head 1.1; access; symbols pkgsrc-2013Q2:1.1.0.36 pkgsrc-2013Q2-base:1.1 pkgsrc-2012Q4:1.1.0.34 pkgsrc-2012Q4-base:1.1 pkgsrc-2011Q4:1.1.0.32 pkgsrc-2011Q4-base:1.1 pkgsrc-2011Q2:1.1.0.30 pkgsrc-2011Q2-base:1.1 pkgsrc-2009Q4:1.1.0.28 pkgsrc-2009Q4-base:1.1 pkgsrc-2008Q4:1.1.0.26 pkgsrc-2008Q4-base:1.1 pkgsrc-2008Q3:1.1.0.24 pkgsrc-2008Q3-base:1.1 cube-native-xorg:1.1.0.22 cube-native-xorg-base:1.1 pkgsrc-2008Q2:1.1.0.20 pkgsrc-2008Q2-base:1.1 pkgsrc-2008Q1:1.1.0.18 pkgsrc-2008Q1-base:1.1 pkgsrc-2007Q4:1.1.0.16 pkgsrc-2007Q4-base:1.1 pkgsrc-2007Q3:1.1.0.14 pkgsrc-2007Q3-base:1.1 pkgsrc-2007Q2:1.1.0.12 pkgsrc-2007Q2-base:1.1 pkgsrc-2007Q1:1.1.0.10 pkgsrc-2007Q1-base:1.1 pkgsrc-2006Q4:1.1.0.8 pkgsrc-2006Q4-base:1.1 pkgsrc-2006Q3:1.1.0.6 pkgsrc-2006Q3-base:1.1 pkgsrc-2006Q2:1.1.0.4 pkgsrc-2006Q2-base:1.1 pkgsrc-2006Q1:1.1.0.2; locks; strict; comment @# @; 1.1 date 2006.06.06.07.51.29; author snj; state dead; branches 1.1.2.1; next ; 1.1.2.1 date 2006.06.06.07.51.29; author snj; state Exp; branches; next ; desc @@ 1.1 log @file patch-ae was initially added on branch pkgsrc-2006Q1. @ text @@ 1.1.2.1 log @Pullup ticket 1686 - requested by salo security fix for freetype2 Apply patch from salo, mirroring the recent xsrc fixes for CVE-2006-0747, CVE-2006-1861, and CVE-2006-2661. @ text @a0 56 $NetBSD$ --- src/bdf/bdflib.c.orig 2005-05-21 19:19:52.000000000 +0200 +++ src/bdf/bdflib.c 2006-06-05 23:22:50.000000000 +0200 @@@@ -1092,7 +1092,7 @@@@ #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n" #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n" #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n" - +#define ERRMSG4 "[line %ld] BBX too big.\n" static FT_Error _bdf_add_comment( bdf_font_t* font, @@@@ -1561,6 +1561,14 @@@@ p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 ); + /* Check that the encoding is in the range [0,65536] because */ + /* otherwise p->have (a bitmap with static size) overflows. 
*/ + if ( p->glyph_enc >= sizeof(p->have)*8 ) + { + error = BDF_Err_Invalid_File_Format; + goto Exit; + } + /* Check to see whether this encoding has already been encountered. */ /* If it has then change it to unencoded so it gets added if */ /* indicated. */ @@@@ -1805,6 +1813,9 @@@@ /* And finally, gather up the bitmap. */ if ( ft_memcmp( line, "BITMAP", 6 ) == 0 ) { + unsigned long bitmap_size; + + if ( !( p->flags & _BDF_BBX ) ) { /* Missing BBX field. */ @@@@ -1815,7 +1826,16 @@@@ /* Allocate enough space for the bitmap. */ glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3; - glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height ); + + bitmap_size = glyph->bpr * glyph->bbx.height; + if ( bitmap_size > 0xFFFFU ) + { + FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno )); + error = BDF_Err_Bbx_Too_Big; + goto Exit; + } + else + glyph->bytes = (unsigned short)bitmap_size; if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) ) goto Exit; @
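Review bot: The bound in the added `if ( p->glyph_enc >= sizeof(p->have)*8 )` assumes every bit of every element of `p->have` is addressable, but the declaration and the code that sets and tests bits are outside this hunk, so that needs confirming. If the bitmap is indexed with a fixed bit count per element (for example 32) and the element type is wider on some platforms, the check admits encodings that index past the end of the array; the limit should then be element count times bits used per element. The comparison also relies on implicit conversion of the `_bdf_atol` result to `size_t`, so a negative encoding is rejected only as a side effect; an explicit `(size_t)` cast, plus a deliberate decision on whether negative encodings are valid input, would make the intent reviewable. The added comment says `[0,65536]` while `>=` rejects the upper value, so `[0,65535]` would match the code if the bitmap holds 65536 bits. The enclosing function starts and ends outside the hunk.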
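Review bot: The product in `bitmap_size = glyph->bpr * glyph->bbx.height;` is evaluated in the operands' own types before being widened to `unsigned long`, so the `> 0xFFFFU` test is only reliable if one operand is already that wide; the field declarations are not visible here. Casting one operand removes that dependency: `bitmap_size = (unsigned long)glyph->bpr * glyph->bbx.height;`. The `glyph->bpr` computation on the context line above is not covered by the new check, so a wrapped `bpr` would still pass it and is worth bounding separately. The `else` after `goto Exit;` is redundant and can be dropped. The enclosing function (named `_bdf_parse_glyphs` in the error string) starts and ends outside the hunk.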