rpms/bombono-dvd/devel .cvsignore, NONE, 1.1 Makefile, NONE, 1.1 sources, NONE, 1.1
by Nicolas Chauvet
Author: kwizart
Update of /cvs/free/rpms/bombono-dvd/devel
In directory se02.es.rpmfusion.net:/home/rpmfusion/kwizart/free/owners/tmpcvsvI9795/rpms/bombono-dvd/devel
Added Files:
.cvsignore Makefile sources
Log Message:
Setup of module bombono-dvd
--- NEW FILE .cvsignore ---
--- NEW FILE Makefile ---
# Makefile for source rpm: bombono-dvd
# $Id: Makefile,v 1.1 2012/04/02 10:11:27 kwizart Exp $
NAME := bombono-dvd
SPECFILE = $(firstword $(wildcard *.spec))
define find-makefile-common
for d in common ../common ../../common ; do if [ -f $$d/Makefile.common ] ; then if [ -f $$d/CVS/Root -a -w $$/Makefile.common ] ; then cd $$d ; cvs -Q update ; fi ; echo "$$d/Makefile.common" ; break ; fi ; done
endef
MAKEFILE_COMMON := $(shell $(find-makefile-common))
ifeq ($(MAKEFILE_COMMON),)
# attept a checkout
define checkout-makefile-common
test -f CVS/Root && { cvs -Q -d $$(cat CVS/Root) checkout common && echo "common/Makefile.common" ; } || { echo "ERROR: I can't figure out how to checkout the 'common' module." ; exit -1 ; } >&2
endef
MAKEFILE_COMMON := $(shell $(checkout-makefile-common))
endif
include $(MAKEFILE_COMMON)
--- NEW FILE sources ---
12 years
- 1
- 0
rpms/bombono-dvd Makefile, NONE, 1.1 import.log, NONE, 1.1 pkg.acl, NONE, 1.1
by Nicolas Chauvet
Author: kwizart
Update of /cvs/free/rpms/bombono-dvd
In directory se02.es.rpmfusion.net:/home/rpmfusion/kwizart/free/owners/tmpcvsvI9795/rpms/bombono-dvd
Added Files:
Makefile import.log pkg.acl
Log Message:
Setup of module bombono-dvd
--- NEW FILE Makefile ---
# Top level Makefile for module bombono-dvd
all : CVS/Root common-update
@cvs update
common-update : common
@cd common && cvs update
common : CVS/Root
@cvs checkout common
CVS/Root :
@echo "ERROR: This does not look like a CVS checkout" && exit 1
clean :
@find . -type f -name *~ -exec rm -fv {} \;
--- NEW FILE import.log ---
--- NEW FILE pkg.acl ---
12 years
- 1
- 0
rpms/bombono-dvd/devel - New directory
by Nicolas Chauvet
Author: kwizart
Update of /cvs/free/rpms/bombono-dvd/devel
In directory se02.es.rpmfusion.net:/home/rpmfusion/kwizart/free/owners/tmpcvsvI9795/rpms/bombono-dvd/devel
Log Message:
Directory /cvs/free/rpms/bombono-dvd/devel added to the repository
12 years
- 1
- 0
rpms/bombono-dvd - New directory
by Nicolas Chauvet
Author: kwizart
Update of /cvs/free/rpms/bombono-dvd
In directory se02.es.rpmfusion.net:/home/rpmfusion/kwizart/free/owners/tmpcvsvI9795/rpms/bombono-dvd
Log Message:
Directory /cvs/free/rpms/bombono-dvd added to the repository
12 years
- 1
- 0
rpms/get-flash-videos/F-16 README.fedora, NONE, 1.1 get-flash-videos.spec, NONE, 1.1 .cvsignore, 1.1, 1.2 sources, 1.1, 1.2
by Alec Leamas
Author: leamas
Update of /cvs/free/rpms/get-flash-videos/F-16
In directory se02.es.rpmfusion.net:/tmp/cvs-serv3580/F-16
Modified Files:
.cvsignore sources
Added Files:
README.fedora get-flash-videos.spec
Log Message:
Initial commit
--- NEW FILE README.fedora ---
Currently, the search function is broken, see e. g.:
http://code.google.com/p/get-flash-videos/issues/detail?id=341
http://code.google.com/p/get-flash-videos/issues/detail?id=332
http://code.google.com/p/get-flash-videos/issues/detail?id=351
Licensing:
- lib/FlashVideo/JSON.pm is in Public Domain
- lib/FlashVideo/Site/Zshare.pm is GPLv3+
- All other files are ASL 2.0
--- NEW FILE get-flash-videos.spec ---
%global rel_tag 3.20120329git8abc6c6
Name: get-flash-videos
Version: 1.24
Release: %{?rel_tag}%{?dist}
Summary: CLI tool to download flash video from websites
Group: Applications/Communications
# License breakdown in README.fedora
License: ASL 2.0 and GPLv3+
URL: http://code.google.com/p/get-flash-videos/
# rel_tag=1.20120329git8abc6c6;
# srcdir=get-flash-videos
# git clone git://github.com/monsieurvideo/get-flash-videos.git $srcdir
# cd $srcdir; git reset --hard ${rel_tag##*git}; cd ..
# tar czf $srcdir-$rel_tag.tar.gz --exclude .git $srcdir
Source0: get-flash-videos-%{version}-%{rel_tag}.tar.gz
Source1: README.fedora
BuildArch: noarch
BuildRequires: perl(ExtUtils::MakeMaker)
BuildRequires: perl(Compress::Zlib)
BuildRequires: perl(Crypt::Rijndael)
BuildRequires: perl(XML::Parser::PerlSAX)
BuildRequires: perl(LWP::UserAgent::Determined)
Buildrequires: perl(Test::Simple)
BuildRequires: perl(Tie::IxHash)
BuildRequires: perl(WWW::Mechanize)
BuildRequires: perl(XML::Simple)
Requires: perl(:MODULE_COMPAT_%(eval "`%{__perl} -V:version`"; echo $version))
Requires: perl(Compress::Zlib)
Requires: perl(Crypt::Rijndael)
Requires: perl(Data::AMF)
Requires: perl(LWP::UserAgent::Determined)
Requires: perl(Tie::IxHash)
Requires: perl(XML::Simple)
Requires: rtmpdump
%{?perl_default_filter}
%description
Download videos from various Flash-based video hosting sites, without
having to use the Flash player. Handy for saving videos for watching
offline, and means you don't have to keep upgrading Flash for sites that
insist on a newer version of the player.
%prep
%setup -q -n get-flash-videos
cp %{SOURCE1} .
%build
%{__perl} Makefile.PL INSTALLDIRS=vendor
make %{?_smp_mflags}
# Search is currently broken, see README.fedora
rm t/google_video_search.t
%install
make pure_install DESTDIR=$RPM_BUILD_ROOT
find $RPM_BUILD_ROOT -type f -name .packlist -exec rm -f {} ';'
find $RPM_BUILD_ROOT -depth -type d -exec rmdir {} 2>/dev/null ';'
%{_fixperms} $RPM_BUILD_ROOT/*
%check
make test
%files
%doc README README.fedora
%{perl_vendorlib}/*
%{_bindir}/get_flash_videos
%{_mandir}/man1/*.1*
%changelog
* Thu Mar 29 2012 Alec Leamas <alec(a)nowhere.com> 1.24-3.20120329git8abc6c6
- Updating license break-down
* Fri Feb 24 2012 Alec Leamas <alec(a)nowhere.com> 1.24-3.20120224git8abc6c6
- Re-enabling Require: perl(:MODULE_COMPAT_...)
- Resolving naming mess, illegal name of spec, bad name of source.
* Tue Feb 21 2012 Alec Leamas <alec(a)nowhere.com> 1.24-3.20120205git8abc6c6
- Rewriting deps using Perl(Module) syntax.
- Removing auto-detected Requires.
- Updating Requires: from upstream website.
* Sun Feb 05 2012 Alec Leamas <alec(a)nowhere.com> 1.24-2.20120205git8abc6c6
- Moving to latest git
* Sat Jan 31 2012 Alec Leamas <alec(a)nowhere.com> 1.24-1
- Intial packaging
Index: .cvsignore
===================================================================
RCS file: /cvs/free/rpms/get-flash-videos/F-16/.cvsignore,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- .cvsignore 30 Mar 2012 10:16:16 -0000 1.1
+++ .cvsignore 2 Apr 2012 09:21:37 -0000 1.2
@@ -0,0 +1 @@
+get-flash-videos-1.24-3.20120329git8abc6c6.tar.gz
Index: sources
===================================================================
RCS file: /cvs/free/rpms/get-flash-videos/F-16/sources,v
retrieving revision 1.1
retrieving revision 1.2
diff -u -r1.1 -r1.2
--- sources 30 Mar 2012 10:16:16 -0000 1.1
+++ sources 2 Apr 2012 09:21:37 -0000 1.2
@@ -0,0 +1 @@
+1cd7ff89cfa44aa647b96670533a43dc get-flash-videos-1.24-3.20120329git8abc6c6.tar.gz
12 years
- 1
- 0
rpms/freetype-freeworld/F-16 freetype-2.4.6-CVE-2012-1126.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1127.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1128.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1130.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1131.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1132.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1133.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1134.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1135.patch, NONE, 1.1 freetype-2.4.6-CVE-2012-1136.patch, NONE, 1.1 freetype-2.4.6-CVE-2012
by Kevin Kofler
Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/F-16
In directory se02.es.rpmfusion.net:/tmp/cvs-serv29418/F-16
Modified Files:
freetype-freeworld.spec
Added Files:
freetype-2.4.6-CVE-2012-1126.patch
freetype-2.4.6-CVE-2012-1127.patch
freetype-2.4.6-CVE-2012-1128.patch
freetype-2.4.6-CVE-2012-1130.patch
freetype-2.4.6-CVE-2012-1131.patch
freetype-2.4.6-CVE-2012-1132.patch
freetype-2.4.6-CVE-2012-1133.patch
freetype-2.4.6-CVE-2012-1134.patch
freetype-2.4.6-CVE-2012-1135.patch
freetype-2.4.6-CVE-2012-1136.patch
freetype-2.4.6-CVE-2012-1137.patch
freetype-2.4.6-CVE-2012-1138.patch
freetype-2.4.6-CVE-2012-1139.patch
freetype-2.4.6-CVE-2012-1140.patch
freetype-2.4.6-CVE-2012-1141.patch
freetype-2.4.6-CVE-2012-1142.patch
freetype-2.4.6-CVE-2012-1143.patch
freetype-2.4.6-CVE-2012-1144.patch
freetype-2.4.6-bdf-overflow.patch
Log Message:
* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.6-5
- Add security patches from Fedora freetype-2.4.6-5 (rh#806270)
freetype-2.4.6-CVE-2012-1126.patch:
bdflib.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1126.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1,6 +1,6 @@
/*
* Copyright 2000 Computing Research Labs, New Mexico State University
- * Copyright 2001-2011
+ * Copyright 2001-2012
* Francesco Zappa Nardelli
*
* Permission is hereby granted, free of charge, to any person obtaining a
@@ -1254,7 +1254,8 @@
ep = line + linelen;
/* Trim the leading whitespace if it exists. */
- *sp++ = 0;
+ if ( *sp )
+ *sp++ = 0;
while ( *sp &&
( *sp == ' ' || *sp == '\t' ) )
sp++;
freetype-2.4.6-CVE-2012-1127.patch:
bdflib.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1127.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -188,6 +188,7 @@
#define ACMSG13 "Glyph %ld extra rows removed.\n"
#define ACMSG14 "Glyph %ld extra columns removed.\n"
#define ACMSG15 "Incorrect glyph count: %ld indicated but %ld found.\n"
+#define ACMSG16 "Glyph %ld missing columns padded with zero bits.\n"
/* Error messages. */
#define ERRMSG1 "[line %ld] Missing \"%s\" line.\n"
@@ -1725,18 +1726,31 @@
for ( i = 0; i < nibbles; i++ )
{
c = line[i];
+ if ( !c )
+ break;
*bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] );
if ( i + 1 < nibbles && ( i & 1 ) )
*++bp = 0;
}
+ /* If any line has not enough columns, */
+ /* indicate they have been padded with zero bits. */
+ if ( i < nibbles &&
+ !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
+ {
+ FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG16, glyph->encoding ));
+ p->flags |= _BDF_GLYPH_WIDTH_CHECK;
+ font->modified = 1;
+ }
+
/* Remove possible garbage at the right. */
mask_index = ( glyph->bbx.width * p->font->bpp ) & 7;
if ( glyph->bbx.width )
*bp &= nibble_mask[mask_index];
/* If any line has extra columns, indicate they have been removed. */
- if ( ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
+ if ( i == nibbles &&
+ ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
!( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
{
FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding ));
freetype-2.4.6-CVE-2012-1128.patch:
ttinterp.c | 21 ++++++---------------
1 file changed, 6 insertions(+), 15 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1128.patch ---
--- a/src/truetype/ttinterp.c 2011-01-31 21:45:29.000000000 +0100
+++ b/src/truetype/ttinterp.c 2012-03-28 13:07:28.000000000 +0200
@@ -5788,7 +5788,7 @@
FT_F26Dot6 dx,
dy;
- FT_UShort last_point, i;
+ FT_UShort limit, i;
if ( BOUNDS( args[0], 2 ) )
@@ -5805,24 +5805,15 @@
/* Twilight zone has no contours, so use `n_points'. */
/* Normal zone's `n_points' includes phantoms, so must */
/* use end of last contour. */
- if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
- last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
+ if ( CUR.GS.gep2 == 0 )
+ limit = (FT_UShort)CUR.zp2.n_points;
else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
- {
- last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
-
- if ( BOUNDS( last_point, CUR.zp2.n_points ) )
- {
- if ( CUR.pedantic_hinting )
- CUR.error = TT_Err_Invalid_Reference;
- return;
- }
- }
+ limit = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] + 1 );
else
- last_point = 0;
+ limit = 0;
/* XXX: UNDOCUMENTED! SHZ doesn't touch the points */
- for ( i = 0; i <= last_point; i++ )
+ for ( i = 0; i < limit; i++ )
{
if ( zp.cur != CUR.zp2.cur || refp != i )
MOVE_Zp2_Point( i, dx, dy, FALSE );
freetype-2.4.6-CVE-2012-1130.patch:
pcfread.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1130.patch ---
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -2,8 +2,7 @@
FreeType font driver for pcf fonts
- Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
- 2010 by
+ Copyright 2000-2010, 2012 by
Francesco Zappa Nardelli
Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -496,7 +495,8 @@ THE SOFTWARE.
goto Bail;
}
- if ( FT_NEW_ARRAY( strings, string_size ) )
+ /* allocate one more byte so that we have a final null byte */
+ if ( FT_NEW_ARRAY( strings, string_size + 1 ) )
goto Bail;
error = FT_Stream_Read( stream, (FT_Byte*)strings, string_size );
freetype-2.4.6-CVE-2012-1131.patch:
ftsmooth.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1131.patch ---
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -4,7 +4,7 @@
/* */
/* Anti-aliasing renderer interface (body). */
/* */
-/* Copyright 2000-2006, 2009-2011 by */
+/* Copyright 2000-2006, 2009-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -105,9 +105,9 @@
FT_Error error;
FT_Outline* outline = NULL;
FT_BBox cbox;
- FT_UInt width, height, pitch;
+ FT_Pos width, height, pitch;
#ifndef FT_CONFIG_OPTION_SUBPIXEL_RENDERING
- FT_UInt height_org, width_org;
+ FT_Pos height_org, width_org;
#endif
FT_Bitmap* bitmap;
FT_Memory memory;
@@ -151,7 +151,7 @@
return Smooth_Err_Raster_Overflow;
}
else
- width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
+ width = ( cbox.xMax - cbox.xMin ) >> 6;
if ( cbox.yMin < 0 && cbox.yMax > FT_INT_MAX + cbox.yMin )
{
@@ -161,7 +161,7 @@
return Smooth_Err_Raster_Overflow;
}
else
- height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
+ height = ( cbox.yMax - cbox.yMin ) >> 6;
bitmap = &slot->bitmap;
memory = render->root.memory;
@@ -223,7 +223,7 @@
/* Required check is ( pitch * height < FT_ULONG_MAX ), */
/* but we care realistic cases only. Always pitch <= width. */
- if ( width > 0x7FFFU || height > 0x7FFFU )
+ if ( width > 0x7FFF || height > 0x7FFF )
{
FT_ERROR(( "ft_smooth_render_generic: glyph too large: %u x %u\n",
width, height ));
freetype-2.4.6-CVE-2012-1132.patch:
psaux/psobjs.c | 4 ++--
type1/t1load.c | 39 ++++++++++++++++++++++++++-------------
2 files changed, 28 insertions(+), 15 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1132.patch ---
--- freetype-2.4.8/src/psaux/psobjs.c 2011-04-13 13:34:22.000000000 +0200
+++ freetype-2.4.8/src/psaux/psobjs.c 2012-03-30 14:35:25.000000000 +0200
@@ -4,7 +4,7 @@
/* */
/* Auxiliary functions for PostScript fonts (body). */
/* */
-/* Copyright 1996-2011 by */
+/* Copyright 1996-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -589,7 +589,7 @@
}
Exit:
- if ( cur == parser->cursor )
+ if ( cur < limit && cur == parser->cursor )
{
FT_ERROR(( "ps_parser_skip_PS_token:"
" current token is `%c' which is self-delimiting\n"
--- freetype-2.4.8/src/type1/t1load.c 2011-09-27 14:34:40.000000000 +0200
+++ freetype-2.4.8/src/type1/t1load.c 2012-03-30 14:35:57.000000000 +0200
@@ -71,6 +71,13 @@
#include "t1errors.h"
+#ifdef FT_CONFIG_OPTION_INCREMENTAL
+#define IS_INCREMENTAL ( face->root.internal->incremental_interface != 0 )
+#else
+#define IS_INCREMENTAL 0
+#endif
+
+
/*************************************************************************/
/* */
/* The macro FT_COMPONENT is used in trace mode. It is an implicit */
@@ -1030,7 +1037,8 @@
static int
read_binary_data( T1_Parser parser,
FT_Long* size,
- FT_Byte** base )
+ FT_Byte** base,
+ FT_Bool incremental )
{
FT_Byte* cur;
FT_Byte* limit = parser->root.limit;
@@ -1065,8 +1073,12 @@
}
}
- FT_ERROR(( "read_binary_data: invalid size field\n" ));
- parser->root.error = T1_Err_Invalid_File_Format;
+ if( !incremental )
+ {
+ FT_ERROR(( "read_binary_data: invalid size field\n" ));
+ parser->root.error = T1_Err_Invalid_File_Format;
+ }
+
return 0;
}
@@ -1387,15 +1399,17 @@
FT_Byte* base;
- /* If the next token isn't `dup' we are done. */
- if ( ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
+ /* If we are out of data, or if the next token isn't `dup', */
+ /* we are done. */
+ if ( parser->root.cursor + 4 >= parser->root.limit ||
+ ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
break;
T1_Skip_PS_Token( parser ); /* `dup' */
idx = T1_ToInt( parser );
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* The binary string is followed by one token, e.g. `NP' */
@@ -1407,7 +1421,8 @@
return;
T1_Skip_Spaces ( parser );
- if ( ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )
+ if ( parser->root.cursor + 4 < parser->root.limit &&
+ ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )
{
T1_Skip_PS_Token( parser ); /* skip `put' */
T1_Skip_Spaces ( parser );
@@ -1580,7 +1595,7 @@
cur++; /* skip `/' */
len = parser->root.cursor - cur;
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* for some non-standard fonts like `Optima' which provides */
@@ -1869,7 +1884,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -1882,7 +1897,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -2158,9 +2173,7 @@
type1->subrs_len = loader.subrs.lengths;
}
-#ifdef FT_CONFIG_OPTION_INCREMENTAL
- if ( !face->root.internal->incremental_interface )
-#endif
+ if ( !IS_INCREMENTAL )
if ( !loader.charstrings.init )
{
FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" ));
freetype-2.4.6-CVE-2012-1133.patch:
bdflib.c | 5 +++++
1 file changed, 5 insertions(+)
--- NEW FILE freetype-2.4.6-CVE-2012-1133.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:08:54.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:12:00.000000000 +0200
@@ -1587,6 +1587,11 @@
p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 );
+ /* Normalize negative encoding values. The specification only */
+ /* allows -1, but we can be more generous here. */
+ if ( p->glyph_enc < -1 )
+ p->glyph_enc = -1;
+
/* Check that the encoding is in the range [0,65536] because */
/* otherwise p->have (a bitmap with static size) overflows. */
if ( p->glyph_enc > 0 &&
freetype-2.4.6-CVE-2012-1134.patch:
t1parse.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1134.patch ---
--- a/src/type1/t1parse.c
+++ b/src/type1/t1parse.c
@@ -4,7 +4,7 @@
/* */
/* Type 1 parser (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008, 2009 by */
+/* Copyright 1996-2005, 2008, 2009, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -467,6 +467,14 @@
/* we now decrypt the encoded binary private dictionary */
psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U );
+ if ( parser->private_len < 4 )
+ {
+ FT_ERROR(( "T1_Get_Private_Dict:"
+ " invalid private dictionary section\n" ));
+ error = T1_Err_Invalid_File_Format;
+ goto Fail;
+ }
+
/* replace the four random bytes at the beginning with whitespace */
parser->private_dict[0] = ' ';
parser->private_dict[1] = ' ';
freetype-2.4.6-CVE-2012-1135.patch:
ttinterp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1135.patch ---
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4477,7 +4477,7 @@
CUR.length = opcode_length[CUR.opcode];
if ( CUR.length < 0 )
{
- if ( CUR.IP + 1 > CUR.codeSize )
+ if ( CUR.IP + 1 >= CUR.codeSize )
goto Fail_Overflow;
CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
}
@@ -7544,7 +7544,7 @@
if ( ( CUR.length = opcode_length[CUR.opcode] ) < 0 )
{
- if ( CUR.IP + 1 > CUR.codeSize )
+ if ( CUR.IP + 1 >= CUR.codeSize )
goto LErrorCodeOverflow_;
CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
freetype-2.4.6-CVE-2012-1136.patch:
bdflib.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1136.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:13:24.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:15:33.000000000 +0200
@@ -1749,12 +1749,7 @@
if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
- {
- /* Missing ENCODING field. */
- FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" ));
- error = BDF_Err_Missing_Encoding_Field;
- goto Exit;
- }
+ goto Missing_Encoding;
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
@@ -1769,6 +1764,9 @@
/* Expect the DWIDTH (scalable width) field next. */
if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 )
{
+ if ( !( p->flags & _BDF_ENCODING ) )
+ goto Missing_Encoding;
+
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
goto Exit;
@@ -1794,6 +1792,9 @@
/* Expect the BBX field next. */
if ( ft_memcmp( line, "BBX", 3 ) == 0 )
{
+ if ( !( p->flags & _BDF_ENCODING ) )
+ goto Missing_Encoding;
+
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
goto Exit;
@@ -1893,6 +1894,12 @@
}
error = BDF_Err_Invalid_File_Format;
+ goto Exit;
+
+ Missing_Encoding:
+ /* Missing ENCODING field. */
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" ));
+ error = BDF_Err_Missing_Encoding_Field;
Exit:
if ( error && ( p->flags & _BDF_GLYPH ) )
freetype-2.4.6-CVE-2012-1137.patch:
bdflib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1137.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -462,7 +462,7 @@
if ( num_items > list->size )
{
unsigned long oldsize = list->size; /* same as _bdf_list_t.size */
- unsigned long newsize = oldsize + ( oldsize >> 1 ) + 4;
+ unsigned long newsize = oldsize + ( oldsize >> 1 ) + 5;
unsigned long bigsize = (unsigned long)( FT_INT_MAX / sizeof ( char* ) );
FT_Memory memory = list->memory;
freetype-2.4.6-CVE-2012-1138.patch:
ttinterp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1138.patch ---
--- a/src/truetype/ttinterp.c 2012-03-28 13:16:19.000000000 +0200
+++ b/src/truetype/ttinterp.c 2012-03-28 13:19:39.000000000 +0200
@@ -6223,7 +6223,7 @@
TT_MulFix14( (FT_UInt32)cvt_dist,
CUR.GS.freeVector.y );
- CUR.zp1.cur[point] = CUR.zp0.cur[point];
+ CUR.zp1.cur[point] = CUR.zp1.org[point];
}
org_dist = CUR_Func_dualproj( &CUR.zp1.org[point],
freetype-2.4.6-CVE-2012-1139.patch:
bdflib.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1139.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:24:22.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:24:22.000000000 +0200
@@ -791,7 +791,7 @@
};
-#define isdigok( m, d ) (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
+#define isdigok( m, d ) (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
/* Routine to convert an ASCII string into an unsigned long integer. */
@@ -1709,7 +1709,7 @@
for ( i = 0; i < nibbles; i++ )
{
c = line[i];
- if ( !c )
+ if ( !isdigok( hdigits, c ) )
break;
*bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] );
if ( i + 1 < nibbles && ( i & 1 ) )
@@ -1732,9 +1732,9 @@
*bp &= nibble_mask[mask_index];
/* If any line has extra columns, indicate they have been removed. */
- if ( i == nibbles &&
- ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
- !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
+ if ( i == nibbles &&
+ isdigok( hdigits, line[nibbles] ) &&
+ !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
{
FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding ));
p->flags |= _BDF_GLYPH_WIDTH_CHECK;
freetype-2.4.6-CVE-2012-1140.patch:
psconv.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1140.patch ---
--- a/src/psaux/psconv.c
+++ b/src/psaux/psconv.c
@@ -4,7 +4,7 @@
/* */
/* Some convenience conversions (body). */
/* */
-/* Copyright 2006, 2008, 2009 by */
+/* Copyright 2006, 2008, 2009, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -79,7 +79,7 @@
FT_Bool sign = 0;
- if ( p == limit || base < 2 || base > 36 )
+ if ( p >= limit || base < 2 || base > 36 )
return 0;
if ( *p == '-' || *p == '+' )
@@ -150,7 +150,7 @@
FT_Bool sign = 0;
- if ( p == limit )
+ if ( p >= limit )
return 0;
if ( *p == '-' || *p == '+' )
@@ -346,7 +346,11 @@
#if 1
- p = *cursor;
+ p = *cursor;
+
+ if ( p >= limit )
+ return 0;
+
if ( n > (FT_UInt)( limit - p ) )
n = (FT_UInt)( limit - p );
@@ -434,6 +438,10 @@
#if 1
p = *cursor;
+
+ if ( p >= limit )
+ return 0;
+
if ( n > (FT_UInt)(limit - p) )
n = (FT_UInt)(limit - p);
freetype-2.4.6-CVE-2012-1141.patch:
bdflib.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- NEW FILE freetype-2.4.6-CVE-2012-1141.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:25:37.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:25:37.000000000 +0200
@@ -521,6 +521,14 @@
/* Initialize the list. */
list->used = 0;
+ if ( list->size )
+ {
+ list->field[0] = (char*)empty;
+ list->field[1] = (char*)empty;
+ list->field[2] = (char*)empty;
+ list->field[3] = (char*)empty;
+ list->field[4] = (char*)empty;
+ }
/* If the line is empty, then simply return. */
if ( linelen == 0 || line[0] == 0 )
freetype-2.4.6-CVE-2012-1142.patch:
winfnt.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1142.patch ---
--- a/src/winfonts/winfnt.c 2010-09-11 08:06:45.000000000 +0200
+++ b/src/winfonts/winfnt.c 2012-03-28 13:21:18.000000000 +0200
@@ -4,7 +4,7 @@
/* */
/* FreeType font driver for Windows FNT/FON files */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2006, 2007, 2008, 2009, 2010 by */
+/* Copyright 1996-2004, 2006-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* Copyright 2003 Huw D M Davies for Codeweavers */
/* Copyright 2007 Dmitry Timoshkov for Codeweavers */
@@ -827,7 +827,14 @@
root->charmap = root->charmaps[0];
}
- /* setup remaining flags */
+ /* set up remaining flags */
+
+ if ( font->header.last_char < font->header.first_char )
+ {
+ FT_TRACE2(( "invalid number of glyphs\n" ));
+ error = FNT_Err_Invalid_File_Format;
+ goto Fail;
+ }
/* reserve one slot for the .notdef glyph at index 0 */
root->num_glyphs = font->header.last_char -
freetype-2.4.6-CVE-2012-1143.patch:
ftcalc.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1143.patch ---
--- a/src/base/ftcalc.c
+++ b/src/base/ftcalc.c
@@ -4,7 +4,7 @@
/* */
/* Arithmetic computations (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2008 by */
+/* Copyright 1996-2006, 2008, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -307,7 +307,7 @@
q <<= 1;
r |= lo >> 31;
- if ( r >= (FT_UInt32)y )
+ if ( r >= y )
{
r -= y;
q |= 1;
@@ -373,7 +373,7 @@
if ( a <= 46340L && b <= 46340L && c <= 176095L && c > 0 )
a = ( a * b + ( c >> 1 ) ) / c;
- else if ( c > 0 )
+ else if ( (FT_Int32)c > 0 )
{
FT_Int64 temp, temp2;
@@ -412,7 +412,7 @@
if ( a <= 46340L && b <= 46340L && c > 0 )
a = a * b / c;
- else if ( c > 0 )
+ else if ( (FT_Int32)c > 0 )
{
FT_Int64 temp;
@@ -544,7 +544,7 @@
s = (FT_Int32)a; a = FT_ABS( a );
s ^= (FT_Int32)b; b = FT_ABS( b );
- if ( b == 0 )
+ if ( (FT_UInt32)b == 0 )
{
/* check for division by 0 */
q = (FT_UInt32)0x7FFFFFFFL;
@@ -552,15 +552,16 @@
else if ( ( a >> 16 ) == 0 )
{
/* compute result directly */
- q = (FT_UInt32)( (a << 16) + (b >> 1) ) / (FT_UInt32)b;
+ q = (FT_UInt32)( ( a << 16 ) + ( b >> 1 ) ) / (FT_UInt32)b;
}
else
{
/* we need more bits; we have to do it by hand */
FT_Int64 temp, temp2;
- temp.hi = (FT_Int32) (a >> 16);
- temp.lo = (FT_UInt32)(a << 16);
+
+ temp.hi = (FT_Int32) ( a >> 16 );
+ temp.lo = (FT_UInt32)( a << 16 );
temp2.hi = 0;
temp2.lo = (FT_UInt32)( b >> 1 );
FT_Add64( &temp, &temp2, &temp );
freetype-2.4.6-CVE-2012-1144.patch:
ttgload.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.6-CVE-2012-1144.patch ---
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -362,14 +362,17 @@
if ( n_contours >= 0xFFF || p + ( n_contours + 1 ) * 2 > limit )
goto Invalid_Outline;
- prev_cont = FT_NEXT_USHORT( p );
+ prev_cont = FT_NEXT_SHORT( p );
if ( n_contours > 0 )
cont[0] = prev_cont;
+ if ( prev_cont < 0 )
+ goto Invalid_Outline;
+
for ( cont++; cont < cont_limit; cont++ )
{
- cont[0] = FT_NEXT_USHORT( p );
+ cont[0] = FT_NEXT_SHORT( p );
if ( cont[0] <= prev_cont )
{
/* unordered contours: this is invalid */
freetype-2.4.6-bdf-overflow.patch:
bdflib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.6-bdf-overflow.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1912,7 +1912,7 @@
glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
bitmap_size = glyph->bpr * glyph->bbx.height;
- if ( bitmap_size > 0xFFFFU )
+ if ( glyph->bpr > 0xFFFFU || bitmap_size > 0xFFFFU )
{
FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
error = BDF_Err_Bbx_Too_Big;
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-16/freetype-freeworld.spec,v
retrieving revision 1.20
retrieving revision 1.21
diff -u -r1.20 -r1.21
--- freetype-freeworld.spec 17 Nov 2011 17:13:05 -0000 1.20
+++ freetype-freeworld.spec 2 Apr 2012 00:38:09 -0000 1.21
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.4.6
-Release: 4%{?dist}
+Release: 5%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -16,6 +16,25 @@
Patch89: freetype-2.4.2-CVE-2010-3311.patch
Patch90: freetype-2.4.6-CVE-2011-3256.patch
Patch91: freetype-2.4.6-CVE-2011-3439.patch
+Patch92: freetype-2.4.6-CVE-2012-1126.patch
+Patch93: freetype-2.4.6-CVE-2012-1127.patch
+Patch94: freetype-2.4.6-CVE-2012-1128.patch
+Patch95: freetype-2.4.6-CVE-2012-1130.patch
+Patch96: freetype-2.4.6-CVE-2012-1131.patch
+Patch97: freetype-2.4.6-CVE-2012-1132.patch
+Patch98: freetype-2.4.6-CVE-2012-1133.patch
+Patch99: freetype-2.4.6-CVE-2012-1134.patch
+Patch100: freetype-2.4.6-CVE-2012-1135.patch
+Patch101: freetype-2.4.6-CVE-2012-1136.patch
+Patch102: freetype-2.4.6-CVE-2012-1137.patch
+Patch103: freetype-2.4.6-CVE-2012-1138.patch
+Patch104: freetype-2.4.6-CVE-2012-1139.patch
+Patch105: freetype-2.4.6-CVE-2012-1140.patch
+Patch106: freetype-2.4.6-CVE-2012-1141.patch
+Patch107: freetype-2.4.6-CVE-2012-1142.patch
+Patch108: freetype-2.4.6-CVE-2012-1143.patch
+Patch109: freetype-2.4.6-CVE-2012-1144.patch
+Patch110: freetype-2.4.6-bdf-overflow.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
@@ -47,6 +66,25 @@
%patch89 -p1 -b .CVE-2010-3311
%patch90 -p1 -b .CVE-2011-3256
%patch91 -p1 -b .CVE-2011-3439
+%patch92 -p1 -b .CVE-2012-1126
+%patch93 -p1 -b .CVE-2012-1127
+%patch94 -p1 -b .CVE-2012-1128
+%patch95 -p1 -b .CVE-2012-1130
+%patch96 -p1 -b .CVE-2012-1131
+%patch97 -p1 -b .CVE-2012-1132
+%patch98 -p1 -b .CVE-2012-1133
+%patch99 -p1 -b .CVE-2012-1134
+%patch100 -p1 -b .CVE-2012-1135
+%patch101 -p1 -b .CVE-2012-1136
+%patch102 -p1 -b .CVE-2012-1137
+%patch103 -p1 -b .CVE-2012-1138
+%patch104 -p1 -b .CVE-2012-1139
+%patch105 -p1 -b .CVE-2012-1140
+%patch106 -p1 -b .CVE-2012-1141
+%patch107 -p1 -b .CVE-2012-1142
+%patch108 -p1 -b .CVE-2012-1143
+%patch109 -p1 -b .CVE-2012-1144
+%patch110 -p1 -b .bdf-overflow
%build
@@ -91,6 +129,9 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.6-5
+- Add security patches from Fedora freetype-2.4.6-5 (rh#806270)
+
* Thu Nov 17 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.6-4
- Add freetype-2.4.6-CVE-2011-3439.patch from Fedora freetype (rh#753837)
12 years
- 1
- 0
rpms/freetype-freeworld/F-17 freetype-2.4.8-CVE-2012-1126.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1127.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1128.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1130.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1131.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1132.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1133.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1134.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1135.patch, NONE, 1.1 freetype-2.4.8-CVE-2012-1136.patch, NONE, 1.1 freetype-2.4.8-CVE-2012
by Kevin Kofler
Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/F-17
In directory se02.es.rpmfusion.net:/tmp/cvs-serv28535/F-17
Modified Files:
freetype-freeworld.spec
Added Files:
freetype-2.4.8-CVE-2012-1126.patch
freetype-2.4.8-CVE-2012-1127.patch
freetype-2.4.8-CVE-2012-1128.patch
freetype-2.4.8-CVE-2012-1130.patch
freetype-2.4.8-CVE-2012-1131.patch
freetype-2.4.8-CVE-2012-1132.patch
freetype-2.4.8-CVE-2012-1133.patch
freetype-2.4.8-CVE-2012-1134.patch
freetype-2.4.8-CVE-2012-1135.patch
freetype-2.4.8-CVE-2012-1136.patch
freetype-2.4.8-CVE-2012-1137.patch
freetype-2.4.8-CVE-2012-1138.patch
freetype-2.4.8-CVE-2012-1139.patch
freetype-2.4.8-CVE-2012-1140.patch
freetype-2.4.8-CVE-2012-1141.patch
freetype-2.4.8-CVE-2012-1142.patch
freetype-2.4.8-CVE-2012-1143.patch
freetype-2.4.8-CVE-2012-1144.patch
freetype-2.4.8-bdf-overflow.patch
Log Message:
* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.8-3
- Add security patches from Fedora freetype-2.4.8-3 (rh#806270)
freetype-2.4.8-CVE-2012-1126.patch:
bdflib.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1126.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1,6 +1,6 @@
/*
* Copyright 2000 Computing Research Labs, New Mexico State University
- * Copyright 2001-2011
+ * Copyright 2001-2012
* Francesco Zappa Nardelli
*
* Permission is hereby granted, free of charge, to any person obtaining a
@@ -1254,7 +1254,8 @@
ep = line + linelen;
/* Trim the leading whitespace if it exists. */
- *sp++ = 0;
+ if ( *sp )
+ *sp++ = 0;
while ( *sp &&
( *sp == ' ' || *sp == '\t' ) )
sp++;
freetype-2.4.8-CVE-2012-1127.patch:
bdflib.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1127.patch ---
--- a/src/bdf/bdflib.c 2012-03-30 13:06:25.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-30 13:08:00.000000000 +0200
@@ -1098,6 +1098,7 @@
#define ACMSG13 "Glyph %ld extra rows removed.\n"
#define ACMSG14 "Glyph %ld extra columns removed.\n"
#define ACMSG15 "Incorrect glyph count: %ld indicated but %ld found.\n"
+#define ACMSG16 "Glyph %ld missing columns padded with zero bits.\n"
/* Error messages. */
#define ERRMSG1 "[line %ld] Missing \"%s\" line.\n"
@@ -1703,18 +1704,31 @@
for ( i = 0; i < nibbles; i++ )
{
c = line[i];
+ if ( !c )
+ break;
*bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] );
if ( i + 1 < nibbles && ( i & 1 ) )
*++bp = 0;
}
+ /* If any line has not enough columns, */
+ /* indicate they have been padded with zero bits. */
+ if ( i < nibbles &&
+ !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
+ {
+ FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG16, glyph->encoding ));
+ p->flags |= _BDF_GLYPH_WIDTH_CHECK;
+ font->modified = 1;
+ }
+
/* Remove possible garbage at the right. */
mask_index = ( glyph->bbx.width * p->font->bpp ) & 7;
if ( glyph->bbx.width )
*bp &= nibble_mask[mask_index];
/* If any line has extra columns, indicate they have been removed. */
- if ( ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
+ if ( i == nibbles &&
+ ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
!( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
{
FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding ));
freetype-2.4.8-CVE-2012-1128.patch:
ttinterp.c | 21 ++++++---------------
1 file changed, 6 insertions(+), 15 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1128.patch ---
--- a/src/truetype/ttinterp.c 2011-01-31 21:45:29.000000000 +0100
+++ b/src/truetype/ttinterp.c 2012-03-28 13:07:28.000000000 +0200
@@ -5788,7 +5788,7 @@
FT_F26Dot6 dx,
dy;
- FT_UShort last_point, i;
+ FT_UShort limit, i;
if ( BOUNDS( args[0], 2 ) )
@@ -5805,24 +5805,15 @@
/* Twilight zone has no contours, so use `n_points'. */
/* Normal zone's `n_points' includes phantoms, so must */
/* use end of last contour. */
- if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
- last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
+ if ( CUR.GS.gep2 == 0 )
+ limit = (FT_UShort)CUR.zp2.n_points;
else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
- {
- last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
-
- if ( BOUNDS( last_point, CUR.zp2.n_points ) )
- {
- if ( CUR.pedantic_hinting )
- CUR.error = TT_Err_Invalid_Reference;
- return;
- }
- }
+ limit = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] + 1 );
else
- last_point = 0;
+ limit = 0;
/* XXX: UNDOCUMENTED! SHZ doesn't touch the points */
- for ( i = 0; i <= last_point; i++ )
+ for ( i = 0; i < limit; i++ )
{
if ( zp.cur != CUR.zp2.cur || refp != i )
MOVE_Zp2_Point( i, dx, dy, FALSE );
freetype-2.4.8-CVE-2012-1130.patch:
pcfread.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1130.patch ---
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -2,8 +2,7 @@
FreeType font driver for pcf fonts
- Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
- 2010 by
+ Copyright 2000-2010, 2012 by
Francesco Zappa Nardelli
Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -496,7 +495,8 @@ THE SOFTWARE.
goto Bail;
}
- if ( FT_NEW_ARRAY( strings, string_size ) )
+ /* allocate one more byte so that we have a final null byte */
+ if ( FT_NEW_ARRAY( strings, string_size + 1 ) )
goto Bail;
error = FT_Stream_Read( stream, (FT_Byte*)strings, string_size );
freetype-2.4.8-CVE-2012-1131.patch:
ftsmooth.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1131.patch ---
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -4,7 +4,7 @@
/* */
/* Anti-aliasing renderer interface (body). */
/* */
-/* Copyright 2000-2006, 2009-2011 by */
+/* Copyright 2000-2006, 2009-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -105,9 +105,9 @@
FT_Error error;
FT_Outline* outline = NULL;
FT_BBox cbox;
- FT_UInt width, height, pitch;
+ FT_Pos width, height, pitch;
#ifndef FT_CONFIG_OPTION_SUBPIXEL_RENDERING
- FT_UInt height_org, width_org;
+ FT_Pos height_org, width_org;
#endif
FT_Bitmap* bitmap;
FT_Memory memory;
@@ -151,7 +151,7 @@
return Smooth_Err_Raster_Overflow;
}
else
- width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
+ width = ( cbox.xMax - cbox.xMin ) >> 6;
if ( cbox.yMin < 0 && cbox.yMax > FT_INT_MAX + cbox.yMin )
{
@@ -161,7 +161,7 @@
return Smooth_Err_Raster_Overflow;
}
else
- height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
+ height = ( cbox.yMax - cbox.yMin ) >> 6;
bitmap = &slot->bitmap;
memory = render->root.memory;
@@ -223,7 +223,7 @@
/* Required check is ( pitch * height < FT_ULONG_MAX ), */
/* but we care realistic cases only. Always pitch <= width. */
- if ( width > 0x7FFFU || height > 0x7FFFU )
+ if ( width > 0x7FFF || height > 0x7FFF )
{
FT_ERROR(( "ft_smooth_render_generic: glyph too large: %u x %u\n",
width, height ));
freetype-2.4.8-CVE-2012-1132.patch:
psaux/psobjs.c | 4 ++--
type1/t1load.c | 39 ++++++++++++++++++++++++++-------------
2 files changed, 28 insertions(+), 15 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1132.patch ---
--- freetype-2.4.8/src/psaux/psobjs.c 2011-04-13 13:34:22.000000000 +0200
+++ freetype-2.4.8/src/psaux/psobjs.c 2012-03-30 14:35:25.000000000 +0200
@@ -4,7 +4,7 @@
/* */
/* Auxiliary functions for PostScript fonts (body). */
/* */
-/* Copyright 1996-2011 by */
+/* Copyright 1996-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -589,7 +589,7 @@
}
Exit:
- if ( cur == parser->cursor )
+ if ( cur < limit && cur == parser->cursor )
{
FT_ERROR(( "ps_parser_skip_PS_token:"
" current token is `%c' which is self-delimiting\n"
--- freetype-2.4.8/src/type1/t1load.c 2011-09-27 14:34:40.000000000 +0200
+++ freetype-2.4.8/src/type1/t1load.c 2012-03-30 14:35:57.000000000 +0200
@@ -71,6 +71,13 @@
#include "t1errors.h"
+#ifdef FT_CONFIG_OPTION_INCREMENTAL
+#define IS_INCREMENTAL ( face->root.internal->incremental_interface != 0 )
+#else
+#define IS_INCREMENTAL 0
+#endif
+
+
/*************************************************************************/
/* */
/* The macro FT_COMPONENT is used in trace mode. It is an implicit */
@@ -1030,7 +1037,8 @@
static int
read_binary_data( T1_Parser parser,
FT_Long* size,
- FT_Byte** base )
+ FT_Byte** base,
+ FT_Bool incremental )
{
FT_Byte* cur;
FT_Byte* limit = parser->root.limit;
@@ -1065,8 +1073,12 @@
}
}
- FT_ERROR(( "read_binary_data: invalid size field\n" ));
- parser->root.error = T1_Err_Invalid_File_Format;
+ if( !incremental )
+ {
+ FT_ERROR(( "read_binary_data: invalid size field\n" ));
+ parser->root.error = T1_Err_Invalid_File_Format;
+ }
+
return 0;
}
@@ -1387,15 +1399,17 @@
FT_Byte* base;
- /* If the next token isn't `dup' we are done. */
- if ( ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
+ /* If we are out of data, or if the next token isn't `dup', */
+ /* we are done. */
+ if ( parser->root.cursor + 4 >= parser->root.limit ||
+ ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
break;
T1_Skip_PS_Token( parser ); /* `dup' */
idx = T1_ToInt( parser );
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* The binary string is followed by one token, e.g. `NP' */
@@ -1407,7 +1421,8 @@
return;
T1_Skip_Spaces ( parser );
- if ( ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )
+ if ( parser->root.cursor + 4 < parser->root.limit &&
+ ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )
{
T1_Skip_PS_Token( parser ); /* skip `put' */
T1_Skip_Spaces ( parser );
@@ -1580,7 +1595,7 @@
cur++; /* skip `/' */
len = parser->root.cursor - cur;
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* for some non-standard fonts like `Optima' which provides */
@@ -1869,7 +1884,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -1882,7 +1897,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -2158,9 +2173,7 @@
type1->subrs_len = loader.subrs.lengths;
}
-#ifdef FT_CONFIG_OPTION_INCREMENTAL
- if ( !face->root.internal->incremental_interface )
-#endif
+ if ( !IS_INCREMENTAL )
if ( !loader.charstrings.init )
{
FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" ));
freetype-2.4.8-CVE-2012-1133.patch:
bdflib.c | 5 +++++
1 file changed, 5 insertions(+)
--- NEW FILE freetype-2.4.8-CVE-2012-1133.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:08:54.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:12:00.000000000 +0200
@@ -1587,6 +1587,11 @@
p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 );
+ /* Normalize negative encoding values. The specification only */
+ /* allows -1, but we can be more generous here. */
+ if ( p->glyph_enc < -1 )
+ p->glyph_enc = -1;
+
/* Check that the encoding is in the range [0,65536] because */
/* otherwise p->have (a bitmap with static size) overflows. */
if ( p->glyph_enc > 0 &&
freetype-2.4.8-CVE-2012-1134.patch:
t1parse.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1134.patch ---
--- a/src/type1/t1parse.c
+++ b/src/type1/t1parse.c
@@ -4,7 +4,7 @@
/* */
/* Type 1 parser (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008, 2009 by */
+/* Copyright 1996-2005, 2008, 2009, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -467,6 +467,14 @@
/* we now decrypt the encoded binary private dictionary */
psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U );
+ if ( parser->private_len < 4 )
+ {
+ FT_ERROR(( "T1_Get_Private_Dict:"
+ " invalid private dictionary section\n" ));
+ error = T1_Err_Invalid_File_Format;
+ goto Fail;
+ }
+
/* replace the four random bytes at the beginning with whitespace */
parser->private_dict[0] = ' ';
parser->private_dict[1] = ' ';
freetype-2.4.8-CVE-2012-1135.patch:
ttinterp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1135.patch ---
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4477,7 +4477,7 @@
CUR.length = opcode_length[CUR.opcode];
if ( CUR.length < 0 )
{
- if ( CUR.IP + 1 > CUR.codeSize )
+ if ( CUR.IP + 1 >= CUR.codeSize )
goto Fail_Overflow;
CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
}
@@ -7544,7 +7544,7 @@
if ( ( CUR.length = opcode_length[CUR.opcode] ) < 0 )
{
- if ( CUR.IP + 1 > CUR.codeSize )
+ if ( CUR.IP + 1 >= CUR.codeSize )
goto LErrorCodeOverflow_;
CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
freetype-2.4.8-CVE-2012-1136.patch:
bdflib.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1136.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:13:24.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:15:33.000000000 +0200
@@ -1749,12 +1749,7 @@
if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
- {
- /* Missing ENCODING field. */
- FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" ));
- error = BDF_Err_Missing_Encoding_Field;
- goto Exit;
- }
+ goto Missing_Encoding;
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
@@ -1769,6 +1764,9 @@
/* Expect the DWIDTH (scalable width) field next. */
if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 )
{
+ if ( !( p->flags & _BDF_ENCODING ) )
+ goto Missing_Encoding;
+
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
goto Exit;
@@ -1794,6 +1792,9 @@
/* Expect the BBX field next. */
if ( ft_memcmp( line, "BBX", 3 ) == 0 )
{
+ if ( !( p->flags & _BDF_ENCODING ) )
+ goto Missing_Encoding;
+
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
goto Exit;
@@ -1893,6 +1894,12 @@
}
error = BDF_Err_Invalid_File_Format;
+ goto Exit;
+
+ Missing_Encoding:
+ /* Missing ENCODING field. */
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" ));
+ error = BDF_Err_Missing_Encoding_Field;
Exit:
if ( error && ( p->flags & _BDF_GLYPH ) )
freetype-2.4.8-CVE-2012-1137.patch:
bdflib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1137.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -462,7 +462,7 @@
if ( num_items > list->size )
{
unsigned long oldsize = list->size; /* same as _bdf_list_t.size */
- unsigned long newsize = oldsize + ( oldsize >> 1 ) + 4;
+ unsigned long newsize = oldsize + ( oldsize >> 1 ) + 5;
unsigned long bigsize = (unsigned long)( FT_INT_MAX / sizeof ( char* ) );
FT_Memory memory = list->memory;
freetype-2.4.8-CVE-2012-1138.patch:
ttinterp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1138.patch ---
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -6264,7 +6264,7 @@
CUR.zp1.org[point].y = CUR.zp0.org[CUR.GS.rp0].y +
TT_MulFix14( (FT_UInt32)cvt_dist,
CUR.GS.freeVector.y );
- CUR.zp1.cur[point] = CUR.zp0.cur[point];
+ CUR.zp1.cur[point] = CUR.zp1.org[point];
}
org_dist = CUR_Func_dualproj( &CUR.zp1.org[point],
freetype-2.4.8-CVE-2012-1139.patch:
bdflib.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1139.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:24:22.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:24:22.000000000 +0200
@@ -791,7 +791,7 @@
};
-#define isdigok( m, d ) (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
+#define isdigok( m, d ) (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
/* Routine to convert an ASCII string into an unsigned long integer. */
@@ -1709,7 +1709,7 @@
for ( i = 0; i < nibbles; i++ )
{
c = line[i];
- if ( !c )
+ if ( !isdigok( hdigits, c ) )
break;
*bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] );
if ( i + 1 < nibbles && ( i & 1 ) )
@@ -1732,9 +1732,9 @@
*bp &= nibble_mask[mask_index];
/* If any line has extra columns, indicate they have been removed. */
- if ( i == nibbles &&
- ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
- !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
+ if ( i == nibbles &&
+ isdigok( hdigits, line[nibbles] ) &&
+ !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
{
FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding ));
p->flags |= _BDF_GLYPH_WIDTH_CHECK;
freetype-2.4.8-CVE-2012-1140.patch:
psconv.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1140.patch ---
--- a/src/psaux/psconv.c
+++ b/src/psaux/psconv.c
@@ -4,7 +4,7 @@
/* */
/* Some convenience conversions (body). */
/* */
-/* Copyright 2006, 2008, 2009 by */
+/* Copyright 2006, 2008, 2009, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -79,7 +79,7 @@
FT_Bool sign = 0;
- if ( p == limit || base < 2 || base > 36 )
+ if ( p >= limit || base < 2 || base > 36 )
return 0;
if ( *p == '-' || *p == '+' )
@@ -150,7 +150,7 @@
FT_Bool sign = 0;
- if ( p == limit )
+ if ( p >= limit )
return 0;
if ( *p == '-' || *p == '+' )
@@ -346,7 +346,11 @@
#if 1
- p = *cursor;
+ p = *cursor;
+
+ if ( p >= limit )
+ return 0;
+
if ( n > (FT_UInt)( limit - p ) )
n = (FT_UInt)( limit - p );
@@ -434,6 +438,10 @@
#if 1
p = *cursor;
+
+ if ( p >= limit )
+ return 0;
+
if ( n > (FT_UInt)(limit - p) )
n = (FT_UInt)(limit - p);
freetype-2.4.8-CVE-2012-1141.patch:
bdflib.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- NEW FILE freetype-2.4.8-CVE-2012-1141.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:25:37.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:25:37.000000000 +0200
@@ -521,6 +521,14 @@
/* Initialize the list. */
list->used = 0;
+ if ( list->size )
+ {
+ list->field[0] = (char*)empty;
+ list->field[1] = (char*)empty;
+ list->field[2] = (char*)empty;
+ list->field[3] = (char*)empty;
+ list->field[4] = (char*)empty;
+ }
/* If the line is empty, then simply return. */
if ( linelen == 0 || line[0] == 0 )
freetype-2.4.8-CVE-2012-1142.patch:
winfnt.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1142.patch ---
--- a/src/winfonts/winfnt.c 2010-09-11 08:06:45.000000000 +0200
+++ b/src/winfonts/winfnt.c 2012-03-28 13:21:18.000000000 +0200
@@ -4,7 +4,7 @@
/* */
/* FreeType font driver for Windows FNT/FON files */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2006, 2007, 2008, 2009, 2010 by */
+/* Copyright 1996-2004, 2006-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* Copyright 2003 Huw D M Davies for Codeweavers */
/* Copyright 2007 Dmitry Timoshkov for Codeweavers */
@@ -827,7 +827,14 @@
root->charmap = root->charmaps[0];
}
- /* setup remaining flags */
+ /* set up remaining flags */
+
+ if ( font->header.last_char < font->header.first_char )
+ {
+ FT_TRACE2(( "invalid number of glyphs\n" ));
+ error = FNT_Err_Invalid_File_Format;
+ goto Fail;
+ }
/* reserve one slot for the .notdef glyph at index 0 */
root->num_glyphs = font->header.last_char -
freetype-2.4.8-CVE-2012-1143.patch:
ftcalc.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1143.patch ---
--- a/src/base/ftcalc.c
+++ b/src/base/ftcalc.c
@@ -4,7 +4,7 @@
/* */
/* Arithmetic computations (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2008 by */
+/* Copyright 1996-2006, 2008, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -307,7 +307,7 @@
q <<= 1;
r |= lo >> 31;
- if ( r >= (FT_UInt32)y )
+ if ( r >= y )
{
r -= y;
q |= 1;
@@ -373,7 +373,7 @@
if ( a <= 46340L && b <= 46340L && c <= 176095L && c > 0 )
a = ( a * b + ( c >> 1 ) ) / c;
- else if ( c > 0 )
+ else if ( (FT_Int32)c > 0 )
{
FT_Int64 temp, temp2;
@@ -412,7 +412,7 @@
if ( a <= 46340L && b <= 46340L && c > 0 )
a = a * b / c;
- else if ( c > 0 )
+ else if ( (FT_Int32)c > 0 )
{
FT_Int64 temp;
@@ -544,7 +544,7 @@
s = (FT_Int32)a; a = FT_ABS( a );
s ^= (FT_Int32)b; b = FT_ABS( b );
- if ( b == 0 )
+ if ( (FT_UInt32)b == 0 )
{
/* check for division by 0 */
q = (FT_UInt32)0x7FFFFFFFL;
@@ -552,15 +552,16 @@
else if ( ( a >> 16 ) == 0 )
{
/* compute result directly */
- q = (FT_UInt32)( (a << 16) + (b >> 1) ) / (FT_UInt32)b;
+ q = (FT_UInt32)( ( a << 16 ) + ( b >> 1 ) ) / (FT_UInt32)b;
}
else
{
/* we need more bits; we have to do it by hand */
FT_Int64 temp, temp2;
- temp.hi = (FT_Int32) (a >> 16);
- temp.lo = (FT_UInt32)(a << 16);
+
+ temp.hi = (FT_Int32) ( a >> 16 );
+ temp.lo = (FT_UInt32)( a << 16 );
temp2.hi = 0;
temp2.lo = (FT_UInt32)( b >> 1 );
FT_Add64( &temp, &temp2, &temp );
freetype-2.4.8-CVE-2012-1144.patch:
ttgload.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1144.patch ---
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -362,14 +362,17 @@
if ( n_contours >= 0xFFF || p + ( n_contours + 1 ) * 2 > limit )
goto Invalid_Outline;
- prev_cont = FT_NEXT_USHORT( p );
+ prev_cont = FT_NEXT_SHORT( p );
if ( n_contours > 0 )
cont[0] = prev_cont;
+ if ( prev_cont < 0 )
+ goto Invalid_Outline;
+
for ( cont++; cont < cont_limit; cont++ )
{
- cont[0] = FT_NEXT_USHORT( p );
+ cont[0] = FT_NEXT_SHORT( p );
if ( cont[0] <= prev_cont )
{
/* unordered contours: this is invalid */
freetype-2.4.8-bdf-overflow.patch:
bdflib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.8-bdf-overflow.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1912,7 +1912,7 @@
glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
bitmap_size = glyph->bpr * glyph->bbx.height;
- if ( bitmap_size > 0xFFFFU )
+ if ( glyph->bpr > 0xFFFFU || bitmap_size > 0xFFFFU )
{
FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
error = BDF_Err_Bbx_Too_Big;
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-17/freetype-freeworld.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- freetype-freeworld.spec 23 Nov 2011 15:59:05 -0000 1.23
+++ freetype-freeworld.spec 2 Apr 2012 00:32:55 -0000 1.24
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.4.8
-Release: 2%{?dist}
+Release: 3%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -12,6 +12,27 @@
# Enable otvalid and gxvalid modules
Patch46: freetype-2.2.1-enable-valid.patch
+# Security patches
+Patch89: freetype-2.4.8-CVE-2012-1126.patch
+Patch90: freetype-2.4.8-CVE-2012-1127.patch
+Patch91: freetype-2.4.8-CVE-2012-1128.patch
+Patch92: freetype-2.4.8-CVE-2012-1130.patch
+Patch93: freetype-2.4.8-CVE-2012-1131.patch
+Patch94: freetype-2.4.8-CVE-2012-1132.patch
+Patch95: freetype-2.4.8-CVE-2012-1133.patch
+Patch96: freetype-2.4.8-CVE-2012-1134.patch
+Patch97: freetype-2.4.8-CVE-2012-1135.patch
+Patch98: freetype-2.4.8-CVE-2012-1136.patch
+Patch99: freetype-2.4.8-CVE-2012-1137.patch
+Patch100: freetype-2.4.8-CVE-2012-1138.patch
+Patch101: freetype-2.4.8-CVE-2012-1139.patch
+Patch102: freetype-2.4.8-CVE-2012-1140.patch
+Patch103: freetype-2.4.8-CVE-2012-1141.patch
+Patch104: freetype-2.4.8-CVE-2012-1142.patch
+Patch105: freetype-2.4.8-CVE-2012-1143.patch
+Patch106: freetype-2.4.8-CVE-2012-1144.patch
+Patch107: freetype-2.4.8-bdf-overflow.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
Provides: freetype-bytecode
@@ -39,6 +60,26 @@
%patch46 -p1 -b .enable-valid
+%patch89 -p1 -b .CVE-2012-1126
+%patch90 -p1 -b .CVE-2012-1127
+%patch91 -p1 -b .CVE-2012-1128
+%patch92 -p1 -b .CVE-2012-1130
+%patch93 -p1 -b .CVE-2012-1131
+%patch94 -p1 -b .CVE-2012-1132
+%patch95 -p1 -b .CVE-2012-1133
+%patch96 -p1 -b .CVE-2012-1134
+%patch97 -p1 -b .CVE-2012-1135
+%patch98 -p1 -b .CVE-2012-1136
+%patch99 -p1 -b .CVE-2012-1137
+%patch100 -p1 -b .CVE-2012-1138
+%patch101 -p1 -b .CVE-2012-1139
+%patch102 -p1 -b .CVE-2012-1140
+%patch103 -p1 -b .CVE-2012-1141
+%patch104 -p1 -b .CVE-2012-1142
+%patch105 -p1 -b .CVE-2012-1143
+%patch106 -p1 -b .CVE-2012-1144
+%patch107 -p1 -b .bdf-overflow
+
%build
%configure --disable-static
@@ -82,6 +123,9 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.8-3
+- Add security patches from Fedora freetype-2.4.8-3 (rh#806270)
+
* Wed Nov 23 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.8-2
- Rebuild for #2031
12 years
- 1
- 0
rpms/freetype-freeworld/devel freetype-2.4.9-CVE-2012-1139.patch, NONE, 1.1 freetype-2.4.9-CVE-2012-1141.patch, NONE, 1.1 freetype-2.4.9-incremental-interface.patch, NONE, 1.1 freetype-2.4.9-loop-exit-condition.patch, NONE, 1.1 .cvsignore, 1.12, 1.13 freetype-freeworld.spec, 1.23, 1.24 sources, 1.12, 1.13
by Kevin Kofler
Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/devel
In directory se02.es.rpmfusion.net:/tmp/cvs-serv27697/devel
Modified Files:
.cvsignore freetype-freeworld.spec sources
Added Files:
freetype-2.4.9-CVE-2012-1139.patch
freetype-2.4.9-CVE-2012-1141.patch
freetype-2.4.9-incremental-interface.patch
freetype-2.4.9-loop-exit-condition.patch
Log Message:
* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.9-1
- Update to 2.4.9 (matches Fedora freetype, fixes various CVEs (rh#806270))
- Add additional security and bugfix patches from Fedora freetype-2.4.9-1
freetype-2.4.9-CVE-2012-1139.patch:
bdflib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.9-CVE-2012-1139.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -842,7 +842,7 @@
};
-#define isdigok( m, d ) (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
+#define isdigok( m, d ) (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
/* Routine to convert an ASCII string into an unsigned long integer. */
freetype-2.4.9-CVE-2012-1141.patch:
bdflib.c | 1 +
1 file changed, 1 insertion(+)
--- NEW FILE freetype-2.4.9-CVE-2012-1141.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -569,6 +569,7 @@
list->field[1] = (char*)empty;
list->field[2] = (char*)empty;
list->field[3] = (char*)empty;
+ list->field[4] = (char*)empty;
}
/* If the line is empty, then simply return. */
freetype-2.4.9-incremental-interface.patch:
t1load.c | 30 ++++++++++++++++++++----------
1 file changed, 20 insertions(+), 10 deletions(-)
--- NEW FILE freetype-2.4.9-incremental-interface.patch ---
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -71,6 +71,13 @@
#include "t1errors.h"
+#ifdef FT_CONFIG_OPTION_INCREMENTAL
+#define IS_INCREMENTAL ( face->root.internal->incremental_interface != 0 )
+#else
+#define IS_INCREMENTAL 0
+#endif
+
+
/*************************************************************************/
/* */
/* The macro FT_COMPONENT is used in trace mode. It is an implicit */
@@ -1030,7 +1037,8 @@
static int
read_binary_data( T1_Parser parser,
FT_Long* size,
- FT_Byte** base )
+ FT_Byte** base,
+ FT_Bool incremental )
{
FT_Byte* cur;
FT_Byte* limit = parser->root.limit;
@@ -1065,8 +1073,12 @@
}
}
- FT_ERROR(( "read_binary_data: invalid size field\n" ));
- parser->root.error = T1_Err_Invalid_File_Format;
+ if( !incremental )
+ {
+ FT_ERROR(( "read_binary_data: invalid size field\n" ));
+ parser->root.error = T1_Err_Invalid_File_Format;
+ }
+
return 0;
}
@@ -1396,7 +1408,7 @@
idx = T1_ToInt( parser );
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* The binary string is followed by one token, e.g. `NP' */
@@ -1582,7 +1594,7 @@
cur++; /* skip `/' */
len = parser->root.cursor - cur;
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* for some non-standard fonts like `Optima' which provides */
@@ -1871,7 +1883,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -1884,7 +1896,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -2160,9 +2172,7 @@
type1->subrs_len = loader.subrs.lengths;
}
-#ifdef FT_CONFIG_OPTION_INCREMENTAL
- if ( !face->root.internal->incremental_interface )
-#endif
+ if ( !IS_INCREMENTAL )
if ( !loader.charstrings.init )
{
FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" ));
freetype-2.4.9-loop-exit-condition.patch:
t1load.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.4.9-loop-exit-condition.patch ---
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1399,9 +1399,10 @@
FT_Byte* base;
- /* If the next token isn't `dup' we are done. */
- if ( parser->root.cursor + 4 < parser->root.limit &&
- ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
+ /* If we are out of data, or if the next token isn't `dup', */
+ /* we are done. */
+ if ( parser->root.cursor + 4 >= parser->root.limit ||
+ ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
break;
T1_Skip_PS_Token( parser ); /* `dup' */
Index: .cvsignore
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/.cvsignore,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- .cvsignore 17 Nov 2011 16:56:37 -0000 1.12
+++ .cvsignore 2 Apr 2012 00:27:37 -0000 1.13
@@ -1 +1 @@
-freetype-2.4.8.tar.bz2
+freetype-2.4.9.tar.bz2
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/freetype-freeworld.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- freetype-freeworld.spec 23 Nov 2011 15:59:05 -0000 1.23
+++ freetype-freeworld.spec 2 Apr 2012 00:27:37 -0000 1.24
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
-Version: 2.4.8
-Release: 2%{?dist}
+Version: 2.4.9
+Release: 1%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -12,6 +12,16 @@
# Enable otvalid and gxvalid modules
Patch46: freetype-2.2.1-enable-valid.patch
+# Security patches
+Patch89: freetype-2.4.9-CVE-2012-1139.patch
+Patch90: freetype-2.4.9-CVE-2012-1141.patch
+
+# https://savannah.nongnu.org/bugs/?35833
+Patch91: freetype-2.4.9-loop-exit-condition.patch
+
+# https://savannah.nongnu.org/bugs/?35847
+Patch92: freetype-2.4.9-incremental-interface.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
Provides: freetype-bytecode
@@ -39,6 +49,12 @@
%patch46 -p1 -b .enable-valid
+%patch89 -p1 -b .CVE-2012-1139
+%patch90 -p1 -b .CVE-2012-1141
+%patch91 -p1 -b .loop-exit-condition
+%patch92 -p1 -b .incremental-interface
+
+
%build
%configure --disable-static
@@ -82,6 +98,10 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.9-1
+- Update to 2.4.9 (matches Fedora freetype, fixes various CVEs (rh#806270))
+- Add additional security and bugfix patches from Fedora freetype-2.4.9-1
+
* Wed Nov 23 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.8-2
- Rebuild for #2031
Index: sources
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/sources,v
retrieving revision 1.12
retrieving revision 1.13
diff -u -r1.12 -r1.13
--- sources 17 Nov 2011 16:56:37 -0000 1.12
+++ sources 2 Apr 2012 00:27:37 -0000 1.13
@@ -1 +1 @@
-dbf2caca1d3afd410a29217a9809d397 freetype-2.4.8.tar.bz2
+77a893dae81fd5b896632715ca041179 freetype-2.4.9.tar.bz2
12 years
- 1
- 0