Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
openSUSE:Evergreen:11.1:kernel-2.6.32
ft2demos
bnc619562_CVE-2010-2519.diff
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File bnc619562_CVE-2010-2519.diff of Package ft2demos
From 5ef20c8c1d4de12a84b50ba497c2a358c90ec44b Mon Sep 17 00:00:00 2001 From: suzuki toshiya <sssa@flavor1.ipc.hiroshima-u.ac.jp> Date: Thu, 01 Jul 2010 09:39:04 +0000 Subject: Initial fix for Savannah bug #30306. * src/base/ftobjs.c (Mac_Read_POST_Resource): Check `rlen' the length of fragment declared in the POST fragment header and prevent an underflow in length calculation. Some fonts set the length to zero in spite of the exist of following 16bit `type'. Reported by Robert Swiecki. --- diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c index 9217b87..7c2662f 100644 --- a/src/base/ftobjs.c +++ b/src/base/ftobjs.c @@ -1547,7 +1547,16 @@ goto Exit; if ( FT_READ_USHORT( flags ) ) goto Exit; - rlen -= 2; /* the flags are part of the resource */ + FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", + i, offsets[i], rlen, flags )); + + /* the flags are part of the resource, so rlen >= 2. */ + /* but some fonts declare rlen = 0 for empty fragment */ + if ( rlen > 2 ) + rlen -= 2; + else + rlen = 0; + if ( ( flags >> 8 ) == type ) len += rlen; else -- cgit v0.8.3.2 From b2ea64bcc6c385a8e8318f9c759450a07df58b6d Mon Sep 17 00:00:00 2001 From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp> Date: Fri, 02 Jul 2010 09:16:02 +0000 Subject: Additional fix for Savannah bug #30306. * src/base/ftobjs.c (Mac_Read_POST_Resource): If the type of the POST fragment is 0, the segment is completely ignored. The declared length of the segment is not cared at all. According to Adobe Technical Note 5040, type 0 segment is comment only and should not be loaded for the interpreter. Reported by Robert Swiecki. --- diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c index 7c2662f..11efc75 100644 --- a/src/base/ftobjs.c +++ b/src/base/ftobjs.c @@ -1550,6 +1550,9 @@ FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", i, offsets[i], rlen, flags )); + if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */ + continue; + /* the flags are part of the resource, so rlen >= 2. */ /* but some fonts declare rlen = 0 for empty fragment */ if ( rlen > 2 ) -- cgit v0.8.3.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor