From 74af85c4b62b35e55b0ce9dec55ee10cbc4962a2 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Mon, 08 Dec 2014 15:01:50 +0000
Subject: [pcf] Fix Savannah bug #43774.
Work around `features' of X11's `pcfWriteFont' and `pcfReadFont'
functions. Since the PCF format doesn't have an official
specification, we have to exactly follow these functions' behaviour.
The problem was unveiled with a patch from 2014-11-06, fixing issue #43547.
* src/pcf/pcfread.c (pcf_read_TOC): Don't check table size for last
element. Instead, assign real size.
Index: freetype-2.5.2/src/pcf/pcfread.c
16
===================================================================
17
--- freetype-2.5.2.orig/src/pcf/pcfread.c 2015-02-24 08:28:18.044663213 -0500
18
+++ freetype-2.5.2/src/pcf/pcfread.c 2015-02-24 08:28:18.040663186 -0500
21
FT_FRAME_ULONG_LE( type ),
22
FT_FRAME_ULONG_LE( format ),
23
- FT_FRAME_ULONG_LE( size ),
24
+ FT_FRAME_ULONG_LE( size ), /* rounded up to a multiple of 4 */
25
FT_FRAME_ULONG_LE( offset ),
29
FT_Memory memory = FT_FACE( face )->memory;
34
- if ( FT_STREAM_SEEK ( 0 ) ||
35
- FT_STREAM_READ_FIELDS ( pcf_toc_header, toc ) )
37
+ if ( FT_STREAM_SEEK( 0 ) ||
38
+ FT_STREAM_READ_FIELDS( pcf_toc_header, toc ) )
39
return FT_THROW( Cannot_Open_Resource );
41
if ( toc->version != PCF_FILE_VERSION ||
46
- /* we now check whether the `size' and `offset' values are reasonable: */
47
- /* `offset' + `size' must not exceed the stream size */
49
+ * We now check whether the `size' and `offset' values are reasonable:
50
+ * `offset' + `size' must not exceed the stream size.
52
+ * Note, however, that X11's `pcfWriteFont' routine (used by the
53
+ * `bdftopcf' program to create PDF font files) has two special
56
+ * - It always assigns the accelerator table a size of 100 bytes in the
57
+ * TOC, regardless of its real size, which can vary between 34 and 72
60
+ * - Due to the way the routine is designed, it ships out the last font
61
+ * table with its real size, ignoring the TOC's size value. Since
62
+ * the TOC size values are always rounded up to a multiple of 4, the
63
+ * difference can be up to three bytes for all tables except the
64
+ * accelerator table, for which the difference can be as large as 66
69
tables = face->toc.tables;
70
- for ( n = 0; n < toc->count; n++ )
71
+ size = stream->size;
73
+ for ( n = 0; n < toc->count - 1; n++ )
75
/* we need two checks to avoid overflow */
76
- if ( ( tables->size > stream->size ) ||
77
- ( tables->offset > stream->size - tables->size ) )
78
+ if ( ( tables->size > size ) ||
79
+ ( tables->offset > size - tables->size ) )
81
error = FT_THROW( Invalid_Table );
87
+ /* no check of `tables->size' for last table element ... */
88
+ if ( ( tables->offset > size ) )
90
+ error = FT_THROW( Invalid_Table );
93
+ /* ... instead, we adjust `tables->size' to the real value */
94
+ tables->size = size - tables->offset;
96
#ifdef FT_DEBUG_LEVEL_TRACE
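Review bot: The new loop bound `n < toc->count - 1` wraps to a huge value when `toc->count` is 0, assuming the field is unsigned (its declaration is not in view), whereas the old `n < toc->count` simply ran zero times. The last-element block would then read `tables->offset` with no entry behind it, so confirm that the `toc->version` test above (cut off in this view) also rejects a zero count, or write the bound as `n + 1 < toc->count` and skip the last-element block when the count is 0. Separately, `tables->size = size - tables->offset` trusts that the last TOC entry is also the table closest to the end of the file; nothing visible here enforces that order, so a last entry with an early offset gets a size covering the rest of the stream. A comment stating that assumption, or an ordering check, would help later readers of the table data. The added comment also says `bdftopcf` creates "PDF font files", which presumably should read "PCF"; pcf_read_TOC itself starts and ends outside the visible lines.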
101
FT_TRACE4(( " number of bitmaps: %d\n", nbitmaps ));
103
- /* XXX: PCF_Face->nmetrics is singed FT_Long, see pcf.h */
104
- if ( face->nmetrics < 0 || nbitmaps != ( FT_ULong )face->nmetrics )
105
+ /* XXX: PCF_Face->nmetrics is signed FT_Long, see pcf.h */
106
+ if ( face->nmetrics < 0 || nbitmaps != (FT_ULong)face->nmetrics )
107
return FT_THROW( Invalid_File_Format );
109
if ( FT_NEW_ARRAY( offsets, nbitmaps ) )