~ubuntu-branches/ubuntu/precise/freetype/precise-security

Viewing changes to debian/patches-freetype/CVE-2014-96xx/CVE-2014-9667.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-02-24 10:35:56 UTC
  • Revision ID: package-import@ubuntu.com-20150224103556-1gtuu5oa9cjuzioh
Tags: 2.4.8-1ubuntu2.2
* SECURITY UPDATE: denial of service and possible code execution via
  multiple security issues
  - debian/patches-freetype/CVE-2014-96xx/*.patch: backport a large
    quantity of upstream commits to fix multiple security issues.
  - CVE-2014-9656
  - CVE-2014-9657
  - CVE-2014-9658
  - CVE-2014-9660
  - CVE-2014-9661
  - CVE-2014-9663
  - CVE-2014-9664
  - CVE-2014-9666
  - CVE-2014-9667
  - CVE-2014-9669
  - CVE-2014-9670
  - CVE-2014-9671
  - CVE-2014-9672
  - CVE-2014-9673
  - CVE-2014-9674
  - CVE-2014-9675

Backport of:

From 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Wed, 12 Nov 2014 20:26:44 +0000
Subject: [sfnt] Fix Savannah bug #43590.

* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
Protect against addition overflow.
---
Index: freetype-2.4.8/src/sfnt/ttload.c
 
===================================================================
 
--- freetype-2.4.8.orig/src/sfnt/ttload.c       2015-02-24 10:11:31.606211984 -0500
 
+++ freetype-2.4.8/src/sfnt/ttload.c    2015-02-24 10:11:31.606211984 -0500
 
@@ -208,7 +208,10 @@
 
       }
 
 
 
       /* we ignore invalid tables */
 
-      if ( table.Offset + table.Length > stream->size )
 
+
 
+      /* table.Offset + table.Length > stream->size ? */
 
+      if ( table.Length > stream->size                ||
 
+           table.Offset > stream->size - table.Length )
 
       {
 
         FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
 
         continue;
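Review bot: The two-clause test at `if ( table.Length > stream->size ||` is only correct because the first clause runs first: it guarantees that `stream->size - table.Length` cannot wrap before the second clause evaluates it. The added comment records the original expression but not this ordering dependency, nor the reason for the rewrite (the commit message gives it as addition overflow in `table.Offset + table.Length`). Suggest expanding the comment to state both, so a later cleanup does not reorder or drop the first clause. This reading assumes the operands are unsigned, which the hunk does not show; if any of them is signed the test needs another look.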
 
@@ -396,7 +399,10 @@
 
       entry->Length   = FT_GET_LONG();
 
 
 
       /* ignore invalid tables */
 
-      if ( entry->Offset + entry->Length > stream->size )
 
+
 
+      /* entry->Offset + entry->Length > stream->size ? */
 
+      if ( entry->Length > stream->size                 ||
 
+           entry->Offset > stream->size - entry->Length )
 
         continue;
 
       else
 
       {
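Review bot: The range test at `if ( entry->Length > stream->size ||` is a second copy of the one added in check_table_dir, differing only in the operand names. Suggest factoring both into one shared helper or macro that takes offset, length and stream size, so the two call sites cannot drift apart on a future fix. Separately, the `continue;` here skips the entry with no trace output, while the matching path in check_table_dir reports the rejected entry through FT_TRACE2; a similar trace message would make malformed fonts easier to diagnose.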