Pullup ticket 1686 - requested by salo

security fix for freetype2 Apply patch from salo, mirroring the recent xsrc fixes for CVE-2006-0747, CVE-2006-1861, and CVE-2006-2661.
author: snj <snj> 2006-06-06 07:51:29 +0000
committer: snj <snj> 2006-06-06 07:51:29 +0000
commit: d364d6c27bac764a5f51cb21266fd6ad3be73af7 (patch)
tree: b2c4e242b98b5223d598d84a8cc4137976b80fe0 /graphics/freetype2/patches/patch-ac
parent: 4f22d4aa10caf3b3d4d6f1c4be2e7749ba118841 (diff)
download: pkgsrc-d364d6c27bac764a5f51cb21266fd6ad3be73af7.tar.gz
1 files changed, 28 insertions, 0 deletions
diff --git a/graphics/freetype2/patches/patch-ac b/graphics/freetype2/patches/patch-ac
new file mode 100644
index 00000000000..95db80bb2a1
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ac
@@ -0,0 +1,28 @@
+$NetBSD: patch-ac,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/base/ftmac.c.orig	2004-08-28 10:02:46.000000000 +0200
++++ src/base/ftmac.c	2006-06-05 23:17:29.000000000 +0200
+@@ -430,6 +430,7 @@
+     short          res_id;
+     unsigned char  *buffer, *p, *size_p = NULL;
+     FT_ULong       total_size = 0;
++    FT_ULong	   old_total_size = 0;
+     FT_ULong       post_size, pfb_chunk_size;
+     Handle         post_data;
+     char           code, last_code;
+@@ -462,6 +463,15 @@
+       last_code = code;
+     }
+ 
++    /* detect integer overflows */
++    if ( total_size < old_total_size )
++    {
++       error = FT_Err_Array_Too_Large;
++       goto Error;
++     }
++  	 
++    old_total_size = total_size;
++
+     if ( FT_ALLOC( buffer, (FT_Long)total_size ) )
+       goto Error;
+
author	snj <snj>	2006-06-06 07:51:29 +0000
committer	snj <snj>	2006-06-06 07:51:29 +0000
commit	d364d6c27bac764a5f51cb21266fd6ad3be73af7 (patch)
tree	b2c4e242b98b5223d598d84a8cc4137976b80fe0 /graphics/freetype2/patches/patch-ac
parent	4f22d4aa10caf3b3d4d6f1c4be2e7749ba118841 (diff)
download	pkgsrc-d364d6c27bac764a5f51cb21266fd6ad3be73af7.tar.gz