57 lines
2.0 KiB
Diff
57 lines
2.0 KiB
Diff
Fix CVE-2017-8105:
|
|
|
|
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105
|
|
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
|
|
|
|
Patch copied from upstream source repository:
|
|
|
|
https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791
|
|
|
|
From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001
|
|
From: Werner Lemberg <wl@gnu.org>
|
|
Date: Fri, 24 Mar 2017 09:15:10 +0100
|
|
Subject: [PATCH] [psaux] Better protect `flex' handling.
|
|
|
|
Reported as
|
|
|
|
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
|
|
|
|
* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
|
|
<callothersubr>: Since there is not a single flex operator but a
|
|
series of subroutine calls, malformed fonts can call arbitrary other
|
|
operators after the start of a flex, possibly adding points. For
|
|
this reason we have to check the available number of points before
|
|
inserting a point.
|
|
---
|
|
ChangeLog | 15 +++++++++++++++
|
|
src/psaux/t1decode.c | 9 +++++++++
|
|
2 files changed, 24 insertions(+)
|
|
|
|
diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
|
|
index af7b465e..7dd45135 100644
|
|
--- a/src/psaux/t1decode.c
|
|
+++ b/src/psaux/t1decode.c
|
|
@@ -780,10 +780,19 @@
|
|
/* point without adding any point to the outline */
|
|
idx = decoder->num_flex_vectors++;
|
|
if ( idx > 0 && idx < 7 )
|
|
+ {
|
|
+ /* in malformed fonts it is possible to have other */
|
|
+ /* opcodes in the middle of a flex (which don't */
|
|
+ /* increase `num_flex_vectors'); we thus have to */
|
|
+ /* check whether we can add a point */
|
|
+ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
|
|
+ goto Syntax_Error;
|
|
+
|
|
t1_builder_add_point( builder,
|
|
x,
|
|
y,
|
|
(FT_Byte)( idx == 3 || idx == 6 ) );
|
|
+ }
|
|
}
|
|
break;
|
|
|
|
--
|
|
2.12.2
|
|
|