1 files changed, 27 insertions, 0 deletions

diff --git a/app-text/cuneiform/files/cuneiform-1.1.0-fix_buffer_overflow.patch b/app-text/cuneiform/files/cuneiform-1.1.0-fix_buffer_overflow.patch
new file mode 100644
index 000000000000..8e9811540cd6
--- /dev/null
+++ b/app-text/cuneiform/files/cuneiform-1.1.0-fix_buffer_overflow.patch
@@ -0,0 +1,27 @@
+Description: Fix buffer overflow during crash when using user supplied image.
+Author: Sławomir Nizio
+Forwarded: no
+Last-Update: 2017-04-05
+
+--- a/cuneiform_src/Kern/rstr/src/acc_tabs.c	
++++ b/cuneiform_src/Kern/rstr/src/acc_tabs.c	
+@@ -1233,7 +1233,7 @@ if(is_cen_language(language))
+ 
+     strcpy(decode_ASCII_to_[(uchar)liga_i      ],   "_i_");
+     strcpy(decode_ASCII_to_[(uchar)liga_exm    ],   "_!_");
+-    strcpy(decode_ASCII_to_[(uchar)liga_inv_exm],   "_!!_");
++    strcpy(decode_ASCII_to_[(uchar)liga_inv_exm],   "_!_");
+     strcpy(decode_ASCII_to_[(uchar)right_quocket],  "\xbb");
+ 	strcpy(decode_ASCII_to_[(uchar)liga_CC     ],   "\xa9");
+ 	strcpy(decode_ASCII_to_[(uchar)liga_CR     ],   "\xae");
+--- a/cuneiform_src/Kern/rstr/src/match_wd.c	
++++ b/cuneiform_src/Kern/rstr/src/match_wd.c
+@@ -484,7 +484,7 @@
+   str_raster->w=(int32_t)(right-left);
+   str_raster->h=(int32_t)(bottom-top);
+ 
+-  if (str_raster->w > LINE_WIDTH || str_raster->h > LINE_HEIGHT)
++  if ((str_raster->w+7) > LINE_WIDTH || str_raster->h > LINE_HEIGHT)
+     return FALSE;
+ 
+   memset(&str_raster->pict,0,(str_raster->w+7)/8*str_raster->h);