On Sun, Jul 23, 2006 at 08:51:29PM +0200, Martin Schulze wrote:
> Steve Langasek wrote:
> > On Fri, Jul 07, 2006 at 08:42:59PM +0200, Martin Schulze wrote:

> > It appears to be a correct fix for the regression that has been reported.

> > > I'd rather make it read:

> > >     if (height <= 0 || (FT_ULong)pitch > LONG_MAX/height)

> > > because later we have "pitch * height" which will result in a malloc
> > > of zero.

> s/of zero/of less than zero/ it should have read, i.e. a negative malloc
> which is generally a bad thing.

Ok, that's fair.  I think there's still the possibility of a negative malloc
if pitch is negative, but that's now several steps removed from the stated
vulnerability, and in the meantime we still have the crasher regression, so
I've updated the patch to use the height <= 0 check.

> I still see

> --- freetype-2.1.7.orig/--variant=buildd/debootstrap/debootstrap.log
> +++ freetype-2.1.7/--variant=buildd/debootstrap/debootstrap.log
> @@ -0,0 +1,2 @@
> +/usr/sbin/debootstrap: line 349: .: /chroots/sarge-i386-pristine: is a 
> directory
> +/usr/sbin/debootstrap: line 349: .: /chroots/sarge-i386-pristine: is a 
> directory
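Review bot: the two added lines are a build log rather than source, and the path `--variant=buildd/debootstrap/debootstrap.log` (a directory named after a command-line option) shows the diff was generated from a tree left dirty by a chroot build helper; regenerate the .diff.gz from a clean source tree and confirm the -4 upload no longer carries this file.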
> 
> which ought not to be there.

Well, apparently the -3 package that you said you couldn't find was on
security.d.o all along, because this was *not* in the second -3 package that
I uploaded; but that one was rejected because it was a duplicate.

I've uploaded -4 now with the additional check.

-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/
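The size check discussed above, written out as an added example (not FreeType's own code) so its edge cases can be exercised: the `height <= 0` clause keeps the division defined, and the unsigned cast makes a negative pitch compare as a huge value, so it is rejected too. `FT_ULong` is assumed to be `unsigned long`, as in FreeType; the allocation helper is hypothetical.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdlib.h>

/* Assumption: FreeType's FT_ULong is an unsigned long. */
typedef unsigned long FT_ULong;

/* The guard from the thread: true only when pitch * height is a positive
   value that fits in a long, so the later allocation cannot overflow.
   height is tested first so LONG_MAX / height never divides by zero;
   a negative pitch becomes a very large FT_ULong and fails the comparison. */
bool bitmap_size_ok(long pitch, long height)
{
    if (height <= 0 || (FT_ULong)pitch > LONG_MAX / height)
        return false;
    return true;
}

/* Returns the number of bytes the bitmap needs, or -1 when the size check
   rejects the dimensions. The multiplication only runs after the check,
   so it can never overflow. */
long checked_bitmap_bytes(long pitch, long height)
{
    if (!bitmap_size_ok(pitch, height))
        return -1;
    return pitch * height;
}

/* Hypothetical allocation helper: allocates only after the check passes.
   The caller owns and must free the returned buffer. */
unsigned char *alloc_bitmap(long pitch, long height)
{
    long bytes = checked_bitmap_bytes(pitch, height);
    if (bytes < 0)
        return NULL;
    return malloc((size_t)bytes);
}
```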
