File graphite2-CVE-2016-152x.patch of Package graphite2.6849
Index: src/Code.cpp
===================================================================
--- src/Code.cpp.orig 2015-08-31 06:42:03.000000000 +0200
+++ src/Code.cpp 2016-03-03 15:35:23.281426722 +0100
@@ -120,6 +120,7 @@
 analysis _analysis;
 enum passtype _passtype;
 int _stack_depth;
+ bool _in_ctxt_item;
 };
@@ -139,7 +140,8 @@
 _pre_context(code._constraint ? 0 : lims.pre_context),
 _rule_length(code._constraint ? 1 : lims.rule_length),
 _instr(code._code), _data(code._data), _max(lims), _passtype(pt),
- _stack_depth(0)
+ _stack_depth(0),
+ _in_ctxt_item(false)
 { }
@@ -356,8 +358,8 @@
 break;
 case CNTXT_ITEM :
 valid_upto(_max.rule_length, _max.pre_context + int8(bc[0]));
- if (bc + 2 + bc[1] >= _max.bytecode) failure(jump_past_end);
- if (_pre_context != 0) failure(nested_context_item);
+ if (bc + 2 + bc[1] >= _max.bytecode) failure(jump_past_end);
+ if (_in_ctxt_item) failure(nested_context_item);
 break;
 case ATTR_SET :
 case ATTR_ADD :
@@ -574,6 +576,7 @@
 if (opc == CNTXT_ITEM)
 {
 assert(_pre_context == 0);
+ _in_ctxt_item = true;
 _pre_context = _max.pre_context + int8(_data[-2]);
 _rule_length = _max.rule_length;
@@ -592,6 +595,7 @@
 _rule_length = 1;
 _pre_context = 0;
+ _in_ctxt_item = false;
 } else return false;
Index: src/SegCacheEntry.cpp
===================================================================
--- src/SegCacheEntry.cpp.orig 2015-08-31 06:42:03.000000000 +0200
+++ src/SegCacheEntry.cpp 2016-03-03 15:34:29.193427244 +0100
@@ -61,7 +61,8 @@
 }
 const Slot * slot = seg->first();
 m_glyph = new Slot[glyphCount];
- m_attr = gralloc<int16>(glyphCount * seg->numAttrs());
+ int attrSize = seg->numAttrs() + (seg->hasCollisionInfo() ? (sizeof(SlotCollision) + 1) / 2 : 0);
+ m_attr = gralloc<int16>(glyphCount * attrSize);
 if (!m_glyph || (!m_attr && seg->numAttrs())) return;
 m_glyphLength = glyphCount;
 Slot * slotCopy = m_glyph;
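Review bot: The new member `_in_ctxt_item` (first hunk of src/Code.cpp) is declared without a comment, and nothing in the patch records why it replaces the `_pre_context != 0` test in the `CNTXT_ITEM` case (hunk at -356). From the hunk at -574, `_pre_context` is assigned `_max.pre_context + int8(_data[-2])` on entering a context item, and that sum can be 0, so the old test could presumably let a nested item through. I would put `// true from a CNTXT_ITEM opcode until its body has been consumed; used to reject nested CNTXT_ITEM` on the declaration so the two variables are not conflated again.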
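Review bot: In the hunk at -574 of src/Code.cpp, `assert(_pre_context == 0);` is left directly above the new `_in_ctxt_item = true;`, and it still tests the variable this patch stopped trusting for nesting detection. The assert also disappears under NDEBUG, so in a release build this block relies entirely on the opcode validation in the `CNTXT_ITEM` case having run first, which is not visible from here. Changing it to `assert(!_in_ctxt_item);` would keep the debug check aligned with the new invariant. If this path can be reached without that validation, an unconditional `if (_in_ctxt_item) return false;` would be the safer form. The enclosing function starts and ends outside the hunk.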
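Review bot: In the hunk at -61 of src/SegCacheEntry.cpp, the allocation-failure test on the context line below the change still reads `(!m_attr && seg->numAttrs())`, although the buffer is now sized by `attrSize`. When `numAttrs()` is 0 but `hasCollisionInfo()` is true, `attrSize` is non-zero, so a failed `gralloc` would not be caught and the per-slot pointers derived from `m_attr` later in the function would be offsets from null. The check should follow the new size: `if (!m_glyph || (!m_attr && attrSize)) return;`. Separately, `glyphCount * attrSize` is multiplied before it reaches `gralloc`; whether `gralloc` guards against overflow is not visible here, so it is worth confirming for large glyph counts.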
@@ -70,9 +71,9 @@
 uint16 pos = 0;
 while (slot)
 {
- slotCopy->userAttrs(m_attr + pos * seg->numAttrs());
+ slotCopy->userAttrs(m_attr + pos * attrSize);
 slotCopy->m_justs = m_justs ? reinterpret_cast<SlotJustify *>(m_justs + justs_pos++ * sizeof_sjust) : 0;
- slotCopy->set(*slot, -static_cast<int32>(charOffset), seg->numAttrs(), seg->silf()->numJustLevels(), length);
+ slotCopy->set(*slot, -static_cast<int32>(charOffset), attrSize, seg->silf()->numJustLevels(), length);
 slotCopy->index(pos);
 if (slot->firstChild())
 slotCopy->m_child = m_glyph + slot->firstChild()->index();
Index: src/TtfUtil.cpp
===================================================================
--- src/TtfUtil.cpp.orig 2015-08-31 06:42:03.000000000 +0200
+++ src/TtfUtil.cpp 2016-03-03 15:34:29.193427244 +0100
@@ -1208,7 +1208,7 @@
 // CheckTable verifies the index_to_loc_format is valid
 if (be::swap(pTable->index_to_loc_format) == Sfnt::FontHeader::ShortIndexLocFormat)
 { // loca entries are two bytes and have been divided by two
- if (nGlyphId < (lLocaSize >> 1) - 1) // allow sentinel value to be accessed
+ if (lLocaSize > 1 && nGlyphId + 1u < lLocaSize >> 1) // allow sentinel value to be accessed
 {
 const uint16 * pShortTable = reinterpret_cast<const uint16 *>(pLoca);
 res = be::peek<uint16>(pShortTable + nGlyphId) << 1;
@@ -1218,7 +1218,7 @@
 }
 else if (be::swap(pTable->index_to_loc_format) == Sfnt::FontHeader::LongIndexLocFormat)
 { // loca entries are four bytes
- if (nGlyphId < (lLocaSize >> 2) - 1)
+ if (lLocaSize > 3 && nGlyphId + 1u < lLocaSize >> 2)
 {
 const uint32 * pLongTable = reinterpret_cast<const uint32 *>(pLoca);
 res = be::peek<uint32>(pLongTable + nGlyphId);
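Review bot: In the hunk at -70 of src/SegCacheEntry.cpp, `slotCopy->set(...)` now receives `attrSize` where it used to receive `seg->numAttrs()`, so the source side of the copy needs checking as well as the destination. If `set()` copies that many `int16` values out of `*slot`'s attribute storage, the source slot must have been allocated with the same collision tail; otherwise the copy reads past the source buffer. `set()` is not visible in this patch, so that pairing should be confirmed. A short comment at the call such as `// attrSize includes the SlotCollision tail; source slots are allocated with the same layout` would document the assumption.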
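Review bot: In src/TtfUtil.cpp the rewritten bounds tests `nGlyphId + 1u < lLocaSize >> 1` (hunk at -1208) and `nGlyphId + 1u < lLocaSize >> 2` (hunk at -1218) rely on `>>` binding tighter than `<`, which is correct but easy to misread in a security check. I would parenthesise them, `nGlyphId + 1u < (lLocaSize >> 1)`, and add a comment saying why the `- 1` moved to the left-hand side: `// compare as id + 1 < count so a loca table shorter than one entry cannot wrap the bound`. The types of `nGlyphId` and `lLocaSize` are not visible in these hunks. If `nGlyphId` can be as wide as `unsigned int`, then `nGlyphId + 1u` wraps to 0 at its maximum value and passes the test, so confirm that it is a 16-bit glyph id at this point.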