← Back to branch summary

~ubuntu-branches/ubuntu/vivid/freetype/vivid-proposed

« back to all changes in this revision

Viewing changes to debian/patches-freetype/CVE-2014-96xx/CVE-2014-9670-2.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-02-24 11:28:03 UTC
  • Revision ID: package-import@ubuntu.com-20150224112803-k20pw5pv807q5jcv
Tags: 2.5.2-2ubuntu3
* SECURITY UPDATE: denial of service and possible code execution via
  multiple security issues
  - debian/patches-freetype/CVE-2014-96xx/*.patch: backport a large
    quantity of upstream commits to fix multiple security issues.
  - CVE-2014-9656
  - CVE-2014-9657
  - CVE-2014-9658
  - CVE-2014-9659
  - CVE-2014-9660
  - CVE-2014-9661
  - CVE-2014-9662
  - CVE-2014-9663
  - CVE-2014-9664
  - CVE-2014-9665
  - CVE-2014-9666
  - CVE-2014-9667
  - CVE-2014-9668
  - CVE-2014-9669
  - CVE-2014-9670
  - CVE-2014-9671
  - CVE-2014-9672
  - CVE-2014-9673
  - CVE-2014-9674
  - CVE-2014-9675

Show diffs side-by-side

added added

removed removed

Lines of Context:
debian/patches-freetype/CVE-2014-96xx/CVE-2014-9670-2.patch
 
1
From b1fc00d5dc0e89432c58367477b6d9d63b6b0be9 Mon Sep 17 00:00:00 2001
 
2
From: Werner Lemberg <wl@gnu.org>
 
3
Date: Fri, 21 Nov 2014 11:06:40 +0000
 
4
Subject: * src/pcf/pcfread.c (pcf_get_metrics): Sanitize invalid metrics.
 
5
 
 
6
---
 
7
Index: freetype-2.5.2/src/pcf/pcfread.c
 
8
===================================================================
 
9
--- freetype-2.5.2.orig/src/pcf/pcfread.c       2015-02-24 08:28:02.140557042 -0500
 
10
+++ freetype-2.5.2/src/pcf/pcfread.c    2015-02-24 08:28:02.136557016 -0500
 
11
@@ -631,24 +631,40 @@
 
12
       return FT_THROW( Out_Of_Memory );
 
13
 
 
14
     metrics = face->metrics;
 
15
-    for ( i = 0; i < nmetrics; i++ )
 
16
+    for ( i = 0; i < nmetrics; i++, metrics++ )
 
17
     {
 
18
-      error = pcf_get_metric( stream, format, metrics + i );
 
19
+      error = pcf_get_metric( stream, format, metrics );
 
20
 
 
21
-      metrics[i].bits = 0;
 
22
+      metrics->bits = 0;
 
23
 
 
24
       FT_TRACE5(( "  idx %d: width=%d, "
 
25
                   "lsb=%d, rsb=%d, ascent=%d, descent=%d, swidth=%d\n",
 
26
                   i,
 
27
-                  ( metrics + i )->characterWidth,
 
28
-                  ( metrics + i )->leftSideBearing,
 
29
-                  ( metrics + i )->rightSideBearing,
 
30
-                  ( metrics + i )->ascent,
 
31
-                  ( metrics + i )->descent,
 
32
-                  ( metrics + i )->attributes ));
 
33
+                  metrics->characterWidth,
 
34
+                  metrics->leftSideBearing,
 
35
+                  metrics->rightSideBearing,
 
36
+                  metrics->ascent,
 
37
+                  metrics->descent,
 
38
+                  metrics->attributes ));
 
39
 
 
40
       if ( error )
 
41
         break;
 
42
+
 
43
+      /* sanity checks -- those values are used in `PCF_Glyph_Load' to     */
 
44
+      /* compute a glyph's bitmap dimensions, thus setting them to zero in */
 
45
+      /* case of an error disables this particular glyph only              */
 
46
+      if ( metrics->rightSideBearing < metrics->leftSideBearing ||
 
47
+           metrics->ascent + metrics->descent < 0               )
 
48
+      {
 
49
+        metrics->characterWidth   = 0;
 
50
+        metrics->leftSideBearing  = 0;
 
51
+        metrics->rightSideBearing = 0;
 
52
+        metrics->ascent           = 0;
 
53
+        metrics->descent          = 0;
 
54
+
 
55
+        FT_TRACE0(( "pcf_get_metrics:"
 
56
+                    " invalid metrics for glyph %d\n", i ));
 
57
+      }
 
58
     }
 
59
 
 
60
     if ( error )