/[packages]/updates/5/fontforge/current/SOURCES/0005-parsettf.c-Fix-buffer-overflow-condition-when-readin.patch
ViewVC logotype

Contents of /updates/5/fontforge/current/SOURCES/0005-parsettf.c-Fix-buffer-overflow-condition-when-readin.patch

Parent Directory Parent Directory | Revision Log Revision Log


Revision 1186904 - (show annotations) (download)
Fri Dec 29 01:10:44 2017 UTC (17 months, 2 weeks ago) by luigiwalser
File size: 1200 byte(s)
add patches from debian to fix CVE-2017-1156[89] and CVE-2017-1157[124567]
1 From 5a0c6522682b0788fc478dd159dd6168cb5fa38b Mon Sep 17 00:00:00 2001
2 From: Jeremy Tan <jtanx@outlook.com>
3 Date: Sun, 30 Jul 2017 11:42:26 +0800
4 Subject: [PATCH 5/6] parsettf.c: Fix buffer overflow condition when reading
5 CFF top dictionary
6
7 Closes #3087
8 ---
9 fontforge/parsettf.c | 11 ++++++++++-
10 1 file changed, 10 insertions(+), 1 deletion(-)
11
12 --- a/fontforge/parsettf.c
13 +++ b/fontforge/parsettf.c
14 @@ -2773,6 +2773,15 @@
15 pt = buffer;
16 do {
17 ch = getc(ttf);
18 + // Space for at least 2 bytes is required
19 + if ((pt-buffer) > (sizeof(buffer) - 2)) {
20 + // The buffer is completely full; null-terminate truncate it
21 + if ((pt-buffer) == sizeof(buffer)) {
22 + pt--;
23 + }
24 + *pt++ = '\0';
25 + break;
26 + }
27 if ( pt<buffer+44 || (ch&0xf)==0xf || (ch&0xf0)==0xf0 ) {
28 pt = addnibble(pt,ch>>4);
29 pt = addnibble(pt,ch&0xf);
30 @@ -2996,7 +3005,7 @@
31
32 /* Multiple master fonts can have Type2 operators here, particularly */
33 /* blend operators. We're ignoring that */
34 - while ( ftell(ttf)<base+len ) {
35 + while ( !feof(ttf) && ftell(ttf)<base+len ) {
36 sp = 0;
37 while ( (ret=readcffthing(ttf,&ival,&stack[sp],&oval,info))!=3 && ftell(ttf)<base+len ) {
38 if ( ret==1 )

  ViewVC Help
Powered by ViewVC 1.1.26