Fix CVE-2010-3855

Add freetype-2.4.3-CVE-2010-3855.patch
  (Protect against invalid `runcnt' values.)
Resolves: #651764
Marek Kasik 2010-11-15 10:31:46 +01:00
parent 098778f43b
commit 4548e1aa04
2 changed files with 28 additions and 1 deletions


@ -0,0 +1,20 @@
--- freetype-2.4.3/src/truetype/ttgxvar.c 2010-07-12 21:03:49.000000000 +0200
+++ freetype-2.4.3/src/truetype/ttgxvar.c 2010-11-15 10:23:43.856348141 +0100
@@ -154,7 +154,7 @@
runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
first = points[i++] = FT_GET_USHORT();
- if ( runcnt < 1 )
+ if ( runcnt < 1 || i + runcnt >= n )
goto Exit;
/* first point not included in runcount */
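Review bot: the new bound is tested only after `first = points[i++] = FT_GET_USHORT();` has already written one element, so in this hunk the check covers the run that follows but not the store of `first` itself. The context lines do not show the enclosing loop condition; if it does not already guarantee `i < n` here, the test should move ahead of the store and account for the extra element, for example by comparing `i + 1 + runcnt` against `n` before `first` is read.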
@@ -165,7 +165,7 @@
{
first = points[i++] = FT_GET_BYTE();
- if ( runcnt < 1 )
+ if ( runcnt < 1 || i + runcnt >= n )
goto Exit;
for ( j = 0; j < runcnt; ++j )
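Review bot: `i + runcnt >= n` in this byte branch (and in the identical test in the previous hunk) also refuses a run that ends exactly on the last slot. With `i` already advanced past `first`, the loop `for ( j = 0; j < runcnt; ++j )` appears to fill `points[i]` through `points[i + runcnt - 1]` (the loop body is not shown), so if `points` holds `n` entries the overrunning case is `i + runcnt > n`. Either relax the comparison to `>` in both branches or add a comment next to the check saying why the exact fit is rejected, since the same expression is now duplicated and the intent is not stated anywhere in the hunk.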


@ -7,7 +7,7 @@
Summary: A free and portable font rendering engine
Name: freetype
Version: 2.4.3
Release: 1%{?dist}
Release: 2%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL: http://www.freetype.org
@ -27,6 +27,7 @@ Patch47: freetype-2.3.11-more-demos.patch
Patch88: freetype-multilib.patch
Patch89: freetype-2.4.2-CVE-2010-3311.patch
Patch90: freetype-2.4.3-CVE-2010-3855.patch
Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
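Review bot: `Patch90: freetype-2.4.3-CVE-2010-3855.patch` is declared without a comment on its origin, like the `Patch88` and `Patch89` lines above it. A one-line comment above the declaration giving the upstream commit or bug reference would let whoever rebases to a newer FreeType tell whether the patch can be dropped; the bug number currently appears only in the changelog entry.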
@ -94,6 +95,7 @@ popd
%patch88 -p1 -b .multilib
%patch89 -p1 -b .CVE-2010-3311
%patch90 -p1 -b .CVE-2010-3855
%build
@ -226,6 +228,11 @@ rm -rf $RPM_BUILD_ROOT
%doc docs/tutorial
%changelog
* Mon Nov 15 2010 Marek Kasik <mkasik@redhat.com> 2.4.3-2
- Add freetype-2.4.3-CVE-2010-3855.patch
(Protect against invalid `runcnt' values.)
- Resolves: #651764
* Tue Oct 26 2010 Marek Kasik <mkasik@redhat.com> 2.4.3-1
- Update to 2.4.3
- Resolves: #639906