Steve Langasek wrote:
> On Fri, Jul 07, 2006 at 08:42:59PM +0200, Martin Schulze wrote:
>
> > Steve Langasek wrote:
> > > As mentioned earlier this month, a regression was found in the freetype
> > > 2.1.7-2.5 package uploaded for DSA-1095 which caused applications to crash
> > > with division-by-zero errors. I've prepared a maintainer upload to fix
> > > this regression using the patch from bug #373581, which can be found at
> > > <http://people.debian.org/~vorlon/freetype-DSA/>.
>
> > Are you sure this is the proper fix?
>
> > -+ if ((FT_ULong)pitch > LONG_MAX/height)
> > ++ if (height != 0 && (FT_ULong)pitch > LONG_MAX/height)
>
> It appears to be a correct fix for the regression that has been reported.
>
> > I'd rather make it read:
>
> > if (height <= 0 || (FT_ULong)pitch > LONG_MAX/height)
>
> > because later we have "pitch * height" which will result in a malloc
> > of zero.

s/of zero/of less than zero/ it should have read, i.e. a negative malloc
which is generally a bad thing.

> This 'pitch * height' is pre-existing code in 2.1.7-2.4 and users report no
> problems with OOo running against that version of freetype. I have not
> traced the code to determine whether changing the returned error in the case
> of a height of 0 has any side effects; given that there are no previous
> complaints about height==0, I don't think this is a change that needs to be
> made in a security update.

Yeah, height==0 is evil, but height<0 is evil as well and will result in
"interesting" results, hence, should be avoided as well.

I still see

--- freetype-2.1.7.orig/--variant=buildd/debootstrap/debootstrap.log
+++ freetype-2.1.7/--variant=buildd/debootstrap/debootstrap.log
@@ -0,0 +1,2 @@
+/usr/sbin/debootstrap: line 349: .: /chroots/sarge-i386-pristine: is a directory
+/usr/sbin/debootstrap: line 349: .: /chroots/sarge-i386-pristine: is a directory

which ought not to be there. Please build the source package before
building the binary package and review the change with interdiff -z.

Regards,

Joey

--
Long noun chains don't automatically imply security. -- Bruce Schneier

Please always Cc to me when replying to me on the lists.
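
Review bot: in the `++` line of the quoted freetype change, `height != 0 &&` only keeps a zero height away from the division; a negative height still reaches `LONG_MAX/height`, and the resulting non-positive quotient is then compared against `(FT_ULong)pitch`, so the test no longer bounds anything in that case. Since the thread says `pitch * height` is used afterwards for the allocation size, reject negative heights explicitly, either with the `height <= 0 ||` form proposed in the reply or, if the height == 0 path must keep its current return value, with a separate `height < 0` test ahead of this condition.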
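
Review bot: `--variant=buildd/debootstrap/debootstrap.log` should be dropped from the source diff: its two `+` lines are debootstrap error output naming a local chroot path (`/chroots/sarge-i386-pristine`), not a change to freetype. Delete the stray `--variant=buildd/` directory from the unpacked tree, rebuild the source package from the clean tree, and confirm with interdiff -z that only the intended change remains.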
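
The two guards discussed in this thread, run side by side on constructed inputs, as an added example that is not part of the original messages and is not FreeType code. The function names and the use of `long` for pitch and height are assumptions made for the illustration.

```c
#include <limits.h>
#include <stdio.h>

/* Added illustration; names and the long types are assumptions, not FreeType code. */
enum { SIZE_OK = 0, SIZE_REJECTED = 1 };

/* Guard as uploaded: the division is skipped only for height == 0. */
static int check_uploaded(long pitch, long height)
{
    /* The explicit cast on the right spells out what C's usual arithmetic
       conversions do implicitly when an unsigned long meets a long. */
    if (height != 0 &&
        (unsigned long)pitch > (unsigned long)(LONG_MAX / height))
        return SIZE_REJECTED;
    return SIZE_OK;
}

/* Guard as proposed in the reply: zero and negative heights are refused. */
static int check_proposed(long pitch, long height)
{
    if (height <= 0 ||
        (unsigned long)pitch > (unsigned long)(LONG_MAX / height))
        return SIZE_REJECTED;
    return SIZE_OK;
}

int main(void)
{
    /* Constructed inputs: normal, zero height, negative height, overflow. */
    static const long cases[][2] = {
        { 4, 8 }, { 4, 0 }, { 4, -2 }, { LONG_MAX, 2 }
    };
    size_t i;

    for (i = 0; i < sizeof cases / sizeof cases[0]; i++) {
        long pitch = cases[i][0], height = cases[i][1];
        int up = check_uploaded(pitch, height);

        printf("pitch=%ld height=%ld uploaded=%s proposed=%s",
               pitch, height, up ? "reject" : "ok",
               check_proposed(pitch, height) ? "reject" : "ok");
        if (up == SIZE_OK)   /* the size the later allocation would be given */
            printf(" size=%ld", pitch * height);
        putchar('\n');
    }
    return 0;
}
```

The negative-height row passes the uploaded guard because the negative quotient becomes a very large value once converted to unsigned; the zero-height row is where the two guards differ in returned result.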