rpms/bombono-dvd/devel .cvsignore, NONE, 1.1 Makefile, NONE, 1.1 sources, NONE, 1.1
by Nicolas Chauvet
Author: kwizart
Update of /cvs/free/rpms/bombono-dvd/devel
In directory se02.es.rpmfusion.net:/home/rpmfusion/kwizart/free/owners/tmpcvsvI9795/rpms/bombono-dvd/devel
Added Files:
.cvsignore Makefile sources
Log Message:
Setup of module bombono-dvd
--- NEW FILE .cvsignore ---
--- NEW FILE Makefile ---
# Makefile for source rpm: bombono-dvd
# $Id: Makefile,v 1.1 2012/04/02 10:11:27 kwizart Exp $
NAME := bombono-dvd
SPECFILE = $(firstword $(wildcard *.spec))
define find-makefile-common
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
endef
MAKEFILE_COMMON := $(shell $(find-makefile-common))
ifeq ($(MAKEFILE_COMMON),)
# attept a checkout
define checkout-makefile-common
test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
endef
MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
endif
include $(MAKEFILE_COMMON)
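Review bot: In find-makefile-common, the writability test reads `-w $$/Makefile.common`, which after make expansion is the literal path `$/Makefile.common` rather than `$d/Makefile.common`. The test therefore never succeeds and the `cvs -Q update` of the common module is never run. It should be `-w $$d/Makefile.common`, matching the `-f $$d/Makefile.common` test earlier on the same line.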
--- NEW FILE sources ---
12 years, 7 months
rpms/bombono-dvd Makefile, NONE, 1.1 import.log, NONE, 1.1 pkg.acl, NONE, 1.1
by Nicolas Chauvet
Author: kwizart
Update of /cvs/free/rpms/bombono-dvd
In directory se02.es.rpmfusion.net:/home/rpmfusion/kwizart/free/owners/tmpcvsvI9795/rpms/bombono-dvd
Added Files:
Makefile import.log pkg.acl
Log Message:
Setup of module bombono-dvd
--- NEW FILE Makefile ---
# Top level Makefile for module bombono-dvd
all : CVS/Root common-update
@cvs update
common-update : common
@cd common && cvs update
common : CVS/Root
@cvs checkout common
CVS/Root :
@echo "ERROR: This does not look like a CVS checkout" && exit 1
clean :
@find . -type f -name *~ -exec rm -fv {} \;
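Review bot: In the clean target, the pattern in `-name *~` is unquoted, so the shell expands it against the current directory before find sees it. If a backup file exists at the top level, find matches only that name (or fails on multiple arguments) instead of matching all backup files in the tree. Quote it as `-name '*~'`.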
--- NEW FILE import.log ---
--- NEW FILE pkg.acl ---
12 years, 7 months
rpms/bombono-dvd/devel - New directory
by Nicolas Chauvet
Author: kwizart
Update of /cvs/free/rpms/bombono-dvd/devel
In directory se02.es.rpmfusion.net:/home/rpmfusion/kwizart/free/owners/tmpcvsvI9795/rpms/bombono-dvd/devel
Log Message:
Directory /cvs/free/rpms/bombono-dvd/devel added to the repository
12 years, 7 months
rpms/bombono-dvd - New directory
by Nicolas Chauvet
Author: kwizart
Update of /cvs/free/rpms/bombono-dvd
In directory se02.es.rpmfusion.net:/home/rpmfusion/kwizart/free/owners/tmpcvsvI9795/rpms/bombono-dvd
Log Message:
Directory /cvs/free/rpms/bombono-dvd added to the repository
12 years, 7 months
rpms/get-flash-videos/F-16 README.fedora, NONE, 1.1 get-flash-videos.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
by Alec Leamas
Author: leamas
Update of /cvs/free/rpms/get-flash-videos/F-16
In directory se02.es.rpmfusion.net:/tmp/cvs-serv3580/F-16
Modified Files:
.cvsignore sources
Added Files:
README.fedora get-flash-videos.spec
Log Message:
Initial commit
--- NEW FILE README.fedora ---
Currently, the search function is broken, see e. g.:
http://code.google.com/p/get-flash-videos/issues/detail?id=341
http://code.google.com/p/get-flash-videos/issues/detail?id=332
http://code.google.com/p/get-flash-videos/issues/detail?id=351
Licensing:
- lib/FlashVideo/JSON.pm is in Public Domain
- lib/FlashVideo/Site/Zshare.pm is GPLv3+
- All other files are ASL 2.0
--- NEW FILE get-flash-videos.spec ---
%global rel_tag 3.20120329git8abc6c6
Name: get-flash-videos
Version: 1.24
Release: %{?rel_tag}%{?dist}
Summary: CLI tool to download flash video from websites
Group: Applications/Communications
# License breakdown in README.fedora
License: ASL 2.0 and GPLv3+
URL: http://code.google.com/p/get-flash-videos/
# rel_tag=1.20120329git8abc6c6;
# srcdir=get-flash-videos
# git clone git://github.com/monsieurvideo/get-flash-videos.git $srcdir
# cd $srcdir; git reset --hard ${rel_tag##*git}; cd ..
# tar czf $srcdir-$rel_tag.tar.gz --exclude .git $srcdir
Source0: get-flash-videos-%{version}-%{rel_tag}.tar.gz
Source1: README.fedora
BuildArch: noarch
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(Compress::Zlib)
BuildRequires: perl(Crypt::Rijndael)
BuildRequires: perl(XML::Parser::PerlSAX)
BuildRequires: perl(LWP::UserAgent::Determined)
Buildrequires: perl(Test::Simple)
BuildRequires: perl(Tie::IxHash)
BuildRequires: perl(WWW::Mechanize)
BuildRequires: perl(XML::Simple)
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Requires: perl(Compress::Zlib)
Requires: perl(Crypt::Rijndael)
Requires: perl(Data::AMF)
Requires: perl(LWP::UserAgent::Determined)
Requires: perl(Tie::IxHash)
Requires: perl(XML::Simple)
Requires: rtmpdump
%{?perl_default_filter}
%description
Download videos from various Flash-based video hosting sites, without
having to use the Flash player. Handy for saving videos for watching
offline, and means you don't have to keep upgrading Flash for sites that
insist on a newer version of the player.
%prep
%setup -q -n get-flash-videos
cp %{SOURCE1} .
%build
%{__perl} Makefile.PL INSTALLDIRS=vendor
make %{?_smp_mflags}
# Search is currently broken, see README.fedora
rm t/google_video_search.t
%install
make pure_install DESTDIR=$RPM_BUILD_ROOT
find $RPM_BUILD_ROOT -type f -name .packlist -exec rm -f {} ';'
find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2>/dev/null ';'
%{_fixperms} $RPM_BUILD_ROOT/*
%check
make test
%files
%doc README README.fedora
%{perl_vendorlib}/*
%{_bindir}/get_flash_videos
%{_mandir}/man1/*.1*
%changelog
* Thu Mar 29 2012 Alec Leamas <alec(a)nowhere.com> 1.24-3.20120329git8abc6c6
- Updating license break-down
* Fri Feb 24 2012 Alec Leamas <alec(a)nowhere.com> 1.24-3.20120224git8abc6c6
- Re-enabling Require: perl(:MODULE_COMPAT_...)
- Resolving naming mess, illegal name of spec, bad name of source.
* Tue Feb 21 2012 Alec Leamas <alec(a)nowhere.com> 1.24-3.20120205git8abc6c6
- Rewriting deps using Perl(Module) syntax.
- Removing auto-detected Requires.
- Updating Requires: from upstream website.
* Sun Feb 05 2012 Alec Leamas <alec(a)nowhere.com> 1.24-2.20120205git8abc6c6
- Moving to latest git
* Sat Jan 31 2012 Alec Leamas <alec(a)nowhere.com> 1.24-1
- Intial packaging
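Review bot: The tarball recipe in the comment above Source0 does not reproduce the file that Source0 names. It sets `rel_tag=1.20120329git8abc6c6` while the spec defines `%global rel_tag 3.20120329git8abc6c6`, and it writes `$srcdir-$rel_tag.tar.gz` without the `%{version}` component that Source0 includes. Since the source is generated from a git checkout rather than fetched from a release URL, the recipe is the only record of where it came from. Please make it produce exactly `get-flash-videos-%{version}-%{rel_tag}.tar.gz` and record the full commit hash rather than the abbreviated `8abc6c6`.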
Index: .cvsignore
===================================================================
RCS file: /cvs/free/rpms/get-flash-videos/F-16/.cvsignore,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- .cvsignore 30 Mar 2012 10:16:16 -0000 1.1
+++ .cvsignore 2 Apr 2012 09:21:37 -0000 1.2
@@ -0,0 +1 @@
+get-flash-videos-1.24-3.20120329git8abc6c6.tar.gz
Index: sources
===================================================================
RCS file: /cvs/free/rpms/get-flash-videos/F-16/sources,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sources 30 Mar 2012 10:16:16 -0000 1.1
+++ sources 2 Apr 2012 09:21:37 -0000 1.2
@@ -0,0 +1 @@
+1cd7ff89cfa44aa647b96670533a43dc get-flash-videos-1.24-3.20120329git8abc6c6.tar.gz
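Review bot: The added `sources` line identifies the tarball by a 32-hex-digit digest and file name only, and the spec builds that tarball locally from a git checkout, so nothing here ties the uploaded bytes to an upstream commit. Recording the full upstream commit hash in the spec comment would let a reviewer regenerate the tree and compare its contents.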
12 years, 7 months
rpms/freetype-freeworld/F-16 freetype-2.4.6-CVE-2012-1126.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1127.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1128.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1130.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1131.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1132.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1133.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1134.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1135.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1136.patch, NONE, 1.1 freetype-2.4.6-CVE-2012
by Kevin Kofler
Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/F-16
In directory se02.es.rpmfusion.net:/tmp/cvs-serv29418/F-16
Modified Files:
freetype-freeworld.spec
Added Files:
freetype-2.4.6-CVE-2012-1126.patch
freetype-2.4.6-CVE-2012-1127.patch
freetype-2.4.6-CVE-2012-1128.patch
freetype-2.4.6-CVE-2012-1130.patch
freetype-2.4.6-CVE-2012-1131.patch
freetype-2.4.6-CVE-2012-1132.patch
freetype-2.4.6-CVE-2012-1133.patch
freetype-2.4.6-CVE-2012-1134.patch
freetype-2.4.6-CVE-2012-1135.patch
freetype-2.4.6-CVE-2012-1136.patch
freetype-2.4.6-CVE-2012-1137.patch
freetype-2.4.6-CVE-2012-1138.patch
freetype-2.4.6-CVE-2012-1139.patch
freetype-2.4.6-CVE-2012-1140.patch
freetype-2.4.6-CVE-2012-1141.patch
freetype-2.4.6-CVE-2012-1142.patch
freetype-2.4.6-CVE-2012-1143.patch
freetype-2.4.6-CVE-2012-1144.patch
freetype-2.4.6-bdf-overflow.patch
Log Message:
* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.6-5
- Add security patches from Fedora freetype-2.4.6-5 (rh#806270)
freetype-2.4.6-CVE-2012-1126.patch:
bdflib.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1126.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1,6 +1,6 @@
/*
* Copyright 2000 Computing Research Labs, New Mexico State University
- * Copyright 2001-2011
+ * Copyright 2001-2012
* Francesco Zappa Nardelli
*
* Permission is hereby granted, free of charge, to any person obtaining a
@@ -1254,7 +1254,8 @@
ep = line + linelen;
/* Trim the leading whitespace if it exists. */
- *sp++ = 0;
+ if ( *sp )
+ *sp++ = 0;
while ( *sp &&
( *sp == ' ' || *sp == '\t' ) )
sp++;
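Review bot: In the second hunk the new guard `if ( *sp )` tests only for a NUL byte, while `ep = line + linelen` is computed just above and is not consulted by either the guarded write or the whitespace loop that follows. Both are safe only if the buffer is NUL-terminated at or before `ep`. Either bound them with `sp < ep` or add a comment stating that the caller guarantees the terminator.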
freetype-2.4.6-CVE-2012-1127.patch:
bdflib.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1127.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -188,6 +188,7 @@
#define ACMSG13 "Glyph %ld extra rows removed.\n"
#define ACMSG14 "Glyph %ld extra columns removed.\n"
#define ACMSG15 "Incorrect glyph count: %ld indicated but %ld found.\n"
+#define ACMSG16 "Glyph %ld missing columns padded with zero bits.\n"
/* Error messages. */
#define ERRMSG1 "[line %ld] Missing \"%s\" line.\n"
@@ -1725,18 +1726,31 @@
for ( i = 0; i < nibbles; i++ )
{
c = line[i];
+ if ( !c )
+ break;
*bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] );
if ( i + 1 < nibbles && ( i & 1 ) )
*++bp = 0;
}
+ /* If any line has not enough columns, */
+ /* indicate they have been padded with zero bits. */
+ if ( i < nibbles &&
+ !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
+ {
+ FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG16, glyph->encoding ));
+ p->flags |= _BDF_GLYPH_WIDTH_CHECK;
+ font->modified = 1;
+ }
+
/* Remove possible garbage at the right. */
mask_index = ( glyph->bbx.width * p->font->bpp ) & 7;
if ( glyph->bbx.width )
*bp &= nibble_mask[mask_index];
/* If any line has extra columns, indicate they have been removed. */
- if ( ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
+ if ( i == nibbles &&
+ ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
!( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
{
FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding ));
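Review bot: In the nibble loop, `if ( !c ) break;` stops only at a NUL byte, so any other non-hex character still reaches `a2i[c]` as an index, and a negative index is possible if `c` has a signed char type (its declaration is not in the hunk). The lookup should be preceded by a hex-digit test. The CVE-2012-1139 patch in this same commit replaces this line with `if ( !isdigok( hdigits, c ) )`, so this patch is incomplete unless both are applied. A note to that effect in the spec would help anyone backporting a subset.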
freetype-2.4.6-CVE-2012-1128.patch:
ttinterp.c | 21 ++++++---------------
1 file changed, 6 insertions(+), 15 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1128.patch ---
--- a/src/truetype/ttinterp.c 2011-01-31 21:45:29.000000000 +0100
+++ b/src/truetype/ttinterp.c 2012-03-28 13:07:28.000000000 +0200
@@ -5788,7 +5788,7 @@
FT_F26Dot6 dx,
dy;
- FT_UShort last_point, i;
+ FT_UShort limit, i;
if ( BOUNDS( args[0], 2 ) )
@@ -5805,24 +5805,15 @@
/* Twilight zone has no contours, so use `n_points'. */
/* Normal zone's `n_points' includes phantoms, so must */
/* use end of last contour. */
- if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
- last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
+ if ( CUR.GS.gep2 == 0 )
+ limit = (FT_UShort)CUR.zp2.n_points;
else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
- {
- last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
-
- if ( BOUNDS( last_point, CUR.zp2.n_points ) )
- {
- if ( CUR.pedantic_hinting )
- CUR.error = TT_Err_Invalid_Reference;
- return;
- }
- }
+ limit = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] + 1 );
else
- last_point = 0;
+ limit = 0;
/* XXX: UNDOCUMENTED! SHZ doesn't touch the points */
- for ( i = 0; i <= last_point; i++ )
+ for ( i = 0; i < limit; i++ )
{
if ( zp.cur != CUR.zp2.cur || refp != i )
MOVE_Zp2_Point( i, dx, dy, FALSE );
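Review bot: The `CUR.GS.gep2 == 1` branch drops the `BOUNDS( last_point, CUR.zp2.n_points )` check, so `limit` is now taken from `CUR.zp2.contours[CUR.zp2.n_contours - 1] + 1` without any comparison against `n_points`, and the `(FT_UShort)` cast wraps to 0 when the last contour end is 0xFFFF. If the range is guaranteed elsewhere (in the loader or inside `MOVE_Zp2_Point`), the comment above should say so. Otherwise clamp `limit` to `CUR.zp2.n_points` before the loop.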
freetype-2.4.6-CVE-2012-1130.patch:
pcfread.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1130.patch ---
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -2,8 +2,7 @@
FreeType font driver for pcf fonts
- Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
- 2010 by
+ Copyright 2000-2010, 2012 by
Francesco Zappa Nardelli
Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -496,7 +495,8 @@ THE SOFTWARE.
goto Bail;
}
- if ( FT_NEW_ARRAY( strings, string_size ) )
+ /* allocate one more byte so that we have a final null byte */
+ if ( FT_NEW_ARRAY( strings, string_size + 1 ) )
goto Bail;
error = FT_Stream_Read( stream, (FT_Byte*)strings, string_size );
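Review bot: The extra byte acts as a terminator only if `FT_NEW_ARRAY` returns zeroed memory, because `FT_Stream_Read` fills just `string_size` bytes and nothing in the hunk writes `strings[string_size]`. An explicit `strings[string_size] = '\0';` after a successful read would make the guarantee local and visible. It is also worth confirming that the size check ending in `goto Bail` just above rules out `string_size + 1` wrapping.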
freetype-2.4.6-CVE-2012-1131.patch:
ftsmooth.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1131.patch ---
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -4,7 +4,7 @@
/* */
/* Anti-aliasing renderer interface (body). */
/* */
-/* Copyright 2000-2006, 2009-2011 by */
+/* Copyright 2000-2006, 2009-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -105,9 +105,9 @@
FT_Error error;
FT_Outline* outline = NULL;
FT_BBox cbox;
- FT_UInt width, height, pitch;
+ FT_Pos width, height, pitch;
#ifndef FT_CONFIG_OPTION_SUBPIXEL_RENDERING
- FT_UInt height_org, width_org;
+ FT_Pos height_org, width_org;
#endif
FT_Bitmap* bitmap;
FT_Memory memory;
@@ -151,7 +151,7 @@
return Smooth_Err_Raster_Overflow;
}
else
- width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
+ width = ( cbox.xMax - cbox.xMin ) >> 6;
if ( cbox.yMin < 0 && cbox.yMax > FT_INT_MAX + cbox.yMin )
{
@@ -161,7 +161,7 @@
return Smooth_Err_Raster_Overflow;
}
else
- height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
+ height = ( cbox.yMax - cbox.yMin ) >> 6;
bitmap = &slot->bitmap;
memory = render->root.memory;
@@ -223,7 +223,7 @@
/* Required check is ( pitch * height < FT_ULONG_MAX ), */
/* but we care realistic cases only. Always pitch <= width. */
- if ( width > 0x7FFFU || height > 0x7FFFU )
+ if ( width > 0x7FFF || height > 0x7FFF )
{
FT_ERROR(( "ft_smooth_render_generic: glyph too large: %u x %u\n",
width, height ));
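Review bot: After `width` and `height` change from `FT_UInt` to `FT_Pos`, the `FT_ERROR` call in the last hunk still formats them with `%u x %u`, which no longer matches the argument type. Update the format to the signed long form or cast the arguments. Separately, now that the variables are signed, `width > 0x7FFF || height > 0x7FFF` no longer rejects negative values, so confirm that the earlier cbox checks make a negative difference impossible, or test `< 0` here as well.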
freetype-2.4.6-CVE-2012-1132.patch:
psaux/psobjs.c | 4 ++--
type1/t1load.c | 39 ++++++++++++++++++++++++++-------------
2 files changed, 28 insertions(+), 15 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1132.patch ---
--- freetype-2.4.8/src/psaux/psobjs.c 2011-04-13 13:34:22.000000000 +0200
+++ freetype-2.4.8/src/psaux/psobjs.c 2012-03-30 14:35:25.000000000 +0200
@@ -4,7 +4,7 @@
/* */
/* Auxiliary functions for PostScript fonts (body). */
/* */
-/* Copyright 1996-2011 by */
+/* Copyright 1996-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -589,7 +589,7 @@
}
Exit:
- if ( cur == parser->cursor )
+ if ( cur < limit && cur == parser->cursor )
{
FT_ERROR(( "ps_parser_skip_PS_token:"
" current token is `%c' which is self-delimiting\n"
--- freetype-2.4.8/src/type1/t1load.c 2011-09-27 14:34:40.000000000 +0200
+++ freetype-2.4.8/src/type1/t1load.c 2012-03-30 14:35:57.000000000 +0200
@@ -71,6 +71,13 @@
#include "t1errors.h"
+#ifdef FT_CONFIG_OPTION_INCREMENTAL
+#define IS_INCREMENTAL ( face->root.internal->incremental_interface != 0 )
+#else
+#define IS_INCREMENTAL 0
+#endif
+
+
/*************************************************************************/
/* */
/* The macro FT_COMPONENT is used in trace mode. It is an implicit */
@@ -1030,7 +1037,8 @@
static int
read_binary_data( T1_Parser parser,
FT_Long* size,
- FT_Byte** base )
+ FT_Byte** base,
+ FT_Bool incremental )
{
FT_Byte* cur;
FT_Byte* limit = parser->root.limit;
@@ -1065,8 +1073,12 @@
}
}
- FT_ERROR(( "read_binary_data: invalid size field\n" ));
- parser->root.error = T1_Err_Invalid_File_Format;
+ if( !incremental )
+ {
+ FT_ERROR(( "read_binary_data: invalid size field\n" ));
+ parser->root.error = T1_Err_Invalid_File_Format;
+ }
+
return 0;
}
@@ -1387,15 +1399,17 @@
FT_Byte* base;
- /* If the next token isn't `dup' we are done. */
- if ( ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
+ /* If we are out of data, or if the next token isn't `dup', */
+ /* we are done. */
+ if ( parser->root.cursor + 4 >= parser->root.limit ||
+ ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
break;
T1_Skip_PS_Token( parser ); /* `dup' */
idx = T1_ToInt( parser );
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* The binary string is followed by one token, e.g. `NP' */
@@ -1407,7 +1421,8 @@
return;
T1_Skip_Spaces ( parser );
- if ( ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )
+ if ( parser->root.cursor + 4 < parser->root.limit &&
+ ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )
{
T1_Skip_PS_Token( parser ); /* skip `put' */
T1_Skip_Spaces ( parser );
@@ -1580,7 +1595,7 @@
cur++; /* skip `/' */
len = parser->root.cursor - cur;
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* for some non-standard fonts like `Optima' which provides */
@@ -1869,7 +1884,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -1882,7 +1897,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -2158,9 +2173,7 @@
type1->subrs_len = loader.subrs.lengths;
}
-#ifdef FT_CONFIG_OPTION_INCREMENTAL
- if ( !face->root.internal->incremental_interface )
-#endif
+ if ( !IS_INCREMENTAL )
if ( !loader.charstrings.init )
{
FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" ));
freetype-2.4.6-CVE-2012-1133.patch:
bdflib.c | 5 +++++
1 file changed, 5 insertions(+)
--- NEW FILE freetype-2.4.6-CVE-2012-1133.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:08:54.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:12:00.000000000 +0200
@@ -1587,6 +1587,11 @@
p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 );
+ /* Normalize negative encoding values. The specification only */
+ /* allows -1, but we can be more generous here. */
+ if ( p->glyph_enc < -1 )
+ p->glyph_enc = -1;
+
/* Check that the encoding is in the range [0,65536] because */
/* otherwise p->have (a bitmap with static size) overflows. */
if ( p->glyph_enc > 0 &&
freetype-2.4.6-CVE-2012-1134.patch:
t1parse.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1134.patch ---
--- a/src/type1/t1parse.c
+++ b/src/type1/t1parse.c
@@ -4,7 +4,7 @@
/* */
/* Type 1 parser (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008, 2009 by */
+/* Copyright 1996-2005, 2008, 2009, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -467,6 +467,14 @@
/* we now decrypt the encoded binary private dictionary */
psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U );
+ if ( parser->private_len < 4 )
+ {
+ FT_ERROR(( "T1_Get_Private_Dict:"
+ " invalid private dictionary section\n" ));
+ error = T1_Err_Invalid_File_Format;
+ goto Fail;
+ }
+
/* replace the four random bytes at the beginning with whitespace */
parser->private_dict[0] = ' ';
parser->private_dict[1] = ' ';
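Review bot: The `parser->private_len < 4` check is placed after the call to `psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U )`, so a too-short dictionary is still decrypted before being rejected. Moving the length check above the decrypt call rejects the malformed input before any processing and keeps the validation next to the point where `private_len` is established.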
freetype-2.4.6-CVE-2012-1135.patch:
ttinterp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1135.patch ---
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4477,7 +4477,7 @@
CUR.length = opcode_length[CUR.opcode];
if ( CUR.length < 0 )
{
- if ( CUR.IP + 1 > CUR.codeSize )
+ if ( CUR.IP + 1 >= CUR.codeSize )
goto Fail_Overflow;
CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
}
@@ -7544,7 +7544,7 @@
if ( ( CUR.length = opcode_length[CUR.opcode] ) < 0 )
{
- if ( CUR.IP + 1 > CUR.codeSize )
+ if ( CUR.IP + 1 >= CUR.codeSize )
goto LErrorCodeOverflow_;
CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
freetype-2.4.6-CVE-2012-1136.patch:
bdflib.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1136.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:13:24.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:15:33.000000000 +0200
@@ -1749,12 +1749,7 @@
if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
- {
- /* Missing ENCODING field. */
- FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" ));
- error = BDF_Err_Missing_Encoding_Field;
- goto Exit;
- }
+ goto Missing_Encoding;
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
@@ -1769,6 +1764,9 @@
/* Expect the DWIDTH (scalable width) field next. */
if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 )
{
+ if ( !( p->flags & _BDF_ENCODING ) )
+ goto Missing_Encoding;
+
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
goto Exit;
@@ -1794,6 +1792,9 @@
/* Expect the BBX field next. */
if ( ft_memcmp( line, "BBX", 3 ) == 0 )
{
+ if ( !( p->flags & _BDF_ENCODING ) )
+ goto Missing_Encoding;
+
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
goto Exit;
@@ -1893,6 +1894,12 @@
}
error = BDF_Err_Invalid_File_Format;
+ goto Exit;
+
+ Missing_Encoding:
+ /* Missing ENCODING field. */
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" ));
+ error = BDF_Err_Missing_Encoding_Field;
Exit:
if ( error && ( p->flags & _BDF_GLYPH ) )
freetype-2.4.6-CVE-2012-1137.patch:
bdflib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1137.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -462,7 +462,7 @@
if ( num_items > list->size )
{
unsigned long oldsize = list->size; /* same as _bdf_list_t.size */
- unsigned long newsize = oldsize + ( oldsize >> 1 ) + 4;
+ unsigned long newsize = oldsize + ( oldsize >> 1 ) + 5;
unsigned long bigsize = (unsigned long)( FT_INT_MAX / sizeof ( char* ) );
FT_Memory memory = list->memory;
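Review bot: The growth constant changes from 4 to 5 with no comment, and nothing in this hunk says what the minimum is for. The CVE-2012-1141 patch in this commit writes `list->field[0]` through `list->field[4]`, which appears to be the reason. Please name the constant or add a comment tying it to the number of fields that callers index unconditionally, so the two values cannot drift apart.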
freetype-2.4.6-CVE-2012-1138.patch:
ttinterp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1138.patch ---
--- a/src/truetype/ttinterp.c 2012-03-28 13:16:19.000000000 +0200
+++ b/src/truetype/ttinterp.c 2012-03-28 13:19:39.000000000 +0200
@@ -6223,7 +6223,7 @@
TT_MulFix14( (FT_UInt32)cvt_dist,
CUR.GS.freeVector.y );
- CUR.zp1.cur[point] = CUR.zp0.cur[point];
+ CUR.zp1.cur[point] = CUR.zp1.org[point];
}
org_dist = CUR_Func_dualproj( &CUR.zp1.org[point],
freetype-2.4.6-CVE-2012-1139.patch:
bdflib.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1139.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:24:22.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:24:22.000000000 +0200
@@ -791,7 +791,7 @@
};
-#define isdigok( m, d ) (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
+#define isdigok( m, d ) (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
/* Routine to convert an ASCII string into an unsigned long integer. */
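Review bot: With the `(unsigned char)` cast in `isdigok`, the index `(d) >> 3` can now reach 31, so every bitmap passed as `m` must have at least 32 entries. The table definitions are not part of this hunk. Please confirm their size, or state it in a comment next to the macro. Note also that the cast is applied only in the index, while `(d) & 7` and the later `a2i[c]` lookup still use the uncast value.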
@@ -1709,7 +1709,7 @@
for ( i = 0; i < nibbles; i++ )
{
c = line[i];
- if ( !c )
+ if ( !isdigok( hdigits, c ) )
break;
*bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] );
if ( i + 1 < nibbles && ( i & 1 ) )
@@ -1732,9 +1732,9 @@
*bp &= nibble_mask[mask_index];
/* If any line has extra columns, indicate they have been removed. */
- if ( i == nibbles &&
- ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
- !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
+ if ( i == nibbles &&
+ isdigok( hdigits, line[nibbles] ) &&
+ !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
{
FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding ));
p->flags |= _BDF_GLYPH_WIDTH_CHECK;
freetype-2.4.6-CVE-2012-1140.patch:
psconv.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1140.patch ---
--- a/src/psaux/psconv.c
+++ b/src/psaux/psconv.c
@@ -4,7 +4,7 @@
/* */
/* Some convenience conversions (body). */
/* */
-/* Copyright 2006, 2008, 2009 by */
+/* Copyright 2006, 2008, 2009, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -79,7 +79,7 @@
FT_Bool sign = 0;
- if ( p == limit || base < 2 || base > 36 )
+ if ( p >= limit || base < 2 || base > 36 )
return 0;
if ( *p == '-' || *p == '+' )
@@ -150,7 +150,7 @@
FT_Bool sign = 0;
- if ( p == limit )
+ if ( p >= limit )
return 0;
if ( *p == '-' || *p == '+' )
@@ -346,7 +346,11 @@
#if 1
- p = *cursor;
+ p = *cursor;
+
+ if ( p >= limit )
+ return 0;
+
if ( n > (FT_UInt)( limit - p ) )
n = (FT_UInt)( limit - p );
@@ -434,6 +438,10 @@
#if 1
p = *cursor;
+
+ if ( p >= limit )
+ return 0;
+
if ( n > (FT_UInt)(limit - p) )
n = (FT_UInt)(limit - p);
freetype-2.4.6-CVE-2012-1141.patch:
bdflib.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- NEW FILE freetype-2.4.6-CVE-2012-1141.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:25:37.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:25:37.000000000 +0200
@@ -521,6 +521,14 @@
/* Initialize the list. */
list->used = 0;
+ if ( list->size )
+ {
+ list->field[0] = (char*)empty;
+ list->field[1] = (char*)empty;
+ list->field[2] = (char*)empty;
+ list->field[3] = (char*)empty;
+ list->field[4] = (char*)empty;
+ }
/* If the line is empty, then simply return. */
if ( linelen == 0 || line[0] == 0 )
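Review bot: The guard `if ( list->size )` only establishes that the list has at least one slot, yet the body writes `list->field[0]` through `list->field[4]`. This is safe only if every allocation yields five or more entries, which depends on the growth arithmetic changed in the CVE-2012-1137 patch rather than on anything visible here. Testing `list->size >= 5`, or asserting it, would make the hunk correct on its own.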
freetype-2.4.6-CVE-2012-1142.patch:
winfnt.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1142.patch ---
--- a/src/winfonts/winfnt.c 2010-09-11 08:06:45.000000000 +0200
+++ b/src/winfonts/winfnt.c 2012-03-28 13:21:18.000000000 +0200
@@ -4,7 +4,7 @@
/* */
/* FreeType font driver for Windows FNT/FON files */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2006, 2007, 2008, 2009, 2010 by */
+/* Copyright 1996-2004, 2006-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* Copyright 2003 Huw D M Davies for Codeweavers */
/* Copyright 2007 Dmitry Timoshkov for Codeweavers */
@@ -827,7 +827,14 @@
root->charmap = root->charmaps[0];
}
- /* setup remaining flags */
+ /* set up remaining flags */
+
+ if ( font->header.last_char < font->header.first_char )
+ {
+ FT_TRACE2(( "invalid number of glyphs\n" ));
+ error = FNT_Err_Invalid_File_Format;
+ goto Fail;
+ }
/* reserve one slot for the .notdef glyph at index 0 */
root->num_glyphs = font->header.last_char -
freetype-2.4.6-CVE-2012-1143.patch:
ftcalc.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1143.patch ---
--- a/src/base/ftcalc.c
+++ b/src/base/ftcalc.c
@@ -4,7 +4,7 @@
/* */
/* Arithmetic computations (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2008 by */
+/* Copyright 1996-2006, 2008, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -307,7 +307,7 @@
q <<= 1;
r |= lo >> 31;
- if ( r >= (FT_UInt32)y )
+ if ( r >= y )
{
r -= y;
q |= 1;
@@ -373,7 +373,7 @@
if ( a <= 46340L && b <= 46340L && c <= 176095L && c > 0 )
a = ( a * b + ( c >> 1 ) ) / c;
- else if ( c > 0 )
+ else if ( (FT_Int32)c > 0 )
{
FT_Int64 temp, temp2;
@@ -412,7 +412,7 @@
if ( a <= 46340L && b <= 46340L && c > 0 )
a = a * b / c;
- else if ( c > 0 )
+ else if ( (FT_Int32)c > 0 )
{
FT_Int64 temp;
@@ -544,7 +544,7 @@
s = (FT_Int32)a; a = FT_ABS( a );
s ^= (FT_Int32)b; b = FT_ABS( b );
- if ( b == 0 )
+ if ( (FT_UInt32)b == 0 )
{
/* check for division by 0 */
q = (FT_UInt32)0x7FFFFFFFL;
@@ -552,15 +552,16 @@
else if ( ( a >> 16 ) == 0 )
{
/* compute result directly */
- q = (FT_UInt32)( (a << 16) + (b >> 1) ) / (FT_UInt32)b;
+ q = (FT_UInt32)( ( a << 16 ) + ( b >> 1 ) ) / (FT_UInt32)b;
}
else
{
/* we need more bits; we have to do it by hand */
FT_Int64 temp, temp2;
- temp.hi = (FT_Int32) (a >> 16);
- temp.lo = (FT_UInt32)(a << 16);
+
+ temp.hi = (FT_Int32) ( a >> 16 );
+ temp.lo = (FT_UInt32)( a << 16 );
temp2.hi = 0;
temp2.lo = (FT_UInt32)( b >> 1 );
FT_Add64( &temp, &temp2, &temp );
freetype-2.4.6-CVE-2012-1144.patch:
ttgload.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1144.patch ---
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -362,14 +362,17 @@
if ( n_contours >= 0xFFF || p + ( n_contours + 1 ) * 2 > limit )
goto Invalid_Outline;
- prev_cont = FT_NEXT_USHORT( p );
+ prev_cont = FT_NEXT_SHORT( p );
if ( n_contours > 0 )
cont[0] = prev_cont;
+ if ( prev_cont < 0 )
+ goto Invalid_Outline;
+
for ( cont++; cont < cont_limit; cont++ )
{
- cont[0] = FT_NEXT_USHORT( p );
+ cont[0] = FT_NEXT_SHORT( p );
if ( cont[0] <= prev_cont )
{
/* unordered contours: this is invalid */
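Review bot: Switching to `FT_NEXT_SHORT` rejects negative contour end points only if `prev_cont` and the elements of `cont` are signed types, and their declarations are not in this hunk. If `cont` is an unsigned 16-bit array, a negative value read in the loop is stored as a large positive one and passes the `cont[0] <= prev_cont` ordering test. Please confirm the declarations, or add an explicit `< 0` test inside the loop as is done for the first entry.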
freetype-2.4.6-bdf-overflow.patch:
bdflib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.6-bdf-overflow.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1912,7 +1912,7 @@
glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
bitmap_size = glyph->bpr * glyph->bbx.height;
- if ( bitmap_size > 0xFFFFU )
+ if ( glyph->bpr > 0xFFFFU || bitmap_size > 0xFFFFU )
{
FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
error = BDF_Err_Bbx_Too_Big;
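Review bot: `bitmap_size = glyph->bpr * glyph->bbx.height` is still computed before the new test, and `glyph->bbx.height` is not bounded on its own, so the check relies on the product not wrapping in the type of `bitmap_size`. Testing `glyph->bpr` and `glyph->bbx.height` against the limit before multiplying would make the check independent of the declared widths, which are not visible in this hunk.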
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-16/freetype-freeworld.spec,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- freetype-freeworld.spec 17 Nov 2011 17:13:05 -0000 1.20
+++ freetype-freeworld.spec 2 Apr 2012 00:38:09 -0000 1.21
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.4.6
-Release: 4%{?dist}
+Release: 5%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -16,6 +16,25 @@
Patch89: freetype-2.4.2-CVE-2010-3311.patch
Patch90: freetype-2.4.6-CVE-2011-3256.patch
Patch91: freetype-2.4.6-CVE-2011-3439.patch
+Patch92: freetype-2.4.6-CVE-2012-1126.patch
+Patch93: freetype-2.4.6-CVE-2012-1127.patch
+Patch94: freetype-2.4.6-CVE-2012-1128.patch
+Patch95: freetype-2.4.6-CVE-2012-1130.patch
+Patch96: freetype-2.4.6-CVE-2012-1131.patch
+Patch97: freetype-2.4.6-CVE-2012-1132.patch
+Patch98: freetype-2.4.6-CVE-2012-1133.patch
+Patch99: freetype-2.4.6-CVE-2012-1134.patch
+Patch100: freetype-2.4.6-CVE-2012-1135.patch
+Patch101: freetype-2.4.6-CVE-2012-1136.patch
+Patch102: freetype-2.4.6-CVE-2012-1137.patch
+Patch103: freetype-2.4.6-CVE-2012-1138.patch
+Patch104: freetype-2.4.6-CVE-2012-1139.patch
+Patch105: freetype-2.4.6-CVE-2012-1140.patch
+Patch106: freetype-2.4.6-CVE-2012-1141.patch
+Patch107: freetype-2.4.6-CVE-2012-1142.patch
+Patch108: freetype-2.4.6-CVE-2012-1143.patch
+Patch109: freetype-2.4.6-CVE-2012-1144.patch
+Patch110: freetype-2.4.6-bdf-overflow.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
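Review bot: The added Patch92 to Patch109 entries run from CVE-2012-1126 to CVE-2012-1144 but skip CVE-2012-1129, and neither the spec nor the changelog entry says why. If that fix does not apply to 2.4.6, a one-line comment next to the patch list would save the next auditor from checking. Several of these patches also depend on each other (for example 1127 with 1139, and 1137 with 1141), so a note that they must be applied as a set would be useful too.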
@@ -47,6 +66,25 @@
%patch89 -p1 -b .CVE-2010-3311
%patch90 -p1 -b .CVE-2011-3256
%patch91 -p1 -b .CVE-2011-3439
+%patch92 -p1 -b .CVE-2012-1126
+%patch93 -p1 -b .CVE-2012-1127
+%patch94 -p1 -b .CVE-2012-1128
+%patch95 -p1 -b .CVE-2012-1130
+%patch96 -p1 -b .CVE-2012-1131
+%patch97 -p1 -b .CVE-2012-1132
+%patch98 -p1 -b .CVE-2012-1133
+%patch99 -p1 -b .CVE-2012-1134
+%patch100 -p1 -b .CVE-2012-1135
+%patch101 -p1 -b .CVE-2012-1136
+%patch102 -p1 -b .CVE-2012-1137
+%patch103 -p1 -b .CVE-2012-1138
+%patch104 -p1 -b .CVE-2012-1139
+%patch105 -p1 -b .CVE-2012-1140
+%patch106 -p1 -b .CVE-2012-1141
+%patch107 -p1 -b .CVE-2012-1142
+%patch108 -p1 -b .CVE-2012-1143
+%patch109 -p1 -b .CVE-2012-1144
+%patch110 -p1 -b .bdf-overflow
%build
@@ -91,6 +129,9 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.6-5
+- Add security patches from Fedora freetype-2.4.6-5 (rh#806270)
+
* Thu Nov 17 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.6-4
- Add freetype-2.4.6-CVE-2011-3439.patch from Fedora freetype (rh#753837)
rpms/freetype-freeworld/F-17 freetype-2.4.8-CVE-2012-1126.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1127.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1128.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1130.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1131.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1132.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1133.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1134.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1135.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1136.patch, NONE, 1.1 freetype-2.4.8-CVE-2012
by Kevin Kofler
Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/F-17
In directory se02.es.rpmfusion.net:/tmp/cvs-serv28535/F-17
Modified Files:
freetype-freeworld.spec
Added Files:
freetype-2.4.8-CVE-2012-1126.patch
freetype-2.4.8-CVE-2012-1127.patch
freetype-2.4.8-CVE-2012-1128.patch
freetype-2.4.8-CVE-2012-1130.patch
freetype-2.4.8-CVE-2012-1131.patch
freetype-2.4.8-CVE-2012-1132.patch
freetype-2.4.8-CVE-2012-1133.patch
freetype-2.4.8-CVE-2012-1134.patch
freetype-2.4.8-CVE-2012-1135.patch
freetype-2.4.8-CVE-2012-1136.patch
freetype-2.4.8-CVE-2012-1137.patch
freetype-2.4.8-CVE-2012-1138.patch
freetype-2.4.8-CVE-2012-1139.patch
freetype-2.4.8-CVE-2012-1140.patch
freetype-2.4.8-CVE-2012-1141.patch
freetype-2.4.8-CVE-2012-1142.patch
freetype-2.4.8-CVE-2012-1143.patch
freetype-2.4.8-CVE-2012-1144.patch
freetype-2.4.8-bdf-overflow.patch
Log Message:
* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.8-3
- Add security patches from Fedora freetype-2.4.8-3 (rh#806270)
freetype-2.4.8-CVE-2012-1126.patch:
bdflib.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1126.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1,6 +1,6 @@
/*
* Copyright 2000 Computing Research Labs, New Mexico State University
- * Copyright 2001-2011
+ * Copyright 2001-2012
* Francesco Zappa Nardelli
*
* Permission is hereby granted, free of charge, to any person obtaining a
@@ -1254,7 +1254,8 @@
ep = line + linelen;
/* Trim the leading whitespace if it exists. */
- *sp++ = 0;
+ if ( *sp )
+ *sp++ = 0;
while ( *sp &&
( *sp == ' ' || *sp == '\t' ) )
sp++;
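Review bot: the comment above the new `if ( *sp )` still says only "Trim the leading whitespace", which does not explain the guard. Add a line stating that `sp` can already point at the terminating null here, and that the unconditional `*sp++ = 0` would step past it and let the following `while ( *sp && ... )` loop read beyond the line.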
freetype-2.4.8-CVE-2012-1127.patch:
bdflib.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1127.patch ---
--- a/src/bdf/bdflib.c 2012-03-30 13:06:25.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-30 13:08:00.000000000 +0200
@@ -1098,6 +1098,7 @@
#define ACMSG13 "Glyph %ld extra rows removed.\n"
#define ACMSG14 "Glyph %ld extra columns removed.\n"
#define ACMSG15 "Incorrect glyph count: %ld indicated but %ld found.\n"
+#define ACMSG16 "Glyph %ld missing columns padded with zero bits.\n"
/* Error messages. */
#define ERRMSG1 "[line %ld] Missing \"%s\" line.\n"
@@ -1703,18 +1704,31 @@
for ( i = 0; i < nibbles; i++ )
{
c = line[i];
+ if ( !c )
+ break;
*bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] );
if ( i + 1 < nibbles && ( i & 1 ) )
*++bp = 0;
}
+ /* If any line has not enough columns, */
+ /* indicate they have been padded with zero bits. */
+ if ( i < nibbles &&
+ !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
+ {
+ FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG16, glyph->encoding ));
+ p->flags |= _BDF_GLYPH_WIDTH_CHECK;
+ font->modified = 1;
+ }
+
/* Remove possible garbage at the right. */
mask_index = ( glyph->bbx.width * p->font->bpp ) & 7;
if ( glyph->bbx.width )
*bp &= nibble_mask[mask_index];
/* If any line has extra columns, indicate they have been removed. */
- if ( ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
+ if ( i == nibbles &&
+ ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
!( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
{
FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding ));
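Review bot: the new `if ( !c ) break;` in the nibble loop stops only at the terminating null; any other byte from `line[i]` still reaches `a2i[c]` on the next line. Test for a valid hex digit instead of for zero, and index the table through an unsigned char, so that a non-hex or high-bit character cannot be used as the lookup index. The same applies to `a2i[(int)line[nibbles]]` in the extra-columns test.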
freetype-2.4.8-CVE-2012-1128.patch:
ttinterp.c | 21 ++++++---------------
1 file changed, 6 insertions(+), 15 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1128.patch ---
--- a/src/truetype/ttinterp.c 2011-01-31 21:45:29.000000000 +0100
+++ b/src/truetype/ttinterp.c 2012-03-28 13:07:28.000000000 +0200
@@ -5788,7 +5788,7 @@
FT_F26Dot6 dx,
dy;
- FT_UShort last_point, i;
+ FT_UShort limit, i;
if ( BOUNDS( args[0], 2 ) )
@@ -5805,24 +5805,15 @@
/* Twilight zone has no contours, so use `n_points'. */
/* Normal zone's `n_points' includes phantoms, so must */
/* use end of last contour. */
- if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
- last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
+ if ( CUR.GS.gep2 == 0 )
+ limit = (FT_UShort)CUR.zp2.n_points;
else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
- {
- last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
-
- if ( BOUNDS( last_point, CUR.zp2.n_points ) )
- {
- if ( CUR.pedantic_hinting )
- CUR.error = TT_Err_Invalid_Reference;
- return;
- }
- }
+ limit = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] + 1 );
else
- last_point = 0;
+ limit = 0;
/* XXX: UNDOCUMENTED! SHZ doesn't touch the points */
- for ( i = 0; i <= last_point; i++ )
+ for ( i = 0; i < limit; i++ )
{
if ( zp.cur != CUR.zp2.cur || refp != i )
MOVE_Zp2_Point( i, dx, dy, FALSE );
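Review bot: in the `CUR.GS.gep2 == 1` branch the removed `BOUNDS( last_point, CUR.zp2.n_points )` test has no replacement, so `limit` is taken from `contours[n_contours - 1] + 1` unchecked before the loop calls `MOVE_Zp2_Point( i, dx, dy, FALSE )`. Either keep a check that `limit <= CUR.zp2.n_points` or state in the comment where the contour end points are validated. The `(FT_UShort)` cast on the `+ 1` expression also deserves a note: if the stored end point is 0xFFFF, `limit` becomes 0 and the loop silently does nothing.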
freetype-2.4.8-CVE-2012-1130.patch:
pcfread.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1130.patch ---
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -2,8 +2,7 @@
FreeType font driver for pcf fonts
- Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
- 2010 by
+ Copyright 2000-2010, 2012 by
Francesco Zappa Nardelli
Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -496,7 +495,8 @@ THE SOFTWARE.
goto Bail;
}
- if ( FT_NEW_ARRAY( strings, string_size ) )
+ /* allocate one more byte so that we have a final null byte */
+ if ( FT_NEW_ARRAY( strings, string_size + 1 ) )
goto Bail;
error = FT_Stream_Read( stream, (FT_Byte*)strings, string_size );
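Review bot: nothing in this hunk writes the final null byte that the new comment promises. `FT_Stream_Read` is still asked for `string_size` bytes, so the terminator exists only if `FT_NEW_ARRAY` hands back zeroed memory. Say that in the comment, or set `strings[string_size] = 0` after the read. Please also confirm that `string_size + 1` cannot wrap for the values that pass the check ending in `goto Bail` above.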
freetype-2.4.8-CVE-2012-1131.patch:
ftsmooth.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1131.patch ---
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -4,7 +4,7 @@
/* */
/* Anti-aliasing renderer interface (body). */
/* */
-/* Copyright 2000-2006, 2009-2011 by */
+/* Copyright 2000-2006, 2009-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -105,9 +105,9 @@
FT_Error error;
FT_Outline* outline = NULL;
FT_BBox cbox;
- FT_UInt width, height, pitch;
+ FT_Pos width, height, pitch;
#ifndef FT_CONFIG_OPTION_SUBPIXEL_RENDERING
- FT_UInt height_org, width_org;
+ FT_Pos height_org, width_org;
#endif
FT_Bitmap* bitmap;
FT_Memory memory;
@@ -151,7 +151,7 @@
return Smooth_Err_Raster_Overflow;
}
else
- width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
+ width = ( cbox.xMax - cbox.xMin ) >> 6;
if ( cbox.yMin < 0 && cbox.yMax > FT_INT_MAX + cbox.yMin )
{
@@ -161,7 +161,7 @@
return Smooth_Err_Raster_Overflow;
}
else
- height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
+ height = ( cbox.yMax - cbox.yMin ) >> 6;
bitmap = &slot->bitmap;
memory = render->root.memory;
@@ -223,7 +223,7 @@
/* Required check is ( pitch * height < FT_ULONG_MAX ), */
/* but we care realistic cases only. Always pitch <= width. */
- if ( width > 0x7FFFU || height > 0x7FFFU )
+ if ( width > 0x7FFF || height > 0x7FFF )
{
FT_ERROR(( "ft_smooth_render_generic: glyph too large: %u x %u\n",
width, height ));
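Review bot: `width` and `height` are declared as `FT_Pos` by the earlier hunk of this patch, but the `FT_ERROR` call here still formats them with `%u x %u`. Change the conversion specifiers to match the new type (with an explicit cast if needed), otherwise the diagnostic for an oversized glyph prints the wrong values on platforms where the two types differ in width.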
freetype-2.4.8-CVE-2012-1132.patch:
psaux/psobjs.c | 4 ++--
type1/t1load.c | 39 ++++++++++++++++++++++++++-------------
2 files changed, 28 insertions(+), 15 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1132.patch ---
--- freetype-2.4.8/src/psaux/psobjs.c 2011-04-13 13:34:22.000000000 +0200
+++ freetype-2.4.8/src/psaux/psobjs.c 2012-03-30 14:35:25.000000000 +0200
@@ -4,7 +4,7 @@
/* */
/* Auxiliary functions for PostScript fonts (body). */
/* */
-/* Copyright 1996-2011 by */
+/* Copyright 1996-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -589,7 +589,7 @@
}
Exit:
- if ( cur == parser->cursor )
+ if ( cur < limit && cur == parser->cursor )
{
FT_ERROR(( "ps_parser_skip_PS_token:"
" current token is `%c' which is self-delimiting\n"
--- freetype-2.4.8/src/type1/t1load.c 2011-09-27 14:34:40.000000000 +0200
+++ freetype-2.4.8/src/type1/t1load.c 2012-03-30 14:35:57.000000000 +0200
@@ -71,6 +71,13 @@
#include "t1errors.h"
+#ifdef FT_CONFIG_OPTION_INCREMENTAL
+#define IS_INCREMENTAL ( face->root.internal->incremental_interface != 0 )
+#else
+#define IS_INCREMENTAL 0
+#endif
+
+
/*************************************************************************/
/* */
/* The macro FT_COMPONENT is used in trace mode. It is an implicit */
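Review bot: `IS_INCREMENTAL` expands to an expression on `face`, which is not a macro parameter, so every use site must have a variable with exactly that name in scope. Make it `IS_INCREMENTAL( face )` or add a comment at the definition stating the requirement; as written, a call from a function whose face pointer has another name fails to compile only when `FT_CONFIG_OPTION_INCREMENTAL` is defined.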
@@ -1030,7 +1037,8 @@
static int
read_binary_data( T1_Parser parser,
FT_Long* size,
- FT_Byte** base )
+ FT_Byte** base,
+ FT_Bool incremental )
{
FT_Byte* cur;
FT_Byte* limit = parser->root.limit;
@@ -1065,8 +1073,12 @@
}
}
- FT_ERROR(( "read_binary_data: invalid size field\n" ));
- parser->root.error = T1_Err_Invalid_File_Format;
+ if( !incremental )
+ {
+ FT_ERROR(( "read_binary_data: invalid size field\n" ));
+ parser->root.error = T1_Err_Invalid_File_Format;
+ }
+
return 0;
}
@@ -1387,15 +1399,17 @@
FT_Byte* base;
- /* If the next token isn't `dup' we are done. */
- if ( ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
+ /* If we are out of data, or if the next token isn't `dup', */
+ /* we are done. */
+ if ( parser->root.cursor + 4 >= parser->root.limit ||
+ ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
break;
T1_Skip_PS_Token( parser ); /* `dup' */
idx = T1_ToInt( parser );
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* The binary string is followed by one token, e.g. `NP' */
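Review bot: the new bound `parser->root.cursor + 4 >= parser->root.limit` checks for four bytes while `ft_strncmp` on the next line compares three. Add a comment saying what the fourth byte is for, and consider writing the test as a length comparison (`limit - cursor <= 4`) so the code does not form a pointer past the end of the buffer when fewer than four bytes remain.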
@@ -1407,7 +1421,8 @@
return;
T1_Skip_Spaces ( parser );
- if ( ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )
+ if ( parser->root.cursor + 4 < parser->root.limit &&
+ ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )
{
T1_Skip_PS_Token( parser ); /* skip `put' */
T1_Skip_Spaces ( parser );
@@ -1580,7 +1595,7 @@
cur++; /* skip `/' */
len = parser->root.cursor - cur;
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* for some non-standard fonts like `Optima' which provides */
@@ -1869,7 +1884,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -1882,7 +1897,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -2158,9 +2173,7 @@
type1->subrs_len = loader.subrs.lengths;
}
-#ifdef FT_CONFIG_OPTION_INCREMENTAL
- if ( !face->root.internal->incremental_interface )
-#endif
+ if ( !IS_INCREMENTAL )
if ( !loader.charstrings.init )
{
FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" ));
freetype-2.4.8-CVE-2012-1133.patch:
bdflib.c | 5 +++++
1 file changed, 5 insertions(+)
--- NEW FILE freetype-2.4.8-CVE-2012-1133.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:08:54.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:12:00.000000000 +0200
@@ -1587,6 +1587,11 @@
p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 );
+ /* Normalize negative encoding values. The specification only */
+ /* allows -1, but we can be more generous here. */
+ if ( p->glyph_enc < -1 )
+ p->glyph_enc = -1;
+
/* Check that the encoding is in the range [0,65536] because */
/* otherwise p->have (a bitmap with static size) overflows. */
if ( p->glyph_enc > 0 &&
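Review bot: the clamp of `p->glyph_enc` to -1 is silent. The new comment admits the specification allows only -1, so an out-of-spec value is being rewritten here without any `FT_TRACE2` message, unlike the other auto-corrections in this file that report through an `ACMSG` string. Add a trace message so a malformed font is visible in debug output.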
freetype-2.4.8-CVE-2012-1134.patch:
t1parse.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1134.patch ---
--- a/src/type1/t1parse.c
+++ b/src/type1/t1parse.c
@@ -4,7 +4,7 @@
/* */
/* Type 1 parser (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008, 2009 by */
+/* Copyright 1996-2005, 2008, 2009, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -467,6 +467,14 @@
/* we now decrypt the encoded binary private dictionary */
psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U );
+ if ( parser->private_len < 4 )
+ {
+ FT_ERROR(( "T1_Get_Private_Dict:"
+ " invalid private dictionary section\n" ));
+ error = T1_Err_Invalid_File_Format;
+ goto Fail;
+ }
+
/* replace the four random bytes at the beginning with whitespace */
parser->private_dict[0] = ' ';
parser->private_dict[1] = ' ';
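Review bot: the `parser->private_len < 4` check is placed after the `psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U )` call. The check protects the four writes to `private_dict[0..3]` that follow, but validating the length before decrypting would reject the malformed section before any work is done on it and makes the intent easier to read.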
freetype-2.4.8-CVE-2012-1135.patch:
ttinterp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1135.patch ---
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4477,7 +4477,7 @@
CUR.length = opcode_length[CUR.opcode];
if ( CUR.length < 0 )
{
- if ( CUR.IP + 1 > CUR.codeSize )
+ if ( CUR.IP + 1 >= CUR.codeSize )
goto Fail_Overflow;
CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
}
@@ -7544,7 +7544,7 @@
if ( ( CUR.length = opcode_length[CUR.opcode] ) < 0 )
{
- if ( CUR.IP + 1 > CUR.codeSize )
+ if ( CUR.IP + 1 >= CUR.codeSize )
goto LErrorCodeOverflow_;
CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
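Review bot: the comparison `CUR.IP + 1 >= CUR.codeSize` is the only guard for the read of `CUR.code[CUR.IP + 1]` on the following line, and the identical fix had to be made in two places (here and at 4477). Move the length computation into one helper used by both sites so the two copies cannot drift apart again.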
freetype-2.4.8-CVE-2012-1136.patch:
bdflib.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1136.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:13:24.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:15:33.000000000 +0200
@@ -1749,12 +1749,7 @@
if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
- {
- /* Missing ENCODING field. */
- FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" ));
- error = BDF_Err_Missing_Encoding_Field;
- goto Exit;
- }
+ goto Missing_Encoding;
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
@@ -1769,6 +1764,9 @@
/* Expect the DWIDTH (scalable width) field next. */
if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 )
{
+ if ( !( p->flags & _BDF_ENCODING ) )
+ goto Missing_Encoding;
+
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
goto Exit;
@@ -1794,6 +1792,9 @@
/* Expect the BBX field next. */
if ( ft_memcmp( line, "BBX", 3 ) == 0 )
{
+ if ( !( p->flags & _BDF_ENCODING ) )
+ goto Missing_Encoding;
+
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
goto Exit;
@@ -1893,6 +1894,12 @@
}
error = BDF_Err_Invalid_File_Format;
+ goto Exit;
+
+ Missing_Encoding:
+ /* Missing ENCODING field. */
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" ));
+ error = BDF_Err_Missing_Encoding_Field;
Exit:
if ( error && ( p->flags & _BDF_GLYPH ) )
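Review bot: the new `Missing_Encoding:` label falls through into `Exit:` with nothing marking that as intended, while the line above it needed an added `goto Exit` to avoid running into the label. Add a `/* fall through */` comment after the `error = BDF_Err_Missing_Encoding_Field;` assignment. Since the `_BDF_ENCODING` test is now repeated in the SWIDTH, DWIDTH and BBX branches, a single check before the three branches would be harder to miss when a fourth field is added.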
freetype-2.4.8-CVE-2012-1137.patch:
bdflib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1137.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -462,7 +462,7 @@
if ( num_items > list->size )
{
unsigned long oldsize = list->size; /* same as _bdf_list_t.size */
- unsigned long newsize = oldsize + ( oldsize >> 1 ) + 4;
+ unsigned long newsize = oldsize + ( oldsize >> 1 ) + 5;
unsigned long bigsize = (unsigned long)( FT_INT_MAX / sizeof ( char* ) );
FT_Memory memory = list->memory;
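Review bot: the constant in `oldsize + ( oldsize >> 1 ) + 5` changes from 4 to 5 with no comment. The CVE-2012-1141 patch in this same commit writes `list->field[0]` through `list->field[4]`, which looks like the reason a minimum of five entries is needed; state that next to the constant, or derive both from one named value, so the two patches stay consistent.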
freetype-2.4.8-CVE-2012-1138.patch:
ttinterp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1138.patch ---
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -6264,7 +6264,7 @@
CUR.zp1.org[point].y = CUR.zp0.org[CUR.GS.rp0].y +
TT_MulFix14( (FT_UInt32)cvt_dist,
CUR.GS.freeVector.y );
- CUR.zp1.cur[point] = CUR.zp0.cur[point];
+ CUR.zp1.cur[point] = CUR.zp1.org[point];
}
org_dist = CUR_Func_dualproj( &CUR.zp1.org[point],
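Review bot: the corrected assignment has no comment, and the reason is not obvious from the line alone: `point` indexes zone `zp1`, yet the removed line read `CUR.zp0.cur[point]`. A one-line comment stating that the point's current position is taken from the `CUR.zp1.org[point]` value computed just above would keep a later edit from reintroducing the cross-zone read.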
freetype-2.4.8-CVE-2012-1139.patch:
bdflib.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1139.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:24:22.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:24:22.000000000 +0200
@@ -791,7 +791,7 @@
};
-#define isdigok( m, d ) (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
+#define isdigok( m, d ) (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
/* Routine to convert an ASCII string into an unsigned long integer. */
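Review bot: the `isdigok` fix depends on the cast binding tighter than the shift in `(unsigned char)(d) >> 3`, and the macro still evaluates `d` twice. Write the index as `( (unsigned char)(d) ) >> 3` to make the precedence explicit, or turn the macro into a small function taking an unsigned char, which removes both the sign problem and the double evaluation.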
@@ -1709,7 +1709,7 @@
for ( i = 0; i < nibbles; i++ )
{
c = line[i];
- if ( !c )
+ if ( !isdigok( hdigits, c ) )
break;
*bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] );
if ( i + 1 < nibbles && ( i & 1 ) )
@@ -1732,9 +1732,9 @@
*bp &= nibble_mask[mask_index];
/* If any line has extra columns, indicate they have been removed. */
- if ( i == nibbles &&
- ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
- !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
+ if ( i == nibbles &&
+ isdigok( hdigits, line[nibbles] ) &&
+ !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
{
FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding ));
p->flags |= _BDF_GLYPH_WIDTH_CHECK;
freetype-2.4.8-CVE-2012-1140.patch:
psconv.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1140.patch ---
--- a/src/psaux/psconv.c
+++ b/src/psaux/psconv.c
@@ -4,7 +4,7 @@
/* */
/* Some convenience conversions (body). */
/* */
-/* Copyright 2006, 2008, 2009 by */
+/* Copyright 2006, 2008, 2009, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -79,7 +79,7 @@
FT_Bool sign = 0;
- if ( p == limit || base < 2 || base > 36 )
+ if ( p >= limit || base < 2 || base > 36 )
return 0;
if ( *p == '-' || *p == '+' )
@@ -150,7 +150,7 @@
FT_Bool sign = 0;
- if ( p == limit )
+ if ( p >= limit )
return 0;
if ( *p == '-' || *p == '+' )
@@ -346,7 +346,11 @@
#if 1
- p = *cursor;
+ p = *cursor;
+
+ if ( p >= limit )
+ return 0;
+
if ( n > (FT_UInt)( limit - p ) )
n = (FT_UInt)( limit - p );
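Review bot: the added `if ( p >= limit ) return 0;` is what makes the existing clamp on the next lines meaningful, because with `p` beyond `limit` the expression `(FT_UInt)( limit - p )` is a large unsigned value and `n` is never reduced. Put that in a comment above the check. The realignment of `p = *cursor;` in the same hunk is whitespace only and would be better left out of a security patch.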
@@ -434,6 +438,10 @@
#if 1
p = *cursor;
+
+ if ( p >= limit )
+ return 0;
+
if ( n > (FT_UInt)(limit - p) )
n = (FT_UInt)(limit - p);
freetype-2.4.8-CVE-2012-1141.patch:
bdflib.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- NEW FILE freetype-2.4.8-CVE-2012-1141.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:25:37.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:25:37.000000000 +0200
@@ -521,6 +521,14 @@
/* Initialize the list. */
list->used = 0;
+ if ( list->size )
+ {
+ list->field[0] = (char*)empty;
+ list->field[1] = (char*)empty;
+ list->field[2] = (char*)empty;
+ list->field[3] = (char*)empty;
+ list->field[4] = (char*)empty;
+ }
/* If the line is empty, then simply return. */
if ( linelen == 0 || line[0] == 0 )
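Review bot: the guard `if ( list->size )` tests only for a non-zero size, but the body writes five entries, `list->field[0]` through `list->field[4]`. Test `list->size >= 5`, or fill in a loop bounded by `list->size`, so the initialisation cannot write past a list that holds fewer than five fields.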
freetype-2.4.8-CVE-2012-1142.patch:
winfnt.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1142.patch ---
--- a/src/winfonts/winfnt.c 2010-09-11 08:06:45.000000000 +0200
+++ b/src/winfonts/winfnt.c 2012-03-28 13:21:18.000000000 +0200
@@ -4,7 +4,7 @@
/* */
/* FreeType font driver for Windows FNT/FON files */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2006, 2007, 2008, 2009, 2010 by */
+/* Copyright 1996-2004, 2006-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* Copyright 2003 Huw D M Davies for Codeweavers */
/* Copyright 2007 Dmitry Timoshkov for Codeweavers */
@@ -827,7 +827,14 @@
root->charmap = root->charmaps[0];
}
- /* setup remaining flags */
+ /* set up remaining flags */
+
+ if ( font->header.last_char < font->header.first_char )
+ {
+ FT_TRACE2(( "invalid number of glyphs\n" ));
+ error = FNT_Err_Invalid_File_Format;
+ goto Fail;
+ }
/* reserve one slot for the .notdef glyph at index 0 */
root->num_glyphs = font->header.last_char -
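Review bot: the rejection path for `font->header.last_char < font->header.first_char` reports through `FT_TRACE2` with the fixed text "invalid number of glyphs", so the two header values that caused the failure are not logged. Include both values in the message. The reworded "set up remaining flags" comment now sits above the validation rather than above the code it describes and should move below the new block.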
freetype-2.4.8-CVE-2012-1143.patch:
ftcalc.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1143.patch ---
--- a/src/base/ftcalc.c
+++ b/src/base/ftcalc.c
@@ -4,7 +4,7 @@
/* */
/* Arithmetic computations (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2008 by */
+/* Copyright 1996-2006, 2008, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -307,7 +307,7 @@
q <<= 1;
r |= lo >> 31;
- if ( r >= (FT_UInt32)y )
+ if ( r >= y )
{
r -= y;
q |= 1;
@@ -373,7 +373,7 @@
if ( a <= 46340L && b <= 46340L && c <= 176095L && c > 0 )
a = ( a * b + ( c >> 1 ) ) / c;
- else if ( c > 0 )
+ else if ( (FT_Int32)c > 0 )
{
FT_Int64 temp, temp2;
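Review bot: the `else if` now tests `(FT_Int32)c > 0`, while the first branch two lines above still tests `c > 0` without a cast. The two conditions can therefore disagree for the same `c`, and nothing in the hunk says which range of values the cast is meant to exclude. Add a comment explaining the case being guarded against and why the first branch does not need the same cast.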
@@ -412,7 +412,7 @@
if ( a <= 46340L && b <= 46340L && c > 0 )
a = a * b / c;
- else if ( c > 0 )
+ else if ( (FT_Int32)c > 0 )
{
FT_Int64 temp;
@@ -544,7 +544,7 @@
s = (FT_Int32)a; a = FT_ABS( a );
s ^= (FT_Int32)b; b = FT_ABS( b );
- if ( b == 0 )
+ if ( (FT_UInt32)b == 0 )
{
/* check for division by 0 */
q = (FT_UInt32)0x7FFFFFFFL;
@@ -552,15 +552,16 @@
else if ( ( a >> 16 ) == 0 )
{
/* compute result directly */
- q = (FT_UInt32)( (a << 16) + (b >> 1) ) / (FT_UInt32)b;
+ q = (FT_UInt32)( ( a << 16 ) + ( b >> 1 ) ) / (FT_UInt32)b;
}
else
{
/* we need more bits; we have to do it by hand */
FT_Int64 temp, temp2;
- temp.hi = (FT_Int32) (a >> 16);
- temp.lo = (FT_UInt32)(a << 16);
+
+ temp.hi = (FT_Int32) ( a >> 16 );
+ temp.lo = (FT_UInt32)( a << 16 );
temp2.hi = 0;
temp2.lo = (FT_UInt32)( b >> 1 );
FT_Add64( &temp, &temp2, &temp );
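Review bot: apart from `(FT_UInt32)b == 0`, every changed line in this hunk is whitespace only (the spacing inside `( a << 16 ) + ( b >> 1 )`, the `temp.hi` and `temp.lo` lines, and the moved blank line). Mixing reformatting into a CVE patch makes the actual fix harder to audit and to backport; split the cosmetic changes into a separate patch.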
freetype-2.4.8-CVE-2012-1144.patch:
ttgload.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1144.patch ---
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -362,14 +362,17 @@
if ( n_contours >= 0xFFF || p + ( n_contours + 1 ) * 2 > limit )
goto Invalid_Outline;
- prev_cont = FT_NEXT_USHORT( p );
+ prev_cont = FT_NEXT_SHORT( p );
if ( n_contours > 0 )
cont[0] = prev_cont;
+ if ( prev_cont < 0 )
+ goto Invalid_Outline;
+
for ( cont++; cont < cont_limit; cont++ )
{
- cont[0] = FT_NEXT_USHORT( p );
+ cont[0] = FT_NEXT_SHORT( p );
if ( cont[0] <= prev_cont )
{
/* unordered contours: this is invalid */
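Review bot: `cont[0] = prev_cont;` is executed before the new `if ( prev_cont < 0 ) goto Invalid_Outline;` test, so a negative first end point is stored into the contour array and only then rejected. Move the sign check directly after the `FT_NEXT_SHORT( p )` read so the invalid value is never written.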
freetype-2.4.8-bdf-overflow.patch:
bdflib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.8-bdf-overflow.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1912,7 +1912,7 @@
glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
bitmap_size = glyph->bpr * glyph->bbx.height;
- if ( bitmap_size > 0xFFFFU )
+ if ( glyph->bpr > 0xFFFFU || bitmap_size > 0xFFFFU )
{
FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
error = BDF_Err_Bbx_Too_Big;
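Review bot: `bitmap_size` is computed as `glyph->bpr * glyph->bbx.height` on the line above the test, so the multiplication has already happened when `glyph->bpr > 0xFFFFU` is evaluated. Check `glyph->bpr` (and the height) before multiplying, so that the product cannot wrap into the accepted range, and add a comment saying why both values are bounded.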
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-17/freetype-freeworld.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- freetype-freeworld.spec 23 Nov 2011 15:59:05 -0000 1.23
+++ freetype-freeworld.spec 2 Apr 2012 00:32:55 -0000 1.24
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.4.8
-Release: 2%{?dist}
+Release: 3%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -12,6 +12,27 @@
# Enable otvalid and gxvalid modules
Patch46: freetype-2.2.1-enable-valid.patch
+# Security patches
+Patch89: freetype-2.4.8-CVE-2012-1126.patch
+Patch90: freetype-2.4.8-CVE-2012-1127.patch
+Patch91: freetype-2.4.8-CVE-2012-1128.patch
+Patch92: freetype-2.4.8-CVE-2012-1130.patch
+Patch93: freetype-2.4.8-CVE-2012-1131.patch
+Patch94: freetype-2.4.8-CVE-2012-1132.patch
+Patch95: freetype-2.4.8-CVE-2012-1133.patch
+Patch96: freetype-2.4.8-CVE-2012-1134.patch
+Patch97: freetype-2.4.8-CVE-2012-1135.patch
+Patch98: freetype-2.4.8-CVE-2012-1136.patch
+Patch99: freetype-2.4.8-CVE-2012-1137.patch
+Patch100: freetype-2.4.8-CVE-2012-1138.patch
+Patch101: freetype-2.4.8-CVE-2012-1139.patch
+Patch102: freetype-2.4.8-CVE-2012-1140.patch
+Patch103: freetype-2.4.8-CVE-2012-1141.patch
+Patch104: freetype-2.4.8-CVE-2012-1142.patch
+Patch105: freetype-2.4.8-CVE-2012-1143.patch
+Patch106: freetype-2.4.8-CVE-2012-1144.patch
+Patch107: freetype-2.4.8-bdf-overflow.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
Provides: freetype-bytecode
@@ -39,6 +60,26 @@
%patch46 -p1 -b .enable-valid
+%patch89 -p1 -b .CVE-2012-1126
+%patch90 -p1 -b .CVE-2012-1127
+%patch91 -p1 -b .CVE-2012-1128
+%patch92 -p1 -b .CVE-2012-1130
+%patch93 -p1 -b .CVE-2012-1131
+%patch94 -p1 -b .CVE-2012-1132
+%patch95 -p1 -b .CVE-2012-1133
+%patch96 -p1 -b .CVE-2012-1134
+%patch97 -p1 -b .CVE-2012-1135
+%patch98 -p1 -b .CVE-2012-1136
+%patch99 -p1 -b .CVE-2012-1137
+%patch100 -p1 -b .CVE-2012-1138
+%patch101 -p1 -b .CVE-2012-1139
+%patch102 -p1 -b .CVE-2012-1140
+%patch103 -p1 -b .CVE-2012-1141
+%patch104 -p1 -b .CVE-2012-1142
+%patch105 -p1 -b .CVE-2012-1143
+%patch106 -p1 -b .CVE-2012-1144
+%patch107 -p1 -b .bdf-overflow
+
%build
%configure --disable-static
@@ -82,6 +123,9 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.8-3
+- Add security patches from Fedora freetype-2.4.8-3 (rh#806270)
+
* Wed Nov 23 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.8-2
- Rebuild for #2031
rpms/freetype-freeworld/devel freetype-2.4.9-CVE-2012-1139.patch, NONE, 1.1 freetype-2.4.9-CVE-2012-1141.patch, NONE, 1.1 freetype-2.4.9-incremental-interface.patch, NONE, 1.1 freetype-2.4.9-loop-exit-condition.patch, NONE, 1.1 .cvsignore, 1.12, 1.13 freetype-freeworld.spec, 1.23, 1.24 sources, 1.12, 1.13
by Kevin Kofler
Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/devel
In directory se02.es.rpmfusion.net:/tmp/cvs-serv27697/devel
Modified Files:
.cvsignore freetype-freeworld.spec sources
Added Files:
freetype-2.4.9-CVE-2012-1139.patch
freetype-2.4.9-CVE-2012-1141.patch
freetype-2.4.9-incremental-interface.patch
freetype-2.4.9-loop-exit-condition.patch
Log Message:
* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.9-1
- Update to 2.4.9 (matches Fedora freetype, fixes various CVEs (rh#806270))
- Add additional security and bugfix patches from Fedora freetype-2.4.9-1
freetype-2.4.9-CVE-2012-1139.patch:
bdflib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.9-CVE-2012-1139.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -842,7 +842,7 @@
};
-#define isdigok( m, d ) (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
+#define isdigok( m, d ) (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
/* Routine to convert an ASCII string into an unsigned long integer. */
freetype-2.4.9-CVE-2012-1141.patch:
bdflib.c | 1 +
1 file changed, 1 insertion(+)
--- NEW FILE freetype-2.4.9-CVE-2012-1141.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -569,6 +569,7 @@
list->field[1] = (char*)empty;
list->field[2] = (char*)empty;
list->field[3] = (char*)empty;
+ list->field[4] = (char*)empty;
}
/* If the line is empty, then simply return. */
freetype-2.4.9-incremental-interface.patch:
t1load.c | 30 ++++++++++++++++++++----------
1 file changed, 20 insertions(+), 10 deletions(-)
--- NEW FILE freetype-2.4.9-incremental-interface.patch ---
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -71,6 +71,13 @@
#include "t1errors.h"
+#ifdef FT_CONFIG_OPTION_INCREMENTAL
+#define IS_INCREMENTAL ( face->root.internal->incremental_interface != 0 )
+#else
+#define IS_INCREMENTAL 0
+#endif
+
+
/*************************************************************************/
/* */
/* The macro FT_COMPONENT is used in trace mode. It is an implicit */
@@ -1030,7 +1037,8 @@
static int
read_binary_data( T1_Parser parser,
FT_Long* size,
- FT_Byte** base )
+ FT_Byte** base,
+ FT_Bool incremental )
{
FT_Byte* cur;
FT_Byte* limit = parser->root.limit;
@@ -1065,8 +1073,12 @@
}
}
- FT_ERROR(( "read_binary_data: invalid size field\n" ));
- parser->root.error = T1_Err_Invalid_File_Format;
+ if( !incremental )
+ {
+ FT_ERROR(( "read_binary_data: invalid size field\n" ));
+ parser->root.error = T1_Err_Invalid_File_Format;
+ }
+
return 0;
}
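Review bot: with `incremental` set, `read_binary_data` now returns 0 without setting `parser->root.error`, but the function has no comment describing that outcome. Two of the callers changed later in this patch still `return T1_Err_Invalid_File_Format` on a zero result regardless of the flag, while the others just `return`, so the flag has a different effect depending on the call site. Document the contract at the function and check that each caller does what is intended. Style: `if( !incremental )` is missing the space after `if` used everywhere else in the file.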
@@ -1396,7 +1408,7 @@
idx = T1_ToInt( parser );
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* The binary string is followed by one token, e.g. `NP' */
@@ -1582,7 +1594,7 @@
cur++; /* skip `/' */
len = parser->root.cursor - cur;
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* for some non-standard fonts like `Optima' which provides */
@@ -1871,7 +1883,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -1884,7 +1896,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -2160,9 +2172,7 @@
type1->subrs_len = loader.subrs.lengths;
}
-#ifdef FT_CONFIG_OPTION_INCREMENTAL
- if ( !face->root.internal->incremental_interface )
-#endif
+ if ( !IS_INCREMENTAL )
if ( !loader.charstrings.init )
{
FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" ));
freetype-2.4.9-loop-exit-condition.patch:
t1load.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.4.9-loop-exit-condition.patch ---
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1399,9 +1399,10 @@
FT_Byte* base;
- /* If the next token isn't `dup' we are done. */
- if ( parser->root.cursor + 4 < parser->root.limit &&
- ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
+ /* If we are out of data, or if the next token isn't `dup', */
+ /* we are done. */
+ if ( parser->root.cursor + 4 >= parser->root.limit ||
+ ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
break;
T1_Skip_PS_Token( parser ); /* `dup' */
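Review bot: the removed condition broke out of the loop only when data remained and the token was not `dup`, so running out of data did not terminate it; the replacement fixes that, but the patch carries no test input. Add a regression case with an array that ends right after the last entry, and one with fewer than four bytes left, so the `cursor + 4 >= limit` boundary is exercised on both sides.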
Index: .cvsignore
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/.cvsignore,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- .cvsignore 17 Nov 2011 16:56:37 -0000 1.12
+++ .cvsignore 2 Apr 2012 00:27:37 -0000 1.13
@@ -1 +1 @@
-freetype-2.4.8.tar.bz2
+freetype-2.4.9.tar.bz2
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/freetype-freeworld.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- freetype-freeworld.spec 23 Nov 2011 15:59:05 -0000 1.23
+++ freetype-freeworld.spec 2 Apr 2012 00:27:37 -0000 1.24
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
-Version: 2.4.8
-Release: 2%{?dist}
+Version: 2.4.9
+Release: 1%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -12,6 +12,16 @@
# Enable otvalid and gxvalid modules
Patch46: freetype-2.2.1-enable-valid.patch
+# Security patches
+Patch89: freetype-2.4.9-CVE-2012-1139.patch
+Patch90: freetype-2.4.9-CVE-2012-1141.patch
+
+# https://savannah.nongnu.org/bugs/?35833
+Patch91: freetype-2.4.9-loop-exit-condition.patch
+
+# https://savannah.nongnu.org/bugs/?35847
+Patch92: freetype-2.4.9-incremental-interface.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
Provides: freetype-bytecode
@@ -39,6 +49,12 @@
%patch46 -p1 -b .enable-valid
+%patch89 -p1 -b .CVE-2012-1139
+%patch90 -p1 -b .CVE-2012-1141
+%patch91 -p1 -b .loop-exit-condition
+%patch92 -p1 -b .incremental-interface
+
+
%build
%configure --disable-static
@@ -82,6 +98,10 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.9-1
+- Update to 2.4.9 (matches Fedora freetype, fixes various CVEs (rh#806270))
+- Add additional security and bugfix patches from Fedora freetype-2.4.9-1
+
* Wed Nov 23 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.8-2
- Rebuild for #2031
Index: sources
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/sources,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- sources 17 Nov 2011 16:56:37 -0000 1.12
+++ sources 2 Apr 2012 00:27:37 -0000 1.13
@@ -1 +1 @@
-dbf2caca1d3afd410a29217a9809d397 freetype-2.4.8.tar.bz2
+77a893dae81fd5b896632715ca041179 freetype-2.4.9.tar.bz2