Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP1:GA
ft2demos.449
CVE-2014-9659.patch
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File CVE-2014-9659.patch of Package ft2demos.449
From 2cdc4562f873237f1c77d43540537c7a721d3fd8 Mon Sep 17 00:00:00 2001 From: Dave Arnold <darnold@adobe.com> Date: Thu, 04 Dec 2014 05:10:16 +0000 Subject: [cff] Fix Savannah bug #43661. * src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdHSTEM, cf2_cmdVSTEM, cf2_cmdHINTMASK>: Don't append to stem arrays after hintmask is constructed. * src/cff/cf2hints.c (cf2_hintmap_build): Add defensive code to avoid reading past end of hintmask. --- diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c index 81049f4..28a892b 100644 --- a/src/cff/cf2hints.c +++ b/src/cff/cf2hints.c @@ -794,9 +794,12 @@ maskPtr = cf2_hintmask_getMaskPtr( &tempHintMask ); /* use the hStem hints only, which are first in the mask */ - /* TODO: compare this to cffhintmaskGetBitCount */ bitCount = cf2_arrstack_size( hStemHintArray ); + /* Defense-in-depth. Should never return here. */ + if ( bitCount > hintMask->bitCount ) + return; + /* synthetic embox hints get highest priority */ if ( font->blues.doEmBoxHints ) { diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c index 5610917..a269606 100644 --- a/src/cff/cf2intrp.c +++ b/src/cff/cf2intrp.c @@ -4,7 +4,7 @@ /* */ /* Adobe's CFF Interpreter (body). */ /* */ -/* Copyright 2007-2013 Adobe Systems Incorporated. */ +/* Copyright 2007-2014 Adobe Systems Incorporated. */ /* */ /* This software, and all works of authorship, whether in source or */ /* object code form as indicated by the copyright notice(s) included */ @@ -593,8 +593,11 @@ /* never add hints after the mask is computed */ if ( cf2_hintmask_isValid( &hintMask ) ) + { FT_TRACE4(( "cf2_interpT2CharString:" " invalid horizontal hint mask\n" )); + break; + } cf2_doStems( font, opStack, @@ -614,8 +617,11 @@ /* never add hints after the mask is computed */ if ( cf2_hintmask_isValid( &hintMask ) ) + { FT_TRACE4(( "cf2_interpT2CharString:" " invalid vertical hint mask\n" )); + break; + } cf2_doStems( font, opStack, @@ -1141,15 +1147,16 @@ /* `cf2_hintmask_read' (which also traces the mask bytes) */ FT_TRACE4(( op1 == cf2_cmdCNTRMASK ? " cntrmask" : " hintmask" )); - /* if there are arguments on the stack, there this is an */ - /* implied cf2_cmdVSTEMHM */ - if ( cf2_stack_count( opStack ) != 0 ) + /* never add hints after the mask is computed */ + if ( cf2_stack_count( opStack ) > 1 && + cf2_hintmask_isValid( &hintMask ) ) { - /* never add hints after the mask is computed */ - if ( cf2_hintmask_isValid( &hintMask ) ) - FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" )); + FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" )); + break; } + /* if there are arguments on the stack, there this is an */ + /* implied cf2_cmdVSTEMHM */ cf2_doStems( font, opStack, &vStemHintArray, -- cgit v0.9.0.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor