
Contents of /updates/5/fontforge/current/SOURCES/0003-Fix-out-of-bounds-read-condition-and-buffer-overflow.patch



Revision 1186904 - (show annotations) (download)
Fri Dec 29 01:10:44 2017 UTC (19 months, 3 weeks ago) by luigiwalser
File size: 1875 byte(s)
add patches from debian to fix CVE-2017-1156[89] and CVE-2017-1157[124567]
1 From 4de0c58a01e5e30610c200e9aea98bc7db12c7ac Mon Sep 17 00:00:00 2001
2 From: Jeremy Tan <jtanx@outlook.com>
3 Date: Sun, 30 Jul 2017 10:20:48 +0800
4 Subject: [PATCH 3/6] Fix out of bounds read condition and buffer overflow
5 condition
6
7 * parsettf.c: Reading past the end of the fontnames array
8 * psread.c: Reading more data than is available in type1
9 * tottf.c: Use snprintf instead of sprintf
10
11 Closes #3096
12 ---
13 fontforge/parsettf.c | 4 ++++
14 fontforge/psread.c | 5 +++++
15 fontforge/tottf.c | 2 +-
16 3 files changed, 10 insertions(+), 1 deletion(-)
17
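--- a/fontforge/parsettf.c
+++ b/fontforge/parsettf.c
@@ -3301,6 +3301,10 @@
 offsets[i] = getoffset(ttf,offsize);
 dicts = galloc((count+1)*sizeof(struct topdicts *));
 for ( i=0; i<count; ++i ) {
+ if (fontnames != NULL && fontnames[i] == NULL) {
+ LogError(_("Number of CFF font names is less than dict size: %d < %d"), i, count);
+ break;
+ }
 dicts[i] = readcfftopdict(ttf,fontnames!=NULL?fontnames[i]:NULL,
 offsets[i+1]-offsets[i], info);
 if ( parent_dict!=NULL && parent_dict->fontmatrix_set ) {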
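Review bot: The new guard at the top of the `for ( i=0; i<count; ++i )` loop is only sound if `fontnames` is a NULL-terminated array, because it detects a short name list by reading `fontnames[i]` until it finds NULL. That invariant is established outside this hunk and should be stated next to the check, e.g. `/* fontnames is NULL-terminated: stop before indexing past its last entry */`. After the `break`, the slots from `dicts[i]` onward still hold whatever `galloc` returned, so the code after the loop (not visible here) needs to terminate the array at `i` rather than at `count`. The loop body continues past the end of the hunk.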
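--- a/fontforge/psread.c
+++ b/fontforge/psread.c
@@ -3702,6 +3702,11 @@
 stack[sp++] = -(v-251)*256 - *type1++ - 108;
 --len;
 } else {
+ if (len < 4) {
+ LogError(_("Not enough data: %d < 4"), len);
+ len = 0;
+ break;
+ }
 int val = (*type1<<24) | (type1[1]<<16) | (type1[2]<<8) | type1[3];
 stack[sp++] = val;
 type1 += 4;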
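Review bot: The branch just above the new check, `stack[sp++] = -(v-251)*256 - *type1++ - 108; --len;`, still consumes an operand byte with no visible test that one remains, so a charstring cut off after that lead byte would read one byte past the data, the same class of bug this hunk fixes for the four-byte case. Unless the enclosing loop, which starts outside this hunk, already guarantees a remaining byte, add a matching guard there, e.g. `if (len < 1) { len = 0; break; }`. Neither branch shows a bound on `sp` before `stack[sp++]`; if that limit is enforced elsewhere, a short comment saying where would help the next reader. The new statements also precede the declaration `int val`, which needs C99 mixed declarations; moving the declaration above the check keeps older compilers happy.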
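--- a/fontforge/tottf.c
+++ b/fontforge/tottf.c
@@ -3890,7 +3890,7 @@
 if ( dummy->names[ttf_uniqueid]==NULL || *dummy->names[ttf_uniqueid]=='\0' ) {
 time(&now);
 tm = localtime(&now);
- sprintf( buffer, "%s : %s : %d-%d-%d",
+ snprintf( buffer, sizeof(buffer), "%s : %s : %d-%d-%d",
 BDFFoundry?BDFFoundry:TTFFoundry?TTFFoundry:"FontForge 2.0",
 sf->fullname!=NULL?sf->fullname:sf->fontname,
 tm->tm_mday, tm->tm_mon+1, tm->tm_year+1900 );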
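Review bot: `sizeof(buffer)` in the new `snprintf` call is the correct bound only if `buffer` is declared as an array in this function; the declaration is outside the hunk, and if it is a `char *` the limit silently becomes the size of a pointer. The return value is also discarded, so an over-long foundry or font name now yields a truncated unique ID with no diagnostic; comparing the result against `sizeof(buffer)` and logging on truncation would make that visible. In the context lines, `tm = localtime(&now);` is dereferenced without a NULL test, which is worth guarding while this code is being hardened. The enclosing `if` block continues beyond the hunk.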
