CVE-2011-1552, CVE-2011-1553 and CVE-2011-1554
Author: Jaroslav Škarvada
Origin: http://bugzilla.redhat.com/show_bug.cgi?id=692909
--- t1lib-5.1.2.orig/lib/type1/lines.c 2007-12-23 09:49:42.000000000 -0600
+++ t1lib-5.1.2/lib/type1/lines.c 2012-01-17 14:15:08.000000000 -0600
@@ -67,6 +67,10 @@
 None.
 */
+#define BITS (sizeof(LONG)*8)
+#define HIGHTEST(p) (((p)>>(BITS-2)) != 0) /* includes sign bit */
+#define TOOBIG(xy) ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy))
+
 /*
 :h2.StepLine() - Produces Run Ends for a Line After Checks
@@ -84,6 +88,9 @@
 IfTrace4((LineDebug > 0), ".....StepLine: (%d,%d) to (%d,%d)\n",
 x1, y1, x2, y2);
+ if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2))
+ abort("Lines this big not supported", 49);
+
 dy = y2 - y1;
 /*
Index: t1lib-5.1.2/lib/type1/objects.c
=================================================================
--- t1lib-5.1.2.orig/lib/type1/objects.c 2007-12-23 09:49:42.000000000 -0600
+++ t1lib-5.1.2/lib/type1/objects.c 2012-01-17 14:15:08.000000000 -0600
@@ -1137,12 +1137,13 @@
 "Context: out of them", /* 46 */
 "MatrixInvert: can't", /* 47 */
 "xiStub called", /* 48 */
- "Illegal access type1 abort() message" /* 49 */
+ "Lines this big not supported", /* 49 */
+ "Illegal access type1 abort() message" /* 50 */
 };
- /* no is valid from 1 to 48 */
- if ( (number<1)||(number>48))
- number=49;
+ /* no is valid from 1 to 49 */
+ if ( (number<1)||(number>49))
+ number=50;
 return( err_msgs[number-1]);
 }
Index: t1lib-5.1.2/lib/type1/type1.c
=================================================================
--- t1lib-5.1.2.orig/lib/type1/type1.c 2012-01-17 14:13:28.000000000 -0600
+++ t1lib-5.1.2/lib/type1/type1.c 2012-01-17 14:19:54.000000000 -0600
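Review bot: The TOOBIG macro added in the first lines.c hunk uses its argument unparenthesized (`xy < 0`, `-xy`), so an expression argument such as `a - b` binds wrongly, and `-xy` is a signed overflow, hence undefined behaviour, when xy is the most negative value of its type, which is exactly the range this guard exists to reject. `#define TOOBIG(xy) (((xy) < 0) ? HIGHTEST(-(xy)) : HIGHTEST((xy)))` fixes the binding; to avoid the negation altogether an equivalent limit comparison is `#define TOOBIG(xy) ((xy) > (LONG_MAX >> 1) || (xy) < -(LONG_MAX >> 1))`, which needs `<limits.h>` and assumes LONG is a typedef for long, something not visible in this hunk. BITS being derived from `sizeof(LONG)*8` rather than CHAR_BIT is a minor portability nit in the same lines.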
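Review bot: The new StepLine check passes the literal error number 49 to abort(), and that index has to stay in step with the err_msgs table edited by hand in the objects.c hunk of this same patch; a named constant visible to both files would keep the two from drifting, e.g. `abort("Lines this big not supported", T1_ERR_LINE_TOO_BIG);` with the name being a placeholder to be chosen by the project. The types of x1, y1, x2 and y2 are not visible in the hunk, so whether they are the same width as LONG (which the BITS-2 margin is sized for) needs confirming. StepLine's body continues outside the hunk.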
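Review bot: The objects.c hunk bumps the hard-coded bounds 48/49 to 49/50 by hand, the second place in this patch that must be kept in step with the message table; since err_msgs appears to be an array whose initialiser the `};` context line closes, the bound can be derived from it instead: `if ( (number<1)||(number>(int)(sizeof err_msgs / sizeof err_msgs[0])-1)) number=(int)(sizeof err_msgs / sizeof err_msgs[0]);` replacing the two changed lines, with the comment becoming `/* the last entry is the fallback for out-of-range numbers */`. The enclosing function's signature is outside the hunk, so confirm err_msgs is a true array rather than a pointer parameter before relying on sizeof.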
@@ -1012,6 +1012,7 @@
 double nextdtana = 0.0; /* tangent of post-delta against horizontal line */
 double nextdtanb = 0.0; /* tangent of post-delta against vertical line */
+ if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n");
 /* setup default hinted position */
 ppoints[numppoints-1].ax = ppoints[numppoints-1].x;
@@ -1289,7 +1290,7 @@
 static int DoRead(CodeP)
 int *CodeP;
 {
- if (strindex >= CharStringP->len) return(FALSE); /* end of string */
+ if (!CharStringP || strindex >= CharStringP->len) return(FALSE); /* end of string */
 /* We handle the non-documented Adobe convention to use lenIV=-1 to
 suppress charstring encryption. */
 if (blues->lenIV==-1) {
@@ -1700,7 +1701,7 @@
 long pindex = 0;
 /* compute hinting for previous segment! */
- if (ppoints == NULL) Error0i("RLineTo: No previous point!\n");
+ if (ppoints == NULL || numppoints < 2) Error0i("RLineTo: No previous point!\n");
 FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
 /* Allocate a new path point and pre-setup data */
@@ -1729,7 +1730,7 @@
 long pindex = 0;
 /* compute hinting for previous point! */
- if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n");
+ if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n");
 FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
 /* Allocate three new path points and pre-setup data */
@@ -1788,7 +1789,9 @@
 long tmpind;
 double deltax = 0.0;
 double deltay = 0.0;
-
+ if (ppoints == NULL || numppoints < 1) Error0i("DoClosePath: No previous point!");
+
 /* If this ClosePath command together with the starting point of this path completes to a segment aligned to a stem, we would miss hinting for this point. --> Check and explicitly care for this! */
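Review bot: Every guard this patch adds, here in FindStems and in the DoRead, RLineTo, RRCurveTo, DoClosePath, RMoveTo, FlxProc and FlxProc2 hunks, protects the dereference that follows only if Error0v/Error0i actually leave the enclosing function; their definitions are outside this view, and if either merely logs in some build configuration, `ppoints[numppoints-1].ax = ppoints[numppoints-1].x;` on the next context line is still reached with a NULL or empty list. Worth confirming that both macros return unconditionally, and worth stating it once at this first use, e.g. `/* Error0v returns from the caller; it guards the ppoints[] accesses below */`. FindStems's body continues outside the hunk.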
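Review bot: The trailing comment `/* end of string */` on the changed DoRead line no longer describes the whole condition now that a NULL CharStringP also returns FALSE; `/* no charstring, or end of string */` would. Whether strindex and CharStringP->len share signedness is not visible here; a signed strindex compared against an unsigned len is converted to unsigned first, so a negative strindex would pass the check. DoRead's body continues past the hunk.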
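Review bot: The guard `ppoints == NULL || numppoints < 2` added in RLineTo is repeated verbatim in the RRCurveTo (@@ -1729) and RMoveTo (@@ -1905) hunks, each immediately before indexing `ppoints[numppoints-2]`; ppoints and numppoints appear to be file-scope state, so a small `static int HavePrevPoint(void) { return ppoints != NULL && numppoints >= 2; }` would name the invariant once and make the `-2` index visibly justified at each call site. The rewritten condition would then read `if (!HavePrevPoint()) Error0i("RLineTo: No previous point!\n");`. RLineTo's body continues outside the hunk.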
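Review bot: The new DoClosePath message `"DoClosePath: No previous point!"` has no trailing newline, unlike the RLineTo, RRCurveTo, RMoveTo, FindStems and DoRead messages in this same patch, and the same applies to the second DoClosePath check (@@ -1803) and to the FlxProc and FlxProc2 hunks; whether Error0i appends one itself is not visible here, so either the messages should be made uniform or a comment at the macro should say which form is expected. The hunk also replaces the removed line with a blank one, which reads as a whitespace-only change around the insert.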
@@ -1803,6 +1806,7 @@
 deltax = ppoints[i].x - ppoints[numppoints-1].x;
 deltay = ppoints[i].y - ppoints[numppoints-1].y;
+ if (ppoints == NULL || numppoints <= i + 1) Error0i("DoClosePath: No previous point!");
 /* save nummppoints and reset to move point */
 tmpind = numppoints;
 numppoints = i + 1;
@@ -1905,7 +1909,7 @@
 FindStems( currx, curry, 0, 0, dx, dy);
 }
 else {
- if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n");
+ if (ppoints == NULL || numppoints < 2) Error0i("RMoveTo: No previous point!\n");
 FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy);
 }
@@ -2155,6 +2159,7 @@
 DOUBLE cx, cy;
 DOUBLE ex, ey;
+ if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous point!");
 /* Our PPOINT list now contains 7 moveto commands which are about to be consumed by the Flex mechanism. --> Remove these
@@ -2324,6 +2329,7 @@
 /* Returns currentpoint on stack */
 static void FlxProc2()
 {
+ if (ppoints == NULL || numppoints < 1) Error0v("FlxProc2: No previous point!");
 /* Push CurrentPoint on fake PostScript stack */
 PSFakePush( ppoints[numppoints-1].x);
 PSFakePush( ppoints[numppoints-1].y);
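Review bot: In the second DoClosePath hunk the new `numppoints <= i + 1` check sits below the two context lines that already read `ppoints[i]` and `ppoints[numppoints-1]`, so if it is meant to protect those reads it comes too late and belongs above the `deltax = ...` line. If it instead protects whatever runs after `numppoints = i + 1` in the lines below, a comment should say so, e.g. `/* numppoints is cut to i+1 below; make sure at least one point remains before the move point */`, with the exact requirement confirmed against the code that follows, which is outside the hunk. The `ppoints == NULL` half appears redundant with the guard the first DoClosePath hunk adds earlier in the same function, assuming i comes from the same function; where i is computed is not visible here.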
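Review bot: The FlxProc guard rejects `numppoints < 8` while the comment on the next context line speaks of 7 moveto commands, and nothing in the hunk explains the extra one; presumably the point preceding the seven flex movetos is also consumed, in which case a comment on the new line such as `/* the 7 flex movetos plus the current point that precedes them */` would make the bound checkable by the next reader, and a named constant for the 7/8 pair would keep it from drifting. The removal code the comment refers to continues outside the hunk, so the exact number of entries it indexes should be confirmed there.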