Red Hat Bugzilla – Attachment 310146 Details for
Bug 452474
Latest freetype erratum does not display all fonts
[patch]
Corrected freetype-2.3.5-CVEs.patch for EL4
freetype-2.3.5-CVEs.patch (text/plain), 5.58 KB, created by
Tomas Hoger
on 2008-06-24 14:06:17 UTC
Description:
Corrected freetype-2.3.5-CVEs.patch for EL4
Filename:
MIME Type:
Creator:
Tomas Hoger
Created:
2008-06-24 14:06:17 UTC
Size:
5.58 KB
patch
obsolete
>diff -pruN freetype-2.1.9-orig/src/base/ftstream.c freetype-2.1.9/src/base/ftstream.c
>--- freetype-2.1.9-orig/src/base/ftstream.c 2004-06-23 17:44:03.000000000 +0200
>+++ freetype-2.1.9/src/base/ftstream.c 2008-06-24 15:16:25.000000000 +0200
>@@ -92,6 +92,9 @@
> FT_Stream_Skip( FT_Stream stream,
> FT_Long distance )
> {
>+ if ( distance < 0 )
>+ return FT_Err_Invalid_Stream_Operation;
>+
> return FT_Stream_Seek( stream, (FT_ULong)( stream->pos + distance ) );
> }
>
>diff -pruN freetype-2.1.9-orig/src/psaux/psobjs.c freetype-2.1.9/src/psaux/psobjs.c
>--- freetype-2.1.9-orig/src/psaux/psobjs.c 2004-05-13 14:59:59.000000000 +0200
>+++ freetype-2.1.9/src/psaux/psobjs.c 2008-06-24 15:16:25.000000000 +0200
>@@ -158,7 +158,7 @@
> void* object,
> FT_PtrDist length )
> {
>- if ( idx < 0 || idx > table->max_elems )
>+ if ( idx < 0 || idx >= table->max_elems )
> {
> FT_ERROR(( "ps_table_add: invalid index\n" ));
> return PSaux_Err_Invalid_Argument;
>diff -pruN freetype-2.1.9-orig/src/sfnt/ttload.c freetype-2.1.9/src/sfnt/ttload.c
>--- freetype-2.1.9-orig/src/sfnt/ttload.c 2004-06-24 08:56:06.000000000 +0200
>+++ freetype-2.1.9/src/sfnt/ttload.c 2008-06-24 15:16:25.000000000 +0200
>@@ -753,6 +753,15 @@
> if ( maxProfile->maxFunctionDefs == 0 )
> maxProfile->maxFunctionDefs = 64;
>
>+ /* we add 4 phantom points later */
>+ if ( maxProfile->maxTwilightPoints > ( 0xFFFFU - 4 ) )
>+ {
>+ FT_ERROR(( "Too much twilight points in `maxp' table;\n" ));
>+ FT_ERROR(( " some glyphs might be rendered incorrectly.\n" ));
>+
>+ maxProfile->maxTwilightPoints = 0xFFFFU - 4;
>+ }
>+
> face->root.internal->max_points =
> (FT_UShort)FT_MAX( maxProfile->maxCompositePoints,
> maxProfile->maxPoints );
>diff -pruN freetype-2.1.9-orig/src/truetype/ttinterp.c freetype-2.1.9/src/truetype/ttinterp.c
>--- freetype-2.1.9-orig/src/truetype/ttinterp.c 2004-03-05 10:26:22.000000000 +0100
>+++ freetype-2.1.9/src/truetype/ttinterp.c 2008-06-24 15:16:25.000000000 +0200
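Review bot: In the src/base/ftstream.c hunk, `FT_Stream_Skip` still computes `stream->pos + distance` without checking that the sum fits, so the new guard covers the negative case but a large positive `distance` on a stream whose `pos` is already high can wrap before the value reaches `FT_Stream_Seek`. Whether `FT_Stream_Seek` rejects a wrapped position is not visible here, so that should be confirmed or the sum checked before the cast. The guard also deserves a one-line reason above it, for example `/* a negative distance would seek backwards, or wrap when it exceeds stream->pos */`. The function's return-type line sits above the hunk.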
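Review bot: In the src/sfnt/ttload.c hunk the limit `0xFFFFU - 4` is written twice and is tied to the four phantom points only by the comment, so a named constant for the phantom-point count would keep the test and the assignment in step. The context lines directly below narrow `FT_MAX( maxProfile->maxCompositePoints, maxProfile->maxPoints )` to `FT_UShort` for `max_points` with no comparable cap; if phantom points are later added to that value as well (the code that does so is outside the hunk), it has the same wrap and needs the same clamp. The first message would read better as ``"Too many twilight points in `maxp' table;\n"``. The enclosing function starts and ends outside the hunk.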
>@@ -5438,7 +5438,7 @@
>
> /* XXX: this is probably wrong... at least it prevents memory */
> /* corruption when zp2 is the twilight zone */
>- if ( last_point > CUR.zp2.n_points )
>+ if ( BOUNDS( last_point, CUR.zp2.n_points ) )
> {
> if ( CUR.zp2.n_points > 0 )
> last_point = (FT_UShort)(CUR.zp2.n_points - 1);
>diff -pruN freetype-2.1.9-orig/src/type1/t1load.c freetype-2.1.9/src/type1/t1load.c
>--- freetype-2.1.9-orig/src/type1/t1load.c 2008-06-24 15:15:48.000000000 +0200
>+++ freetype-2.1.9/src/type1/t1load.c 2008-06-24 15:16:25.000000000 +0200
>@@ -671,7 +671,7 @@
>
> for ( n = 0; n < num_designs; n++ )
> {
>- T1_TokenRec axis_tokens[T1_MAX_MM_DESIGNS];
>+ T1_TokenRec axis_tokens[T1_MAX_MM_AXIS];
> T1_Token token;
> FT_Int axis, n_axis;
>
>@@ -684,6 +684,15 @@
>
> if ( n == 0 )
> {
>+ if ( n_axis <= 0 || n_axis > T1_MAX_MM_AXIS )
>+ {
>+ FT_ERROR(( "parse_blend_design_positions:" ));
>+ FT_ERROR(( " invalid number of axes: %d\n",
>+ n_axis ));
>+ error = T1_Err_Invalid_File_Format;
>+ goto Exit;
>+ }
>+
> num_axis = n_axis;
> error = t1_allocate_blend( face, num_designs, num_axis );
> if ( error )
>diff -pruN freetype-2.1.9-orig/src/type1/t1parse.c freetype-2.1.9/src/type1/t1parse.c
>--- freetype-2.1.9-orig/src/type1/t1parse.c 2004-02-01 01:49:56.000000000 +0100
>+++ freetype-2.1.9/src/type1/t1parse.c 2008-06-24 15:17:31.000000000 +0200
>@@ -65,14 +65,16 @@
> /*************************************************************************/
>
>
>+ /* see Adobe Technical Note 5040.Download_Fonts.pdf */
>+
> static FT_Error
> read_pfb_tag( FT_Stream stream,
> FT_UShort *atag,
>- FT_Long *asize )
>+ FT_ULong *asize )
> {
> FT_Error error;
> FT_UShort tag;
>- FT_Long size;
>+ FT_ULong size;
>
>
> *atag = 0;
>@@ -82,7 +84,7 @@
> {
> if ( tag == 0x8001U || tag == 0x8002U )
> {
>- if ( !FT_READ_LONG_LE( size ) )
>+ if ( !FT_READ_ULONG_LE( size ) )
> *asize = size;
> }
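Review bot: The comment `XXX: this is probably wrong...` above the changed test in src/truetype/ttinterp.c is left untouched although the condition is now a `BOUNDS` check rather than a plain `>`. It should state the invariant instead, for example `/* clamp last_point to a valid index of zp2; an index equal to n_points is already out of range */`. The definition of `BOUNDS` is not in the hunk, so this assumes it is an unsigned `x >= n` test. The branch taken when `CUR.zp2.n_points` is 0 lies below the hunk and should be checked to leave no access through `last_point`.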
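Review bot: In src/type1/t1load.c the new range check on `n_axis` runs only under `if ( n == 0 )`, while the first hunk resizes `axis_tokens` to `T1_MAX_MM_AXIS` for every pass of the loop. For n > 0 the array is protected only by the limit handed to the call that fills it and by any later comparison of `n_axis` with `num_axis`; both sit between or after these two hunks and are not visible. If that call still passes `T1_MAX_MM_DESIGNS` and that constant is the larger one, the resized array can be overrun, so the limit should be `T1_MAX_MM_AXIS` or `sizeof ( axis_tokens ) / sizeof ( axis_tokens[0] )`. Moving the `n_axis` test out of the `n == 0` branch would make the bound hold on every iteration.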
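Review bot: Making `size` and `*asize` unsigned in src/type1/t1parse.c (the hunks at -65, -82 and -226, with the matching field change in t1parse.h) turns a segment length with the top bit set from a negative number into a very large one, and nothing in the visible lines bounds it. It should be compared with the bytes remaining in the stream before it is used to allocate or read. `FT_Stream_Skip` takes an `FT_Long distance` according to the ftstream.c hunk, so any call that passes this `FT_ULong` converts it implicitly; an explicit test such as `if ( size > 0x7FFFFFFFUL ) { error = T1_Err_Invalid_File_Format; goto Exit; }` makes the rejection deliberate instead of relying on the sign check in the callee. The places where `size` is consumed are outside these hunks.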
>
>@@ -140,6 +142,9 @@
> if ( error )
> goto Exit;
>
>+ /* We assume that the first segment in a PFB is always encoded as */
>+ /* text. This might be wrong (and the specification doesn't insist */
>+ /* on that), but we have never seen a counterexample. */
> if ( tag != 0x8001U )
> {
> /* assume that this is a PFA file for now; an error will */
>@@ -226,7 +231,7 @@
> FT_Stream stream = parser->stream;
> FT_Memory memory = parser->root.memory;
> FT_Error error = T1_Err_Ok;
>- FT_Long size;
>+ FT_ULong size;
>
>
> if ( parser->in_pfb )
>@@ -373,7 +378,7 @@
> goto Exit;
> }
>
>- size = (FT_Long)( parser->base_len - ( cur - parser->base_dict ) );
>+ size = parser->base_len - ( cur - parser->base_dict );
>
> if ( parser->in_memory )
> {
>diff -pruN freetype-2.1.9-orig/src/type1/t1parse.h freetype-2.1.9/src/type1/t1parse.h
>--- freetype-2.1.9-orig/src/type1/t1parse.h 2003-10-07 07:49:41.000000000 +0200
>+++ freetype-2.1.9/src/type1/t1parse.h 2008-06-24 15:16:25.000000000 +0200
>@@ -64,10 +64,10 @@ FT_BEGIN_HEADER
> FT_Stream stream;
>
> FT_Byte* base_dict;
>- FT_Long base_len;
>+ FT_ULong base_len;
>
> FT_Byte* private_dict;
>- FT_Long private_len;
>+ FT_ULong private_len;
>
> FT_Bool in_pfb;
> FT_Bool in_memory;
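Review bot: In the src/type1/t1parse.c hunk at -373, `size = parser->base_len - ( cur - parser->base_dict )` is now an unsigned subtraction, so if `cur` ever lies beyond `base_dict + base_len` the result wraps to a huge length instead of going negative. A guard just before it, for example `if ( (FT_ULong)( cur - parser->base_dict ) > parser->base_len ) { error = T1_Err_Invalid_File_Format; goto Exit; }`, keeps the length used by the `in_memory` branch that follows within the buffer. The code that advances `cur` is above the hunk and may already guarantee this, in which case a comment stating that invariant is enough.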