summarylogtreecommitdiffstats
path: root/freetype-2.4.11-CVE-2014-9663.patch
diff options
context:
space:
mode:
Diffstat (limited to 'freetype-2.4.11-CVE-2014-9663.patch')
-rw-r--r--freetype-2.4.11-CVE-2014-9663.patch34
1 files changed, 34 insertions, 0 deletions
diff --git a/freetype-2.4.11-CVE-2014-9663.patch b/freetype-2.4.11-CVE-2014-9663.patch
new file mode 100644
index 000000000000..9e2496a4a59c
--- /dev/null
+++ b/freetype-2.4.11-CVE-2014-9663.patch
@@ -0,0 +1,34 @@
+From 9bd20b7304aae61de5d50ac359cf27132bafd4c1 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 22 Nov 2014 05:24:45 +0000
+Subject: [sfnt] Fix Savannah bug #43656.
+
+* src/sfnt/ttcmap.c (tt_cmap4_validate): Fix order of validity
+tests.
+---
+diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
+index 712bd4f..fb863c3 100644
+--- a/src/sfnt/ttcmap.c
++++ b/src/sfnt/ttcmap.c
+@@ -823,9 +823,6 @@
+ FT_Error error = SFNT_Err_Ok;
+
+
+- if ( length < 16 )
+- FT_INVALID_TOO_SHORT;
+-
+ /* in certain fonts, the `length' field is invalid and goes */
+ /* out of bound. We try to correct this here... */
+ if ( table + length > valid->limit )
+@@ -836,6 +833,9 @@
+ length = (FT_UInt)( valid->limit - table );
+ }
+
++ if ( length < 16 )
++ FT_INVALID_TOO_SHORT;
++
+ p = table + 6;
+ num_segs = TT_NEXT_USHORT( p ); /* read segCountX2 */
+
+--
+cgit v0.9.0.2