Diffstat (limited to 'freetype-2.4.11-CVE-2014-9667.patch')
-rw-r--r--freetype-2.4.11-CVE-2014-9667.patch47
1 files changed, 47 insertions, 0 deletions
diff --git a/freetype-2.4.11-CVE-2014-9667.patch b/freetype-2.4.11-CVE-2014-9667.patch
new file mode 100644
index 00000000000..1e349405c40
--- /dev/null
+++ b/freetype-2.4.11-CVE-2014-9667.patch
@@ -0,0 +1,47 @@
+From 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 12 Nov 2014 20:26:44 +0000
+Subject: [sfnt] Fix Savannah bug #43590.
+
+* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
+Protect against addition overflow.
+---
+diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
+index 0a3cd29..8338150 100644
+--- a/src/sfnt/ttload.c
++++ b/src/sfnt/ttload.c
+@@ -5,7 +5,7 @@
+ /* Load the basic TrueType tables, i.e., tables that can be either in */
+ /* TTF or OTF fonts (body). */
+ /* */
+-/* Copyright 1996-2010, 2012 by */
++/* Copyright 1996-2010, 2012-2014 by */
+ /* David Turner, Robert Wilhelm, and Werner Lemberg. */
+ /* */
+ /* This file is part of the FreeType project, and may only be used, */
+@@ -207,7 +207,10 @@
+ }
+
+ /* we ignore invalid tables */
+- if ( table.Offset + table.Length > stream->size )
++
++ /* table.Offset + table.Length > stream->size ? */
++ if ( table.Length > stream->size ||
++ table.Offset > stream->size - table.Length )
+ {
+ FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
+ continue;
+@@ -398,7 +398,10 @@
+ entry->Length = FT_GET_LONG();
+
+ /* ignore invalid tables */
+- if ( entry->Offset + entry->Length > stream->size )
++
++ /* entry->Offset + entry->Length > stream->size ? */
++ if ( entry->Length > stream->size ||
++ entry->Offset > stream->size - entry->Length )
+ continue;
+ else
+ {
+--
+cgit v0.9.0.2
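Review bot: The rewritten bounds checks in check_table_dir and tt_face_load_font_dir are wrap-free only because the `Length > stream->size` clause is evaluated first, and the retained comment `/* table.Offset + table.Length > stream->size ? */` states the intent without saying why the sum is avoided. I would reword it at both sites to something like `/* Length is tested first so that stream->size - Length cannot wrap */`; this assumes Offset, Length and stream->size are all unsigned, which the hunks do not show. The tt_face_load_font_dir site still skips a bad entry silently while check_table_dir emits `FT_TRACE2`, so a matching trace line before its `continue;` would make rejected tables visible when triaging malformed fonts. Separately, the third embedded hunk header reads `@@ -398,7 +398,10 @@` although the preceding hunk adds three lines, so its new-side start looks stale (401 would be expected) and is worth checking against the 2.4.11 tree. Both functions begin and end outside the embedded hunks.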