Author: truckman
Date: Fri Mar 18 07:36:15 2016
New Revision: 1735542
URL: http://svn.apache.org/viewvc?rev=1735542&view=rev
Log:
Fix equivalent to Graphite2 CVE-2016-1521.
Added:
openoffice/trunk/main/graphite/graphite-2.3.1-CVE-2016-1521.patch (with
props)
Modified:
openoffice/trunk/main/graphite/makefile.mk
Added: openoffice/trunk/main/graphite/graphite-2.3.1-CVE-2016-1521.patch
URL:
http://svn.apache.org/viewvc/openoffice/trunk/main/graphite/graphite-2.3.1-CVE-2016-1521.patch?rev=1735542&view=auto
==============================================================================
--- openoffice/trunk/main/graphite/graphite-2.3.1-CVE-2016-1521.patch (added)
+++ openoffice/trunk/main/graphite/graphite-2.3.1-CVE-2016-1521.patch Fri Mar
18 07:36:15 2016
@@ -0,0 +1,20 @@
+--- misc/silgraphite-2.3.1/engine/src/font/TtfUtil.cpp 2009-01-29 08:33:19 UTC
++++ misc/build/silgraphite-2.3.1/engine/src/font/TtfUtil.cpp 2016-03-17
00:06:29 UTC
+@@ -1106,7 +1106,7 @@ size_t LocaLookup(gr::gid16 nGlyphId,
+ // CheckTable verifies the index_to_loc_format is valid
+ if (read(pTable->index_to_loc_format) ==
Sfnt::FontHeader::ShortIndexLocFormat)
+ { // loca entries are two bytes and have been divided by two
+- if (nGlyphId <= (lLocaSize >> 1) - 1) // allow sentinel value
to be accessed
++ if (lLocaSize >= 2 && nGlyphId <= (lLocaSize >> 1) - 1) //
allow sentinel value to be accessed
+ {
+ const uint16 * pTable = reinterpret_cast<const uint16
*>(pLoca);
+ return (read(pTable[nGlyphId]) << 1);
+@@ -1115,7 +1115,7 @@ size_t LocaLookup(gr::gid16 nGlyphId,
+
+ if (read(pTable->index_to_loc_format) ==
Sfnt::FontHeader::LongIndexLocFormat)
+ { // loca entries are four bytes
+- if (nGlyphId <= (lLocaSize >> 2) - 1)
++ if (lLocaSize >= 4 && nGlyphId <= (lLocaSize >> 2) - 1)
+ {
+ const uint32 * pTable = reinterpret_cast<const uint32
*>(pLoca);
+ return read(pTable[nGlyphId]);
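Review bot: The guards added to both branches of LocaLookup (`lLocaSize >= 2 && ...` and `lLocaSize >= 4 && ...`) have no comment explaining why they are needed, and the subtraction they protect is still in the condition. Assuming lLocaSize is an unsigned size (its declaration is outside the hunk), a loca table shorter than one entry makes `(lLocaSize >> 1) - 1` wrap around, so every glyph id passes the bound and the indexed read runs past the table. Writing the tests as `if (nGlyphId < (lLocaSize >> 1))` and `if (nGlyphId < (lLocaSize >> 2))` accepts the same ids and leaves no subtraction to wrap. If the two-term form is kept, add a comment such as `// a table shorter than one entry would wrap the subtraction below` above each test. The returned offset is not range-checked in the visible lines, so callers presumably have to validate it against the glyf table length; LocaLookup begins and ends outside these hunks.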
Propchange: openoffice/trunk/main/graphite/graphite-2.3.1-CVE-2016-1521.patch
------------------------------------------------------------------------------
svn:eol-style = native
Modified: openoffice/trunk/main/graphite/makefile.mk
URL:
http://svn.apache.org/viewvc/openoffice/trunk/main/graphite/makefile.mk?rev=1735542&r1=1735541&r2=1735542&view=diff
==============================================================================
--- openoffice/trunk/main/graphite/makefile.mk (original)
+++ openoffice/trunk/main/graphite/makefile.mk Fri Mar 18 07:36:15 2016
@@ -50,7 +50,7 @@ all:
TARFILE_NAME=silgraphite-2.3.1
TARFILE_MD5=d35724900f6a4105550293686688bbb3
-PATCH_FILES=graphite-2.3.1.patch graphite-2.3.1_debug.patch
graphite-2.3.1_stlportemu.patch
+PATCH_FILES=graphite-2.3.1.patch graphite-2.3.1_debug.patch
graphite-2.3.1_stlportemu.patch graphite-2.3.1-CVE-2016-1521.patch
# convert line-endings to avoid problems when patching
CONVERTFILES=\