summarylogtreecommitdiffstats
path: root/freetype-2.4.11-CVE-2014-9657.patch
diff options
context:
space:
mode:
Diffstat (limited to 'freetype-2.4.11-CVE-2014-9657.patch')
-rw-r--r--freetype-2.4.11-CVE-2014-9657.patch40
1 files changed, 0 insertions, 40 deletions
diff --git a/freetype-2.4.11-CVE-2014-9657.patch b/freetype-2.4.11-CVE-2014-9657.patch
deleted file mode 100644
index 89544067708a..000000000000
--- a/freetype-2.4.11-CVE-2014-9657.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From eca0f067068020870a429fe91f6329e499390d55 Mon Sep 17 00:00:00 2001
-From: Werner Lemberg <wl@gnu.org>
-Date: Mon, 24 Nov 2014 09:22:08 +0000
-Subject: [truetype] Fix Savannah bug #43679.
-
-* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of
-`record_size'.
----
-diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c
-index 9723a51..9991925 100644
---- a/src/truetype/ttpload.c
-+++ b/src/truetype/ttpload.c
-@@ -508,9 +508,9 @@
- record_size = FT_NEXT_ULONG( p );
-
- /* The maximum number of bytes in an hdmx device record is the */
-- /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is */
-- /* the reason why `record_size' is a long (which we read as */
-- /* unsigned long for convenience). In practice, two bytes */
-+ /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus */
-+ /* explaining why `record_size' is a long (which we read as */
-+ /* unsigned long for convenience). In practice, two bytes are */
- /* sufficient to hold the size value. */
- /* */
- /* There are at least two fonts, HANNOM-A and HANNOM-B version */
-@@ -522,8 +522,10 @@
- record_size &= 0xFFFFU;
-
- /* The limit for `num_records' is a heuristic value. */
--
-- if ( version != 0 || num_records > 255 || record_size > 0x10001L )
-+ if ( version != 0 ||
-+ num_records > 255 ||
-+ record_size > 0x10001L ||
-+ record_size < 4 )
- {
- error = TT_Err_Invalid_File_Format;
- goto Fail;
---
-cgit v0.9.0.2