Module Name: xsrc Committed By: snj Date: Thu Jul 2 05:05:58 UTC 2009
Modified Files: xsrc/external/mit/freetype/dist/src/cff [netbsd-5-0]: cffload.c xsrc/external/mit/freetype/dist/src/lzw [netbsd-5-0]: ftzopen.c xsrc/external/mit/freetype/dist/src/sfnt [netbsd-5-0]: ttcmap.c xsrc/external/mit/freetype/dist/src/smooth [netbsd-5-0]: ftsmooth.c Log Message: Pull up following revision(s) (requested by mrg in ticket #848): external/mit/freetype/dist/src/cff/cffload.c: revision 1.2 external/mit/freetype/dist/src/lzw/ftzopen.c: revision 1.2 external/mit/freetype/dist/src/sfnt/ttcmap.c: revision 1.2 external/mit/freetype/dist/src/smooth/ftsmooth.c: revision 1.2 apply fixes from CVE-2009-0946 To generate a diff of this commit: cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 \ xsrc/external/mit/freetype/dist/src/cff/cffload.c cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 \ xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 \ xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 \ xsrc/external/mit/freetype/dist/src/smooth/ftsmooth.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files.
Modified files: Index: xsrc/external/mit/freetype/dist/src/cff/cffload.c diff -u xsrc/external/mit/freetype/dist/src/cff/cffload.c:1.1.1.1 xsrc/external/mit/freetype/dist/src/cff/cffload.c:1.1.1.1.4.1 --- xsrc/external/mit/freetype/dist/src/cff/cffload.c:1.1.1.1 Wed Jul 30 02:36:07 2008 +++ xsrc/external/mit/freetype/dist/src/cff/cffload.c Thu Jul 2 05:05:58 2009 @@ -841,7 +841,20 @@ goto Exit; for ( j = 1; j < num_glyphs; j++ ) - charset->sids[j] = FT_GET_USHORT(); + { + FT_UShort sid = FT_GET_USHORT(); + + + /* this constant is given in the CFF specification */ + if ( sid < 65000 ) + charset->sids[j] = sid; + else + { + FT_ERROR(( "cff_charset_load:" + " invalid SID value %d set to zero\n", sid )); + charset->sids[j] = 0; + } + } FT_FRAME_EXIT(); } @@ -874,6 +887,20 @@ goto Exit; } + /* check whether the range contains at least one valid glyph; */ + /* the constant is given in the CFF specification */ + if ( glyph_sid >= 65000 ) { + FT_ERROR(( "cff_charset_load: invalid SID range\n" )); + error = CFF_Err_Invalid_File_Format; + goto Exit; + } + + /* try to rescue some of the SIDs if `nleft' is too large */ + if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) { + FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" )); + nleft = 65000 - 1 - glyph_sid; + } + /* Fill in the range of sids -- `nleft + 1' glyphs. */ for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ ) charset->sids[j] = glyph_sid; Index: xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c diff -u xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c:1.1.1.1 xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c:1.1.1.1.4.1 --- xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c:1.1.1.1 Wed Jul 30 02:36:13 2008 +++ xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c Thu Jul 2 05:05:58 2009 
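Review bot: The SID limit appears as the bare literal `65000` in every test of this hunk and of the following one at @@ -874 (`sid < 65000`, `glyph_sid >= 65000`, `65000 - 1`, `65000 - nleft`), so the checks can drift apart on a later edit. A single named constant, for example `#define CFF_SID_LIMIT 65000` (the name is only a suggestion), carrying the specification reference in its comment would state the bound once. The two hunks also handle an out-of-range value differently: it is zeroed here, but the file is rejected when a range start is out of range there. A one-line comment saying that this is intentional would help the next reader. The loop belongs to a function whose body starts and ends outside the hunk.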
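Review bot: The test `glyph_sid >= 65000 - nleft` in the hunk at @@ -874 is only safe because `nleft > 65000 - 1` is evaluated first and short-circuits. If `nleft` is unsigned (its declaration is outside the hunk), `65000 - nleft` wraps for any larger value. That ordering is load-bearing and deserves a comment, e.g. `/* the first test keeps 65000 - nleft from wrapping */`. The two added `if` statements also put the opening brace on the same line, unlike the `else` block added in the hunk above.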
@@ -332,6 +332,9 @@ while ( code >= 256U ) { + if ( !state->prefix ) + goto Eof; + FTLZW_STACK_PUSH( state->suffix[code - 256] ); code = state->prefix[code - 256]; } Index: xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c diff -u xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c:1.1.1.1 xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c:1.1.1.1.4.1 --- xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c:1.1.1.1 Wed Jul 30 02:36:16 2008 +++ xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c Thu Jul 2 05:05:58 2009 @@ -1571,7 +1571,7 @@ FT_INVALID_TOO_SHORT; length = TT_NEXT_ULONG( p ); - if ( table + length > valid->limit || length < 8208 ) + if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 ) FT_INVALID_TOO_SHORT; is32 = table + 12; @@ -1799,7 +1799,8 @@ p = table + 16; count = TT_NEXT_ULONG( p ); - if ( table + length > valid->limit || length < 20 + count * 2 ) + if ( length > (FT_ULong)( valid->limit - table ) || + length < 20 + count * 2 ) FT_INVALID_TOO_SHORT; /* check glyph indices */ @@ -1984,7 +1985,8 @@ p = table + 12; num_groups = TT_NEXT_ULONG( p ); - if ( table + length > valid->limit || length < 16 + 12 * num_groups ) + if ( length > (FT_ULong)( valid->limit - table ) || + length < 16 + 12 * num_groups ) FT_INVALID_TOO_SHORT; /* check groups, they must be in increasing order */ @@ -2365,7 +2367,8 @@ FT_ULong num_selectors = TT_NEXT_ULONG( p ); - if ( table + length > valid->limit || length < 10 + 11 * num_selectors ) + if ( length > (FT_ULong)( valid->limit - table ) || + length < 10 + 11 * num_selectors ) FT_INVALID_TOO_SHORT; /* check selectors, they must be in increasing order */ 
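Review bot: The added guard tests only `state->prefix`, yet the first access after it is `state->suffix[code - 256]`, and nothing in the hunk bounds `code - 256` against the size of either table. If both tables come from one allocation (not visible here), a comment such as `/* prefix and suffix share one allocation; NULL prefix means no table */` would make that explicit; otherwise test both pointers. As far as the hunk shows the test is loop-invariant, so it could sit before the `while`. The enclosing function starts and ends outside the hunk, so whether `code` is range-checked earlier should be confirmed there.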
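Review bot: The hunk at @@ -1571 casts the remaining-bytes value to `FT_UInt32`, while the four other rewritten checks in this file cast to `FT_ULong`. Where the pointer difference is wider than 32 bits the narrower cast truncates it. Truncation can only make this test stricter, so this is a consistency point rather than a missing check. Writing `length > (FT_ULong)( valid->limit - table )` here as well would remove the question. The declaration of `length` is outside the hunk.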
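Review bot: The minimum-length half of the check at @@ -1799 still multiplies a count read from the table, `20 + count * 2`, and that product can wrap. The same applies to `16 + 12 * num_groups` at @@ -1984, `10 + 11 * num_selectors` at @@ -2365 and `numMappings * 4` at @@ -2427. `num_selectors` is declared `FT_ULong` in its hunk, and where that type is 32 bits wide a large count wraps the product so the test passes. Dividing instead of multiplying avoids the wrap, e.g. `length < 20 || ( length - 20 ) / 2 < count` and `numMappings > (FT_ULong)( valid->limit - ndp ) / 4`, with the same shape for the other two. The declarations of `count`, `num_groups` and `numMappings` are outside the hunks.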
@@ -2427,7 +2430,7 @@ FT_ULong i, lastUni = 0; - if ( ndp + numMappings * 4 > valid->limit ) + if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ) FT_INVALID_TOO_SHORT; for ( i = 0; i < numMappings; ++i ) Index: xsrc/external/mit/freetype/dist/src/smooth/ftsmooth.c diff -u xsrc/external/mit/freetype/dist/src/smooth/ftsmooth.c:1.1.1.1 xsrc/external/mit/freetype/dist/src/smooth/ftsmooth.c:1.1.1.1.4.1 --- xsrc/external/mit/freetype/dist/src/smooth/ftsmooth.c:1.1.1.1 Wed Jul 30 02:36:12 2008 +++ xsrc/external/mit/freetype/dist/src/smooth/ftsmooth.c Thu Jul 2 05:05:58 2009 @@ -153,7 +153,7 @@ slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP; } - /* allocate new one, depends on pixel format */ + /* allocate new one */ pitch = width; if ( hmul ) { @@ -194,6 +194,13 @@ #endif + if ( pitch > 0xFFFF || height > 0xFFFF ) + { + FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n", + width, height )); + return Smooth_Err_Raster_Overflow; + } + bitmap->pixel_mode = FT_PIXEL_MODE_GRAY; bitmap->num_grays = 256; bitmap->width = width;
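Review bot: The limit `0xFFFF` on both `pitch` and `height` in the hunk at @@ -194 still allows a product just under 2^32. That is safe only if the buffer size computed after this check (outside the hunk) is evaluated in unsigned arithmetic of at least 32 bits, since a signed `int` product would overflow. Either document that next to the check, e.g. `/* pitch * height must fit the allocation size type */`, or use a tighter bound such as `0x7FFF`. The message prints `width` although the test is on `pitch`, and it uses `%d`; if these variables are unsigned (their declarations are outside the hunk), `%u` matches. The bare `return` would also bypass any common exit path the function has, which is worth confirming against the full body.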