File bnc647375_CVE-2010-3814.diff of Package ft2demos

Overview Repositories Revisions Requests Users Attributes Meta

File bnc647375_CVE-2010-3814.diff of Package ft2demos

commit 0edf0986f3be570f5bf90ff245a85c1675f5c9a4
Author: Werner Lemberg <wl@gnu.org>
Date:   Wed Oct 6 11:52:27 2010 +0200

[truetype] Improve error handling of `SHZ' bytecode instruction.
    Problem reported by Chris Evans <scarybeasts@gmail.com>.
    
    * src/truetype/ttinterp.c (Ins_SHZ): Check `last_point'.

Index: freetype-2.3.9/src/truetype/ttinterp.c
===================================================================
--- freetype-2.3.9.orig/src/truetype/ttinterp.c
+++ freetype-2.3.9/src/truetype/ttinterp.c
@@ -5494,7 +5494,16 @@
     if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
       last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
     else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
+    {
       last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
+
+      if ( BOUNDS( last_point, CUR.zp2.n_points ) )
+      {
+        if ( CUR.pedantic_hinting )
+          CUR.error = TT_Err_Invalid_Reference;
+        return;
+      }
+    }
     else
       last_point = 0;

Places

File bnc647375_CVE-2010-3814.diff of Package ft2demos

Places