2 files changed, 47 insertions, 0 deletions

diff --git a/graphics/freetype2/patches/patch-ab b/graphics/freetype2/patches/patch-ab
new file mode 100644
index 00000000000..03c80f71087
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ab
@@ -0,0 +1,24 @@
+$NetBSD: patch-ab,v 1.15.2.2 2010/12/19 03:47:00 sbd Exp $
+
+CVE-2010-3855
+
+--- src/truetype/ttgxvar.c.orig	2010-07-12 19:03:49.000000000 +0000
++++ src/truetype/ttgxvar.c
+@@ -154,7 +154,7 @@
+         runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
+         first  = points[i++] = FT_GET_USHORT();
+ 
+-        if ( runcnt < 1 )
++        if ( runcnt < 1 || i + runcnt >= n )
+           goto Exit;
+ 
+         /* first point not included in runcount */
+@@ -165,7 +165,7 @@
+       {
+         first = points[i++] = FT_GET_BYTE();
+ 
+-        if ( runcnt < 1 )
++        if ( runcnt < 1 || i + runcnt >= n )
+           goto Exit;
+ 
+         for ( j = 0; j < runcnt; ++j )
diff --git a/graphics/freetype2/patches/patch-ac b/graphics/freetype2/patches/patch-ac
new file mode 100644
index 00000000000..bf7155e2961
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ac
@@ -0,0 +1,23 @@
+$NetBSD: patch-ac,v 1.6.2.2 2010/12/19 03:47:00 sbd Exp $
+
+CVE-2010-3814
+
+--- src/truetype/ttinterp.c.orig	2010-10-01 06:08:19.000000000 +0000
++++ src/truetype/ttinterp.c
+@@ -5795,7 +5795,16 @@
+     if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
+       last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
+     else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
++    {
+       last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
++
++      if ( BOUNDS( last_point, CUR.zp2.n_points ) )
++      {
++        if ( CUR.pedantic_hinting )
++          CUR.error = TT_Err_Invalid_Reference;
++        return;
++      }
++    }
+     else
+       last_point = 0;
+