# --- T2-COPYRIGHT-NOTE-BEGIN ---
# This copyright note is auto-generated by ./scripts/Create-CopyPatch.
#
# T2 SDE: package/.../freetype/CVE-2006-1861.patch
# Copyright (C) 2006 The T2 SDE Project
#
# More information can be found in the files COPYING and README.
#
# This patch file is dual-licensed. It is available under the license the
# patched project is licensed under, as long as it is an OpenSource license
# as defined at http://www.opensource.org/ (e.g. BSD, X11) or under the terms
# of the GNU General Public License as published by the Free Software
# Foundation; either version 2 of the License, or (at your option) any later
# version.
# --- T2-COPYRIGHT-NOTE-END ---
diff -Nur freetype-2.1.10-orig/include/freetype/fterrdef.h freetype-2.1.10/include/freetype/fterrdef.h
--- freetype-2.1.10-orig/include/freetype/fterrdef.h 2004-02-12 08:33:20.000000000 +0000
+++ freetype-2.1.10/include/freetype/fterrdef.h 2006-05-31 22:53:15.329323750 +0000
@@ -4,7 +4,7 @@
 /* */
 /* FreeType error codes (specification). */
 /* */
-/* Copyright 2002, 2004 by */
+/* Copyright 2002, 2004, 2006 by */
 /* David Turner, Robert Wilhelm, and Werner Lemberg. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
@@ -226,6 +226,8 @@
 "`ENCODING' field missing" )
 FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \
 "`BBX' field missing" )
+ FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \
+ "`BBX' too big" )
 /* END */
diff -Nur freetype-2.1.10-orig/src/bdf/bdflib.c freetype-2.1.10/src/bdf/bdflib.c
--- freetype-2.1.10-orig/src/bdf/bdflib.c 2005-05-21 17:19:52.000000000 +0000
+++ freetype-2.1.10/src/bdf/bdflib.c 2006-05-31 22:53:15.333324000 +0000
@@ -1092,6 +1092,7 @@
 #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n"
 #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n"
 #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n"
+#define ERRMSG4 "[line %ld] BBX too big.\n"
 static FT_Error
@@ -1805,6 +1806,9 @@
 /* And finally, gather up the bitmap. */
 if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
 {
+ unsigned long bitmap_size;
+
+
 if ( !( p->flags & _BDF_BBX ) )
 {
 /* Missing BBX field. */
@@ -1815,7 +1819,16 @@
 /* Allocate enough space for the bitmap. */
 glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
- glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height );
+
+ bitmap_size = glyph->bpr * glyph->bbx.height;
+ if ( bitmap_size > 0xFFFFU )
+ {
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
+ error = BDF_Err_Bbx_Too_Big;
+ goto Exit;
+ }
+ else
+ glyph->bytes = (unsigned short)bitmap_size;
 if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) )
 goto Exit;
diff -Nur freetype-2.1.10-orig/src/cff/cffgload.c freetype-2.1.10/src/cff/cffgload.c
--- freetype-2.1.10-orig/src/cff/cffgload.c 2005-04-18 04:53:05.000000000 +0000
+++ freetype-2.1.10/src/cff/cffgload.c 2006-05-31 23:03:31.567836250 +0000
@@ -2284,7 +2284,7 @@
 FT_LOCAL_DEF( FT_Error )
 cff_slot_load( CFF_GlyphSlot glyph,
 CFF_Size size,
- FT_Int glyph_index,
+ FT_UInt glyph_index,
 FT_Int32 load_flags )
 {
 FT_Error error;
@@ -2330,7 +2330,7 @@
 error = sfnt->load_sbit_image( face,
 (FT_ULong)size->strike_index,
- (FT_UInt)glyph_index,
+ glyph_index,
 (FT_Int)load_flags,
 stream,
 &glyph->root.bitmap,
@@ -2393,7 +2393,12 @@
 /* subsetted font, glyph_indices and CIDs are identical, though */
 if ( cff->top_font.font_dict.cid_registry != 0xFFFFU &&
 cff->charset.cids )
- glyph_index = cff->charset.cids[glyph_index];
+ {
+ if ( glyph_index < cff->charset.max_cid )
+ glyph_index = cff->charset.cids[glyph_index];
+ else
+ glyph_index = 0;
+ }
 cff_decoder_init( &decoder, face, size, glyph, hinting,
 FT_LOAD_TARGET_MODE( load_flags ) );
diff -Nur freetype-2.1.10-orig/src/cff/cffgload.h freetype-2.1.10/src/cff/cffgload.h
--- freetype-2.1.10-orig/src/cff/cffgload.h 2004-05-13 21:59:17.000000000 +0000
+++ freetype-2.1.10/src/cff/cffgload.h 2006-05-31 22:53:24.161875750 +0000
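Review bot: In the second bdflib.c hunk the product on the new `bitmap_size = glyph->bpr * glyph->bbx.height;` line is evaluated in the operands' promoted type before it is widened to `unsigned long`, so if `bpr` and `bbx.height` are 16-bit fields — which the `(unsigned short)` cast and the `0xFFFFU` limit suggest — a large BBX can overflow `int` inside the multiplication and the new size check then runs on an already-wrapped value. Widening one operand first keeps the check meaningful: `bitmap_size = (unsigned long)glyph->bpr * glyph->bbx.height;`. The `else` in front of the assignment is redundant after `goto Exit;` and can be dropped. `_bdf_parse_glyphs` begins and ends outside the hunk.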
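Review bot: In the last cffgload.c hunk the new bound `glyph_index < cff->charset.max_cid` is only in bounds if `max_cid` holds the number of entries in `cids` (largest CID plus one) rather than the largest CID itself; the cffload.c hunk that stores it does not show how the value is derived, so this should be confirmed against that computation, and the comparison would need to be `<=` if it is the maximum index. The out-of-range fallback `glyph_index = 0;` quietly substitutes glyph 0 (conventionally .notdef) instead of reporting an error, which is a reasonable choice but deserves a comment such as `/* CID outside the charset: fall back to glyph 0 */` so it is not mistaken for an oversight later. `cff_slot_load` continues outside the hunk.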
@@ -4,7 +4,7 @@
 /* */
 /* OpenType Glyph Loader (specification). */
 /* */
-/* Copyright 1996-2001, 2002, 2003, 2004 by */
+/* Copyright 1996-2001, 2002, 2003, 2004, 2006 by */
 /* David Turner, Robert Wilhelm, and Werner Lemberg. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
@@ -196,7 +196,7 @@
 FT_LOCAL( FT_Error )
 cff_slot_load( CFF_GlyphSlot glyph,
 CFF_Size size,
- FT_Int glyph_index,
+ FT_UInt glyph_index,
 FT_Int32 load_flags );
diff -Nur freetype-2.1.10-orig/src/cff/cffload.c freetype-2.1.10/src/cff/cffload.c
--- freetype-2.1.10-orig/src/cff/cffload.c 2005-05-06 05:49:46.000000000 +0000
+++ freetype-2.1.10/src/cff/cffload.c 2006-05-31 22:53:24.161875750 +0000
@@ -1688,6 +1688,8 @@
 for ( i = 0; i < num_glyphs; i++ )
 charset->cids[charset->sids[i]] = (FT_UShort)i;
+
+ charset->max_cid = max_cid;
 }
 Exit:
diff -Nur freetype-2.1.10-orig/src/cff/cfftypes.h freetype-2.1.10/src/cff/cfftypes.h
--- freetype-2.1.10-orig/src/cff/cfftypes.h 2003-12-20 07:30:05.000000000 +0000
+++ freetype-2.1.10/src/cff/cfftypes.h 2006-05-31 22:53:24.165876000 +0000
@@ -5,7 +5,7 @@
 /* Basic OpenType/CFF type definitions and interface (specification */
 /* only). */
 /* */
-/* Copyright 1996-2001, 2002, 2003 by */
+/* Copyright 1996-2001, 2002, 2003, 2006 by */
 /* David Turner, Robert Wilhelm, and Werner Lemberg. */
 /* */
 /* This file is part of the FreeType project, and may only be used, */
@@ -84,6 +84,7 @@
 FT_UShort* sids;
 FT_UShort* cids; /* the inverse mapping of `sids'; only needed */
 /* for CID-keyed fonts */
+ FT_UInt max_cid;
 } CFF_CharsetRec, *CFF_Charset;
diff -Nur freetype-2.1.10-orig/src/sfnt/ttcmap.c freetype-2.1.10/src/sfnt/ttcmap.c
--- freetype-2.1.10-orig/src/sfnt/ttcmap.c 2005-05-11 14:37:40.000000000 +0000
+++ freetype-2.1.10/src/sfnt/ttcmap.c 2006-05-31 22:57:04.807665250 +0000
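Review bot: In the cfftypes.h hunk the new `max_cid` field is added without a comment, although its exact meaning is what decides whether the `<` comparison against it in cffgload.c stays inside the `cids` array. Document it next to the field, e.g. `FT_UInt max_cid; /* number of entries in `cids' (largest CID + 1) */` if that is the value cffload.c stores, or as the largest CID if it is not, and adjust the comparison accordingly. The struct definition starts before the hunk.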
@@ -2144,9 +2144,7 @@
 charmap.encoding = FT_ENCODING_NONE; /* will be filled later */
 offset = TT_NEXT_ULONG( p );
- if ( offset &&
- table + offset + 2 < limit &&
- table + offset >= table )
+ if ( offset && offset <= face->cmap_size -2 )
 {
 FT_Byte* cmap = table + offset;
 volatile FT_UInt format = TT_PEEK_USHORT( cmap );
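Review bot: The new condition `offset <= face->cmap_size -2` wraps if `cmap_size` is unsigned (as `offset` from `TT_NEXT_ULONG` is) and smaller than 2, because `cmap_size - 2` then becomes a huge value and every non-zero `offset` passes; unless an earlier check outside the hunk already rejects cmap tables shorter than 2 bytes, guard the subtraction: `if ( offset && face->cmap_size >= 2 && offset <= face->cmap_size - 2 )`. Replacing the old pointer-arithmetic test with an integer comparison is itself an improvement, since `table + offset` could overflow before the old `>= table` check. The spacing of `-2` should also be `- 2` to match the surrounding style. The enclosing function continues past the hunk.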