libs/freetype/patches/901-cve-2009-0946.patch

   1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0946
   2
   3 Protect against malformed compressed data.
   4 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0a05ba257b6ddd87dacf8d54b626e4b360e0a596
   5
   6 Protect against invalid SID values in CFFs.
   7 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0545ec1ca36b27cb928128870a83e5f668980bc5
   8
   9 Fix validation for various cmap table formats.
  10 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a18788b14db60ae3673f932249cd02d33a227c4e
  11
  12 Protect against too large glyphs.
  13 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=79972af4f0485a11dcb19551356c45245749fc5b
  14
  15
  16 --- a/src/cff/cffload.c
  17 +++ b/src/cff/cffload.c
  18 @@ -842,7 +842,20 @@
  19              goto Exit;
  20
  21            for ( j = 1; j < num_glyphs; j++ )
  22 -            charset->sids[j] = FT_GET_USHORT();
  23 +          {
  24 +            FT_UShort sid = FT_GET_USHORT();
  25 +
  26 +
  27 +            /* this constant is given in the CFF specification */
  28 +            if ( sid < 65000 )
  29 +              charset->sids[j] = sid;
  30 +            else
  31 +            {
  32 +              FT_ERROR(( "cff_charset_load:"
  33 +                         " invalid SID value %d set to zero\n", sid ));
  34 +              charset->sids[j] = 0;
  35 +            }
  36 +          }
  37
  38            FT_FRAME_EXIT();
  39          }
  40 @@ -875,6 +888,20 @@
  41                  goto Exit;
  42              }
  43
  44 +            /* check whether the range contains at least one valid glyph; */
  45 +            /* the constant is given in the CFF specification             */
  46 +            if ( glyph_sid >= 65000 ) {
  47 +              FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
  48 +              error = CFF_Err_Invalid_File_Format;
  49 +              goto Exit;
  50 +            }
  51 +
  52 +            /* try to rescue some of the SIDs if `nleft' is too large */
  53 +            if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
  54 +              FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
  55 +              nleft = 65000 - 1 - glyph_sid;
  56 +            }
  57 +
  58              /* Fill in the range of sids -- `nleft + 1' glyphs. */
  59              for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
  60                charset->sids[j] = glyph_sid;
  61 --- a/src/lzw/ftzopen.c
  62 +++ b/src/lzw/ftzopen.c
  63 @@ -332,6 +332,9 @@
  64
  65            while ( code >= 256U )
  66            {
  67 +            if ( !state->prefix )
  68 +              goto Eof;
  69 +
  70              FTLZW_STACK_PUSH( state->suffix[code - 256] );
  71              code = state->prefix[code - 256];
  72            }
  73 --- a/src/smooth/ftsmooth.c
  74 +++ b/src/smooth/ftsmooth.c
  75 @@ -153,7 +153,7 @@
  76        slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
  77      }
  78
  79 -    /* allocate new one, depends on pixel format */
  80 +    /* allocate new one */
  81      pitch = width;
  82      if ( hmul )
  83      {
  84 @@ -194,6 +194,13 @@
  85
  86  #endif
  87
  88 +    if ( pitch > 0xFFFF || height > 0xFFFF )
  89 +    {
  90 +      FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
  91 +                 width, height ));
  92 +      return Smooth_Err_Raster_Overflow;
  93 +    }
  94 +
  95      bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
  96      bitmap->num_grays  = 256;
  97      bitmap->width      = width;
  98 --- a/src/sfnt/ttcmap.c
  99 +++ b/src/sfnt/ttcmap.c
 100 @@ -1635,7 +1635,7 @@
 101        FT_INVALID_TOO_SHORT;
 102
 103      length = TT_NEXT_ULONG( p );
 104 -    if ( table + length > valid->limit || length < 8208 )
 105 +    if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
 106        FT_INVALID_TOO_SHORT;
 107
 108      is32       = table + 12;
 109 @@ -1863,7 +1863,8 @@
 110      p      = table + 16;
 111      count  = TT_NEXT_ULONG( p );
 112
 113 -    if ( table + length > valid->limit || length < 20 + count * 2 )
 114 +    if ( length > (FT_ULong)( valid->limit - table ) ||
 115 +         length < 20 + count * 2                     )
 116        FT_INVALID_TOO_SHORT;
 117
 118      /* check glyph indices */
 119 @@ -2048,7 +2049,8 @@
 120      p          = table + 12;
 121      num_groups = TT_NEXT_ULONG( p );
 122
 123 -    if ( table + length > valid->limit || length < 16 + 12 * num_groups )
 124 +    if ( length > (FT_ULong)( valid->limit - table ) ||
 125 +         length < 16 + 12 * num_groups               )
 126        FT_INVALID_TOO_SHORT;
 127
 128      /* check groups, they must be in increasing order */
 129 @@ -2429,7 +2431,8 @@
 130      FT_ULong  num_selectors = TT_NEXT_ULONG( p );
 131
 132
 133 -    if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
 134 +    if ( length > (FT_ULong)( valid->limit - table ) ||
 135 +         length < 10 + 11 * num_selectors            )
 136        FT_INVALID_TOO_SHORT;
 137
 138      /* check selectors, they must be in increasing order */
 139 @@ -2491,7 +2494,7 @@
 140            FT_ULong  i, lastUni = 0;
 141
 142
 143 -          if ( ndp + numMappings * 4 > valid->limit )
 144 +          if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
 145              FT_INVALID_TOO_SHORT;
 146
 147            for ( i = 0; i < numMappings; ++i )