File pango-CVE-2011-0020.patch of Package pango

Overview Repositories Revisions Requests Users Attributes Meta

File pango-CVE-2011-0020.patch of Package pango

From 4e6248d76f55c6184f28afe614d7d76b6fa3d455 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@behdad.org>
Date: Thu, 17 Feb 2011 16:19:48 +0000
Subject: Bug 639882 - Heap corruption in font parsing with FreeType2 backend

---
Index: pango-1.26.2/pango/pangoft2-render.c
===================================================================
--- pango-1.26.2.orig/pango/pangoft2-render.c
+++ pango-1.26.2/pango/pangoft2-render.c
@@ -99,6 +99,20 @@ pango_ft2_free_rendered_glyph (PangoFT2R
   g_slice_free (PangoFT2RenderedGlyph, rendered);
 }
 
+#define SIZE_OVERFLOWS(a,b) (G_UNLIKELY ((b) > 0 && (a) > G_MAXSIZE / (b)))
+static gpointer
+pango_g_malloc0_n (gsize n_blocks,
+                   gsize n_block_bytes)
+{
+  if (SIZE_OVERFLOWS (n_blocks, n_block_bytes))
+    {
+      g_error ("%s: overflow allocating %"G_GSIZE_FORMAT"*%"G_GSIZE_FORMAT" bytes",
+               G_STRLOC, n_blocks, n_block_bytes);
+    }
+
+  return g_malloc0 (n_blocks * n_block_bytes);
+}
+
 static PangoFT2RenderedGlyph *
 pango_ft2_font_render_box_glyph (int      width,
 				 int      height,
@@ -121,9 +135,14 @@ pango_ft2_font_render_box_glyph (int
 
   box->bitmap.width = width;
   box->bitmap.rows = height;
-  box->bitmap.pitch = height;
+  box->bitmap.pitch = width;
 
-  box->bitmap.buffer = g_malloc0 (box->bitmap.rows * box->bitmap.pitch);
+  box->bitmap.buffer = pango_g_malloc0_n (box->bitmap.rows, box->bitmap.pitch);
+
+  if (G_UNLIKELY (!box->bitmap.buffer)) {
+    g_slice_free (PangoFT2RenderedGlyph, box);
+    return NULL;
+  }
 
   /* draw the box */
   for (j = 0; j < line_width; j++)
@@ -226,6 +245,11 @@ pango_ft2_font_render_glyph (PangoFont *
       rendered->bitmap_left = face->glyph->bitmap_left;
       rendered->bitmap_top = face->glyph->bitmap_top;
 
+      if (G_UNLIKELY (!rendered->bitmap.buffer)) {
+        g_slice_free (PangoFT2RenderedGlyph, rendered);
+	return NULL;
+      }
+
       return rendered;
     }
   else
@@ -276,6 +300,8 @@ pango_ft2_renderer_draw_glyph (PangoRend
   if (rendered_glyph == NULL)
     {
       rendered_glyph = pango_ft2_font_render_glyph (font, glyph);
+      if (rendered_glyph == NULL)
+        return;
       add_glyph_to_cache = TRUE;
     }

Places

File pango-CVE-2011-0020.patch of Package pango

Places