Blame SOURCES/fontforge-20120731-b-cve-2020-5395.patch

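diff -urN fontforge-20120731-b.old/fontforge/sfd1.c fontforge-20120731-b/fontforge/sfd1.c
--- fontforge-20120731-b.old/fontforge/sfd1.c	2012-08-02 20:39:09.000000000 +0530
+++ fontforge-20120731-b/fontforge/sfd1.c	2020-04-08 14:15:27.262285908 +0530
@@ -667,7 +667,7 @@
 
     /* Fix up some gunk from really old versions of the sfd format */
     SFDCleanupAnchorClasses(&sf->sf);
-    if ( sf->sf.uni_interp==ui_unset )
+    if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )
 	sf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);
 
     /* Fixup for an old bug */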
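Review bot: When `sf->sf.map` is NULL the new guard skips the assignment, so `uni_interp` leaves this fix-up step still holding `ui_unset`. That avoids the NULL dereference of `sf->sf.map->enc`, but nothing in the hunk shows whether later code tolerates `ui_unset`. If it does not, a fallback such as `else if ( sf->sf.uni_interp==ui_unset ) sf->sf.uni_interp = ui_none;` would keep the field at a defined value. A short comment like `/* map may be NULL (presumably a malformed SFD); skip the encoding lookup */` would also record why the check exists. The enclosing function starts and ends outside the hunk.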
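diff -urN fontforge-20120731-b.old/fontforge/sfd.c fontforge-20120731-b/fontforge/sfd.c
--- fontforge-20120731-b.old/fontforge/sfd.c	2012-08-02 20:39:09.000000000 +0530
+++ fontforge-20120731-b/fontforge/sfd.c	2020-04-08 14:16:37.448996390 +0530
@@ -3333,13 +3333,16 @@
     while ( fscanf(sfd,"%lg %lg %c", &cp.x, &cp.y, &cp.ty )==3 ) {
 	if ( cur!=NULL ) {
 	    if ( cur->spiro_cnt>=cur->spiro_max )
-		cur->spiros = grealloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));
+		cur->spiros = realloc(cur->spiros,
+		                      (cur->spiro_max+=10)*sizeof(spiro_cp));
 	    cur->spiros[cur->spiro_cnt++] = cp;
 	}
     }
-    if ( cur!=NULL && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
+    if (    cur!=NULL && cur->spiro_cnt>0
+         && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
 	if ( cur->spiro_cnt>=cur->spiro_max )
-	    cur->spiros = grealloc(cur->spiros,(cur->spiro_max+=1)*sizeof(spiro_cp));
+	    cur->spiros = realloc(cur->spiros,
+	                          (cur->spiro_max+=1)*sizeof(spiro_cp));
 	memset(&cur->spiros[cur->spiro_cnt],0,sizeof(spiro_cp));
 	cur->spiros[cur->spiro_cnt++].ty = SPIRO_END;
     }
@@ -6611,8 +6614,10 @@
 	    sf->grid.order2 = o2;
 	} else if ( strmatch(tok,"LayerCount:")==0 ) {
 	    had_layer_cnt = true;
-	    getint(sfd,&sf->layer_cnt);
-	    if ( sf->layer_cnt>2 ) {
+	    int layer_cnt_tmp;
+	    getint(sfd,&layer_cnt_tmp);
+	    if ( layer_cnt_tmp>2 ) {
+	        sf->layer_cnt = layer_cnt_tmp;
 		sf->layers = grealloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
 		memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
 	    }
@@ -7227,6 +7232,10 @@
 	}
     }
 
+    // Many downstream functions assume this isn't NULL (use strlen, etc.)
+    if ( sf->fontname==NULL)
+	sf->fontname = copy("");
+
     if ( fromdir )
 	sf = SFD_FigureDirType(sf,tok,dirname,enc,remap,had_layer_cnt);
     else if ( sf->subfontcnt!=0 ) {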
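Review bot: Both spiro growth sites in the first hunk (the `+=10` one inside the `fscanf` loop and the `+=1` one before the `SPIRO_END` terminator) now store the result of plain `realloc` directly into `cur->spiros`, and the very next statement writes through that pointer. If the allocation fails the result is NULL, so the old buffer is leaked, `spiro_max` has already been increased, and the following store dereferences NULL while parsing file-controlled input. Whatever out-of-memory handling `grealloc` had is not visible here, but the LayerCount hunk in the same file still calls `grealloc`. Either keep `grealloc` at these two sites or grow through a temporary and stop on failure, as sketched for the loop site below; the terminator site needs the same shape. The enclosing function starts and ends outside the hunk.

```c
	    if ( cur->spiro_cnt>=cur->spiro_max ) {
		spiro_cp *grown = realloc(cur->spiros,
		                          (cur->spiro_max+10)*sizeof(spiro_cp));
		if ( grown==NULL )
		    break;		/* old buffer still valid; stop reading points */
		cur->spiros = grown;
		cur->spiro_max += 10;
	    }
	    cur->spiros[cur->spiro_cnt++] = cp;
	/* … unchanged: end of loop, SPIRO_END terminator block … */
```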