Date: Fri, 18 May 2007 13:28:42 -0700 (PDT) From: Nick Barkas <snb@threerings.net> To: FreeBSD-gnats-submit@FreeBSD.org Cc: gnome@FreeBSD.org Subject: ports/112769: [patch] [security] print/freetype2 fix for heap overflow Message-ID: <20070518202842.5E65461E4E@smtp.earth.threerings.net> Resent-Message-ID: <200705182030.l4IKU4mf004078@freefall.freebsd.org>
>Number: 112769 >Category: ports >Synopsis: [patch] [security] print/freetype2 fix for heap overflow >Confidential: no >Severity: critical >Priority: high >Responsible: freebsd-ports-bugs >State: open >Quarter: >Keywords: >Date-Required: >Class: update >Submitter-Id: current-users >Arrival-Date: Fri May 18 20:30:03 GMT 2007 >Closed-Date: >Last-Modified: >Originator: Nick Barkas >Release: FreeBSD 6.1-RELEASE-p6 i386 >Organization: Three Rings Design >Environment: FreeBSD lab1.earth.threerings.net 6.1-RELEASE-p6 FreeBSD 6.1-RELEASE-p6 #5: Wed Sep 13 17:45:32 PDT 2006 root@lab1.earth.threerings.net:/usr/obj/usr/src/sys/SMP i386 >Description: See http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2754 "Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow." This bug can allow remote code execution, so this should probably be added to the VuXML. Maintainer has been CC'd. >How-To-Repeat: >Fix: The latest release of FreeType does not seem to include a fix for this, but this patch should fix the problem. I put it in the port's files directory, incremented portrevision, and portupgrade took care of updating the port for me. --- patch-src_truetype_ttgload.c begins here --- --- src/truetype/ttgload.c.orig Tue Feb 14 12:44:56 2006 +++ src/truetype/ttgload.c Fri May 18 13:05:34 2007 @@ -269,7 +269,11 @@ n_points = 0; if ( n_contours > 0 ) + { n_points = cont[-1] + 1; + if ( n_points < 0 ) + goto Invalid_Outline; + } /* note that we will add four phantom points later */ error = FT_GLYPHLOADER_CHECK_POINTS( gloader, n_points + 4, 0 ); @@ -677,7 +681,7 @@ FT_GlyphLoader gloader = loader->gloader; FT_Error error = TT_Err_Ok; FT_Outline* outline; - FT_UInt n_points; + FT_Int n_points; outline = &gloader->current.outline; 
@@ -704,7 +708,7 @@ /* Deltas apply to the unscaled data. */ FT_Vector* deltas; FT_Memory memory = loader->face->memory; - FT_UInt i; + FT_Int i; error = TT_Vary_Get_Glyph_Deltas( (TT_Face)(loader->face), --- patch-src_truetype_ttgload.c ends here --- >Release-Note: >Audit-Trail: >Unformatted:
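Review bot: In the first hunk (@@ -269,7 +269,11 @@), the new `if ( n_points < 0 ) goto Invalid_Outline;` only rejects anything if `n_points` is a signed type at this point, and neither its declaration nor the type of `cont` is visible in the hunk; please confirm that `n_points` is signed in this function and that an `Invalid_Outline` label exists there, otherwise the comparison is dead code or the patch will not compile. Since `cont[-1]` is read straight from the font file, a short comment stating that a negative contour end index is the case described in CVE-2007-2754 would make the intent of the check clear to the next reader.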
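Review bot: The second hunk (@@ -677,7 +681,7 @@) changes `n_points` from `FT_UInt` to `FT_Int` but shows no corresponding range check in that function; making the variable signed only changes how a negative count is interpreted, it does not reject it, so either the check in the first hunk must be the only place this value can originate from font data, or this function needs its own `n_points < 0` check before any allocation or loop that uses it. Please also look for comparisons of `n_points` against unsigned values in this function, which become mixed-sign comparisons after this change.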
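Review bot: The third hunk (@@ -704,7 +708,7 @@) changes the loop index `i` to `FT_Int`, which is consistent with `n_points` becoming signed in the previous hunk, but the hunk ends before the loop itself, so it is not visible whether `i` is compared against `n_points` or against some other count; confirm that the bound it is compared with is also signed, otherwise the change only moves the signed/unsigned mismatch rather than removing it.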