
+
+
if ( !( p->flags & _BDF_BBX ) ) { /* Missing BBX field. */@@ -1815,7 +1819,16 @@
/* Allocate enough space for the bitmap. */ glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;- glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height );
+
+ bitmap_size = glyph->bpr * glyph->bbx.height;
+ if ( bitmap_size > 0xFFFFU )
+ {
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
+ error = BDF_Err_Bbx_Too_Big;
+ goto Exit;
+ }
+ else
+ glyph->bytes = (unsigned short)bitmap_size;
if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) ) goto Exit;diff -Nur freetype-2.1.10-orig/src/cff/cffgload.c freetype-2.1.10/src/cff/cffgload.c
--- freetype-2.1.10-orig/src/cff/cffgload.c 2005-04-18 04:53:05.000000000 +0000
+++ freetype-2.1.10/src/cff/cffgload.c 2006-05-31 23:03:31.567836250 +0000
@@ -2284,7 +2284,7 @@
FT_LOCAL_DEF( FT_Error ) cff_slot_load( CFF_GlyphSlot glyph, CFF_Size size,- FT_Int glyph_index,
+ FT_UInt glyph_index,
FT_Int32 load_flags ) { FT_Error error;@@ -2330,7 +2330,7 @@
error = sfnt->load_sbit_image( face, (FT_ULong)size->strike_index,- (FT_UInt)glyph_index,
+ glyph_index,
(FT_Int)load_flags, stream, &glyph->root.bitmap,@@ -2393,7 +2393,12 @@
/* subsetted font, glyph_indices and CIDs are identical, though */ if ( cff->top_font.font_dict.cid_registry != 0xFFFFU && cff->charset.cids )- glyph_index = cff->charset.cids[glyph_index];
+ {
+ if ( glyph_index < cff->charset.max_cid )
+ glyph_index = cff->charset.cids[glyph_index];
+ else
+ glyph_index = 0;
+ }
cff_decoder_init( &decoder, face, size, glyph, hinting, FT_LOAD_TARGET_MODE( load_flags ) );diff -Nur freetype-2.1.10-orig/src/cff/cffgload.h freetype-2.1.10/src/cff/cffgload.h
--- freetype-2.1.10-orig/src/cff/cffgload.h 2004-05-13 21:59:17.000000000 +0000
+++ freetype-2.1.10/src/cff/cffgload.h 2006-05-31 22:53:24.161875750 +0000
@@ -4,7 +4,7 @@
/* */ /* OpenType Glyph Loader (specification). */ /* */-/* Copyright 1996-2001, 2002, 2003, 2004 by */
+/* Copyright 1996-2001, 2002, 2003, 2004, 2006 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */@@ -196,7 +196,7 @@
FT_LOCAL( FT_Error ) cff_slot_load( CFF_GlyphSlot glyph, CFF_Size size,- FT_Int glyph_index,
+ FT_UInt glyph_index,
FT_Int32 load_flags ); diff -Nur freetype-2.1.10-orig/src/cff/cffload.c freetype-2.1.10/src/cff/cffload.c
--- freetype-2.1.10-orig/src/cff/cffload.c 2005-05-06 05:49:46.000000000 +0000
+++ freetype-2.1.10/src/cff/cffload.c 2006-05-31 22:53:24.161875750 +0000
@@ -1688,6 +1688,8 @@
for ( i = 0; i < num_glyphs; i++ ) charset->cids[charset->sids[i]] = (FT_UShort)i;+
+ charset->max_cid = max_cid;
} Exit:diff -Nur freetype-2.1.10-orig/src/cff/cfftypes.h freetype-2.1.10/src/cff/cfftypes.h
--- freetype-2.1.10-orig/src/cff/cfftypes.h 2003-12-20 07:30:05.000000000 +0000
+++ freetype-2.1.10/src/cff/cfftypes.h 2006-05-31 22:53:24.165876000 +0000
@@ -5,7 +5,7 @@
/* Basic OpenType/CFF type definitions and interface (specification */ /* only). */ /* */-/* Copyright 1996-2001, 2002, 2003 by */
+/* Copyright 1996-2001, 2002, 2003, 2006 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */@@ -84,6 +84,7 @@
FT_UShort* sids; FT_UShort* cids; /* the inverse mapping of `sids'; only needed */ /* for CID-keyed fonts */+ FT_UInt max_cid;
} CFF_CharsetRec, *CFF_Charset; diff -Nur freetype-2.1.10-orig/src/sfnt/ttcmap.c freetype-2.1.10/src/sfnt/ttcmap.c
--- freetype-2.1.10-orig/src/sfnt/ttcmap.c 2005-05-11 14:37:40.000000000 +0000
+++ freetype-2.1.10/src/sfnt/ttcmap.c 2006-05-31 22:57:04.807665250 +0000
@@ -2144,9 +2144,7 @@
charmap.encoding = FT_ENCODING_NONE; /* will be filled later */ offset = TT_NEXT_ULONG( p ); - if ( offset &&
- table + offset + 2 < limit &&
- table + offset >= table )
+ if ( offset && offset <= face->cmap_size -2 )
{ FT_Byte* cmap = table + offset; volatile FT_UInt format = TT_PEEK_USHORT( cmap );
|
