← Back to branch summary

~ubuntu-branches/ubuntu/precise/freetype/precise-updates

« back to all changes in this revision

Viewing changes to debian/patches-freetype/CVE-2014-96xx/CVE-2014-9674-1.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-02-24 10:35:56 UTC
  • Revision ID: package-import@ubuntu.com-20150224103556-1gtuu5oa9cjuzioh
Tags: 2.4.8-1ubuntu2.2
* SECURITY UPDATE: denial of service and possible code execution via
  multiple security issues
  - debian/patches-freetype/CVE-2014-96xx/*.patch: backport a large
    quantity of upstream commits to fix multiple security issues.
  - CVE-2014-9656
  - CVE-2014-9657
  - CVE-2014-9658
  - CVE-2014-9660
  - CVE-2014-9661
  - CVE-2014-9663
  - CVE-2014-9664
  - CVE-2014-9666
  - CVE-2014-9667
  - CVE-2014-9669
  - CVE-2014-9670
  - CVE-2014-9671
  - CVE-2014-9672
  - CVE-2014-9673
  - CVE-2014-9674
  - CVE-2014-9675

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches-freetype/CVE-2014-96xx/CVE-2014-9674-1.patch
 
1
Backport of:
 
2
 
 
3
From 240c94a185cd8dae7d03059abec8a5662c35ecd3 Mon Sep 17 00:00:00 2001
 
4
From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
 
5
Date: Wed, 26 Nov 2014 06:43:29 +0000
 
6
Subject: Fix Savannah bug #43538.
 
7
 
 
8
* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
 
9
by a broken POST table in resource-fork.
 
10
---
 
11
Index: freetype-2.4.8/src/base/ftobjs.c
 
12
===================================================================
 
13
--- freetype-2.4.8.orig/src/base/ftobjs.c       2015-02-24 10:29:22.135617460 -0500
 
14
+++ freetype-2.4.8/src/base/ftobjs.c    2015-02-24 10:29:22.131617426 -0500
 
15
@@ -1560,10 +1560,23 @@
 
16
         goto Exit;
 
17
       if ( FT_READ_LONG( temp ) )
 
18
         goto Exit;
 
19
+      if ( 0 > temp )
 
20
+        error = FT_Err_Invalid_Offset;
 
21
+      else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
 
22
+        error = FT_Err_Array_Too_Large;
 
23
+
 
24
+      if ( error )
 
25
+        goto Exit;
 
26
+
 
27
       pfb_len += temp + 6;
 
28
     }
 
29
 
 
30
-    if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
 
31
+    if ( 0x7FFFFFFFL - 2 < pfb_len )
 
32
+      error = FT_Err_Array_Too_Large;
 
33
+    else
 
34
+      error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
 
35
+
 
36
+    if ( error )
 
37
       goto Exit;
 
38
 
 
39
     pfb_data[0] = 0x80;