From 67c816f1ec327a9dd8c5b9b2af1083f5ebd1fe74 Mon Sep 17 00:00:00 2001 From: David Coppa Date: Wed, 10 May 2017 08:27:51 +0000 Subject: Fixes for CVE-2017-8105 and CVE-2017-8287 out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c out-of-bounds write caused by a heap-based buffer overflow related to the t1_builder_close_contour function in psaux/psobjs.c From upstream via Arch Linux OK matthieu@ --- lib/freetype/src/psaux/psobjs.c | 8 ++++++++ lib/freetype/src/psaux/t1decode.c | 9 +++++++++ 2 files changed, 17 insertions(+) (limited to 'lib/freetype') diff --git a/lib/freetype/src/psaux/psobjs.c b/lib/freetype/src/psaux/psobjs.c index 6e528d407..475df4545 100644 --- a/lib/freetype/src/psaux/psobjs.c +++ b/lib/freetype/src/psaux/psobjs.c @@ -1718,6 +1718,14 @@ first = outline->n_contours <= 1 ? 0 : outline->contours[outline->n_contours - 2] + 1; + /* in malformed fonts it can happen that a contour was started */ + /* but no points were added */ + if ( outline->n_contours && first == outline->n_points ) + { + outline->n_contours--; + return; + } + /* We must not include the last point in the path if it */ /* is located on the first point. */ if ( outline->n_points > 1 ) diff --git a/lib/freetype/src/psaux/t1decode.c b/lib/freetype/src/psaux/t1decode.c index 1cd9d730a..bc5e3d2db 100644 --- a/lib/freetype/src/psaux/t1decode.c +++ b/lib/freetype/src/psaux/t1decode.c @@ -780,10 +780,19 @@ /* point without adding any point to the outline */ idx = decoder->num_flex_vectors++; if ( idx > 0 && idx < 7 ) + { + /* in malformed fonts it is possible to have other */ + /* opcodes in the middle of a flex (which don't */ + /* increase `num_flex_vectors'); we thus have to */ + /* check whether we can add a point */ + if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) ) + goto Syntax_Error; + t1_builder_add_point( builder, x, y, (FT_Byte)( idx == 3 || idx == 6 ) ); + } } break; -- cgit v1.2.3