1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0946
3 Protect against malformed compressed data.
4 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0a05ba257b6ddd87dacf8d54b626e4b360e0a596
6 Protect against invalid SID values in CFFs.
7 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0545ec1ca36b27cb928128870a83e5f668980bc5
9 Fix validation for various cmap table formats.
10 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a18788b14db60ae3673f932249cd02d33a227c4e
12 Protect against too large glyphs.
13 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=79972af4f0485a11dcb19551356c45245749fc5b
16 --- a/src/cff/cffload.c
17 +++ b/src/cff/cffload.c
21 for ( j = 1; j < num_glyphs; j++ )
22 - charset->sids[j] = FT_GET_USHORT();
24 + FT_UShort sid = FT_GET_USHORT();
27 + /* this constant is given in the CFF specification */
29 + charset->sids[j] = sid;
32 + FT_ERROR(( "cff_charset_load:"
33 + " invalid SID value %d set to zero\n", sid ));
34 + charset->sids[j] = 0;
44 + /* check whether the range contains at least one valid glyph; */
45 + /* the constant is given in the CFF specification */
46 + if ( glyph_sid >= 65000 ) {
47 + FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
48 + error = CFF_Err_Invalid_File_Format;
52 + /* try to rescue some of the SIDs if `nleft' is too large */
53 + if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
54 + FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
55 + nleft = 65000 - 1 - glyph_sid;
58 /* Fill in the range of sids -- `nleft + 1' glyphs. */
59 for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
60 charset->sids[j] = glyph_sid;
61 --- a/src/lzw/ftzopen.c
62 +++ b/src/lzw/ftzopen.c
65 while ( code >= 256U )
67 + if ( !state->prefix )
70 FTLZW_STACK_PUSH( state->suffix[code - 256] );
71 code = state->prefix[code - 256];
73 --- a/src/smooth/ftsmooth.c
74 +++ b/src/smooth/ftsmooth.c
76 slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
79 - /* allocate new one, depends on pixel format */
80 + /* allocate new one */
88 + if ( pitch > 0xFFFF || height > 0xFFFF )
90 + FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
92 + return Smooth_Err_Raster_Overflow;
95 bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
96 bitmap->num_grays = 256;
97 bitmap->width = width;
98 --- a/src/sfnt/ttcmap.c
99 +++ b/src/sfnt/ttcmap.c
100 @@ -1635,7 +1635,7 @@
101 FT_INVALID_TOO_SHORT;
103 length = TT_NEXT_ULONG( p );
104 - if ( table + length > valid->limit || length < 8208 )
105 + if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
106 FT_INVALID_TOO_SHORT;
109 @@ -1863,7 +1863,8 @@
111 count = TT_NEXT_ULONG( p );
113 - if ( table + length > valid->limit || length < 20 + count * 2 )
114 + if ( length > (FT_ULong)( valid->limit - table ) ||
115 + length < 20 + count * 2 )
116 FT_INVALID_TOO_SHORT;
118 /* check glyph indices */
119 @@ -2048,7 +2049,8 @@
121 num_groups = TT_NEXT_ULONG( p );
123 - if ( table + length > valid->limit || length < 16 + 12 * num_groups )
124 + if ( length > (FT_ULong)( valid->limit - table ) ||
125 + length < 16 + 12 * num_groups )
126 FT_INVALID_TOO_SHORT;
128 /* check groups, they must be in increasing order */
129 @@ -2429,7 +2431,8 @@
130 FT_ULong num_selectors = TT_NEXT_ULONG( p );
133 - if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
134 + if ( length > (FT_ULong)( valid->limit - table ) ||
135 + length < 10 + 11 * num_selectors )
136 FT_INVALID_TOO_SHORT;
138 /* check selectors, they must be in increasing order */
139 @@ -2491,7 +2494,7 @@
140 FT_ULong i, lastUni = 0;
143 - if ( ndp + numMappings * 4 > valid->limit )
144 + if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
145 FT_INVALID_TOO_SHORT;
147 for ( i = 0; i < numMappings; ++i )