shithub: freetype+ttf2subf

Download patch

ref: 83cb6c0049f6cc5ea3f27d1d90891472f288ac5e
parent: 86c3c69c15dfc46238e2e0822876982b21aa53f9
author: Tomas Hoger <[email protected]>
date: Sun Sep 11 05:13:45 EDT 2011

Add explicit LZW decompression stack size limit.

Stack larger than 1<<LZW_MAX_BITS is never needed if prefix table is
constructed correctly.  It's even less than that, see e.g.
libarchive code comment for a better size upper bound:

  http://code.google.com/p/libarchive/source/browse/trunk/libarchive/archive_read_support_filter_compress.c?r=3635#121

This patch adds explicit stack size limit, enforced when stack is
realloced.

An alternative is to ensure that code < state->prefix[code - 256]
when traversing prefix table.  Such check is less efficient and
should not be required if prefix table is constructed correctly in
the first place.

* src/lzw/ftzopen.c (ft_lzwstate_stack_grow): Implement it.

git/fs: mount .git/fs: mount/attach disallowed
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,25 @@
 2011-09-11  Tomas Hoger  <[email protected]>
 
+	Add explicit LZW decompression stack size limit.
+
+	Stack larger than 1<<LZW_MAX_BITS is never needed if prefix table is
+	constructed correctly.  It's even less than that, see e.g. 
+	libarchive code comment for a better size upper bound:
+
+	  http://code.google.com/p/libarchive/source/browse/trunk/libarchive/archive_read_support_filter_compress.c?r=3635#121
+
+	This patch adds explicit stack size limit, enforced when stack is
+	realloced.
+
+	An alternative is to ensure that code < state->prefix[code - 256]
+	when traversing prefix table.  Such check is less efficient and
+	should not be required if prefix table is constructed correctly in
+	the first place.
+
+	* src/lzw/ftzopen.c (ft_lzwstate_stack_grow): Implement it.
+
+2011-09-11  Tomas Hoger  <[email protected]>
+
 	Protect against loops in the prefix table.
 
 	LZW decompressor did not sufficiently check codes read from the
--- a/src/lzw/ftzopen.c
+++ b/src/lzw/ftzopen.c
@@ -124,6 +124,15 @@
         old_size     = 0;
       }
 
+      /* requirement of the character stack larger than 1<<LZW_MAX_BITS */
+      /* implies bug in the decompression code                          */
+      if ( new_size > ( 1 << LZW_MAX_BITS ) )
+      {
+        new_size = 1 << LZW_MAX_BITS;
+        if ( new_size == old_size )
+          return -1;
+      }
+
       if ( FT_RENEW_ARRAY( state->stack, old_size, new_size ) )
         return -1;