authorvlad2015-07-08 15:45:40 +0300
committervlad2015-07-08 15:45:40 +0300
commit619a79ad7ef869b81ee83ce63247db2300594337 (patch)
tree32c7927919f29774199c7958918d329adc41b4f6 /freetype-2.4.11-CVE-2014-9657.patch
downloadaur-619a79ad7ef869b81ee83ce63247db2300594337.tar.gz
Initial import
Diffstat (limited to 'freetype-2.4.11-CVE-2014-9657.patch')
-rw-r--r--freetype-2.4.11-CVE-2014-9657.patch40
1 files changed, 40 insertions, 0 deletions
diff --git a/freetype-2.4.11-CVE-2014-9657.patch b/freetype-2.4.11-CVE-2014-9657.patch
new file mode 100644
index 00000000000..89544067708
--- /dev/null
+++ b/freetype-2.4.11-CVE-2014-9657.patch
@@ -0,0 +1,40 @@
+From eca0f067068020870a429fe91f6329e499390d55 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 24 Nov 2014 09:22:08 +0000
+Subject: [truetype] Fix Savannah bug #43679.
+
+* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of
+`record_size'.
+---
+diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c
+index 9723a51..9991925 100644
+--- a/src/truetype/ttpload.c
++++ b/src/truetype/ttpload.c
+@@ -508,9 +508,9 @@
+ record_size = FT_NEXT_ULONG( p );
+
+ /* The maximum number of bytes in an hdmx device record is the */
+- /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is */
+- /* the reason why `record_size' is a long (which we read as */
+- /* unsigned long for convenience). In practice, two bytes */
++ /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus */
++ /* explaining why `record_size' is a long (which we read as */
++ /* unsigned long for convenience). In practice, two bytes are */
+ /* sufficient to hold the size value. */
+ /* */
+ /* There are at least two fonts, HANNOM-A and HANNOM-B version */
+@@ -522,8 +522,10 @@
+ record_size &= 0xFFFFU;
+
+ /* The limit for `num_records' is a heuristic value. */
+-
+- if ( version != 0 || num_records > 255 || record_size > 0x10001L )
++ if ( version != 0 ||
++ num_records > 255 ||
++ record_size > 0x10001L ||
++ record_size < 4 )
+ {
+ error = TT_Err_Invalid_File_Format;
+ goto Fail;
+--
+cgit v0.9.0.2
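Review bot: The new lower bound `record_size < 4` in the patched condition of tt_face_load_hdmx is an unexplained magic number: the comment directly above it covers only the `num_records` heuristic, and the earlier comment block explains only the maximum record size. A one-line comment beside the check would help anyone auditing or re-backporting this CVE fix, for example `/* a device record is padded to 32 bits, so fewer than 4 bytes is malformed */` (rationale inferred from the hdmx table layout, please confirm against upstream). The loop that consumes `record_size` lies outside the hunk, so whether each record is also bounded against the table length cannot be confirmed from this patch. tt_face_load_hdmx itself starts and ends outside the shown context.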