
freetype2-2.4.4-5.5.mga1.src.rpm


Backport of the LZW decoder hardening noted in the freetype-2.4.7 release; it consists of:

Slightly improve LZW_CLEAR handling.
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=487913d9a6355b21cc1cbb73dbf93e64d081e715

Add explicit LZW decompression stack size limit.
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=83cb6c0049f6cc5ea3f27d1d90891472f288ac5e

Protect against loops in the prefix table.
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=86c3c69c15dfc46238e2e0822876982b21aa53f9

--- src/lzw/ftzopen.c	2009-07-31 16:45:18.000000000 +0000
+++ src/lzw/ftzopen.c.oden	2011-10-21 05:36:25.000000000 +0000
@@ -124,6 +124,15 @@
         old_size     = 0;
       }
 
+      /* requirement of the character stack larger than 1<<LZW_MAX_BITS */
+      /* implies bug in the decompression code                          */
+      if ( new_size > ( 1 << LZW_MAX_BITS ) )
+      {
+        new_size = 1 << LZW_MAX_BITS;
+        if ( new_size == old_size )
+          return -1;
+      }
+
       if ( FT_RENEW_ARRAY( state->stack, old_size, new_size ) )
         return -1;
 
@@ -279,7 +288,7 @@
                            : state->max_free + 1;
 
         c = ft_lzwstate_get_code( state );
-        if ( c < 0 )
+        if ( c < 0 || c > 255 )
           goto Eof;
 
         old_code = old_char = (FT_UInt)c;
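Review bot: The new `c > 255` test on L44 carries a magic number with no explanation of why the first code is bounded; a one-line comment would make the intent clear, e.g. `if ( c < 0 || c > 255 )  /* the first code must be a literal byte; nothing else can precede it */`. As written, a leading CLEAR code (256) is now treated as end of input instead of a table reset; if the format permits a stream to open with CLEAR this is a behaviour change worth confirming against the reference implementation. The assignment on L47 relies on this bound so that `old_char` later fits in the byte-sized stack push. The enclosing loop and switch begin outside this hunk.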
@@ -312,11 +321,12 @@
           /* why not LZW_FIRST-256 ? */
           state->free_ent  = ( LZW_FIRST - 1 ) - 256;
           state->buf_clear = 1;
-          c = ft_lzwstate_get_code( state );
-          if ( c < 0 )
-            goto Eof;
 
-          code = (FT_UInt)c;
+          /* not quite right, but at least more predictable */
+          old_code = 0;
+          old_char = 0;
+
+          goto NextCode;
         }
 
         in_code = code; /* save code for later */
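Review bot: The hunk deletes the `c < 0` end-of-input test that used to follow the CLEAR handling and replaces it with `goto NextCode`, a label outside this hunk; the change is only safe if the code at `NextCode` performs that same EOF check on the freshly read code, which should be confirmed. The comment "not quite right, but at least more predictable" on L57 does not say what is wrong; from the visible code, zeroing `old_code`/`old_char` after a reset means a literal code following CLEAR is handled normally while a table code presumably falls into the `free_ent` comparison further down, so the comment would be more useful as `/* after a reset there is no previous string; zero the state so a following literal is decoded and a following table code is caught by the free_ent check */`. The `/* why not LZW_FIRST-256 ? */` question on L49 predates this change and should either be answered or removed.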
@@ -326,6 +336,10 @@
           /* special case for KwKwKwK */
           if ( code - 256U >= state->free_ent )
           {
+            /* corrupted LZW stream */
+            if ( code - 256U > state->free_ent )
+              goto Eof;
+
             FTLZW_STACK_PUSH( old_char );
             code = old_code;
           }
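Review bot: Together with the enclosing `code - 256U >= state->free_ent` test on L67, the new guard on L70 admits exactly one value, `code - 256U == state->free_ent`, and the nested pair of comparisons obscures that; I would state it directly as `/* only the next free entry may be referenced (KwKwKwK); anything beyond it cannot have been produced by a compressor */` followed by `if ( code - 256U != state->free_ent ) goto Eof;`. Routing corruption to `Eof` also makes it indistinguishable from a legitimate end of data unless the `Eof` label, which is outside this hunk, records an error; if it does not, callers receive a truncated decode as success, which is worth noting in the comment. The `if ( code >= 256U )` branch this sits in, and the arithmetic that makes `code - 256U` safe from wrap-around, begin before the hunk.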