blob: e66400ddb1b3238f5c4e2fc6ec2cb1e187df0c08 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
|
From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Thu, 17 Mar 2022 19:24:16 +0100
Subject: [PATCH] [sfnt] Avoid invalid face index.
Fixes #1138.
* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
Check `face_index` before decrementing.
CVE: CVE-2022-27404
Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db.patch]
Comment: Removed second hunk as sfwoff2.c file is not part of current v2.10.1 code
Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
---
src/sfnt/sfobjs.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
index f9d4d3858..9771c35df 100644
--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
@@ -566,7 +566,7 @@
face_index = FT_ABS( face_instance_index ) & 0xFFFF;
/* value -(N+1) requests information on index N */
- if ( face_instance_index < 0 )
+ if ( face_instance_index < 0 && face_index > 0 )
face_index--;
if ( face_index >= face->ttc_header.count )
--
GitLab
|
