Control: tags 860303 + pending

Dear maintainer,

I've prepared an NMU for freetype (versioned as 2.6.3-3.2) and uploaded it to DELAYED/2. Please feel free to tell me if I should delay it longer.

Regards,
Salvatore
diff -u freetype-2.6.3/debian/changelog freetype-2.6.3/debian/changelog --- freetype-2.6.3/debian/changelog +++ freetype-2.6.3/debian/changelog @@ -1,3 +1,10 @@ +freetype (2.6.3-3.2) unstable; urgency=high + + * Non-maintainer upload. + * [cff] Fix heap buffer overflow (CVE-2016-10328) (Closes: #860303) + + -- Salvatore Bonaccorso <car...@debian.org> Sun, 23 Apr 2017 20:36:54 +0200 + freetype (2.6.3-3.1) unstable; urgency=medium * Non-maintainer upload. diff -u freetype-2.6.3/debian/patches-freetype/series freetype-2.6.3/debian/patches-freetype/series --- freetype-2.6.3/debian/patches-freetype/series +++ freetype-2.6.3/debian/patches-freetype/series @@ -6,0 +7 @@ +CVE-2016-10328-cff-Fix-heap-buffer-overflow-49858.patch only in patch2: unchanged: --- freetype-2.6.3.orig/debian/patches-freetype/CVE-2016-10328-cff-Fix-heap-buffer-overflow-49858.patch +++ freetype-2.6.3/debian/patches-freetype/CVE-2016-10328-cff-Fix-heap-buffer-overflow-49858.patch 
@@ -0,0 +1,42 @@ +From beecf80a6deecbaf5d264d4f864451bde4fe98b8 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <w...@gnu.org> +Date: Fri, 16 Dec 2016 08:52:03 +0100 +Subject: [PATCH] [cff] Fix heap buffer overflow (#49858). + +* src/cff/cffparse.c (cff_parser_run): Add one more stack size +check. + +[carnil: replace check against parser->stackSize with CFF_MAX_STACK_DEPTH] +--- + ChangeLog | 7 +++++++ + src/cff/cffparse.c | 10 +++++++--- + 2 files changed, 14 insertions(+), 3 deletions(-) + +diff --git a/src/cff/cffparse.c b/src/cff/cffparse.c +index 022c289..9b5ad72 100644 +--- a/src/cff/cffparse.c ++++ b/src/cff/cffparse.c +@@ -1422,13 +1422,17 @@ + /* and look for it in our current list. */ + + FT_UInt code; +- FT_UInt num_args = (FT_UInt) +- ( parser->top - parser->stack ); ++ FT_UInt num_args; + const CFF_Field_Handler* field; + + ++ if ( (FT_UInt)( parser->top - parser->stack ) >= CFF_MAX_STACK_DEPTH ) ++ goto Stack_Overflow; ++ ++ num_args = (FT_UInt)( parser->top - parser->stack ); + *parser->top = p; +- code = v; ++ code = v; ++ + if ( v == 12 ) + { + /* two byte operator */ +-- +2.1.4 +
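Review bot: In the src/cff/cffparse.c hunk, the new guard tests `parser->top - parser->stack` against CFF_MAX_STACK_DEPTH immediately before the `*parser->top = p;` store, but the declaration of parser->stack is outside the hunk context, so the visible lines do not show that the array holds at least CFF_MAX_STACK_DEPTH entries, which is the condition under which that store stays in bounds once the check passes. The `[carnil: ...]` line records that the upstream comparison against parser->stackSize was replaced by the constant without giving the reason; one more sentence there (for example, that this version's parser has no stackSize field, if that is why) together with the array size it was checked against would let a later reader confirm the backport. The embedded diffstat also still lists `ChangeLog | 7 +++++++` and "2 files changed, 14 insertions(+), 3 deletions(-)" while only the cffparse.c diff is carried, so either regenerate the stat or mention in the same bracketed note that the ChangeLog hunk was dropped.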