File: freetype.CVE-2006-3467.patch

freetype 2.2.1-5
diff -u freetype-2.2.1/debian/patches-freetype/series freetype-2.2.1/debian/patches-freetype/series
--- freetype-2.2.1/debian/patches-freetype/series
+++ freetype-2.2.1/debian/patches-freetype/series
@@ -6,0 +7 @@
+pcf-strlen.patch
diff -u freetype-2.2.1/debian/changelog freetype-2.2.1/debian/changelog
--- freetype-2.2.1/debian/changelog
+++ freetype-2.2.1/debian/changelog
@@ -1,3 +1,12 @@
+freetype (2.2.1-2ubuntu1) edgy; urgency=low
+
+  * SECURITY UPDATE: Arbitrary code execution and DoS with crafted font files.
+  * Add debian/patches-freetype/pcf-strlen.patch:
+    - src/pcf/pcfread.c: Detect invalid string lengths.
+    - CVE-2006-3467
+
+ -- Martin Pitt <martin.pitt@ubuntu.com>  Wed, 26 Jul 2006 13:01:04 +0200
+
 freetype (2.2.1-2) unstable; urgency=low
   * Enable full bytecode interpreter instead of just the
     "non-patented portions".
only in patch2:
unchanged:
--- freetype-2.2.1.orig/debian/patches-freetype/pcf-strlen.patch
+++ freetype-2.2.1/debian/patches-freetype/pcf-strlen.patch
@@ -0,0 +1,34 @@
+Index: freetype-2.2.1/src/pcf/pcfread.c
+===================================================================
+--- freetype-2.2.1.orig/src/pcf/pcfread.c	2006-07-26 12:59:30.000000000 +0200
++++ freetype-2.2.1/src/pcf/pcfread.c	2006-07-26 12:59:46.000000000 +0200
+@@ -439,6 +439,14 @@
+ 
+     for ( i = 0; i < nprops; i++ )
+     {
++      /* 2006:0500 (mbarnes) - Detect invalid string length.
++       * XXX Is this is best error code to return? */
++      if ( props[i].name < 0 )
++      {
++        error = FT_Err_Invalid_File_Format;
++        goto Bail;
++      }
++
+       /* XXX: make atom */
+       if ( FT_NEW_ARRAY( properties[i].name,
+                          ft_strlen( strings + props[i].name ) + 1 ) )
+@@ -451,6 +459,14 @@
+ 
+       if ( props[i].isString )
+       {
++	/* 2006:0500 (mbarnes) - Detect invalid string length.
++         * XXX Is this the best error code to return? */
++        if ( props[i].value < 0 )
++        {
++          error = FT_Err_Invalid_File_Format;
++          goto Bail;
++        }
++
+         if ( FT_NEW_ARRAY( properties[i].value.atom,
+                            ft_strlen( strings + props[i].value ) + 1 ) )
+           goto Bail;
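Review bot: The two guards added to the pcfread.c property loop reject only negative offsets (`props[i].name < 0`, `props[i].value < 0`), so an offset that is positive but past the end of the `strings` table still reaches `ft_strlen( strings + props[i].name )` and reads out of bounds. Each guard should also bound the offset against the table's size, e.g. `if ( props[i].name < 0 || (FT_ULong)props[i].name >= STRINGS_SIZE )`, where STRINGS_SIZE is a placeholder for the table length read earlier in the function, which is not visible in these hunks. Even an in-range offset relies on the table being NUL-terminated, so it is worth confirming that the buffer is allocated with a trailing zero byte before `ft_strlen` walks it. The enclosing function starts and ends outside the embedded hunks, so the allocation and the `Bail` cleanup path could not be checked here.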