git-svn-id: svn://svn.opensde.net/opensde/package/trunk@20652 10447126-35f2-4685-b0cf-6dd780d3921fearly
Christian Wiese
18 years ago
3 changed files with 12 additions and 188 deletions
@ -1,178 +0,0 @@
|
||||
# --- T2-COPYRIGHT-NOTE-BEGIN ---
|
||||
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
|
||||
#
|
||||
# T2 SDE: package/.../freetype/CVE-2006-1861.patch
|
||||
# Copyright (C) 2006 The T2 SDE Project
|
||||
#
|
||||
# More information can be found in the files COPYING and README.
|
||||
#
|
||||
# This patch file is dual-licensed. It is available under the license the
|
||||
# patched project is licensed under, as long as it is an OpenSource license
|
||||
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
|
||||
# of the GNU General Public License as published by the Free Software
|
||||
# Foundation; either version 2 of the License, or (at your option) any later
|
||||
# version.
|
||||
# --- T2-COPYRIGHT-NOTE-END ---
|
||||
|
||||
diff -Nur freetype-2.1.10-orig/include/freetype/fterrdef.h freetype-2.1.10/include/freetype/fterrdef.h
|
||||
--- freetype-2.1.10-orig/include/freetype/fterrdef.h 2004-02-12 08:33:20.000000000 +0000
|
||||
+++ freetype-2.1.10/include/freetype/fterrdef.h 2006-05-31 22:53:15.329323750 +0000
|
||||
@@ -4,7 +4,7 @@
|
||||
/* */
|
||||
/* FreeType error codes (specification). */
|
||||
/* */
|
||||
-/* Copyright 2002, 2004 by */
|
||||
+/* Copyright 2002, 2004, 2006 by */
|
||||
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
|
||||
/* */
|
||||
/* This file is part of the FreeType project, and may only be used, */
|
||||
@@ -226,6 +226,8 @@
|
||||
"`ENCODING' field missing" )
|
||||
FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \
|
||||
"`BBX' field missing" )
|
||||
+ FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \
|
||||
+ "`BBX' too big" )
|
||||
|
||||
|
||||
/* END */
|
||||
diff -Nur freetype-2.1.10-orig/src/bdf/bdflib.c freetype-2.1.10/src/bdf/bdflib.c
|
||||
--- freetype-2.1.10-orig/src/bdf/bdflib.c 2005-05-21 17:19:52.000000000 +0000
|
||||
+++ freetype-2.1.10/src/bdf/bdflib.c 2006-05-31 22:53:15.333324000 +0000
|
||||
@@ -1092,6 +1092,7 @@
|
||||
#define ERRMSG1 "[line %ld] Missing \"%s\" line.\n"
|
||||
#define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n"
|
||||
#define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n"
|
||||
+#define ERRMSG4 "[line %ld] BBX too big.\n"
|
||||
|
||||
|
||||
static FT_Error
|
||||
@@ -1805,6 +1806,9 @@
|
||||
/* And finally, gather up the bitmap. */
|
||||
if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
|
||||
{
|
||||
+ unsigned long bitmap_size;
|
||||
+
|
||||
+
|
||||
if ( !( p->flags & _BDF_BBX ) )
|
||||
{
|
||||
/* Missing BBX field. */
|
||||
@@ -1815,7 +1819,16 @@
|
||||
|
||||
/* Allocate enough space for the bitmap. */
|
||||
glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
|
||||
- glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height );
|
||||
+
|
||||
+ bitmap_size = glyph->bpr * glyph->bbx.height;
|
||||
+ if ( bitmap_size > 0xFFFFU )
|
||||
+ {
|
||||
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
|
||||
+ error = BDF_Err_Bbx_Too_Big;
|
||||
+ goto Exit;
|
||||
+ }
|
||||
+ else
|
||||
+ glyph->bytes = (unsigned short)bitmap_size;
|
||||
|
||||
if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) )
|
||||
goto Exit;
|
||||
diff -Nur freetype-2.1.10-orig/src/cff/cffgload.c freetype-2.1.10/src/cff/cffgload.c
|
||||
--- freetype-2.1.10-orig/src/cff/cffgload.c 2005-04-18 04:53:05.000000000 +0000
|
||||
+++ freetype-2.1.10/src/cff/cffgload.c 2006-05-31 23:03:31.567836250 +0000
|
||||
@@ -2284,7 +2284,7 @@
|
||||
FT_LOCAL_DEF( FT_Error )
|
||||
cff_slot_load( CFF_GlyphSlot glyph,
|
||||
CFF_Size size,
|
||||
- FT_Int glyph_index,
|
||||
+ FT_UInt glyph_index,
|
||||
FT_Int32 load_flags )
|
||||
{
|
||||
FT_Error error;
|
||||
@@ -2330,7 +2330,7 @@
|
||||
|
||||
error = sfnt->load_sbit_image( face,
|
||||
(FT_ULong)size->strike_index,
|
||||
- (FT_UInt)glyph_index,
|
||||
+ glyph_index,
|
||||
(FT_Int)load_flags,
|
||||
stream,
|
||||
&glyph->root.bitmap,
|
||||
@@ -2393,7 +2393,12 @@
|
||||
/* subsetted font, glyph_indices and CIDs are identical, though */
|
||||
if ( cff->top_font.font_dict.cid_registry != 0xFFFFU &&
|
||||
cff->charset.cids )
|
||||
- glyph_index = cff->charset.cids[glyph_index];
|
||||
+ {
|
||||
+ if ( glyph_index < cff->charset.max_cid )
|
||||
+ glyph_index = cff->charset.cids[glyph_index];
|
||||
+ else
|
||||
+ glyph_index = 0;
|
||||
+ }
|
||||
|
||||
cff_decoder_init( &decoder, face, size, glyph, hinting,
|
||||
FT_LOAD_TARGET_MODE( load_flags ) );
|
||||
diff -Nur freetype-2.1.10-orig/src/cff/cffgload.h freetype-2.1.10/src/cff/cffgload.h
|
||||
--- freetype-2.1.10-orig/src/cff/cffgload.h 2004-05-13 21:59:17.000000000 +0000
|
||||
+++ freetype-2.1.10/src/cff/cffgload.h 2006-05-31 22:53:24.161875750 +0000
|
||||
@@ -4,7 +4,7 @@
|
||||
/* */
|
||||
/* OpenType Glyph Loader (specification). */
|
||||
/* */
|
||||
-/* Copyright 1996-2001, 2002, 2003, 2004 by */
|
||||
+/* Copyright 1996-2001, 2002, 2003, 2004, 2006 by */
|
||||
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
|
||||
/* */
|
||||
/* This file is part of the FreeType project, and may only be used, */
|
||||
@@ -196,7 +196,7 @@
|
||||
FT_LOCAL( FT_Error )
|
||||
cff_slot_load( CFF_GlyphSlot glyph,
|
||||
CFF_Size size,
|
||||
- FT_Int glyph_index,
|
||||
+ FT_UInt glyph_index,
|
||||
FT_Int32 load_flags );
|
||||
|
||||
|
||||
diff -Nur freetype-2.1.10-orig/src/cff/cffload.c freetype-2.1.10/src/cff/cffload.c
|
||||
--- freetype-2.1.10-orig/src/cff/cffload.c 2005-05-06 05:49:46.000000000 +0000
|
||||
+++ freetype-2.1.10/src/cff/cffload.c 2006-05-31 22:53:24.161875750 +0000
|
||||
@@ -1688,6 +1688,8 @@
|
||||
|
||||
for ( i = 0; i < num_glyphs; i++ )
|
||||
charset->cids[charset->sids[i]] = (FT_UShort)i;
|
||||
+
|
||||
+ charset->max_cid = max_cid;
|
||||
}
|
||||
|
||||
Exit:
|
||||
diff -Nur freetype-2.1.10-orig/src/cff/cfftypes.h freetype-2.1.10/src/cff/cfftypes.h
|
||||
--- freetype-2.1.10-orig/src/cff/cfftypes.h 2003-12-20 07:30:05.000000000 +0000
|
||||
+++ freetype-2.1.10/src/cff/cfftypes.h 2006-05-31 22:53:24.165876000 +0000
|
||||
@@ -5,7 +5,7 @@
|
||||
/* Basic OpenType/CFF type definitions and interface (specification */
|
||||
/* only). */
|
||||
/* */
|
||||
-/* Copyright 1996-2001, 2002, 2003 by */
|
||||
+/* Copyright 1996-2001, 2002, 2003, 2006 by */
|
||||
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
|
||||
/* */
|
||||
/* This file is part of the FreeType project, and may only be used, */
|
||||
@@ -84,6 +84,7 @@
|
||||
FT_UShort* sids;
|
||||
FT_UShort* cids; /* the inverse mapping of `sids'; only needed */
|
||||
/* for CID-keyed fonts */
|
||||
+ FT_UInt max_cid;
|
||||
} CFF_CharsetRec, *CFF_Charset;
|
||||
|
||||
|
||||
diff -Nur freetype-2.1.10-orig/src/sfnt/ttcmap.c freetype-2.1.10/src/sfnt/ttcmap.c
|
||||
--- freetype-2.1.10-orig/src/sfnt/ttcmap.c 2005-05-11 14:37:40.000000000 +0000
|
||||
+++ freetype-2.1.10/src/sfnt/ttcmap.c 2006-05-31 22:57:04.807665250 +0000
|
||||
@@ -2144,9 +2144,7 @@
|
||||
charmap.encoding = FT_ENCODING_NONE; /* will be filled later */
|
||||
offset = TT_NEXT_ULONG( p );
|
||||
|
||||
- if ( offset &&
|
||||
- table + offset + 2 < limit &&
|
||||
- table + offset >= table )
|
||||
+ if ( offset && offset <= face->cmap_size -2 )
|
||||
{
|
||||
FT_Byte* cmap = table + offset;
|
||||
volatile FT_UInt format = TT_PEEK_USHORT( cmap );
|