rpms/freetype1/F-11 cve-2006-1861.patch, NONE, 1.1 cve-2007-2754.patch, NONE, 1.1

Adam Jackson ajax at fedoraproject.org
Tue May 26 20:29:58 UTC 2009


Author: ajax

Update of /cvs/pkgs/rpms/freetype1/F-11
In directory cvs1.fedora.phx.redhat.com:/tmp/cvs-serv29730

Added Files:
	cve-2006-1861.patch cve-2007-2754.patch 
Log Message:
* Tue May 26 2009 Adam Jackson <ajax at redhat.com> 1.4-0.8.pre
- cve-2006-1861.patch, cve-2007-2754.patch: Port of freetype2 fixes. (#502565)


cve-2006-1861.patch:

--- NEW FILE cve-2006-1861.patch ---
diff -up freetype-pre1.4/lib/ttgload.c.freetype-pre1.4-CVE-2006-1861-null-pointer freetype-pre1.4/lib/ttgload.c
--- freetype-pre1.4/lib/ttgload.c.freetype-pre1.4-CVE-2006-1861-null-pointer	2009-05-12 19:40:52.000000000 -0400
+++ freetype-pre1.4/lib/ttgload.c	2009-05-12 19:41:03.000000000 -0400
@@ -270,6 +270,10 @@
     j    = 0;
     flag = exec->pts.touch;
 
+    /* CVE-2006-1861 */ 
+    if ( flag == NULL ) 
+	  return TT_Err_Invalid_Composite; /* for lack of a better err code */
+
     while ( j < n_points )
     {
       Byte  c, cnt;
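Review bot: The added `return TT_Err_Invalid_Composite;` leaves the function directly, so a stream frame that is open at this point would not be released. The second patch in this mail shows `FORGET_Frame()` near line 236 of the same file, and the lines between there and line 270 are outside both hunks, so it needs checking whether a frame is re-opened before `flag = exec->pts.touch`. If one is, the guard should read `if ( flag == NULL ) { FORGET_Frame(); return TT_Err_Invalid_Composite; }`. The comment `/* CVE-2006-1861 */` should also say why `pts.touch` can be NULL here, because the returned error code is admittedly a stand-in and will not tell a caller what went wrong. The enclosing function starts and ends outside the hunk.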

cve-2007-2754.patch:

--- NEW FILE cve-2007-2754.patch ---
diff -up freetype-pre1.4/lib/ttgload.c.ttf-overflow freetype-pre1.4/lib/ttgload.c
--- freetype-pre1.4/lib/ttgload.c.ttf-overflow	2009-05-12 19:25:25.000000000 -0400
+++ freetype-pre1.4/lib/ttgload.c	2009-05-12 19:28:15.000000000 -0400
@@ -236,7 +236,7 @@
 
     FORGET_Frame();
 
-    if ( n_points > left_points )
+    if ( n_points < 0  || n_points > left_points )
     {
       PTRACE0(( "ERROR: Too many points in glyph %ld\n", subg->index ));
       return TT_Err_Too_Many_Points;
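Review bot: The added `n_points < 0` test only has an effect if `n_points` is a signed type, and its declaration is outside the hunk. If it is declared unsigned, the comparison is always false and the patch adds no protection; a wrapped point count would then have to be rejected where `n_points` is computed from the contour data. Confirm the type and record it next to the check, e.g. `/* n_points is signed; a negative value means the point count overflowed */`, or build with `-Wtype-limits` so GCC flags a dead comparison. The enclosing function starts and ends outside the hunk.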



