BTW, VUPEN lists "two vulnerabilities", but FreeType2 mentions "a vulnerability". Somebody may afraid that another vulnerability is left in genuine FreeType2. This is the difference of the modification part in Apple's patch& our patch. In Apple's patch, 2 stack checking are inserted to 2 CFF operators increasing the stack. In our patch, a stack checking is inserted after all CFF operations, aslike existing stack checking for CFF numerical objects.
Frankly, that makes the most sense. Technote 5177 on Type2 charstrings rather explicitly states the maximum allowed sizes for various aspects of charstring parsing, pretty plainly stating that the normal argument stack has max size 48, and the transient stack (for opcode programs) max size 32, so a push onto the stack should always be conditional on whether or not it's already full... wonder why Apple decided to completely ignore that fact...
- Mike _______________________________________________ Freetype mailing list [email protected] http://lists.nongnu.org/mailman/listinfo/freetype
