Diffstat (limited to 'freetype-2.4.11-CVE-2014-9657.patch')
-rw-r--r-- | freetype-2.4.11-CVE-2014-9657.patch | 40 |
1 files changed, 0 insertions, 40 deletions
diff --git a/freetype-2.4.11-CVE-2014-9657.patch b/freetype-2.4.11-CVE-2014-9657.patch
deleted file mode 100644
index 89544067708a..000000000000
--- a/freetype-2.4.11-CVE-2014-9657.patch
+++ /dev/null
@@ -1,40 +0,0 @@
-From eca0f067068020870a429fe91f6329e499390d55 Mon Sep 17 00:00:00 2001
-From: Werner Lemberg <wl@gnu.org>
-Date: Mon, 24 Nov 2014 09:22:08 +0000
-Subject: [truetype] Fix Savannah bug #43679.
-
-* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of
-`record_size'.
----
-diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c
-index 9723a51..9991925 100644
---- a/src/truetype/ttpload.c
-+++ b/src/truetype/ttpload.c
-@@ -508,9 +508,9 @@
- record_size = FT_NEXT_ULONG( p );
-
- /* The maximum number of bytes in an hdmx device record is the */
-- /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is */
-- /* the reason why `record_size' is a long (which we read as */
-- /* unsigned long for convenience). In practice, two bytes */
-+ /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus */
-+ /* explaining why `record_size' is a long (which we read as */
-+ /* unsigned long for convenience). In practice, two bytes are */
- /* sufficient to hold the size value. */
- /* */
- /* There are at least two fonts, HANNOM-A and HANNOM-B version */
-@@ -522,8 +522,10 @@
- record_size &= 0xFFFFU;
-
- /* The limit for `num_records' is a heuristic value. */
--
-- if ( version != 0 || num_records > 255 || record_size > 0x10001L )
-+ if ( version != 0 ||
-+ num_records > 255 ||
-+ record_size > 0x10001L ||
-+ record_size < 4 )
- {
- error = TT_Err_Invalid_File_Format;
- goto Fail;
---
-cgit v0.9.0.2 |