~ubuntu-branches/ubuntu/vivid/freetype/vivid

Viewing changes to debian/patches-freetype/CVE-2014-96xx/CVE-2014-9659-1.patch

Committer: Package Import Robot
Author(s): Marc Deslauriers
Date: 2015-02-24 11:28:03 UTC
Revision ID: package-import@ubuntu.com-20150224112803-k20pw5pv807q5jcv

Tags: 2.5.2-2ubuntu3

* SECURITY UPDATE: denial of service and possible code execution via
  multiple security issues
  - debian/patches-freetype/CVE-2014-96xx/*.patch: backport a large
    quantity of upstream commits to fix multiple security issues.
  - CVE-2014-9656
  - CVE-2014-9657
  - CVE-2014-9658
  - CVE-2014-9659
  - CVE-2014-9660
  - CVE-2014-9661
  - CVE-2014-9662
  - CVE-2014-9663
  - CVE-2014-9664
  - CVE-2014-9665
  - CVE-2014-9666
  - CVE-2014-9667
  - CVE-2014-9668
  - CVE-2014-9669
  - CVE-2014-9670
  - CVE-2014-9671
  - CVE-2014-9672
  - CVE-2014-9673
  - CVE-2014-9674
  - CVE-2014-9675

files added:
debian/patches-freetype/CVE-2014-96xx

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9656.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9657.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9658.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9659-1.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9659-2.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9660.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9661-1.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9661-2.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9662.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9663.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9664-1.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9664-2.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9665-1.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9665-2.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9666.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9667.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9668.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9669.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9670-1.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9670-2.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9671-1.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9671-2.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9671-3.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9672.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9673.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9674-1.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9674-2.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9674-3.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9674-4.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9675-1.patch

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9675-2.patch

files removed:
.pc

.pc/.quilt_patches

.pc/.quilt_series

.pc/.version

.pc/applied-patches

files modified:
debian/changelog

debian/patches-freetype/series

Show diffs side-by-side

added added

removed removed

debian/patches-freetype/CVE-2014-96xx/CVE-2014-9659-1.patch

From 2cdc4562f873237f1c77d43540537c7a721d3fd8 Mon Sep 17 00:00:00 2001

From: Dave Arnold <darnold@adobe.com>

Date: Thu, 04 Dec 2014 05:10:16 +0000

Subject: [cff] Fix Savannah bug #43661.

* src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdHSTEM,

cf2_cmdVSTEM, cf2_cmdHINTMASK>: Don't append to stem arrays after

hintmask is constructed.

* src/cff/cf2hints.c (cf2_hintmap_build): Add defensive code to

avoid reading past end of hintmask.

---

diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c

index 81049f4..28a892b 100644

--- a/src/cff/cf2hints.c

+++ b/src/cff/cf2hints.c

@@ -794,9 +794,12 @@

maskPtr = cf2_hintmask_getMaskPtr( &tempHintMask );

/* use the hStem hints only, which are first in the mask */

- /* TODO: compare this to cffhintmaskGetBitCount */

bitCount = cf2_arrstack_size( hStemHintArray );

+ /* Defense-in-depth. Should never return here. */

+ if ( bitCount > hintMask->bitCount )

+ return;

/* synthetic embox hints get highest priority */

if ( font->blues.doEmBoxHints )

{

diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c

index 5610917..a269606 100644

--- a/src/cff/cf2intrp.c

+++ b/src/cff/cf2intrp.c

@@ -593,8 +593,11 @@

/* never add hints after the mask is computed */

if ( cf2_hintmask_isValid( &hintMask ) )

+ {

FT_TRACE4(( "cf2_interpT2CharString:"

" invalid horizontal hint mask\n" ));

+ break;

+ }

cf2_doStems( font,

opStack,

@@ -614,8 +617,11 @@

/* never add hints after the mask is computed */

if ( cf2_hintmask_isValid( &hintMask ) )

+ {

FT_TRACE4(( "cf2_interpT2CharString:"

" invalid vertical hint mask\n" ));

+ break;

+ }

cf2_doStems( font,

opStack,

@@ -1141,15 +1147,16 @@

/* `cf2_hintmask_read' (which also traces the mask bytes) */

FT_TRACE4(( op1 == cf2_cmdCNTRMASK ? " cntrmask" : " hintmask" ));

- /* if there are arguments on the stack, there this is an */

- /* implied cf2_cmdVSTEMHM */

- if ( cf2_stack_count( opStack ) != 0 )

+ /* never add hints after the mask is computed */

+ if ( cf2_stack_count( opStack ) > 1 &&

+ cf2_hintmask_isValid( &hintMask ) )

{

- /* never add hints after the mask is computed */

- if ( cf2_hintmask_isValid( &hintMask ) )

- FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" ));

+ FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" ));

+ break;

}

+ /* if there are arguments on the stack, there this is an */

+ /* implied cf2_cmdVSTEMHM */

cf2_doStems( font,

opStack,

&vStemHintArray,

cgit v0.9.0.2

Older »