path: root/extra/t1lib/CVE-2011-1552_1553_1554.patch
blob: aaa31f7b935e6abeb9fed2dbaa9dc127d6c1c8cc (plain)
Author: Jaroslav Škarvada <jskarvad@redhat.com>
Description: Fix more crashes on oversized fonts
Bug-Redhat: http://bugzilla.redhat.com/show_bug.cgi?id=692909
Index: t1lib-5.1.2/lib/type1/lines.c
===================================================================
--- t1lib-5.1.2.orig/lib/type1/lines.c	2007-12-23 09:49:42.000000000 -0600
+++ t1lib-5.1.2/lib/type1/lines.c	2012-01-17 14:15:08.000000000 -0600
@@ -67,6 +67,10 @@
 None.
 */
  
+#define  BITS         (sizeof(LONG)*8)
+#define  HIGHTEST(p)  (((p)>>(BITS-2)) != 0)  /* includes sign bit */
+#define  TOOBIG(xy)   ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy))
+
 /*
 :h2.StepLine() - Produces Run Ends for a Line After Checks
  
@@ -84,6 +88,9 @@
        IfTrace4((LineDebug > 0), ".....StepLine: (%d,%d) to (%d,%d)\n",
                                             x1, y1, x2, y2);
  
+      if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2))
+              abort("Lines this big not supported", 49);
+
        dy = y2 - y1;
  
 /*
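Review bot: The new guard in StepLine depends on TOOBIG (defined in the preceding hunk of this file), whose negative branch evaluates `-xy`; for the most negative LONG value that negation overflows, which is undefined behaviour in C, so the check cannot be relied on for exactly the extreme coordinate it is meant to reject. The macro also uses `xy` unparenthesised and evaluates it more than once. Comparing against a limit avoids the negation, for example (LIMIT is a name constructed for this note) `#define LIMIT ((LONG)1 << (BITS-2))` and `#define TOOBIG(xy) ((xy) >= LIMIT || (xy) <= -LIMIT)`, which rejects the same range. StepLine's body starts and continues outside this hunk.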
Index: t1lib-5.1.2/lib/type1/objects.c
===================================================================
--- t1lib-5.1.2.orig/lib/type1/objects.c	2007-12-23 09:49:42.000000000 -0600
+++ t1lib-5.1.2/lib/type1/objects.c	2012-01-17 14:15:08.000000000 -0600
@@ -1137,12 +1137,13 @@
     "Context:  out of them", /* 46 */
     "MatrixInvert:  can't", /* 47 */
     "xiStub called", /* 48 */
-    "Illegal access type1 abort() message" /* 49 */
+    "Lines this big not supported", /* 49 */
+    "Illegal access type1 abort() message" /* 50 */
   };
 
-  /* no is valid from 1 to 48 */
-  if ( (number<1)||(number>48))
-    number=49;
+  /* no is valid from 1 to 49 */
+  if ( (number<1)||(number>49))
+    number=50;
   return( err_msgs[number-1]);
     
 }
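Review bot: The bounds here (`number>49`, `number=50`) are maintained by hand against the length of err_msgs, and the same literal 49 is passed at the new call in lines.c, so each added message needs several edits to stay in step. A missed one would make `err_msgs[number-1]` return the wrong text or index past the table. Deriving the limit from the array removes that coupling: `int last = (int)(sizeof(err_msgs)/sizeof(err_msgs[0]));` followed by `if (number < 1 || number >= last) number = last;`. The comment would then read `/* valid numbers are 1 .. last-1; last is the fallback message */`. The enclosing function starts outside the hunk, so the type of `number` is assumed to be int.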
Index: t1lib-5.1.2/lib/type1/type1.c
===================================================================
--- t1lib-5.1.2.orig/lib/type1/type1.c	2012-01-17 14:13:28.000000000 -0600
+++ t1lib-5.1.2/lib/type1/type1.c	2012-01-17 14:19:54.000000000 -0600
@@ -1012,6 +1012,7 @@
   double nextdtana = 0.0;   /* tangent of post-delta against horizontal line */ 
   double nextdtanb = 0.0;   /* tangent of post-delta against vertical line */ 
   
+  if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n");
  
   /* setup default hinted position */
   ppoints[numppoints-1].ax     = ppoints[numppoints-1].x;
@@ -1289,7 +1290,7 @@
 static int DoRead(CodeP)
   int *CodeP;
 {
-  if (strindex >= CharStringP->len) return(FALSE); /* end of string */
+  if (!CharStringP || strindex >= CharStringP->len) return(FALSE); /* end of string */
   /* We handle the non-documented Adobe convention to use lenIV=-1 to
      suppress charstring encryption. */
   if (blues->lenIV==-1) {
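Review bot: The trailing comment on the changed guard in DoRead still says `/* end of string */`, but the condition now also returns FALSE when CharStringP is NULL, so a missing charstring is reported to the caller exactly like a normal end of data. Update the comment to `/* no charstring, or end of string */` and consider whether callers should be able to tell the two cases apart. The next visible line dereferences `blues` without a comparable check; whether it can be NULL at this point is not visible in the hunk. DoRead's body continues outside the hunk.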
@@ -1700,7 +1701,7 @@
   long pindex = 0;
   
   /* compute hinting for previous segment! */
-  if (ppoints == NULL) Error0i("RLineTo: No previous point!\n");
+  if (ppoints == NULL || numppoints < 2) Error0i("RLineTo: No previous point!\n");
   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
 
   /* Allocate a new path point and pre-setup data */
@@ -1729,7 +1730,7 @@
   long pindex = 0;
   
   /* compute hinting for previous point! */
-  if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n");
+  if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n");
   FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
 
   /* Allocate three new path points and pre-setup data */
@@ -1788,7 +1789,9 @@
   long tmpind;
   double deltax = 0.0;
   double deltay = 0.0;
-  
+ 
+  if (ppoints == NULL || numppoints < 1) Error0i("DoClosePath: No previous point!");
+ 
   /* If this ClosePath command together with the starting point of this
      path completes to a segment aligned to a stem, we would miss
      hinting for this point. --> Check and explicitly care for this! */
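Review bot: The message added here, `"DoClosePath: No previous point!"`, has no trailing `\n`, while the guards in FindStems, RLineTo, RRCurveTo and RMoveTo in this same patch end theirs with `\n`; the second DoClosePath check and the FlxProc and FlxProc2 messages have the same inconsistency. Whether Error0i/Error0v print the string is not visible here, but the literals should be uniform either way, e.g. `Error0i("DoClosePath: No previous point!\n");`. The two replacement lines around the guard are whitespace-only (a single space) and would be cleaner as empty lines. The function's signature and the rest of its body are outside the hunk.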
@@ -1803,6 +1806,7 @@
     deltax = ppoints[i].x - ppoints[numppoints-1].x;
     deltay = ppoints[i].y - ppoints[numppoints-1].y;
 
+    if (ppoints == NULL || numppoints <= i + 1) Error0i("DoClosePath: No previous point!");
     /* save nummppoints and reset to move point */
     tmpind = numppoints;
     numppoints = i + 1;
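Review bot: The added check `numppoints <= i + 1` runs after the two context lines that already read `ppoints[i]` and `ppoints[numppoints-1]`, so it cannot protect those accesses. The `ppoints == NULL` half is also too late to matter at this position. Move the guard above the `deltax`/`deltay` assignments, and if `i` can be negative at this point (its origin is outside the hunk) reject that as well: `if (i < 0 || numppoints <= i + 1) Error0i("DoClosePath: No previous point!");`. The surrounding loop or branch that sets `i` starts outside the hunk, so confirm the placement against the full function.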
@@ -1905,7 +1909,7 @@
     FindStems( currx, curry, 0, 0, dx, dy);
   }
   else {
-    if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n");
+    if (ppoints == NULL || numppoints < 2) Error0i("RMoveTo: No previous point!\n");
     FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy);
   }
   
@@ -2155,6 +2159,7 @@
   DOUBLE cx, cy;
   DOUBLE ex, ey;
 
+  if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous point!");
 
   /* Our PPOINT list now contains 7 moveto commands which
      are about to be consumed by the Flex mechanism. --> Remove these
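Review bot: The threshold in `numppoints < 8` is unexplained, and the comment directly below it speaks of 7 moveto commands, so a reader cannot tell from the hunk whether 8 is intentional or an off-by-one. If the intent is the seven flex points plus the point that precedes them, say so next to the guard, e.g. `/* need the 7 flex movetos plus the point they start from */`, or name the constant. The message text "No previous point!" also understates the condition, since the function is refused whenever fewer than eight points exist. FlxProc's signature and the rest of its body are outside the hunk.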
@@ -2324,6 +2329,7 @@
 /*   Returns currentpoint on stack          */
 static void FlxProc2()
 {
+  if (ppoints == NULL || numppoints < 1) Error0v("FlxProc2: No previous point!");
   /* Push CurrentPoint on fake PostScript stack */
   PSFakePush( ppoints[numppoints-1].x);
   PSFakePush( ppoints[numppoints-1].y);