> has anyone more information on the recent exploit for the iPhone,
> reportedly caused by a problem within FreeType's
> `t1_decoder_parse_charstrings'? Extracting the buggy font from
>
> http://www.jailbreakme.com/saffron/_/iPod_4.3.3_8J2.pdf
>
> and testing the current ftview (from the git repository, but rather
> the same as with version 2.4.5) with valgrind on my GNU/Linux box, I
> get a bunch of
>
> Conditional jump or move depends on uninitialised value(s)
>
> but nothing else (and I'll fix these problems in due course).
I've applied the fix below, rejecting negative arguments to `callothersubr'. This corrects the valgrind errors. If you think that this is a critical issue (that is, if the exploit is repeatable with FreeType 2.4.5 and my patch fixes this), I'll release 2.4.6 as soon as possible. Please test and comment.

Werner

======================================================================

diff --git a/ChangeLog b/ChangeLog index 25fb10c..c58d6bf 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,10 @@ +2011-07-08 Werner Lemberg <w...@gnu.org> + + [psaux] Add better argument check for `callothersubr'. + + * src/psaux/t1decode.c (t1_decoder_parse_charstrings) + <op_callothersubr>: Reject negative arguments. + 2011-07-07 Werner Lemberg <w...@gnu.org> [sfnt] Try harder to find non-zero values for ascender and descender. diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c index ea31c51..a60ec38 100644 --- a/src/psaux/t1decode.c +++ b/src/psaux/t1decode.c @@ -4,8 +4,7 @@ /* */ /* PostScript Type 1 decoding routines (body). */ /* */ -/* Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 */ -/* 2010 by */ +/* Copyright 2000-2011 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -687,6 +686,9 @@ subr_no = (FT_Int)( top[1] >> 16 ); arg_cnt = (FT_Int)( top[0] >> 16 ); + if ( arg_cnt < 0 || subr_no < 0 ) + goto Unexpected_OtherSubr; + /***********************************************************/ /* */ /* remove all operands to callothersubr from the stack */

_______________________________________________ Freetype-devel mailing list Freetype-devel@nongnu.org https://lists.nongnu.org/mailman/listinfo/freetype-devel
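Review bot: the ChangeLog hunk records what is rejected but not why it matters; since this entry is the fix for the valgrind "Conditional jump or move depends on uninitialised value(s)" reports triggered by the font from the saffron PDF mentioned upthread, a short mention of that symptom in the entry (and in the 2.4.6 release notes, if this goes out as the security release discussed above) would help anyone bisecting or auditing later.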
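Review bot: in the t1decode.c hunk the new `if ( arg_cnt < 0 || subr_no < 0 ) goto Unexpected_OtherSubr;` closes the sign hole, but the hunk shows no upper bound on `arg_cnt` against the number of operands actually on the stack before the following "remove all operands to callothersubr from the stack" step; if that step does not already compare `arg_cnt` with the current stack depth, add that check in the same place, since an oversized positive count would move the operand pointer below the stack base just as a negative one moved it past the operands that were pushed (which is what produced the uninitialised-value reads).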
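To show why a sign check is needed in addition to the usual "more arguments than operands" test, here is a simplified model of the callothersubr operand handling, written as an added illustration and not FreeType's own code; it assumes, following the comment at the end of the hunk, that the code after the check removes arg_cnt further operands from the stack, and the operand stack and values are constructed.

```c
#include <stdio.h>
/* Simplified model of callothersubr operand handling in a Type 1 charstring
 * decoder; an added illustration, not FreeType's own code.  Operands are
 * 16.16 fixed point, `depth' counts pushed operands, and as in the hunk the
 * top two are <arg_cnt> <subr_no>.  Assumed here: the code after the hunk
 * then removes arg_cnt further operands from the stack. */
#define FROM_F16(v)  ((int)((v) / 65536L))   /* the hunk uses `>> 16' */
#define TO_F16(v)    ((long)(v) * 65536L)

enum { T1_OK = 0, T1_ERR_UNDERFLOW = 1, T1_ERR_UNEXPECTED = 2 };

/* patched == 0 models the pre-patch check, which only guards against popping
 * more operands than are present: a negative arg_cnt passes it and *raises*
 * the depth, so later operators read slots that were never pushed.
 * patched == 1 adds the test introduced by the hunk. */
int othersubr_pop(const long *stack, int depth, int patched, int *new_depth)
{
    int arg_cnt, subr_no;
    if (depth < 2) return T1_ERR_UNDERFLOW;
    subr_no = FROM_F16(stack[depth - 1]);
    arg_cnt = FROM_F16(stack[depth - 2]);
    depth  -= 2;
    if (patched && (arg_cnt < 0 || subr_no < 0))
        return T1_ERR_UNEXPECTED;       /* goto Unexpected_OtherSubr */
    if (arg_cnt > depth)
        return T1_ERR_UNDERFLOW;        /* more args than operands present */
    *new_depth = depth - arg_cnt;
    return T1_OK;
}

/* Push n_ops dummy operands, then <arg_cnt> <subr_no>, and run the check.
 * Returns the resulting depth, or -1 when the call is rejected. */
int run_case(int n_ops, int arg_cnt, int subr_no, int patched)
{
    long stack[48];                     /* constructed operand stack */
    int  i, new_depth;
    for (i = 0; i < n_ops; i++) stack[i] = TO_F16(10 * (i + 1));
    stack[n_ops]     = TO_F16(arg_cnt);
    stack[n_ops + 1] = TO_F16(subr_no);
    if (othersubr_pop(stack, n_ops + 2, patched, &new_depth) != T1_OK)
        return -1;
    return new_depth;
}

int main(void)
{
    /* two real operands, crafted arg_cnt -3: old yields depth 5 of 4 pushed */
    printf("old: %d  patched: %d\n", run_case(2, -3, 3, 0), run_case(2, -3, 3, 1));
    return 0;
}
```

Note that with the old logic the reported depth (5) exceeds the four values ever pushed, which is exactly the kind of read of never-written slots that valgrind flags as uninitialised.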