forked from rpms/freetype
4548e1aa04
Add freetype-2.4.3-CVE-2010-3855.patch (Protect against invalid `runcnt' values.) Resolves: #651764
21 lines
645 B
Diff
21 lines
645 B
Diff
--- freetype-2.4.3/src/truetype/ttgxvar.c 2010-07-12 21:03:49.000000000 +0200
|
|
+++ freetype-2.4.3/src/truetype/ttgxvar.c 2010-11-15 10:23:43.856348141 +0100
|
|
@@ -154,7 +154,7 @@
|
|
runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
|
|
first = points[i++] = FT_GET_USHORT();
|
|
|
|
- if ( runcnt < 1 )
|
|
+ if ( runcnt < 1 || i + runcnt >= n )
|
|
goto Exit;
|
|
|
|
/* first point not included in runcount */
|
|
@@ -165,7 +165,7 @@
|
|
{
|
|
first = points[i++] = FT_GET_BYTE();
|
|
|
|
- if ( runcnt < 1 )
|
|
+ if ( runcnt < 1 || i + runcnt >= n )
|
|
goto Exit;
|
|
|
|
for ( j = 0; j < runcnt; ++j )
|