Blame freetype-2.4.6-CVE-2012-1134.patch
|
|
c9e0ddd |
--- a/src/type1/t1parse.c
|
|
|
c9e0ddd |
+++ b/src/type1/t1parse.c
|
|
|
c9e0ddd |
@@ -4,7 +4,7 @@
|
|
|
c9e0ddd |
/* */
|
|
|
c9e0ddd |
/* Type 1 parser (body). */
|
|
|
c9e0ddd |
/* */
|
|
|
c9e0ddd |
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008, 2009 by */
|
|
|
c9e0ddd |
+/* Copyright 1996-2005, 2008, 2009, 2012 by */
|
|
|
c9e0ddd |
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
|
|
|
c9e0ddd |
/* */
|
|
|
c9e0ddd |
/* This file is part of the FreeType project, and may only be used, */
|
|
|
c9e0ddd |
@@ -467,6 +467,14 @@
|
|
|
c9e0ddd |
/* we now decrypt the encoded binary private dictionary */
|
|
|
c9e0ddd |
psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U );
|
|
|
c9e0ddd |
|
|
|
c9e0ddd |
+ if ( parser->private_len < 4 )
|
|
|
c9e0ddd |
+ {
|
|
|
c9e0ddd |
+ FT_ERROR(( "T1_Get_Private_Dict:"
|
|
|
c9e0ddd |
+ " invalid private dictionary section\n" ));
|
|
|
c9e0ddd |
+ error = T1_Err_Invalid_File_Format;
|
|
|
c9e0ddd |
+ goto Fail;
|
|
|
c9e0ddd |
+ }
|
|
|
c9e0ddd |
+
|
|
|
c9e0ddd |
/* replace the four random bytes at the beginning with whitespace */
|
|
|
c9e0ddd |
parser->private_dict[0] = ' ';
|
|
|
c9e0ddd |
parser->private_dict[1] = ' ';
|