6505703687daa2ec2c41595364a0c07f5d894823
[openwrt/svn-archive/archive.git] / libs / freetype / patches / 901-cve-2009-0946.patch
1 http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0946
2
3 Protect against malformed compressed data.
4 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0a05ba257b6ddd87dacf8d54b626e4b360e0a596
5
6 Protect against invalid SID values in CFFs.
7 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0545ec1ca36b27cb928128870a83e5f668980bc5
8
9 Fix validation for various cmap table formats.
10 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a18788b14db60ae3673f932249cd02d33a227c4e
11
12 Protect against too large glyphs.
13 http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=79972af4f0485a11dcb19551356c45245749fc5b
14
15
16 --- a/src/cff/cffload.c
17 +++ b/src/cff/cffload.c
18 @@ -842,7 +842,20 @@
19 goto Exit;
20
21 for ( j = 1; j < num_glyphs; j++ )
22 - charset->sids[j] = FT_GET_USHORT();
23 + {
24 + FT_UShort sid = FT_GET_USHORT();
25 +
26 +
27 + /* this constant is given in the CFF specification */
28 + if ( sid < 65000 )
29 + charset->sids[j] = sid;
30 + else
31 + {
32 + FT_ERROR(( "cff_charset_load:"
33 + " invalid SID value %d set to zero\n", sid ));
34 + charset->sids[j] = 0;
35 + }
36 + }
37
38 FT_FRAME_EXIT();
39 }
40 @@ -875,6 +888,20 @@
41 goto Exit;
42 }
43
44 + /* check whether the range contains at least one valid glyph; */
45 + /* the constant is given in the CFF specification */
46 + if ( glyph_sid >= 65000 ) {
47 + FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
48 + error = CFF_Err_Invalid_File_Format;
49 + goto Exit;
50 + }
51 +
52 + /* try to rescue some of the SIDs if `nleft' is too large */
53 + if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
54 + FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
55 + nleft = 65000 - 1 - glyph_sid;
56 + }
57 +
58 /* Fill in the range of sids -- `nleft + 1' glyphs. */
59 for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
60 charset->sids[j] = glyph_sid;
61 --- a/src/lzw/ftzopen.c
62 +++ b/src/lzw/ftzopen.c
63 @@ -332,6 +332,9 @@
64
65 while ( code >= 256U )
66 {
67 + if ( !state->prefix )
68 + goto Eof;
69 +
70 FTLZW_STACK_PUSH( state->suffix[code - 256] );
71 code = state->prefix[code - 256];
72 }
73 --- a/src/smooth/ftsmooth.c
74 +++ b/src/smooth/ftsmooth.c
75 @@ -153,7 +153,7 @@
76 slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
77 }
78
79 - /* allocate new one, depends on pixel format */
80 + /* allocate new one */
81 pitch = width;
82 if ( hmul )
83 {
84 @@ -194,6 +194,13 @@
85
86 #endif
87
88 + if ( pitch > 0xFFFF || height > 0xFFFF )
89 + {
90 + FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
91 + width, height ));
92 + return Smooth_Err_Raster_Overflow;
93 + }
94 +
95 bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
96 bitmap->num_grays = 256;
97 bitmap->width = width;
98 --- a/src/sfnt/ttcmap.c
99 +++ b/src/sfnt/ttcmap.c
100 @@ -1635,7 +1635,7 @@
101 FT_INVALID_TOO_SHORT;
102
103 length = TT_NEXT_ULONG( p );
104 - if ( table + length > valid->limit || length < 8208 )
105 + if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
106 FT_INVALID_TOO_SHORT;
107
108 is32 = table + 12;
109 @@ -1863,7 +1863,8 @@
110 p = table + 16;
111 count = TT_NEXT_ULONG( p );
112
113 - if ( table + length > valid->limit || length < 20 + count * 2 )
114 + if ( length > (FT_ULong)( valid->limit - table ) ||
115 + length < 20 + count * 2 )
116 FT_INVALID_TOO_SHORT;
117
118 /* check glyph indices */
119 @@ -2048,7 +2049,8 @@
120 p = table + 12;
121 num_groups = TT_NEXT_ULONG( p );
122
123 - if ( table + length > valid->limit || length < 16 + 12 * num_groups )
124 + if ( length > (FT_ULong)( valid->limit - table ) ||
125 + length < 16 + 12 * num_groups )
126 FT_INVALID_TOO_SHORT;
127
128 /* check groups, they must be in increasing order */
129 @@ -2429,7 +2431,8 @@
130 FT_ULong num_selectors = TT_NEXT_ULONG( p );
131
132
133 - if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
134 + if ( length > (FT_ULong)( valid->limit - table ) ||
135 + length < 10 + 11 * num_selectors )
136 FT_INVALID_TOO_SHORT;
137
138 /* check selectors, they must be in increasing order */
139 @@ -2491,7 +2494,7 @@
140 FT_ULong i, lastUni = 0;
141
142
143 - if ( ndp + numMappings * 4 > valid->limit )
144 + if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
145 FT_INVALID_TOO_SHORT;
146
147 for ( i = 0; i < numMappings; ++i )