File pango-bnc534701-CVE-2009-1194.patch of Package pango

Overview Repositories Revisions Requests Users Attributes Meta

File pango-bnc534701-CVE-2009-1194.patch of Package pango

From 4de30e5500eaeb49f4bf0b7a07f718e149a2ed5e Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Mon, 02 Mar 2009 08:30:52 +0000
Subject: [glyphstring] Handle overflow with very long glyphstrings

---
diff --git a/pango/glyphstring.c b/pango/glyphstring.c
index 42601d5..8fb7031 100644
--- a/pango/glyphstring.c
+++ b/pango/glyphstring.c
@@ -61,14 +61,28 @@ pango_glyph_string_set_size (PangoGlyphString *string, gint new_len)
   while (new_len > string->space)
     {
       if (string->space == 0)
-	string->space = 1;
+	{
+	  string->space = 4;
+	}
       else
-	string->space *= 2;
-
-      if (string->space < 0)
 	{
-	  g_warning ("glyph string length overflows maximum integer size, truncated");
-	  new_len = string->space = G_MAXINT - 8;
+	  const guint max_space =
+	    MIN (G_MAXINT, G_MAXSIZE / MAX (sizeof(PangoGlyphInfo), sizeof(gint)));
+
+	  guint more_space = (guint)string->space * 2;
+
+	  if (more_space > max_space)
+	    {
+	      more_space = max_space;
+
+	      if ((guint)new_len > max_space)
+		{
+		  g_error ("%s: failed to allocate glyph string of length %i\n",
+			   G_STRLOC, new_len);
+		}
+	    }
+
+	  string->space = more_space;
 	}
     }
 
--
cgit v0.8.3.1

Places

File pango-bnc534701-CVE-2009-1194.patch of Package pango

Places