Your message dated Fri, 1 Sep 2006 03:17:49 -0700
with message-id <[EMAIL PROTECTED]>
and subject line Bug#372719: regression in FreeType security fix for DSA-1095
has caused the attached Bug report to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what I am
talking about this indicates a serious mail system misconfiguration
somewhere.  Please contact me immediately.)

Debian bug tracking system administrator
(administrator, Debian Bugs database)

--- Begin Message ---
Package: libfreetype6
Version: 2.1.7-2.5
Severity: grave

My xserver crashes with a FPE after upgrading freetype.

Cause:
The very last security-related patch in freetype_2.1.7-2.5
has this patch:

--- freetype-2.1.7.orig/src/raster/ftrend1.c    2003-06-18 08:59:56.000000000 
+0200
+++ freetype-2.1.7/src/raster/ftrend1.c 2006-05-28 15:50:05.000000000 +0200
@@ -21,6 +21,7 @@
 #include FT_OUTLINE_H
 #include "ftrend1.h"
 #include "ftraster.h"
+#include <limits.h>
 
 #include "rasterrs.h"
 
@@ -175,6 +176,9 @@
     bitmap->rows  = height;
     bitmap->pitch = pitch;
 
+    if ((FT_ULong)pitch > LONG_MAX/height)
+      goto Exit;
+
     if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) )
       goto Exit;
 
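Review bot: the added check at `LONG_MAX/height` divides by `height` without first testing it for zero, so a bitmap with `height == 0` performs an integer division by zero here instead of reaching FT_ALLOC. Test the zero case before dividing, for example `if (height != 0 && (FT_ULong)pitch > LONG_MAX/height)`, so that an empty bitmap skips the division entirely.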
This patch needs to become sth like:

--- freetype-2.1.7.orig/src/raster/ftrend1.c    2003-06-18 08:59:56.000000000 
+0200
+++ freetype-2.1.7/src/raster/ftrend1.c 2006-05-28 15:50:05.000000000 +0200
@@ -21,6 +21,7 @@
 #include FT_OUTLINE_H
 #include "ftrend1.h"
 #include "ftraster.h"
+#include <limits.h>
 
 #include "rasterrs.h"
 
@@ -175,6 +176,9 @@
     bitmap->rows  = height;
     bitmap->pitch = pitch;
 
+    if (height != 0 && (FT_ULong)pitch > LONG_MAX/height)
+      goto Exit;
+
     if ( FT_ALLOC( bitmap->buffer, (FT_ULong)pitch * height ) )
       goto Exit;
 
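Review bot: the new `goto Exit` branch sits after `bitmap->rows = height` and `bitmap->pitch = pitch`, so on the overflow path the bitmap keeps its dimensions with no buffer allocated, and nothing in the lines shown assigns an error value before the jump. Move the check above the two assignments and set an explicit error before `goto Exit`, so the caller cannot mistake the rejected size for success. The `height != 0` guard itself makes the division safe.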
Regards,
Wolfram.



--- End Message ---
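The zero-height case from the report above, as an added example in C that is not part of the original message or of FreeType's code. The names `bitmap_size` and `bitmap_alloc` are hypothetical; the example treats a zero dimension as an empty bitmap and an overflowing product as an explicit error.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Hypothetical helper (not FreeType code): computes pitch * height for a
   bitmap buffer. Returns 0 and stores the size in *out on success; returns
   -1 if a dimension is negative or the product would exceed LONG_MAX. */
static int bitmap_size(long pitch, long height, unsigned long *out)
{
    if (pitch < 0 || height < 0)
        return -1;
    /* A zero dimension is an empty bitmap, not an error. Testing it first
       also guarantees the division below never sees a zero divisor, which
       is the case that raised the FPE in the report. */
    if (pitch == 0 || height == 0) {
        *out = 0;
        return 0;
    }
    if ((unsigned long)pitch > (unsigned long)LONG_MAX / (unsigned long)height)
        return -1;
    *out = (unsigned long)pitch * (unsigned long)height;
    return 0;
}

/* Hypothetical allocation wrapper: the size check runs before anything is
   stored, and an overflow is reported as a failure with *buf left NULL. */
static int bitmap_alloc(long pitch, long height, unsigned char **buf)
{
    unsigned long size;

    *buf = NULL;
    if (bitmap_size(pitch, height, &size) != 0)
        return -1;              /* overflow or bad input: explicit error */
    if (size == 0)
        return 0;               /* empty glyph: success, no buffer */
    *buf = calloc(1, size);
    return *buf ? 0 : -1;
}

int main(void)
{
    unsigned char *buf;
    /* Constructed inputs: empty bitmap, normal bitmap, overflowing size. */
    printf("empty:    %d\n", bitmap_alloc(4, 0, &buf));
    printf("normal:   %d\n", bitmap_alloc(4, 8, &buf));
    free(buf);
    printf("overflow: %d\n", bitmap_alloc(LONG_MAX, 2, &buf));
    return 0;
}
```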
--- Begin Message ---
Version: 2.1.7-5

On Sat, Aug 19, 2006 at 04:23:50PM +0200, Martin Schulze wrote:
> Maybe it's better to fix it via proposed-updates and let the SRM team
> decide.

This has happened now, and is r3.  It's regrettable that we couldn't get it
out in a DSA update, but it's at least done for users who will upgrade from
stable.

Thanks,
-- 
Steve Langasek                   Give me a lever long enough and a Free OS
Debian Developer                   to set it on, and I can move the world.
[EMAIL PROTECTED]                                   http://www.debian.org/

--- End Message ---