Diffstat (limited to 'media-gfx')
-rw-r--r-- | media-gfx/fontforge/files/CVE-2020-5395.patch | 78 |
1 files changed, 0 insertions, 78 deletions
diff --git a/media-gfx/fontforge/files/CVE-2020-5395.patch b/media-gfx/fontforge/files/CVE-2020-5395.patch
deleted file mode 100644
index 51b524503764..000000000000
--- a/media-gfx/fontforge/files/CVE-2020-5395.patch
+++ /dev/null
@@ -1,78 +0,0 @@
-From 048a91e2682c1a8936ae34dbc7bd70291ec05410 Mon Sep 17 00:00:00 2001
-From: Skef Iterum <unknown>
-Date: Mon, 6 Jan 2020 03:05:06 -0800
-Subject: [PATCH] Fix for #4084 Use-after-free (heap) in the
- SFD_GetFontMetaData() function Fix for #4086 NULL pointer dereference in the
- SFDGetSpiros() function Fix for #4088 NULL pointer dereference in the
- SFD_AssignLookups() function Add empty sf->fontname string if it isn't set,
- fixing #4089 #4090 and many other potential issues (many downstream calls
- to strlen() on the value).
-
----
- fontforge/sfd.c | 19 ++++++++++++++-----
- fontforge/sfd1.c | 2 +-
- 2 files changed, 15 insertions(+), 6 deletions(-)
-
-diff --git a/fontforge/sfd.c b/fontforge/sfd.c
-index 731be201e0..e8ca39ba83 100644
---- a/fontforge/sfd.c
-+++ b/fontforge/sfd.c
-@@ -4032,13 +4032,16 @@ static void SFDGetSpiros(FILE *sfd,SplineSet *cur) {
- while ( fscanf(sfd,"%lg %lg %c", &cp.x, &cp.y, &cp.ty )==3 ) {
- if ( cur!=NULL ) {
- if ( cur->spiro_cnt>=cur->spiro_max )
-- cur->spiros = realloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));
-+ cur->spiros = realloc(cur->spiros,
-+ (cur->spiro_max+=10)*sizeof(spiro_cp));
- cur->spiros[cur->spiro_cnt++] = cp;
- }
- }
-- if ( cur!=NULL && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
-+ if ( cur!=NULL && cur->spiro_cnt>0
-+ && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
- if ( cur->spiro_cnt>=cur->spiro_max )
-- cur->spiros = realloc(cur->spiros,(cur->spiro_max+=1)*sizeof(spiro_cp));
-+ cur->spiros = realloc(cur->spiros,
-+ (cur->spiro_max+=1)*sizeof(spiro_cp));
- memset(&cur->spiros[cur->spiro_cnt],0,sizeof(spiro_cp));
- cur->spiros[cur->spiro_cnt++].ty = SPIRO_END;
- }
-@@ -7992,10 +7995,12 @@ bool SFD_GetFontMetaData( FILE *sfd,
- else if ( strmatch(tok,"LayerCount:")==0 )
- {
- d->had_layer_cnt = true;
-- getint(sfd,&sf->layer_cnt);
-- if ( sf->layer_cnt>2 ) {
-+ int layer_cnt_tmp;
-+ getint(sfd,&layer_cnt_tmp);
-+ if ( layer_cnt_tmp>2 ) {
- sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
- memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
-+ sf->layer_cnt = layer_cnt_tmp;
- }
- }
- else if ( strmatch(tok,"Layer:")==0 )
-@@ -8948,6 +8953,10 @@ exit( 1 );
- }
- }
-
-+ // Many downstream functions assume this isn't NULL (use strlen, etc.)
-+ if ( sf->fontname==NULL)
-+ sf->fontname = copy("");
-+
- if ( fromdir )
- sf = SFD_FigureDirType(sf,tok,dirname,enc,remap,had_layer_cnt);
- else if ( sf->subfontcnt!=0 ) {
-diff --git a/fontforge/sfd1.c b/fontforge/sfd1.c
-index cf931059d0..b42f832678 100644
---- a/fontforge/sfd1.c
-+++ b/fontforge/sfd1.c
-@@ -674,7 +674,7 @@ void SFD_AssignLookups(SplineFont1 *sf) {
-
- /* Fix up some gunk from really old versions of the sfd format */
- SFDCleanupAnchorClasses(&sf->sf);
-- if ( sf->sf.uni_interp==ui_unset )
-+ if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )
- sf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);
-
- /* Fixup for an old bug */ |