summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
Diffstat (limited to 'app-text/cuneiform/files/cuneiform-1.1.0-fix_buffer_overflow.patch')
-rw-r--r--app-text/cuneiform/files/cuneiform-1.1.0-fix_buffer_overflow.patch27
1 files changed, 27 insertions, 0 deletions
diff --git a/app-text/cuneiform/files/cuneiform-1.1.0-fix_buffer_overflow.patch b/app-text/cuneiform/files/cuneiform-1.1.0-fix_buffer_overflow.patch
new file mode 100644
index 00000000000..8e9811540cd
--- /dev/null
+++ b/app-text/cuneiform/files/cuneiform-1.1.0-fix_buffer_overflow.patch
@@ -0,0 +1,27 @@
+Description: Fix buffer overflow during crash when using user supplied image.
+Author: SÅ‚awomir Nizio
+Forwarded: no
+Last-Update: 2017-04-05
+
+--- a/cuneiform_src/Kern/rstr/src/acc_tabs.c
++++ b/cuneiform_src/Kern/rstr/src/acc_tabs.c
+@@ -1233,7 +1233,7 @@ if(is_cen_language(language))
+
+ strcpy(decode_ASCII_to_[(uchar)liga_i ], "_i_");
+ strcpy(decode_ASCII_to_[(uchar)liga_exm ], "_!_");
+- strcpy(decode_ASCII_to_[(uchar)liga_inv_exm], "_!!_");
++ strcpy(decode_ASCII_to_[(uchar)liga_inv_exm], "_!_");
+ strcpy(decode_ASCII_to_[(uchar)right_quocket], "\xbb");
+ strcpy(decode_ASCII_to_[(uchar)liga_CC ], "\xa9");
+ strcpy(decode_ASCII_to_[(uchar)liga_CR ], "\xae");
+--- a/cuneiform_src/Kern/rstr/src/match_wd.c
++++ b/cuneiform_src/Kern/rstr/src/match_wd.c
+@@ -484,7 +484,7 @@
+ str_raster->w=(int32_t)(right-left);
+ str_raster->h=(int32_t)(bottom-top);
+
+- if (str_raster->w > LINE_WIDTH || str_raster->h > LINE_HEIGHT)
++ if ((str_raster->w+7) > LINE_WIDTH || str_raster->h > LINE_HEIGHT)
+ return FALSE;
+
+ memset(&str_raster->pict,0,(str_raster->w+7)/8*str_raster->h);