me/guix
Archived
1
0
Fork 0
Code Activity
This repository has been archived on 2024-08-07. You can view files and clone it, but cannot push or open issues or pull requests.
guix/gnu/packages/patches/t1lib-CVE-2011-1552+.patch
Efraim Flashner 9c2d2c13ce
gnu: t1lib: Change how patched CVEs are listed. 
* gnu/packages/fontutils.scm (t1lib)[source]: Change patch name.
[properties]: New field, register patched CVEs.
* gnu/packages/patches/CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch:
Rename to CVE-2011-1552+.patch.
* gnu/local.mk (dist_patch_DATA): Change patch name.
2017-12-10 21:59:08 +02:00

133 lines
5.1 KiB
Diff
Raw Blame History

Author: Jaroslav Škarvada <jskarvad@redhat.com>
Description: Fix more crashes on oversized fonts
Bug-Redhat: http://bugzilla.redhat.com/show_bug.cgi?id=692909
Index: t1lib-5.1.2/lib/type1/lines.c
===================================================================
--- t1lib-5.1.2.orig/lib/type1/lines.c 2007-12-23 09:49:42.000000000 -0600
+++ t1lib-5.1.2/lib/type1/lines.c 2012-01-17 14:15:08.000000000 -0600
@@ -67,6 +67,10 @@
None.
*/
+#define BITS (sizeof(LONG)*8)
+#define HIGHTEST(p) (((p)>>(BITS-2)) != 0) /* includes sign bit */
+#define TOOBIG(xy) ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy))
+
/*
:h2.StepLine() - Produces Run Ends for a Line After Checks
@@ -84,6 +88,9 @@
IfTrace4((LineDebug > 0), ".....StepLine: (%d,%d) to (%d,%d)\n",
x1, y1, x2, y2);
+ if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2))
+ abort("Lines this big not supported", 49);
+
dy = y2 - y1;
/*
Index: t1lib-5.1.2/lib/type1/objects.c
===================================================================
--- t1lib-5.1.2.orig/lib/type1/objects.c 2007-12-23 09:49:42.000000000 -0600
+++ t1lib-5.1.2/lib/type1/objects.c 2012-01-17 14:15:08.000000000 -0600
@@ -1137,12 +1137,13 @@
"Context: out of them", /* 46 */
"MatrixInvert: can't", /* 47 */
"xiStub called", /* 48 */
- "Illegal access type1 abort() message" /* 49 */
+ "Lines this big not supported", /* 49 */
+ "Illegal access type1 abort() message" /* 50 */
};
- /* no is valid from 1 to 48 */
- if ( (number<1)||(number>48))
- number=49;
+ /* no is valid from 1 to 49 */
+ if ( (number<1)||(number>49))
+ number=50;
return( err_msgs[number-1]);
}
Index: t1lib-5.1.2/lib/type1/type1.c
===================================================================
--- t1lib-5.1.2.orig/lib/type1/type1.c 2012-01-17 14:13:28.000000000 -0600
+++ t1lib-5.1.2/lib/type1/type1.c 2012-01-17 14:19:54.000000000 -0600
@@ -1012,6 +1012,7 @@
double nextdtana = 0.0; /* tangent of post-delta against horizontal line */
double nextdtanb = 0.0; /* tangent of post-delta against vertical line */
+ if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n");
/* setup default hinted position */
ppoints[numppoints-1].ax = ppoints[numppoints-1].x;
@@ -1289,7 +1290,7 @@
static int DoRead(CodeP)
int *CodeP;
{
- if (strindex >= CharStringP->len) return(FALSE); /* end of string */
+ if (!CharStringP || strindex >= CharStringP->len) return(FALSE); /* end of string */
/* We handle the non-documented Adobe convention to use lenIV=-1 to
suppress charstring encryption. */
if (blues->lenIV==-1) {
@@ -1700,7 +1701,7 @@
long pindex = 0;
/* compute hinting for previous segment! */
- if (ppoints == NULL) Error0i("RLineTo: No previous point!\n");
+ if (ppoints == NULL || numppoints < 2) Error0i("RLineTo: No previous point!\n");
FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
/* Allocate a new path point and pre-setup data */
@@ -1729,7 +1730,7 @@
long pindex = 0;
/* compute hinting for previous point! */
- if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n");
+ if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n");
FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
/* Allocate three new path points and pre-setup data */
@@ -1788,7 +1789,9 @@
long tmpind;
double deltax = 0.0;
double deltay = 0.0;
-
+
+ if (ppoints == NULL || numppoints < 1) Error0i("DoClosePath: No previous point!");
+
/* If this ClosePath command together with the starting point of this
path completes to a segment aligned to a stem, we would miss
hinting for this point. --> Check and explicitly care for this! */
@@ -1803,6 +1806,7 @@
deltax = ppoints[i].x - ppoints[numppoints-1].x;
deltay = ppoints[i].y - ppoints[numppoints-1].y;
+ if (ppoints == NULL || numppoints <= i + 1) Error0i("DoClosePath: No previous point!");
/* save nummppoints and reset to move point */
tmpind = numppoints;
numppoints = i + 1;
@@ -1905,7 +1909,7 @@
FindStems( currx, curry, 0, 0, dx, dy);
}
else {
- if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n");
+ if (ppoints == NULL || numppoints < 2) Error0i("RMoveTo: No previous point!\n");
FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy);
}
@@ -2155,6 +2159,7 @@
DOUBLE cx, cy;
DOUBLE ex, ey;
+ if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous point!");
/* Our PPOINT list now contains 7 moveto commands which
are about to be consumed by the Flex mechanism. --> Remove these
@@ -2324,6 +2329,7 @@
/* Returns currentpoint on stack */
static void FlxProc2()
{
+ if (ppoints == NULL || numppoints < 1) Error0v("FlxProc2: No previous point!");
/* Push CurrentPoint on fake PostScript stack */
PSFakePush( ppoints[numppoints-1].x);
PSFakePush( ppoints[numppoints-1].y);
View git blame Copy permalink