rpms/xorg-x11-drv-nvidia/devel .cvsignore, 1.73, 1.74 sources, 1.77, 1.78 xorg-x11-drv-nvidia.spec, 1.171, 1.172
by Leigh Scott
Author: leigh123linux
Update of /cvs/nonfree/rpms/xorg-x11-drv-nvidia/devel
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv21558
Modified Files:
.cvsignore sources xorg-x11-drv-nvidia.spec
Log Message:
* Tue Feb 24 2015 Leigh Scott <leigh123linux(a)googlemail.com> - 1:346.47-1
- Update to 343.47
Index: .cvsignore
===================================================================
RCS file: /cvs/nonfree/rpms/xorg-x11-drv-nvidia/devel/.cvsignore,v
retrieving revision 1.73
retrieving revision 1.74
diff -u -r1.73 -r1.74
--- .cvsignore 17 Jan 2015 00:26:36 -0000 1.73
+++ .cvsignore 24 Feb 2015 17:53:01 -0000 1.74
@@ -1,3 +1,3 @@
-NVIDIA-Linux-armv7l-gnueabihf-346.35.run
-NVIDIA-Linux-x86-346.35.run
-NVIDIA-Linux-x86_64-346.35.run
+NVIDIA-Linux-armv7l-gnueabihf-346.47.run
+NVIDIA-Linux-x86-346.47.run
+NVIDIA-Linux-x86_64-346.47.run
Index: sources
===================================================================
RCS file: /cvs/nonfree/rpms/xorg-x11-drv-nvidia/devel/sources,v
retrieving revision 1.77
retrieving revision 1.78
diff -u -r1.77 -r1.78
--- sources 17 Jan 2015 00:26:37 -0000 1.77
+++ sources 24 Feb 2015 17:53:01 -0000 1.78
@@ -1,3 +1,3 @@
-fff0937cd11b22b86e37fbdcfef8556f NVIDIA-Linux-armv7l-gnueabihf-346.35.run
-d2b8f7f90ef5037f03f94519f9809511 NVIDIA-Linux-x86-346.35.run
-f225dd17a6b325ba6aa98c6035c62d78 NVIDIA-Linux-x86_64-346.35.run
+10f1bd71d061cadf5c716bdd03f4b5b2 NVIDIA-Linux-armv7l-gnueabihf-346.47.run
+ae61b6c3c081383f991bcc64ee0844b1 NVIDIA-Linux-x86-346.47.run
+3fd4affac0165058fcdbbc6f18d84e2d NVIDIA-Linux-x86_64-346.47.run
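Review bot: the lookaside index pins the three .run files by MD5 alone, and these are self-extracting installers rather than plain tarballs, so a digest that a collision cannot forge matters more here than usual; recording a SHA-256 for each 346.47 installer in the spec or the commit message would give reviewers something to compare the `sources` entry against.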
Index: xorg-x11-drv-nvidia.spec
===================================================================
RCS file: /cvs/nonfree/rpms/xorg-x11-drv-nvidia/devel/xorg-x11-drv-nvidia.spec,v
retrieving revision 1.171
retrieving revision 1.172
diff -u -r1.171 -r1.172
--- xorg-x11-drv-nvidia.spec 15 Feb 2015 22:04:20 -0000 1.171
+++ xorg-x11-drv-nvidia.spec 24 Feb 2015 17:53:01 -0000 1.172
@@ -7,8 +7,8 @@
Name: xorg-x11-drv-nvidia
Epoch: 1
-Version: 346.35
-Release: 4%{?dist}
+Version: 346.47
+Release: 1%{?dist}
Summary: NVIDIA's proprietary display driver for NVIDIA graphic cards
Group: User Interface/X Hardware Support
@@ -515,6 +515,9 @@
%{_nvidia_libdir}/libnvidia-fbc.so
%changelog
+* Tue Feb 24 2015 Leigh Scott <leigh123linux(a)googlemail.com> - 1:346.47-1
+- Update to 343.47
+
* Sun Feb 15 2015 Nicolas Chauvet <kwizart(a)gmail.com> - 1:346.35-4
- Fix build for armhfp
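Review bot: the new changelog body reads `- Update to 343.47` while the same entry's tag and the `Version:` bump above both say 346.47; the body should say 346.47 so `rpm -q --changelog` does not point at a release that was never packaged here.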
rpms/freetype-freeworld/F-20 freetype-2.5.0-pcf-read-a.patch, NONE, 1.1 freetype-2.5.0-pcf-read-b.patch, NONE, 1.1 freetype-freeworld.spec, 1.34, 1.35
by Kevin Kofler
Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/F-20
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv21522/F-20
Modified Files:
freetype-freeworld.spec
Added Files:
freetype-2.5.0-pcf-read-a.patch
freetype-2.5.0-pcf-read-b.patch
Log Message:
* Tue Feb 24 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.0.1-7
- Add freetype-2.5.0-pcf-read-a.patch and freetype-2.5.0-pcf-read-b.patch ("Work
around behaviour of X11's `pcfWriteFont' and `pcfReadFont' functions") from
Fedora freetype, fixes regression from CVE-2014-9671 fix (rh#1195652)
freetype-2.5.0-pcf-read-a.patch:
pcfread.c | 55 +++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 43 insertions(+), 12 deletions(-)
--- NEW FILE freetype-2.5.0-pcf-read-a.patch ---
From 74af85c4b62b35e55b0ce9dec55ee10cbc4962a2 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Mon, 8 Dec 2014 16:01:50 +0100
Subject: [PATCH] [pcf] Fix Savannah bug #43774.
Work around `features' of X11's `pcfWriteFont' and `pcfReadFont'
functions. Since the PCF format doesn't have an official
specification, we have to exactly follow these functions' behaviour.
The problem was unveiled with a patch from 2014-11-06, fixing issue #43547.
* src/pcf/pcfread.c (pcf_read_TOC): Don't check table size for last
element. Instead, assign real size.
---
ChangeLog | 14 ++++++++++++++
src/pcf/pcfread.c | 54 +++++++++++++++++++++++++++++++++++++++++++-----------
2 files changed, 57 insertions(+), 11 deletions(-)
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index 998cbed..e3caf82 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -2,7 +2,7 @@
FreeType font driver for pcf fonts
- Copyright 2000-2010, 2012, 2013 by
+ Copyright 2000-2010, 2012-2014 by
Francesco Zappa Nardelli
Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -78,7 +78,7 @@ THE SOFTWARE.
FT_FRAME_START( 16 ),
FT_FRAME_ULONG_LE( type ),
FT_FRAME_ULONG_LE( format ),
- FT_FRAME_ULONG_LE( size ),
+ FT_FRAME_ULONG_LE( size ), /* rounded up to a multiple of 4 */
FT_FRAME_ULONG_LE( offset ),
FT_FRAME_END
};
@@ -95,9 +95,11 @@ THE SOFTWARE.
FT_Memory memory = FT_FACE( face )->memory;
FT_UInt n;
+ FT_ULong size;
- if ( FT_STREAM_SEEK ( 0 ) ||
- FT_STREAM_READ_FIELDS ( pcf_toc_header, toc ) )
+
+ if ( FT_STREAM_SEEK( 0 ) ||
+ FT_STREAM_READ_FIELDS( pcf_toc_header, toc ) )
return FT_THROW( Cannot_Open_Resource );
if ( toc->version != PCF_FILE_VERSION ||
@@ -151,14 +153,35 @@ THE SOFTWARE.
break;
}
- /* we now check whether the `size' and `offset' values are reasonable: */
- /* `offset' + `size' must not exceed the stream size */
+ /*
+ * We now check whether the `size' and `offset' values are reasonable:
+ * `offset' + `size' must not exceed the stream size.
+ *
+ * Note, however, that X11's `pcfWriteFont' routine (used by the
+ * `bdftopcf' program to create PDF font files) has two special
+ * features.
+ *
+ * - It always assigns the accelerator table a size of 100 bytes in the
+ * TOC, regardless of its real size, which can vary between 34 and 72
+ * bytes.
+ *
+ * - Due to the way the routine is designed, it ships out the last font
+ * table with its real size, ignoring the TOC's size value. Since
+ * the TOC size values are always rounded up to a multiple of 4, the
+ * difference can be up to three bytes for all tables except the
+ * accelerator table, for which the difference can be as large as 66
+ * bytes.
+ *
+ */
+
tables = face->toc.tables;
- for ( n = 0; n < toc->count; n++ )
+ size = stream->size;
+
+ for ( n = 0; n < toc->count - 1; n++ )
{
/* we need two checks to avoid overflow */
- if ( ( tables->size > stream->size ) ||
- ( tables->offset > stream->size - tables->size ) )
+ if ( ( tables->size > size ) ||
+ ( tables->offset > size - tables->size ) )
{
error = FT_THROW( Invalid_Table );
goto Exit;
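Review bot: the new loop bound `n < toc->count - 1` is only safe if `toc->count` is known to be at least 1 here; the sanity check in the hunk above is cut off after `toc->version != PCF_FILE_VERSION ||`, so confirm it also rejects `toc->count == 0`, otherwise the bound wraps and the last-element code after the loop reads `tables` before the start of the array. Separately, the new comment says `bdftopcf` creates "PDF font files"; that should read PCF.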
@@ -166,6 +189,15 @@ THE SOFTWARE.
tables++;
}
+ /* no check of `tables->size' for last table element ... */
+ if ( ( tables->offset > size ) )
+ {
+ error = FT_THROW( Invalid_Table );
+ goto Exit;
+ }
+ /* ... instead, we adjust `tables->size' to the real value */
+ tables->size = size - tables->offset;
+
#ifdef FT_DEBUG_LEVEL_TRACE
{
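Review bot: `tables->size = size - tables->offset;` overwrites the declared size unconditionally, so a last table whose TOC size was correct, or smaller than the remaining bytes, is enlarged to the end of the stream; only shrinking when `tables->size > size - tables->offset` would preserve a valid declaration, which is what the pcf-read-b patch below changes it to.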
@@ -714,8 +746,8 @@ THE SOFTWARE.
FT_TRACE4(( " number of bitmaps: %d\n", nbitmaps ));
- /* XXX: PCF_Face->nmetrics is singed FT_Long, see pcf.h */
- if ( face->nmetrics < 0 || nbitmaps != ( FT_ULong )face->nmetrics )
+ /* XXX: PCF_Face->nmetrics is signed FT_Long, see pcf.h */
+ if ( face->nmetrics < 0 || nbitmaps != (FT_ULong)face->nmetrics )
return FT_THROW( Invalid_File_Format );
if ( FT_NEW_ARRAY( offsets, nbitmaps ) )
--
2.1.0
freetype-2.5.0-pcf-read-b.patch:
pcfread.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.5.0-pcf-read-b.patch ---
From 06842c7b49c21f13c0ab61201daab6ff5a358fcc Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 13 Dec 2014 07:42:51 +0100
Subject: [PATCH] * src/pcf/pcfread.c (pcf_read_TOC): Improve fix from
2014-12-08.
---
ChangeLog | 4 ++++
src/pcf/pcfread.c | 7 ++++---
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index e3caf82..a29a9e3 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -189,14 +189,15 @@ THE SOFTWARE.
tables++;
}
- /* no check of `tables->size' for last table element ... */
+ /* only check `tables->offset' for last table element ... */
if ( ( tables->offset > size ) )
{
error = FT_THROW( Invalid_Table );
goto Exit;
}
- /* ... instead, we adjust `tables->size' to the real value */
- tables->size = size - tables->offset;
+ /* ... and adjust `tables->size' to the real value if necessary */
+ if ( tables->size > size - tables->offset )
+ tables->size = size - tables->offset;
#ifdef FT_DEBUG_LEVEL_TRACE
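Review bot: with the clamp now conditional, `tables->offset > size` still admits `offset == size`, which leaves a zero-length last table (and a declared size of 0 passes unchanged); worth confirming that whichever reader consumes the last table treats `size == 0` as "table absent" rather than reading its header, or rejecting `offset == size` here.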
--
2.1.0
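The TOC validation these two patches settle on, written here as an added stand-alone C example (not FreeType's code): the two-comparison bounds test for every table but the last, the offset-only check for the last table, and the conditional clamp from pcf-read-b. The type and function names (`toc_entry`, `pcf_check_toc`, `naive_fits`, the `TOC_*` codes) and the sample tables are this example's own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* One TOC entry as pcf_toc_header reads it: four little-endian 32-bit fields. */
typedef struct {
    uint32_t type;
    uint32_t format;
    uint32_t size;    /* declared size, rounded up to a multiple of 4 by bdftopcf */
    uint32_t offset;
} toc_entry;

enum { TOC_OK = 0, TOC_INVALID = -1, TOC_EMPTY = -2 };

/* Validate `count` entries against a stream of `stream_size` bytes with the
 * rules the patches install: every table but the last must lie entirely inside
 * the stream; the last table only needs a valid offset, and its declared size
 * is clamped to the bytes that remain (pcfWriteFont's last-table quirk).
 * On success the last entry may have been shrunk in place. */
int pcf_check_toc(toc_entry *tables, size_t count, uint32_t stream_size)
{
    size_t n;

    /* pcf_read_TOC rejects an empty TOC before reaching this code; without
     * that guard `count - 1` would wrap and index before the array. */
    if (count == 0)
        return TOC_EMPTY;

    for (n = 0; n + 1 < count; n++) {
        /* two comparisons instead of `offset + size > stream_size`: the sum of
         * two uint32_t values can wrap, and a wrapped sum passes a single test */
        if (tables[n].size > stream_size ||
            tables[n].offset > stream_size - tables[n].size)
            return TOC_INVALID;
    }

    /* last table: only the offset is checked ... */
    if (tables[count - 1].offset > stream_size)
        return TOC_INVALID;

    /* ... and the declared size is clamped only when it overshoots the stream */
    if (tables[count - 1].size > stream_size - tables[count - 1].offset)
        tables[count - 1].size = stream_size - tables[count - 1].offset;

    return TOC_OK;
}

/* The single-sum test the two-step check replaces; kept only to show the wrap. */
int naive_fits(uint32_t offset, uint32_t size, uint32_t stream_size)
{
    return (uint32_t)(offset + size) <= stream_size;
}

/* Constructed case: three tables in a 1000-byte stream; the last one declares
 * the 100 bytes bdftopcf always writes for the accelerator table, but only 40
 * remain.  Returns the clamped size of the last table, or -1 on rejection. */
long example_clamped_last_size(void)
{
    toc_entry toc[3] = {
        { 1, 0, 200, 16 },
        { 2, 0, 300, 216 },
        { 4, 0, 100, 960 },
    };
    if (pcf_check_toc(toc, 3, 1000) != TOC_OK)
        return -1;
    return (long)toc[2].size;          /* 40 */
}

/* Constructed case: a first table whose offset + size wraps past 2^32.
 * Returns 1 if the naive test accepts it but the two-step check rejects it. */
int example_wrap_is_caught(void)
{
    toc_entry toc[2] = {
        { 1, 0, 0xFFFFFFF0u, 0x20 },   /* 0x20 + 0xFFFFFFF0 wraps to 0x10 */
        { 2, 0, 8, 8 },
    };
    int naive   = naive_fits(toc[0].offset, toc[0].size, 1000);
    int checked = pcf_check_toc(toc, 2, 1000);
    return naive == 1 && checked == TOC_INVALID;
}

int main(void)
{
    printf("last table clamped to %ld bytes\n", example_clamped_last_size());
    printf("wrapped entry caught: %s\n", example_wrap_is_caught() ? "yes" : "no");
    return 0;
}
```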
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-20/freetype-freeworld.spec,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- freetype-freeworld.spec 18 Feb 2015 01:57:37 -0000 1.34
+++ freetype-freeworld.spec 24 Feb 2015 17:52:52 -0000 1.35
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.5.0.1
-Release: 6%{?dist}
+Release: 7%{?dist}
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -50,6 +50,11 @@
Patch116: freetype-2.5.0-CVE-2014-9674a.patch
Patch118: freetype-2.5.0-CVE-2014-9674b.patch
+# fix regression from CVE-2014-9671 fix
+# https://bugzilla.redhat.com/show_bug.cgi?id=1195652
+Patch119: freetype-2.5.0-pcf-read-a.patch
+Patch120: freetype-2.5.0-pcf-read-b.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
Provides: freetype-bytecode
@@ -109,6 +114,9 @@
%patch117 -p1 -b .CVE-2014-9674a
%patch118 -p1 -b .CVE-2014-9674b
+%patch119 -p1 -b .pcf-read-a
+%patch120 -p1 -b .pcf-read-b
+
%build
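Review bot: the Patch numbering in the visible context does not line up: the declaration hunk above lists `Patch116:` as freetype-2.5.0-CVE-2014-9674a.patch directly followed by `Patch118:`, yet %prep applies `%patch117 -p1 -b .CVE-2014-9674a`; worth confirming that every declared PatchN has a matching %patchN and that each `-b` suffix names the patch it actually applies, since the new `%patch119`/`%patch120` pair is consistent but a skipped CVE patch would build silently without its fix.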
@@ -153,6 +161,11 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Tue Feb 24 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.0.1-7
+- Add freetype-2.5.0-pcf-read-a.patch and freetype-2.5.0-pcf-read-b.patch ("Work
+ around behaviour of X11's `pcfWriteFont' and `pcfReadFont' functions") from
+ Fedora freetype, fixes regression from CVE-2014-9671 fix (rh#1195652)
+
* Wed Feb 18 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.0.1-6
- Add freetype-2.5.0-CVE-2014-9656.patch from Fedora freetype (rh#1191099)
(Check `p' before `num_glyphs'.)
rpms/freetype-freeworld/devel freetype-2.5.3-pcf-read-a.patch, NONE, 1.1 freetype-2.5.3-pcf-read-b.patch, NONE, 1.1 freetype-freeworld.spec, 1.38, 1.39
by Kevin Kofler
Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/devel
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv21314/devel
Modified Files:
freetype-freeworld.spec
Added Files:
freetype-2.5.3-pcf-read-a.patch
freetype-2.5.3-pcf-read-b.patch
Log Message:
* Tue Feb 24 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.3-5
- Add freetype-2.5.3-pcf-read-a.patch and freetype-2.5.3-pcf-read-b.patch ("Work
around behaviour of X11's `pcfWriteFont' and `pcfReadFont' functions") from
Fedora freetype, fixes regression from CVE-2014-9671 fix (rh#1195652)
freetype-2.5.3-pcf-read-a.patch:
pcfread.c | 55 +++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 43 insertions(+), 12 deletions(-)
--- NEW FILE freetype-2.5.3-pcf-read-a.patch ---
From 74af85c4b62b35e55b0ce9dec55ee10cbc4962a2 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Mon, 8 Dec 2014 16:01:50 +0100
Subject: [PATCH] [pcf] Fix Savannah bug #43774.
Work around `features' of X11's `pcfWriteFont' and `pcfReadFont'
functions. Since the PCF format doesn't have an official
specification, we have to exactly follow these functions' behaviour.
The problem was unveiled with a patch from 2014-11-06, fixing issue #43547.
* src/pcf/pcfread.c (pcf_read_TOC): Don't check table size for last
element. Instead, assign real size.
---
ChangeLog | 14 ++++++++++++++
src/pcf/pcfread.c | 54 +++++++++++++++++++++++++++++++++++++++++++-----------
2 files changed, 57 insertions(+), 11 deletions(-)
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index 998cbed..e3caf82 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -2,7 +2,7 @@
FreeType font driver for pcf fonts
- Copyright 2000-2010, 2012, 2013 by
+ Copyright 2000-2010, 2012-2014 by
Francesco Zappa Nardelli
Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -78,7 +78,7 @@ THE SOFTWARE.
FT_FRAME_START( 16 ),
FT_FRAME_ULONG_LE( type ),
FT_FRAME_ULONG_LE( format ),
- FT_FRAME_ULONG_LE( size ),
+ FT_FRAME_ULONG_LE( size ), /* rounded up to a multiple of 4 */
FT_FRAME_ULONG_LE( offset ),
FT_FRAME_END
};
@@ -95,9 +95,11 @@ THE SOFTWARE.
FT_Memory memory = FT_FACE( face )->memory;
FT_UInt n;
+ FT_ULong size;
- if ( FT_STREAM_SEEK ( 0 ) ||
- FT_STREAM_READ_FIELDS ( pcf_toc_header, toc ) )
+
+ if ( FT_STREAM_SEEK( 0 ) ||
+ FT_STREAM_READ_FIELDS( pcf_toc_header, toc ) )
return FT_THROW( Cannot_Open_Resource );
if ( toc->version != PCF_FILE_VERSION ||
@@ -151,14 +153,35 @@ THE SOFTWARE.
break;
}
- /* we now check whether the `size' and `offset' values are reasonable: */
- /* `offset' + `size' must not exceed the stream size */
+ /*
+ * We now check whether the `size' and `offset' values are reasonable:
+ * `offset' + `size' must not exceed the stream size.
+ *
+ * Note, however, that X11's `pcfWriteFont' routine (used by the
+ * `bdftopcf' program to create PDF font files) has two special
+ * features.
+ *
+ * - It always assigns the accelerator table a size of 100 bytes in the
+ * TOC, regardless of its real size, which can vary between 34 and 72
+ * bytes.
+ *
+ * - Due to the way the routine is designed, it ships out the last font
+ * table with its real size, ignoring the TOC's size value. Since
+ * the TOC size values are always rounded up to a multiple of 4, the
+ * difference can be up to three bytes for all tables except the
+ * accelerator table, for which the difference can be as large as 66
+ * bytes.
+ *
+ */
+
tables = face->toc.tables;
- for ( n = 0; n < toc->count; n++ )
+ size = stream->size;
+
+ for ( n = 0; n < toc->count - 1; n++ )
{
/* we need two checks to avoid overflow */
- if ( ( tables->size > stream->size ) ||
- ( tables->offset > stream->size - tables->size ) )
+ if ( ( tables->size > size ) ||
+ ( tables->offset > size - tables->size ) )
{
error = FT_THROW( Invalid_Table );
goto Exit;
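Review bot: `n < toc->count - 1` needs a preceding `toc->count == 0` rejection that the truncated check above (`toc->version != PCF_FILE_VERSION ||`) does not show; without it the bound wraps and the post-loop code indexes before `tables`. The new comment's "PDF font files" should also read PCF.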
@@ -166,6 +189,15 @@ THE SOFTWARE.
tables++;
}
+ /* no check of `tables->size' for last table element ... */
+ if ( ( tables->offset > size ) )
+ {
+ error = FT_THROW( Invalid_Table );
+ goto Exit;
+ }
+ /* ... instead, we adjust `tables->size' to the real value */
+ tables->size = size - tables->offset;
+
#ifdef FT_DEBUG_LEVEL_TRACE
{
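Review bot: the unconditional `tables->size = size - tables->offset;` enlarges a correctly declared last table to the end of the stream; the pcf-read-b patch below narrows this to a clamp that only shrinks, which is the behaviour wanted here.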
@@ -714,8 +746,8 @@ THE SOFTWARE.
FT_TRACE4(( " number of bitmaps: %d\n", nbitmaps ));
- /* XXX: PCF_Face->nmetrics is singed FT_Long, see pcf.h */
- if ( face->nmetrics < 0 || nbitmaps != ( FT_ULong )face->nmetrics )
+ /* XXX: PCF_Face->nmetrics is signed FT_Long, see pcf.h */
+ if ( face->nmetrics < 0 || nbitmaps != (FT_ULong)face->nmetrics )
return FT_THROW( Invalid_File_Format );
if ( FT_NEW_ARRAY( offsets, nbitmaps ) )
--
2.1.0
freetype-2.5.3-pcf-read-b.patch:
pcfread.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.5.3-pcf-read-b.patch ---
From 06842c7b49c21f13c0ab61201daab6ff5a358fcc Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 13 Dec 2014 07:42:51 +0100
Subject: [PATCH] * src/pcf/pcfread.c (pcf_read_TOC): Improve fix from
2014-12-08.
---
ChangeLog | 4 ++++
src/pcf/pcfread.c | 7 ++++---
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index e3caf82..a29a9e3 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -189,14 +189,15 @@ THE SOFTWARE.
tables++;
}
- /* no check of `tables->size' for last table element ... */
+ /* only check `tables->offset' for last table element ... */
if ( ( tables->offset > size ) )
{
error = FT_THROW( Invalid_Table );
goto Exit;
}
- /* ... instead, we adjust `tables->size' to the real value */
- tables->size = size - tables->offset;
+ /* ... and adjust `tables->size' to the real value if necessary */
+ if ( tables->size > size - tables->offset )
+ tables->size = size - tables->offset;
#ifdef FT_DEBUG_LEVEL_TRACE
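Review bot: `tables->offset > size` still lets `offset == size` through, producing a zero-length last table; confirm the table readers handle `size == 0` as "absent" or reject that case here.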
--
2.1.0
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/freetype-freeworld.spec,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- freetype-freeworld.spec 18 Feb 2015 01:32:07 -0000 1.38
+++ freetype-freeworld.spec 24 Feb 2015 17:47:38 -0000 1.39
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.5.3
-Release: 4%{?dist}
+Release: 5%{?dist}
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
URL: http://www.freetype.org
Source: http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.ta...
@@ -43,6 +43,11 @@
Patch116: freetype-2.5.3-unsigned-long.patch
Patch117: freetype-2.5.3-CVE-2014-9674b.patch
+# fix regression from CVE-2014-9671 fix
+# https://bugzilla.redhat.com/show_bug.cgi?id=1195652
+Patch118: freetype-2.5.3-pcf-read-a.patch
+Patch119: freetype-2.5.3-pcf-read-b.patch
+
Provides: freetype-bytecode
Provides: freetype-subpixel
@@ -98,6 +103,9 @@
%patch116 -p1 -b .unsigned-long
%patch117 -p1 -b .CVE-2014-9674b
+%patch118 -p1 -b .pcf-read-a
+%patch119 -p1 -b .pcf-read-b
+
%build
%configure --disable-static
@@ -136,6 +144,11 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Tue Feb 24 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.3-5
+- Add freetype-2.5.3-pcf-read-a.patch and freetype-2.5.3-pcf-read-b.patch ("Work
+ around behaviour of X11's `pcfWriteFont' and `pcfReadFont' functions") from
+ Fedora freetype, fixes regression from CVE-2014-9671 fix (rh#1195652)
+
* Wed Feb 18 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.3-4
- Add freetype-2.5.3-CVE-2014-9656.patch from Fedora freetype (rh#1191099)
(Check `p' before `num_glyphs'.)
rpms/nvidia-kmod/devel 4.0.0_kernel.patch, NONE, 1.1 nvidia-kmod.spec, 1.185, 1.186
by Leigh Scott
Author: leigh123linux
Update of /cvs/nonfree/rpms/nvidia-kmod/devel
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv16368
Modified Files:
nvidia-kmod.spec
Added Files:
4.0.0_kernel.patch
Log Message:
* Tue Feb 24 2015 Leigh Scott <leigh123linux(a)googlemail.com> - 1:346.35-2
- Patch for 4.0.0 kernel
4.0.0_kernel.patch:
nv-pat.c | 9 +++++++++
1 file changed, 9 insertions(+)
--- NEW FILE 4.0.0_kernel.patch ---
--- a/kernel/nv-pat.c 2015-01-11 04:30:46.000000000 +0000
+++ b/kernel/nv-pat.c 2015-02-23 10:39:33.352315652 +0000
@@ -35,8 +35,13 @@ static inline void nv_disable_caches(uns
unsigned long cr0 = read_cr0();
write_cr0(((cr0 & (0xdfffffff)) | 0x40000000));
wbinvd();
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,20,0)
+ *cr4 = __read_cr4();
+ if (*cr4 & 0x80) __write_cr4(*cr4 & ~0x80);
+#else
*cr4 = read_cr4();
if (*cr4 & 0x80) write_cr4(*cr4 & ~0x80);
+#endif
__flush_tlb();
}
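Review bot: the `KERNEL_VERSION(3,20,0)` threshold works because the 4.0 cycle started out numbered 3.20, but a comment saying so would spare the next reader a search. More importantly, `__read_cr4()`/`__write_cr4()` are the raw register accessors, and 4.0 also keeps a per-CPU shadow copy of CR4 that a direct `__write_cr4()` leaves stale; clearing and restoring PGE through `cr4_clear_bits(X86_CR4_PGE)`/`cr4_set_bits(X86_CR4_PGE)` would keep the kernel's view consistent and replace the magic `0x80` with its named constant.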
@@ -46,7 +51,11 @@ static inline void nv_enable_caches(unsi
wbinvd();
__flush_tlb();
write_cr0((cr0 & 0x9fffffff));
+#if LINUX_VERSION_CODE >= KERNEL_VERSION(3,20,0)
+ if (cr4 & 0x80) __write_cr4(cr4);
+#else
if (cr4 & 0x80) write_cr4(cr4);
+#endif
}
static int nv_determine_pat_mode(void)
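Review bot: the restore path duplicates the disable path's version `#if` and raw `__write_cr4(cr4)`; a small helper (say `nv_write_cr4()`, name suggested here) wrapping the ifdef once, or the kernel's `cr4_set_bits()`, would leave a single place to update when the next accessor rename lands.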
Index: nvidia-kmod.spec
===================================================================
RCS file: /cvs/nonfree/rpms/nvidia-kmod/devel/nvidia-kmod.spec,v
retrieving revision 1.185
retrieving revision 1.186
diff -u -r1.185 -r1.186
--- nvidia-kmod.spec 14 Feb 2015 13:18:35 -0000 1.185
+++ nvidia-kmod.spec 24 Feb 2015 10:13:54 -0000 1.186
@@ -3,13 +3,13 @@
# "buildforkernels newest" macro for just that build; immediately after
# queuing that build enable the macro again for subsequent builds; that way
# a new akmod package will only get build when a new one is actually needed
-%global buildforkernels newest
+%global buildforkernels current
Name: nvidia-kmod
Epoch: 1
Version: 346.35
# Taken over by kmodtool
-Release: 1%{?dist}.5
+Release: 2%{?dist}
Summary: NVIDIA display driver kernel module
Group: System Environment/Kernel
License: Redistributable, no modification permitted
@@ -18,6 +18,7 @@
Source11: nvidia-kmodtool-excludekernel-filterfile
Patch0: nv-linux-arm.patch
Patch1: 3.18_kernel.patch
+Patch2: 4.0.0_kernel.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -45,6 +46,7 @@
# patch loop
%patch0 -p1
%patch1 -p1
+%patch2 -p1
for kernel_version in %{?kernel_versions} ; do
@@ -92,6 +94,9 @@
%changelog
+* Tue Feb 24 2015 Leigh Scott <leigh123linux(a)googlemail.com> - 1:346.35-2
+- Patch for 4.0.0 kernel
+
* Sat Feb 14 2015 Nicolas Chauvet <kwizart(a)gmail.com> - 1:346.35-1.5
- Rebuilt for kernel
rpms/mame-data-extras/F-20 .cvsignore, 1.6, 1.7 mame-data-extras.spec, 1.5, 1.6 sources, 1.6, 1.7
by Julian Sikorski
Author: belegdol
Update of /cvs/nonfree/rpms/mame-data-extras/F-20
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv11394
Modified Files:
.cvsignore mame-data-extras.spec sources
Log Message:
* Mon Feb 23 2015 Julian Sikorski <belegdol(a)fedoraproject.org> - 0.158-1
- Updated everything except sysinfo.dat and cheat.zip to 0.158
Index: .cvsignore
===================================================================
RCS file: /cvs/nonfree/rpms/mame-data-extras/F-20/.cvsignore,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- .cvsignore 18 Jan 2015 08:37:52 -0000 1.6
+++ .cvsignore 23 Feb 2015 17:38:52 -0000 1.7
@@ -1,9 +1,9 @@
catveren.zip
cheat0156.zip
ctrlr.rar
-history157.7z
-Mameinfo0157.zip
+history158.7z
+Mameinfo0158.zip
messinfo.zip
-nplayers0157.zip
+nplayers0158.zip
robby.zip
sysinfo.zip
Index: mame-data-extras.spec
===================================================================
RCS file: /cvs/nonfree/rpms/mame-data-extras/F-20/mame-data-extras.spec,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- mame-data-extras.spec 18 Jan 2015 08:37:52 -0000 1.5
+++ mame-data-extras.spec 23 Feb 2015 17:38:52 -0000 1.6
@@ -1,4 +1,4 @@
-%global vernumber 157
+%global vernumber 158
Name: mame-data-extras
Version: 0.%{vernumber}
@@ -10,13 +10,13 @@
Source1: http://www.arcade-history.com/dats/history%{vernumber}.7z
Source2: http://www.mameworld.info/mameinfo/download/Mameinfo0%{vernumber}.zip
Source3: http://www.kutek.net/mame_roms_pinball/mame32_config_files/ctrlr.rar
-# 0.154_fix
+# 0.158
Source4: http://www.progettoemma.net/public/cat/catveren.zip
Source5: http://nplayers.arcadebelgium.be/files/nplayers0%{vernumber}.zip
Source6: http://cheat.retrogames.com/download/cheat0156.zip
# 0.148
Source7: http://www.progettoemma.net/mess/zips/sysinfo.zip
-# 0.157
+# 0.158
Source8: http://www.progettosnaps.net/messinfo/messinfo.zip
Source10: http://mamedev.org/roms/robby/robby.zip
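Review bot: `Source4` (catveren.zip) and `Source8` (messinfo.zip) are fetched from unversioned URLs, so the only record of which upstream revision is pinned is the `# 0.158` comment edited here, and the matching `sources` entries change their checksum in place under the same file name; storing the downloaded copies under a versioned name (as `history%{vernumber}.7z` and `nplayers0%{vernumber}.zip` already do) would make each lookaside entry unambiguous and let `%{vernumber}` drive these comments as well.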
@@ -135,6 +135,9 @@
%changelog
+* Mon Feb 23 2015 Julian Sikorski <belegdol(a)fedoraproject.org> - 0.158-1
+- Updated everything except sysinfo.dat and cheat.zip to 0.158
+
* Sun Jan 18 2015 Julian Sikorski <belegdol(a)fedoraproject.org> - 0.157-1
- Updated everything except sysinfo.dat, catver.ini and cheat.zip to 0.157
- Updated cheat.zip to 0.156
Index: sources
===================================================================
RCS file: /cvs/nonfree/rpms/mame-data-extras/F-20/sources,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- sources 18 Jan 2015 08:37:52 -0000 1.6
+++ sources 23 Feb 2015 17:38:52 -0000 1.7
@@ -1,9 +1,9 @@
-e5e0cef013941a4a21cb24743d8d7e40 catveren.zip
+1d67bd22fdd8005ad8d3394d978dfb18 catveren.zip
36390c5328b1d63ac14aede964fa5ce2 cheat0156.zip
d907085f2f69b74198796378e3ed0cb3 ctrlr.rar
-11de2441c922f1a1eda41d2acc103841 history157.7z
-f7ec094e8da1a8dff67a0bf30fc8acd4 Mameinfo0157.zip
-6ab2da1c30a023800960012aa0a91abb messinfo.zip
-f77b8cb35e2f96f2a7a0270ea45a4ed3 nplayers0157.zip
+5c4575629c07d39073008f7689fcd6f9 history158.7z
+bdb16526d03d2d00d60b77b4e7827876 Mameinfo0158.zip
+95defc03fc532372342d0d71deb555fa messinfo.zip
+e47962eebf659a18766d1c57a37511cf nplayers0158.zip
e1acc79344dd33466081c0d7fa56011a robby.zip
170a9a793ed01af870bf81dfe278cc77 sysinfo.zip
rpms/mame-data-extras/devel .cvsignore, 1.6, 1.7 mame-data-extras.spec, 1.5, 1.6 sources, 1.6, 1.7
by Julian Sikorski
Author: belegdol
Update of /cvs/nonfree/rpms/mame-data-extras/devel
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv11287
Modified Files:
.cvsignore mame-data-extras.spec sources
Log Message:
* Mon Feb 23 2015 Julian Sikorski <belegdol(a)fedoraproject.org> - 0.158-1
- Updated everything except sysinfo.dat and cheat.zip to 0.158
Index: .cvsignore
===================================================================
RCS file: /cvs/nonfree/rpms/mame-data-extras/devel/.cvsignore,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- .cvsignore 18 Jan 2015 08:37:46 -0000 1.6
+++ .cvsignore 23 Feb 2015 17:38:45 -0000 1.7
@@ -1,9 +1,9 @@
catveren.zip
cheat0156.zip
ctrlr.rar
-history157.7z
-Mameinfo0157.zip
+history158.7z
+Mameinfo0158.zip
messinfo.zip
-nplayers0157.zip
+nplayers0158.zip
robby.zip
sysinfo.zip
Index: mame-data-extras.spec
===================================================================
RCS file: /cvs/nonfree/rpms/mame-data-extras/devel/mame-data-extras.spec,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -r1.5 -r1.6
--- mame-data-extras.spec 18 Jan 2015 08:37:46 -0000 1.5
+++ mame-data-extras.spec 23 Feb 2015 17:38:45 -0000 1.6
@@ -1,4 +1,4 @@
-%global vernumber 157
+%global vernumber 158
Name: mame-data-extras
Version: 0.%{vernumber}
@@ -10,13 +10,13 @@
Source1: http://www.arcade-history.com/dats/history%{vernumber}.7z
Source2: http://www.mameworld.info/mameinfo/download/Mameinfo0%{vernumber}.zip
Source3: http://www.kutek.net/mame_roms_pinball/mame32_config_files/ctrlr.rar
-# 0.154_fix
+# 0.158
Source4: http://www.progettoemma.net/public/cat/catveren.zip
Source5: http://nplayers.arcadebelgium.be/files/nplayers0%{vernumber}.zip
Source6: http://cheat.retrogames.com/download/cheat0156.zip
# 0.148
Source7: http://www.progettoemma.net/mess/zips/sysinfo.zip
-# 0.157
+# 0.158
Source8: http://www.progettosnaps.net/messinfo/messinfo.zip
Source10: http://mamedev.org/roms/robby/robby.zip
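Review bot: catveren.zip and messinfo.zip are unversioned downloads whose pin lives only in this `# 0.158` comment and an in-place checksum change in `sources`; a versioned file name per release, like the `%{vernumber}`-based sources above, would make the lookaside entry unambiguous.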
@@ -135,6 +135,9 @@
%changelog
+* Mon Feb 23 2015 Julian Sikorski <belegdol(a)fedoraproject.org> - 0.158-1
+- Updated everything except sysinfo.dat and cheat.zip to 0.158
+
* Sun Jan 18 2015 Julian Sikorski <belegdol(a)fedoraproject.org> - 0.157-1
- Updated everything except sysinfo.dat, catver.ini and cheat.zip to 0.157
- Updated cheat.zip to 0.156
Index: sources
===================================================================
RCS file: /cvs/nonfree/rpms/mame-data-extras/devel/sources,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -r1.6 -r1.7
--- sources 18 Jan 2015 08:37:46 -0000 1.6
+++ sources 23 Feb 2015 17:38:45 -0000 1.7
@@ -1,9 +1,9 @@
-e5e0cef013941a4a21cb24743d8d7e40 catveren.zip
+1d67bd22fdd8005ad8d3394d978dfb18 catveren.zip
36390c5328b1d63ac14aede964fa5ce2 cheat0156.zip
d907085f2f69b74198796378e3ed0cb3 ctrlr.rar
-11de2441c922f1a1eda41d2acc103841 history157.7z
-f7ec094e8da1a8dff67a0bf30fc8acd4 Mameinfo0157.zip
-6ab2da1c30a023800960012aa0a91abb messinfo.zip
-f77b8cb35e2f96f2a7a0270ea45a4ed3 nplayers0157.zip
+5c4575629c07d39073008f7689fcd6f9 history158.7z
+bdb16526d03d2d00d60b77b4e7827876 Mameinfo0158.zip
+95defc03fc532372342d0d71deb555fa messinfo.zip
+e47962eebf659a18766d1c57a37511cf nplayers0158.zip
e1acc79344dd33466081c0d7fa56011a robby.zip
170a9a793ed01af870bf81dfe278cc77 sysinfo.zip
rpms/openmw/devel openmw.spec,1.11,1.12
by Alexandre Moine
Author: nobrakal
Update of /cvs/free/rpms/openmw/devel
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv19384
Modified Files:
openmw.spec
Log Message:
* Sat Feb 21 2015 Alexandre Moine <nobrakal(a)fedoraproject.org> 0.35.0-1
- Update to new upstream.
- Change binaries name from opencs to openmw-cs
Index: openmw.spec
===================================================================
RCS file: /cvs/free/rpms/openmw/devel/openmw.spec,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- openmw.spec 9 Jan 2015 18:21:39 -0000 1.11
+++ openmw.spec 21 Feb 2015 19:06:35 -0000 1.12
@@ -1,5 +1,5 @@
Name: openmw
-Version: 0.34.0
+Version: 0.35.0
Release: 1%{?dist}
Summary: Unofficial open source engine re-implementation of the game Morrowind
@@ -75,7 +75,7 @@
pushd build
%make_install
popd
-desktop-file-validate %{buildroot}/%{_datadir}/applications/opencs.desktop
+desktop-file-validate %{buildroot}/%{_datadir}/applications/openmw-cs.desktop
desktop-file-validate %{buildroot}/%{_datadir}/applications/openmw.desktop
# Move license files back so they can be packaged by %%doc
@@ -87,24 +87,29 @@
mkdir -p %{buildroot}/%{_datadir}/%{name}/data
%files
-%doc docs/license/GPL3.txt readme.txt _tmpdoc/*
+%doc docs/license/GPL3.txt README.md _tmpdoc/*
+%{_bindir}/%{name}
+%{_bindir}/%{name}-launcher
+%{_bindir}/%{name}-iniimporter
+%{_bindir}/%{name}-essimporter
+%{_bindir}/%{name}-wizard
+%{_bindir}/%{name}-cs
%{_bindir}/esmtool
-%{_bindir}/mwiniimport
-%{_bindir}/omwlauncher
-%{_bindir}/opencs
-%{_bindir}/openmw
%{_bindir}/bsatool
-%{_bindir}/openmw-wizard
%{_libdir}/Plugin_MyGUI_OpenMW_Resources.so
-%{_datadir}/applications/opencs.desktop
-%{_datadir}/applications/openmw.desktop
%{_datadir}/%{name}/
-%{_datadir}/pixmaps/opencs.png
+%{_datadir}/applications/%{name}-cs.desktop
+%{_datadir}/applications/%{name}.desktop
+%{_datadir}/pixmaps/openmw-cs.png
%{_datadir}/pixmaps/openmw.png
%config(noreplace) %{_sysconfdir}/openmw/
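Review bot: the new file list mixes macro and literal spellings of the same name: `%{_bindir}/%{name}-cs` and `%{_datadir}/applications/%{name}-cs.desktop` sit next to `%{_datadir}/pixmaps/openmw-cs.png` and the literal `openmw-cs.desktop` in the `desktop-file-validate` hunk above; using the `%{name}` macro throughout, as most of the list now does, means a future rename only touches `Name:`.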
%changelog
+* Sat Feb 21 2015 Alexandre Moine <nobrakal(a)fedoraproject.org> 0.35.0-1
+- Update to new upstream.
+- Change binairies name from opencs to openmw-cs
+
* Wed Dec 31 2014 Alexandre Moine <nobrakal(a)fedoraproject.org> 0.34.0-1
- Update directly to 0.34.0 due to the new mygui just released in fedora (see BGZ #1145811)
- Remove openmw-datapath.patch, it set a variable in /components/files/linuxpath.cpp now in cmake
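Review bot: "binairies" in the new changelog entry should be "binaries".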
rpms/openmw/devel sources,1.7,1.8
by Alexandre Moine
Author: nobrakal
Update of /cvs/free/rpms/openmw/devel
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv19304
Modified Files:
sources
Log Message:
new sources
Index: sources
===================================================================
RCS file: /cvs/free/rpms/openmw/devel/sources,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- sources 9 Jan 2015 18:21:39 -0000 1.7
+++ sources 21 Feb 2015 19:05:16 -0000 1.8
@@ -1 +1 @@
-687ab871962cee9e8f701716d4d06561 openmw-0.34.0.tar.gz
+8df7e90c76fc15a7e2d2e85735be1d7d openmw-0.35.0.tar.gz
rpms/freetype-freeworld/F-20 freetype-2.5.0-CVE-2014-9656.patch, NONE, 1.1 freetype-2.5.0-CVE-2014-9657.patch, NONE, 1.1 freetype-2.5.0-CVE-2014-9658.patch, NONE, 1.1 freetype-2.5.0-CVE-2014-9660.patch, NONE, 1.1 freetype-2.5.0-CVE-2014-9661a.patch, NONE, 1.1 freetype-2.5.0-CVE-2014-9661b.patch, NONE, 1.1 freetype-2.5.0-CVE-2014-9662.patch, NONE, 1.1 freetype-2.5.0-CVE-2014-9663.patch, NONE, 1.1 freetype-2.5.0-CVE-2014-9664a.patch, NONE, 1.1 freetype-2.5.0-CVE-2014-9664b.patch, NONE, 1.1 freetype-2.5.0-CVE-
by Kevin Kofler
Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/F-20
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv8981/F-20
Modified Files:
freetype-freeworld.spec
Added Files:
freetype-2.5.0-CVE-2014-9656.patch
freetype-2.5.0-CVE-2014-9657.patch
freetype-2.5.0-CVE-2014-9658.patch
freetype-2.5.0-CVE-2014-9660.patch
freetype-2.5.0-CVE-2014-9661a.patch
freetype-2.5.0-CVE-2014-9661b.patch
freetype-2.5.0-CVE-2014-9662.patch
freetype-2.5.0-CVE-2014-9663.patch
freetype-2.5.0-CVE-2014-9664a.patch
freetype-2.5.0-CVE-2014-9664b.patch
freetype-2.5.0-CVE-2014-9666.patch
freetype-2.5.0-CVE-2014-9667.patch
freetype-2.5.0-CVE-2014-9669.patch
freetype-2.5.0-CVE-2014-9670.patch
freetype-2.5.0-CVE-2014-9671.patch
freetype-2.5.0-CVE-2014-9672.patch
freetype-2.5.0-CVE-2014-9673.patch
freetype-2.5.0-CVE-2014-9674a.patch
freetype-2.5.0-CVE-2014-9674b.patch
freetype-2.5.0-CVE-2014-9675.patch
freetype-2.5.0-ft-strncmp.patch
freetype-2.5.0-unsigned-long.patch
Log Message:
* Wed Feb 18 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.0.1-6
- Add freetype-2.5.0-CVE-2014-9656.patch from Fedora freetype (rh#1191099)
(Check `p' before `num_glyphs'.)
- Add freetype-2.5.0-CVE-2014-9657.patch from Fedora freetype (rh#1191099)
(Check minimum size of `record_size'.)
- Add freetype-2.5.0-CVE-2014-9658.patch from Fedora freetype (rh#1191099)
(Use correct value for minimum table length test.)
- Add freetype-2.5.0-ft-strncmp.patch from Fedora freetype (rh#1191193)
(Fix http://savannah.nongnu.org/bugs/?41692. Prereq of CVE-2014-9675 patch.)
- Add freetype-2.5.0-CVE-2014-9675.patch from Fedora freetype (rh#1191193)
(New macro that checks one character more than `strncmp'.)
- Add freetype-2.5.0-CVE-2014-9660.patch from Fedora freetype (rh#1191099)
(Check `_BDF_GLYPH_BITS'.)
- Add freetype-2.5.0-CVE-2014-9661a.patch from Fedora freetype (rh#1191099)
(Initialize `face->ttf_size'. Always set `face->ttf_size' directly.)
- Add freetype-2.5.0-CVE-2014-9661b.patch from Fedora freetype (rh#1191099)
(Exclusively use the `truetype' font driver for loading the font contained
in the `sfnts' array.)
- Add freetype-2.5.0-CVE-2014-9662.patch from Fedora freetype (rh#1191099)
(Handle return values of point allocation routines.)
- Add freetype-2.5.0-CVE-2014-9663.patch from Fedora freetype (rh#1191099)
(Fix order of validity tests.)
- Add freetype-2.5.0-CVE-2014-9664a.patch from Fedora freetype (rh#1191099)
(Add another boundary testing.)
- Add freetype-2.5.0-CVE-2014-9664b.patch from Fedora freetype (rh#1191099)
(Fix boundary testing.)
- Add freetype-2.5.0-CVE-2014-9666.patch from Fedora freetype (rh#1191099)
(Protect against addition and multiplication overflow.)
- Add freetype-2.5.0-CVE-2014-9667.patch from Fedora freetype (rh#1191099)
(Protect against addition overflow.)
- Add freetype-2.5.0-CVE-2014-9669.patch from Fedora freetype (rh#1191099)
(Protect against overflow in additions and multiplications.)
- Add freetype-2.5.0-CVE-2014-9670.patch from Fedora freetype (rh#1191099)
(Add sanity checks for row and column values.)
- Add freetype-2.5.0-CVE-2014-9671.patch from Fedora freetype (rh#1191099)
(Check `size' and `offset' values.)
- Add freetype-2.5.0-CVE-2014-9672.patch from Fedora freetype (rh#1191095)
(Prevent a buffer overrun caused by a font including too many (> 63) strings
to store names[] table.)
- Add freetype-2.5.0-CVE-2014-9673.patch from Fedora freetype (rh#1191096)
(Fix integer overflow by a broken POST table in resource-fork.)
- Add freetype-2.5.0-unsigned-long.patch from Fedora freetype (rh#1191191)
(Use unsigned long variables to read the lengths in POST fragments.)
- Add freetype-2.5.0-CVE-2014-9674a.patch from Fedora freetype (rh#1191191)
(Fix integer overflow by a broken POST table in resource-fork.)
- Add freetype-2.5.0-CVE-2014-9674b.patch from Fedora freetype (rh#1191191)
(Additional overflow check in the summation of POST fragment lengths.)
freetype-2.5.0-CVE-2014-9656.patch:
ttsbit.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9656.patch ---
>From f0292bb9920aa1dbfed5f53861e7c7a89b35833a Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Mon, 24 Nov 2014 09:51:21 +0000
Subject: [sfnt] Fix Savannah bug #43680.
This adds an additional constraint to make the fix from 2013-01-25
really work.
* src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) <index_format==4>:
Check `p' before `num_glyphs'.
---
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c
index b37bd7d..c2db96c 100644
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -1049,7 +1049,8 @@
num_glyphs = FT_NEXT_ULONG( p );
/* overflow check for p + ( num_glyphs + 1 ) * 4 */
- if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
+ if ( p + 4 > p_limit ||
+ num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
goto NoBitmap;
for ( mm = 0; mm < num_glyphs; mm++ )
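Review bot: the new guard `p + 4 > p_limit` forms a pointer beyond `p_limit` whenever fewer than 4 bytes remain, which is out-of-range pointer arithmetic in C; `p_limit - p < 4` tests the same condition without forming the pointer. The guard itself is needed: when fewer than 4 bytes are left, `( ( p_limit - p ) >> 2 ) - 1` in the second operand evaluates to -1 and the cast to FT_ULong turns it into a limit that any `num_glyphs` passes, so the `||` short-circuit is what keeps that operand from being evaluated in the bad case; worth saying so in the comment above the check.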
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9657.patch:
ttpload.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9657.patch ---
>From eca0f067068020870a429fe91f6329e499390d55 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Mon, 24 Nov 2014 09:22:08 +0000
Subject: [truetype] Fix Savannah bug #43679.
* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of
`record_size'.
---
diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c
index 9723a51..9991925 100644
--- a/src/truetype/ttpload.c
+++ b/src/truetype/ttpload.c
@@ -508,9 +508,9 @@
record_size = FT_NEXT_ULONG( p );
/* The maximum number of bytes in an hdmx device record is the */
- /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is */
- /* the reason why `record_size' is a long (which we read as */
- /* unsigned long for convenience). In practice, two bytes */
+ /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus */
+ /* explaining why `record_size' is a long (which we read as */
+ /* unsigned long for convenience). In practice, two bytes are */
/* sufficient to hold the size value. */
/* */
/* There are at least two fonts, HANNOM-A and HANNOM-B version */
@@ -522,8 +522,10 @@
record_size &= 0xFFFFU;
/* The limit for `num_records' is a heuristic value. */
-
- if ( version != 0 || num_records > 255 || record_size > 0x10001L )
+ if ( version != 0 ||
+ num_records > 255 ||
+ record_size > 0x10001L ||
+ record_size < 4 )
{
error = FT_THROW( Invalid_File_Format );
goto Fail;
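Review bot: with `record_size &= 0xFFFFU;` applied a few lines above, the clause `record_size > 0x10001L` in the new condition can never be true (the masked value is at most 0xFFFF), so it is dead; either drop it or move that comparison before the mask if the intent is to reject over-long values as read from the file. The substantive addition is `record_size < 4`; a one-line comment saying why 4 is the minimum for a device record would keep the next reader from re-deriving it.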
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9658.patch:
ttkern.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9658.patch ---
>From f70d9342e65cd2cb44e9f26b6d7edeedf191fc6c Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Mon, 24 Nov 2014 08:31:32 +0000
Subject: [sfnt] Fix Savannah bug #43672.
* src/sfnt/ttkern.c (tt_face_load_kern): Use correct value for
minimum table length test.
---
diff --git a/src/sfnt/ttkern.c b/src/sfnt/ttkern.c
index 32c4008..455e7b5 100644
--- a/src/sfnt/ttkern.c
+++ b/src/sfnt/ttkern.c
@@ -99,7 +99,7 @@
length = FT_NEXT_USHORT( p );
coverage = FT_NEXT_USHORT( p );
- if ( length <= 6 )
+ if ( length <= 6 + 8 )
break;
p_next += length;
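Review bot: the literal `6 + 8` is unexplained; name the two header sizes it stands for in a comment (or a pair of constants) so it is clear why a subtable shorter than 14 bytes is rejected. The failure path is still `break`, which silently stops parsing the remaining kern subtables rather than reporting an error; that matches the previous `length <= 6` behaviour, so it is acceptable, but it belongs in the same comment.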
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9660.patch:
bdflib.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9660.patch ---
>From af8346172a7b573715134f7a51e6c5c60fa7f2ab Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 22 Nov 2014 12:29:10 +0000
Subject: [bdf] Fix Savannah bug #43660.
* src/bdf/bdflib.c (_bdf_parse_glyphs) <"ENDFONT">: Check
`_BDF_GLYPH_BITS'.
---
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index c128526..369c111 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1556,6 +1556,14 @@
/* Check for the ENDFONT field. */
if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 )
{
+ if ( p->flags & _BDF_GLYPH_BITS )
+ {
+ /* Missing ENDCHAR field. */
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENDCHAR" ));
+ error = FT_THROW( Corrupted_Font_Glyphs );
+ goto Exit;
+ }
+
/* Sort the glyphs by encoding. */
ft_qsort( (char *)font->glyphs,
font->glyphs_used,
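Review bot: the placement is right: the missing-ENDCHAR check runs before `ft_qsort`, so a glyph whose bitmap was still being read (`_BDF_GLYPH_BITS` set) is never sorted into the final array. Reusing `ERRMSG1` with `lineno` and "ENDCHAR" keeps the message format consistent with the CHARS check in this file. Consider whether an ENDFONT arriving after STARTCHAR but before any bitmap (`_BDF_GLYPH` set, `_BDF_GLYPH_BITS` not yet set) should be rejected the same way, since that glyph would also reach the sort.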
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9661a.patch:
t42objs.c | 6 ++++++
t42parse.c | 26 ++++++++++++--------------
2 files changed, 18 insertions(+), 14 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9661a.patch ---
>From 3788187e0c396952cd7d905c6c61f3ff8e84b2b4 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 22 Nov 2014 09:46:47 +0000
Subject: [type42] Fix Savannah bug #43659.
* src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'.
* src/type42/t42parse.c (t42_parse_sfnts): Always set
`face->ttf_size' directly. This ensures a correct stream size in
the call to `FT_Open_Face', which follows after parsing, even for
buggy input data.
Fix error messages.
---
diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c
index 798ebdb..7a9cb57 100644
--- a/src/type42/t42objs.c
+++ b/src/type42/t42objs.c
@@ -47,6 +47,12 @@
if ( FT_ALLOC( face->ttf_data, 12 ) )
goto Exit;
+ /* while parsing the font we always update `face->ttf_size' so that */
+ /* even in case of buggy data (which might lead to premature end of */
+ /* scanning without causing an error) the call to `FT_Open_Face' in */
+ /* `T42_Face_Init' passes the correct size */
+ face->ttf_size = 12;
+
error = t42_parser_init( parser,
face->root.stream,
memory,
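Review bot: setting `face->ttf_size = 12` immediately after the 12-byte `FT_ALLOC` keeps the recorded size and the allocation in step from the start, which is the whole point of the fix, and the comment explains why. The constant 12 (offset-table header size) now appears here, in `FT_ALLOC( face->ttf_data, 12 )`, and in `12 + 16 * num_tables` in t42parse.c; a single named constant would stop the three from drifting apart.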
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index a60e216..daf304d 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -498,7 +498,7 @@
FT_Byte* limit = parser->root.limit;
FT_Error error;
FT_Int num_tables = 0;
- FT_ULong count, ttf_size = 0;
+ FT_ULong count;
FT_Long n, string_size, old_string_size, real_size;
FT_Byte* string_buf = NULL;
@@ -591,7 +591,7 @@
if ( limit - parser->root.cursor < string_size )
{
- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
error = FT_THROW( Invalid_File_Format );
goto Fail;
}
@@ -631,18 +631,18 @@
}
else
{
- num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
- status = BEFORE_TABLE_DIR;
- ttf_size = 12 + 16 * num_tables;
+ num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
+ status = BEFORE_TABLE_DIR;
+ face->ttf_size = 12 + 16 * num_tables;
- if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) )
+ if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
goto Fail;
}
/* fall through */
case BEFORE_TABLE_DIR:
/* the offset table is read; read the table directory */
- if ( count < ttf_size )
+ if ( count < face->ttf_size )
{
face->ttf_data[count++] = string_buf[n];
continue;
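Review bot: `num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];` (changed only in indentation here) does not decode the big-endian 16-bit numTables field; that would be `256 * ttf_data[4] + ttf_data[5]`. It yields the right value only while `ttf_data[4]` is zero, i.e. for fewer than 256 tables, which the comment in the next hunk assumes. Either fix the multiplier or reject `ttf_data[4] != 0` explicitly and document the assumption, so that `face->ttf_size` and the `FT_REALLOC` size cannot disagree with the real table count.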
@@ -661,24 +661,23 @@
len = FT_PEEK_ULONG( p );
/* Pad to a 4-byte boundary length */
- ttf_size += ( len + 3 ) & ~3;
+ face->ttf_size += ( len + 3 ) & ~3;
}
- status = OTHER_TABLES;
- face->ttf_size = ttf_size;
+ status = OTHER_TABLES;
/* there are no more than 256 tables, so no size check here */
if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables,
- ttf_size + 1 ) )
+ face->ttf_size + 1 ) )
goto Fail;
}
/* fall through */
case OTHER_TABLES:
/* all other tables are just copied */
- if ( count >= ttf_size )
+ if ( count >= face->ttf_size )
{
- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
error = FT_THROW( Invalid_File_Format );
goto Fail;
}
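Review bot: `face->ttf_size += ( len + 3 ) & ~3;` sums `len` values read straight from the font with `FT_PEEK_ULONG`; the comment "there are no more than 256 tables, so no size check here" bounds the number of terms, not their magnitude, so the running total can wrap FT_ULong on 32-bit builds. The OTHER_TABLES copy loop is bounded by the same `face->ttf_size`, so the copy itself stays inside the buffer, but the table directory's declared lengths then no longer match the buffer; a check that each `len` fits the remaining string data, or that the total never decreases, would make that invariant explicit instead of relying on the TrueType driver's table-bounds checks later. The wording change from "too many" to "too much binary data" is correct English.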
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9661b.patch:
t42objs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9661b.patch ---
>From 42fcd6693ec7bd6ffc65ddc63e74287a65dda669 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 22 Nov 2014 11:44:33 +0000
Subject: [type42] Allow only embedded TrueType fonts.
This is a follow-up to Savannah bug #43659.
* src/type42/t42objs.c (T42_Face_Init): Exclusively use the
`truetype' font driver for loading the font contained in the `sfnts'
array.
---
diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c
index 7a9cb57..915e81f 100644
--- a/src/type42/t42objs.c
+++ b/src/type42/t42objs.c
@@ -293,7 +293,9 @@
FT_Open_Args args;
- args.flags = FT_OPEN_MEMORY;
+ args.flags = FT_OPEN_MEMORY | FT_OPEN_DRIVER;
+ args.driver = FT_Get_Module( FT_FACE_LIBRARY( face ),
+ "truetype" );
args.memory_base = face->ttf_data;
args.memory_size = face->ttf_size;
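Review bot: `FT_Get_Module( FT_FACE_LIBRARY( face ), "truetype" )` returns NULL when the truetype module is not registered in this library build, and the result goes into `args.driver` unchecked. Whether `FT_Open_Face` rejects a NULL driver with `FT_OPEN_DRIVER` set is not visible here; an explicit `if ( !args.driver )` returning a missing-module error would give a clear failure for builds without the TrueType driver. Pinning the driver is the right fix for the underlying problem, since it stops the embedded `sfnts` data from being handed to any other font driver.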
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9662.patch:
cf2ft.c | 49 ++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 38 insertions(+), 11 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9662.patch ---
>From 5f201ab5c24cb69bc96b724fd66e739928d6c5e2 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 22 Nov 2014 08:16:39 +0000
Subject: [cff] Fix Savannah bug #43658.
* src/cff/cf2ft.c (cf2_builder_lineTo, cf2_builder_cubeTo): Handle
return values of point allocation routines.
---
diff --git a/src/cff/cf2ft.c b/src/cff/cf2ft.c
index cb8d31c..ebba469 100644
--- a/src/cff/cf2ft.c
+++ b/src/cff/cf2ft.c
@@ -140,6 +140,8 @@
cf2_builder_lineTo( CF2_OutlineCallbacks callbacks,
const CF2_CallbackParams params )
{
+ FT_Error error;
+
/* downcast the object pointer */
CF2_Outline outline = (CF2_Outline)callbacks;
CFF_Builder* builder;
@@ -154,15 +156,27 @@
{
/* record the move before the line; also check points and set */
/* `path_begun' */
- cff_builder_start_point( builder,
- params->pt0.x,
- params->pt0.y );
+ error = cff_builder_start_point( builder,
+ params->pt0.x,
+ params->pt0.y );
+ if ( error )
+ {
+ if ( !*callbacks->error )
+ *callbacks->error = error;
+ return;
+ }
}
/* `cff_builder_add_point1' includes a check_points call for one point */
- cff_builder_add_point1( builder,
- params->pt1.x,
- params->pt1.y );
+ error = cff_builder_add_point1( builder,
+ params->pt1.x,
+ params->pt1.y );
+ if ( error )
+ {
+ if ( !*callbacks->error )
+ *callbacks->error = error;
+ return;
+ }
}
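Review bot: the five-line propagation block (`if ( error ) { if ( !*callbacks->error ) *callbacks->error = error; return; }`) is now repeated for every builder call in both `cf2_builder_lineTo` and `cf2_builder_cubeTo`; a small static helper or macro would keep the four copies identical and make the next builder call hard to leave unchecked. The "first error wins" rule via `!*callbacks->error` is applied consistently in every copy, which is what the caller needs.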
@@ -170,6 +184,8 @@
cf2_builder_cubeTo( CF2_OutlineCallbacks callbacks,
const CF2_CallbackParams params )
{
+ FT_Error error;
+
/* downcast the object pointer */
CF2_Outline outline = (CF2_Outline)callbacks;
CFF_Builder* builder;
@@ -184,13 +200,25 @@
{
/* record the move before the line; also check points and set */
/* `path_begun' */
- cff_builder_start_point( builder,
- params->pt0.x,
- params->pt0.y );
+ error = cff_builder_start_point( builder,
+ params->pt0.x,
+ params->pt0.y );
+ if ( error )
+ {
+ if ( !*callbacks->error )
+ *callbacks->error = error;
+ return;
+ }
}
/* prepare room for 3 points: 2 off-curve, 1 on-curve */
- cff_check_points( builder, 3 );
+ error = cff_check_points( builder, 3 );
+ if ( error )
+ {
+ if ( !*callbacks->error )
+ *callbacks->error = error;
+ return;
+ }
cff_builder_add_point( builder,
params->pt1.x,
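Review bot: once `cff_check_points( builder, 3 )` has succeeded, the `cff_builder_add_point` calls that follow (which, unlike `cff_builder_add_point1`, do not check for room themselves, per the comment in the lineTo hunk) are safe, so leaving them without an error check is correct; a one-line comment stating that the three points were reserved above would stop a later reader from adding redundant checks or, worse, removing the `cff_check_points` call.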
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9663.patch:
ttcmap.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9663.patch ---
>From 9bd20b7304aae61de5d50ac359cf27132bafd4c1 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 22 Nov 2014 05:24:45 +0000
Subject: [sfnt] Fix Savannah bug #43656.
* src/sfnt/ttcmap.c (tt_cmap4_validate): Fix order of validity
tests.
---
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 712bd4f..fb863c3 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -823,9 +823,6 @@
FT_Error error = FT_Err_Ok;
- if ( length < 16 )
- FT_INVALID_TOO_SHORT;
-
/* in certain fonts, the `length' field is invalid and goes */
/* out of bound. We try to correct this here... */
if ( table + length > valid->limit )
@@ -836,6 +833,9 @@
length = (FT_UInt)( valid->limit - table );
}
+ if ( length < 16 )
+ FT_INVALID_TOO_SHORT;
+
p = table + 6;
num_segs = TT_NEXT_USHORT( p ); /* read segCountX2 */
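Review bot: moving `length < 16` after the clamp `length = (FT_UInt)( valid->limit - table )` is the right order; before, an oversized `length` could pass the minimum-size test and then be clamped to a value smaller than what `p = table + 6` and the segment reads assume. The remaining comparison `table + length > valid->limit` still forms `table + length` before comparing; the CVE-2014-9669 hunks in this series use `length > (FT_ULong)( valid->limit - table )`, which avoids out-of-range pointer arithmetic, and it would be consistent to use that form here as well.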
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9664a.patch:
type1/t1load.c | 5 +++++
type42/t42parse.c | 7 ++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9664a.patch ---
>From 73be9f9ab67842cfbec36ee99e8d2301434c84ca Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Mon, 24 Nov 2014 06:30:05 +0000
Subject: [type1, type42] Another fix for Savannah bug #43655.
* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c
(t42_parse_charstrings): Add another boundary testing.
---
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index caa75bd..24b14a8 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1591,6 +1591,11 @@
}
T1_Skip_PS_Token( parser );
+ if ( parser->root.cursor >= limit )
+ {
+ error = FT_THROW( Invalid_File_Format );
+ goto Fail;
+ }
if ( parser->root.error )
return;
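Review bot: the new `parser->root.cursor >= limit` test runs before the existing `if ( parser->root.error ) return;`, so when `T1_Skip_PS_Token` has already recorded an error and left the cursor at `limit`, the function now reports `Invalid_File_Format` through `Fail` instead of returning with the parser's own error. If that is intended it is harmless; otherwise swap the two checks. The t42parse.c twin of this hunk logs an `FT_ERROR` message and this one does not; matching them would help when debugging a rejected font.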
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index daf304d..d45c069 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -823,6 +823,12 @@
break;
T1_Skip_PS_Token( parser );
+ if ( parser->root.cursor >= limit )
+ {
+ FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Fail;
+ }
if ( parser->root.error )
return;
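Review bot: same ordering question as in the t1load.c hunk: the bounds test precedes the `parser->root.error` check, so a parse error from `T1_Skip_PS_Token` is replaced by `Invalid_File_Format` once the cursor reaches `limit`. The message "t42_parse_charstrings: out of bounds" is also the text used by the `cur + 2 >= limit` check in the CVE-2014-9664b hunk, so a log reader cannot tell which check fired; a distinct wording (e.g. mentioning the cursor) would disambiguate.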
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9664b.patch:
type1/t1load.c | 2 +-
type42/t42parse.c | 3 +--
2 files changed, 2 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9664b.patch ---
>From dd89710f0f643eb0f99a3830e0712d26c7642acd Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Fri, 21 Nov 2014 21:19:28 +0000
Subject: [type1, type42] Fix Savannah bug #43655.
* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c
(t42_parse_charstrings): Fix boundary testing.
---
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index fd06432..caa75bd 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1604,7 +1604,7 @@
FT_PtrDist len;
- if ( cur + 1 >= limit )
+ if ( cur + 2 >= limit )
{
error = FT_THROW( Invalid_File_Format );
goto Fail;
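Review bot: `cur + 1 >= limit` becoming `cur + 2 >= limit` tightens the check by one byte, but neither the diff nor the context says which bytes past `cur` are read next; a comment tying the constant to the read that follows (the `len` declared just above is presumably derived from it) would make the bound self-documenting and keep the off-by-one from returning. Since `cur + 2` is pointer arithmetic, `limit - cur <= 2` expresses the same test without forming a pointer past the buffer.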
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index 9b66888..a60e216 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -837,7 +837,7 @@
FT_PtrDist len;
- if ( cur + 1 >= limit )
+ if ( cur + 2 >= limit )
{
FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
error = FT_THROW( Invalid_File_Format );
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9666.patch:
ttsbit.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9666.patch ---
>From 257c270bd25e15890190a28a1456e7623bba4439 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Wed, 12 Nov 2014 20:42:13 +0000
Subject: [sfnt] Fix Savannah bug #43591.
* src/sfnt/ttsbit.c (tt_sbit_decoder_init): Protect against addition
and multiplication overflow.
---
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c
index da6b01b..b37bd7d 100644
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -234,9 +234,11 @@
p += 34;
decoder->bit_depth = *p;
- if ( decoder->strike_index_array > face->sbit_table_size ||
- decoder->strike_index_array + 8 * decoder->strike_index_count >
- face->sbit_table_size )
+ /* decoder->strike_index_array + */
+ /* 8 * decoder->strike_index_count > face->sbit_table_size ? */
+ if ( decoder->strike_index_array > face->sbit_table_size ||
+ decoder->strike_index_count >
+ ( face->sbit_table_size - decoder->strike_index_array ) / 8 )
error = FT_THROW( Invalid_File_Format );
}
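Review bot: the rewrite is correct: the multiplication `8 * decoder->strike_index_count` is replaced by a division, and the subtraction `face->sbit_table_size - decoder->strike_index_array` cannot underflow because the first operand of the `||` has already established `strike_index_array <= sbit_table_size`. That dependency on short-circuit order deserves a line in the comment, since swapping the two clauses would reintroduce the underflow.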
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9667.patch:
ttload.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9667.patch ---
>From 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Wed, 12 Nov 2014 20:26:44 +0000
Subject: [sfnt] Fix Savannah bug #43590.
* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
Protect against addition overflow.
---
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index 0a3cd29..8338150 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -5,7 +5,7 @@
/* Load the basic TrueType tables, i.e., tables that can be either in */
/* TTF or OTF fonts (body). */
/* */
-/* Copyright 1996-2010, 2012, 2013 by */
+/* Copyright 1996-2010, 2012-2014 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -207,7 +207,10 @@
}
/* we ignore invalid tables */
- if ( table.Offset + table.Length > stream->size )
+
+ /* table.Offset + table.Length > stream->size ? */
+ if ( table.Length > stream->size ||
+ table.Offset > stream->size - table.Length )
{
FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
continue;
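Review bot: the inserted empty `+` line separates the existing comment `/* we ignore invalid tables */` from the condition it describes; drop it or merge the two comments. The two-step form `Length > size || Offset > size - Length` is the right overflow-free way to express `Offset + Length > size` and matches the pattern used elsewhere in this series.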
@@ -398,7 +398,10 @@
entry->Length = FT_GET_LONG();
/* ignore invalid tables */
- if ( entry->Offset + entry->Length > stream->size )
+
+ /* entry->Offset + entry->Length > stream->size ? */
+ if ( entry->Length > stream->size ||
+ entry->Offset > stream->size - entry->Length )
continue;
else
{
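Review bot: the context line `entry->Length = FT_GET_LONG();` reads the length as a signed FT_Long and the new check then compares it against `stream->size`; if `entry->Length` is an unsigned field this is a silent sign conversion, and if it is signed a negative length would make `stream->size - entry->Length` larger than the stream. Reading it with `FT_GET_ULONG()` (the hdmx loader in the CVE-2014-9657 hunk uses `FT_NEXT_ULONG` for the same kind of field) removes the ambiguity.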
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9669.patch:
ttcmap.c | 40 ++++++++++++++++++++++++++++++----------
1 file changed, 30 insertions(+), 10 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9669.patch ---
>From 602040b1112c9f94d68e200be59ea7ac3d104565 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Wed, 12 Nov 2014 19:51:20 +0000
Subject: [sfnt] Fix Savannah bug #43588.
* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect
against overflow in additions and multiplications.
---
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index f9acf5d..712bd4f 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -1647,7 +1647,8 @@
p = is32 + 8192; /* skip `is32' array */
num_groups = TT_NEXT_ULONG( p );
- if ( p + num_groups * 12 > valid->limit )
+ /* p + num_groups * 12 > valid->limit ? */
+ if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
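Review bot: `num_groups > (FT_UInt32)( valid->limit - p ) / 12` is only meaningful if `p <= valid->limit` holds after `p = is32 + 8192`; if the 8192-byte `is32` array was not bounds-checked earlier, the pointer difference is negative and the cast yields a large quotient that any `num_groups` passes. Either an explicit `p > valid->limit` test here or a comment naming the earlier check that guarantees it would make this robust to future edits.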
@@ -1672,7 +1673,12 @@
if ( valid->level >= FT_VALIDATE_TIGHT )
{
- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
+ FT_UInt32 d = end - start;
+
+
+ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
+ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
+ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
FT_INVALID_GLYPH_ID;
count = (FT_UInt32)( end - start + 1 );
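Review bot: `FT_UInt32 d = end - start;` assumes `end >= start`, which the "groups must be in increasing order" check above presumably guarantees; given that, the split test `d > COUNT || start_id >= COUNT - d` is an exact overflow-free rewrite of `start_id + end - start >= COUNT`. The same block is repeated verbatim in the cmap12 hunk below; a tiny static helper would keep the two copies identical.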
@@ -1870,7 +1876,9 @@
count = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 20 + count * 2 )
+ /* length < 20 + count * 2 ? */
+ length < 20 ||
+ ( length - 20 ) / 2 < count )
FT_INVALID_TOO_SHORT;
/* check glyph indices */
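Review bot: `length < 20 || ( length - 20 ) / 2 < count` is correct, and keeping the original expression as a comment above it is the right call because the rewritten form is harder to read. The same idiom recurs for cmap12, cmap13 and cmap14 below with different constants (16 and 12, 10 and 11); each of those should carry the same style of comment, which they do.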
@@ -2057,7 +2065,9 @@
num_groups = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 16 + 12 * num_groups )
+ /* length < 16 + 12 * num_groups ? */
+ length < 16 ||
+ ( length - 16 ) / 12 < num_groups )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
@@ -2079,7 +2089,12 @@
if ( valid->level >= FT_VALIDATE_TIGHT )
{
- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
+ FT_UInt32 d = end - start;
+
+
+ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
+ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
+ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
FT_INVALID_GLYPH_ID;
}
@@ -2381,7 +2396,9 @@
num_groups = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 16 + 12 * num_groups )
+ /* length < 16 + 12 * num_groups ? */
+ length < 16 ||
+ ( length - 16 ) / 12 < num_groups )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
@@ -2762,7 +2779,9 @@
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 10 + 11 * num_selectors )
+ /* length < 10 + 11 * num_selectors ? */
+ length < 10 ||
+ ( length - 10 ) / 11 < num_selectors )
FT_INVALID_TOO_SHORT;
/* check selectors, they must be in increasing order */
@@ -2798,7 +2817,8 @@
FT_ULong lastBase = 0;
- if ( defp + numRanges * 4 > valid->limit )
+ /* defp + numRanges * 4 > valid->limit ? */
+ if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 )
FT_INVALID_TOO_SHORT;
for ( i = 0; i < numRanges; ++i )
@@ -2825,7 +2845,8 @@
FT_ULong i, lastUni = 0;
- if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
+ /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */
+ if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 )
FT_INVALID_TOO_SHORT;
for ( i = 0; i < numMappings; ++i )
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9670.patch:
pcfread.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9670.patch ---
>From ef1eba75187adfac750f326b563fe543dd5ff4e6 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Thu, 06 Nov 2014 22:25:05 +0000
Subject: Fix Savannah bug #43548.
* src/pcf/pcfread (pcf_get_encodings): Add sanity checks for row and
column values.
---
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index 8db31bd..668c962 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -812,6 +812,15 @@ THE SOFTWARE.
if ( !PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) )
return FT_THROW( Invalid_File_Format );
+ /* sanity checks */
+ if ( firstCol < 0 ||
+ firstCol > lastCol ||
+ lastCol > 0xFF ||
+ firstRow < 0 ||
+ firstRow > lastRow ||
+ lastRow > 0xFF )
+ return FT_THROW( Invalid_Table );
+
FT_TRACE4(( "pdf_get_encodings:\n" ));
FT_TRACE4(( " firstCol %d, lastCol %d, firstRow %d, lastRow %d\n",
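Review bot: the trace string in the context line reads `"pdf_get_encodings:\n"` while the function (per the subject line) is `pcf_get_encodings`; worth fixing the typo while this region is being touched. The new checks reject negative or reversed ranges and values above 0xFF, which is the range the byte-indexed encoding grid can address, so `Invalid_Table` is the appropriate error.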
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9671.patch:
pcfread.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9671.patch ---
>From 0e2f5d518c60e2978f26400d110eff178fa7e3c3 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Thu, 06 Nov 2014 21:32:46 +0000
Subject: Fix Savannah bug #43547.
* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset'
values.
---
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index f63377b..8db31bd 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -151,6 +151,21 @@ THE SOFTWARE.
break;
}
+ /* we now check whether the `size' and `offset' values are reasonable: */
+ /* `offset' + `size' must not exceed the stream size */
+ tables = face->toc.tables;
+ for ( n = 0; n < toc->count; n++ )
+ {
+ /* we need two checks to avoid overflow */
+ if ( ( tables->size > stream->size ) ||
+ ( tables->offset > stream->size - tables->size ) )
+ {
+ error = FT_THROW( Invalid_Table );
+ goto Exit;
+ }
+ tables++;
+ }
+
#ifdef FT_DEBUG_LEVEL_TRACE
{
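Review bot: the loop starts from `tables = face->toc.tables` but runs to `toc->count`; if `toc` is `&face->toc` the mix is harmless but confusing, so use `toc->tables` (or `face->toc.count`) consistently. The two-step `size > stream->size || offset > stream->size - size` test is the right overflow-free form, matching the ttload.c hunks in this series, and the comment says so.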
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9672.patch:
ftmac.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9672.patch ---
>From 18a8f0d9943369449bc4de92d411c78fb08d616c Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 07:11:38 +0000
Subject: Fix Savannah bug #43540.
* src/base/ftmac.c (parse_fond): Prevent a buffer overrun
caused by a font including too many (> 63) strings to store
names[] table.
---
diff --git a/src/base/ftmac.c b/src/base/ftmac.c
index 9b49da8..184a2e1 100644
--- a/src/base/ftmac.c
+++ b/src/base/ftmac.c
@@ -440,9 +440,10 @@
style = (StyleTable*)p;
p += sizeof ( StyleTable );
string_count = EndianS16_BtoN( *(short*)(p) );
+ string_count = FT_MIN( 64, string_count );
p += sizeof ( short );
- for ( i = 0; i < string_count && i < 64; i++ )
+ for ( i = 0; i < string_count; i++ )
{
names[i] = p;
p += names[i][0];
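Review bot: clamping `string_count` once up front is cleaner than the per-iteration `i < 64`, but the literal 64 now encodes the size of `names[]` in one place and is relied on implicitly by the `<= string_count` test in the next hunk; tie it to the array with `sizeof ( names ) / sizeof ( names[0] )` or a named constant so they cannot drift. `string_count` comes from `EndianS16_BtoN` as a `short`, so a negative value makes `FT_MIN( 64, string_count )` negative and the loop simply does not run, which is acceptable behaviour.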
@@ -459,7 +460,7 @@
ps_name[ps_name_len] = 0;
}
if ( style->indexes[face_index] > 1 &&
- style->indexes[face_index] <= FT_MIN( string_count, 64 ) )
+ style->indexes[face_index] <= string_count )
{
unsigned char* suffixes = names[style->indexes[face_index] - 1];
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9673.patch:
ftobjs.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9673.patch ---
>From 35252ae9aa1dd9343e9f4884e9ddb1fee10ef415 Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 06:52:23 +0000
Subject: Fix Savannah bug #43539.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
by a broken POST table in resource-fork.
---
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index ffbbc32..922216e 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1615,6 +1615,11 @@
goto Exit2;
if ( FT_READ_LONG( rlen ) )
goto Exit;
+ if ( rlen < 0 )
+ {
+ error = FT_THROW( Invalid_Offset );
+ goto Exit2;
+ }
if ( FT_READ_USHORT( flags ) )
goto Exit;
FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
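Review bot: `rlen` is read with `FT_READ_LONG` and then rejected when negative, whereas the CVE-2014-9674b hunk later in this series switches the sibling fragment-length read to `FT_READ_ULONG`; reading `rlen` unsigned here would make the two length paths consistent. Also note the new check jumps to `Exit2` while the read failures directly above use `Exit`; confirm that `Exit2` is the intended cleanup path for this case.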
@@ -1632,7 +1637,14 @@
rlen = 0;
if ( ( flags >> 8 ) == type )
+ {
+ if ( 0x7FFFFFFFL - rlen < len )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto Exit2;
+ }
len += rlen;
+ }
else
{
if ( pfb_lenpos + 3 > pfb_len + 2 )
@@ -1661,6 +1673,11 @@
}
error = FT_ERR( Cannot_Open_Resource );
+ if ( rlen > 0x7FFFFFFFL - pfb_pos )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto Exit2;
+ }
if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
goto Exit2;
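Review bot: `rlen > 0x7FFFFFFFL - pfb_pos` guards the `pfb_pos + rlen` addition in the following `if`, which is good; but `error` was set to `Cannot_Open_Resource` on the preceding line and is overwritten with `Array_Too_Large` here, so the reported error depends on which check fires first; a comment ordering the two would help. As in the other hunks, `0x7FFFFFFFL` is a deliberate 2 GiB cap rather than the type's `LONG_MAX` on LP64; naming it once would make that explicit.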
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9674a.patch:
ftobjs.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9674a.patch ---
>From 240c94a185cd8dae7d03059abec8a5662c35ecd3 Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 06:43:29 +0000
Subject: Fix Savannah bug #43538.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
by a broken POST table in resource-fork.
---
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 4d60e88..ffbbc32 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1591,10 +1591,23 @@
goto Exit;
if ( FT_READ_LONG( temp ) )
goto Exit;
+ if ( 0 > temp )
+ error = FT_THROW( Invalid_Offset );
+ else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
+ error = FT_THROW( Array_Too_Large );
+
+ if ( error )
+ goto Exit;
+
pfb_len += temp + 6;
}
- if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
+ if ( 0x7FFFFFFFL - 2 < pfb_len )
+ error = FT_THROW( Array_Too_Large );
+ else
+ error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
+
+ if ( error )
goto Exit;
pfb_data[0] = 0x80;
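Review bot: `0x7FFFFFFFL - 6 - pfb_len < temp` correctly guards `pfb_len += temp + 6` against exceeding the 31-bit cap, and `0x7FFFFFFFL - 2 < pfb_len` guards the `+ 2` in the allocation; both use the same literal, so a single named constant would make the cap self-documenting. Funnelling both failures through one `if ( error ) goto Exit;` is fine. Style: `0 > temp` reads more naturally as `temp < 0`.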
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9674b.patch:
ftobjs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9674b.patch ---
>From cd4a5a26e591d01494567df9dec7f72d59551f6e Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 15:20:48 +0000
Subject: * src/base/ftobj.c (Mac_Read_POST_Resource): Additional
overflow check in the summation of POST fragment lengths,
suggested by Mateusz Jurczyk <mjurczyk(a)google.com>.
---
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 4321126..b28216a 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1592,8 +1592,10 @@
if ( FT_READ_ULONG( temp ) )
goto Exit;
FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", i, temp));
- if ( 0x7FFFFFFFUL < temp )
+ if ( 0x7FFFFFFFUL < temp || pfb_len + temp + 6 < pfb_len )
{
+ FT_TRACE2(( " too long fragment length makes"
+ " pfb_len confused: temp=0x%08x\n", temp ));
error = FT_THROW( Invalid_Offset );
goto Exit;
}
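Review bot: `pfb_len + temp + 6 < pfb_len` is a valid wrap-around test only if `pfb_len` is unsigned; the `(FT_Long)pfb_len` cast in the CVE-2014-9674a hunk suggests it is, but a comment would remove the doubt, since on a signed type the compiler may legally drop this test. Separately, the trace lines print `temp` (read with `FT_READ_ULONG`, i.e. an `FT_ULong`) with `%08x`; on LP64 that is a format/argument mismatch, so use `%08lx` with a matching cast.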
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9675.patch:
bdflib.c | 62 +++++++++++++++++++++++++++++++++++++-------------------------
1 file changed, 37 insertions(+), 25 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9675.patch ---
commit 2c4832d30939b45c05757f0a05128ce64c4cacc7
Author: Werner Lemberg <wl(a)gnu.org>
Date: Fri Nov 7 07:42:33 2014 +0100
Fix Savannah bug #43535.
* src/bdf/bdflib.c (_bdf_strncmp): New macro that checks one
character more than `strncmp'.
s/ft_strncmp/_bdf_strncmp/ everywhere.
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index 2eda11c..c128526 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -169,6 +169,18 @@
sizeof ( _bdf_properties[0] );
+ /* An auxiliary macro to parse properties, to be used in conditionals. */
+ /* It behaves like `strncmp' but also tests the following character */
+ /* whether it is a whitespace or NULL. */
+ /* `property' is a constant string of length `n' to compare with. */
+#define _bdf_strncmp( name, property, n ) \
+ ( ft_strncmp( name, property, n ) || \
+ !( name[n] == ' ' || \
+ name[n] == '\0' || \
+ name[n] == '\n' || \
+ name[n] == '\r' || \
+ name[n] == '\t' ) )
+
/* Auto correction messages. */
#define ACMSG1 "FONT_ASCENT property missing. " \
"Added `FONT_ASCENT %hd'.\n"
@@ -1409,7 +1421,7 @@
/* If the property happens to be a comment, then it doesn't need */
/* to be added to the internal hash table. */
- if ( ft_strncmp( name, "COMMENT", 7 ) != 0 )
+ if ( _bdf_strncmp( name, "COMMENT", 7 ) != 0 )
{
/* Add the property to the font property table. */
error = hash_insert( fp->name,
@@ -1427,13 +1439,13 @@
/* FONT_ASCENT and FONT_DESCENT need to be assigned if they are */
/* present, and the SPACING property should override the default */
/* spacing. */
- if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
+ if ( _bdf_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
font->default_char = fp->value.l;
- else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
+ else if ( _bdf_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
font->font_ascent = fp->value.l;
- else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
+ else if ( _bdf_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
font->font_descent = fp->value.l;
- else if ( ft_strncmp( name, "SPACING", 7 ) == 0 )
+ else if ( _bdf_strncmp( name, "SPACING", 7 ) == 0 )
{
if ( !fp->value.atom )
{
@@ -1491,7 +1503,7 @@
memory = font->memory;
/* Check for a comment. */
- if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+ if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
{
linelen -= 7;
@@ -1508,7 +1520,7 @@
/* The very first thing expected is the number of glyphs. */
if ( !( p->flags & _BDF_GLYPHS ) )
{
- if ( ft_strncmp( line, "CHARS", 5 ) != 0 )
+ if ( _bdf_strncmp( line, "CHARS", 5 ) != 0 )
{
FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" ));
error = FT_THROW( Missing_Chars_Field );
@@ -1542,7 +1554,7 @@
}
/* Check for the ENDFONT field. */
- if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 )
+ if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 )
{
/* Sort the glyphs by encoding. */
ft_qsort( (char *)font->glyphs,
@@ -1556,7 +1568,7 @@
}
/* Check for the ENDCHAR field. */
- if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 )
+ if ( _bdf_strncmp( line, "ENDCHAR", 7 ) == 0 )
{
p->glyph_enc = 0;
p->flags &= ~_BDF_GLYPH_BITS;
@@ -1572,7 +1584,7 @@
goto Exit;
/* Check for the STARTCHAR field. */
- if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 )
+ if ( _bdf_strncmp( line, "STARTCHAR", 9 ) == 0 )
{
/* Set the character name in the parse info first until the */
/* encoding can be checked for an unencoded character. */
@@ -1606,7 +1618,7 @@
}
/* Check for the ENCODING field. */
- if ( ft_strncmp( line, "ENCODING", 8 ) == 0 )
+ if ( _bdf_strncmp( line, "ENCODING", 8 ) == 0 )
{
if ( !( p->flags & _BDF_GLYPH ) )
{
@@ -1792,7 +1804,7 @@
}
/* Expect the SWIDTH (scalable width) field next. */
- if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 )
+ if ( _bdf_strncmp( line, "SWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1808,7 +1820,7 @@
}
/* Expect the DWIDTH (scalable width) field next. */
- if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 )
+ if ( _bdf_strncmp( line, "DWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1836,7 +1848,7 @@
}
/* Expect the BBX field next. */
- if ( ft_strncmp( line, "BBX", 3 ) == 0 )
+ if ( _bdf_strncmp( line, "BBX", 3 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1904,7 +1916,7 @@
}
/* And finally, gather up the bitmap. */
- if ( ft_strncmp( line, "BITMAP", 6 ) == 0 )
+ if ( _bdf_strncmp( line, "BITMAP", 6 ) == 0 )
{
unsigned long bitmap_size;
@@ -1979,7 +1991,7 @@
p = (_bdf_parse_t *) client_data;
/* Check for the end of the properties. */
- if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
+ if ( _bdf_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
{
/* If the FONT_ASCENT or FONT_DESCENT properties have not been */
/* encountered yet, then make sure they are added as properties and */
@@ -2020,12 +2032,12 @@
}
/* Ignore the _XFREE86_GLYPH_RANGES properties. */
- if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
+ if ( _bdf_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
goto Exit;
/* Handle COMMENT fields and properties in a special way to preserve */
/* the spacing. */
- if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+ if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
{
name = value = line;
value += 7;
@@ -2089,7 +2101,7 @@
/* Check for a comment. This is done to handle those fonts that have */
/* comments before the STARTFONT line for some reason. */
- if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+ if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
{
if ( p->opts->keep_comments != 0 && p->font != 0 )
{
@@ -2115,7 +2127,7 @@
{
memory = p->memory;
- if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 )
+ if ( _bdf_strncmp( line, "STARTFONT", 9 ) != 0 )
{
/* we don't emit an error message since this code gets */
/* explicitly caught one level higher */
@@ -2163,7 +2175,7 @@
}
/* Check for the start of the properties. */
- if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
+ if ( _bdf_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
{
if ( !( p->flags & _BDF_FONT_BBX ) )
{
@@ -2192,7 +2204,7 @@
}
/* Check for the FONTBOUNDINGBOX field. */
- if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
+ if ( _bdf_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
{
if ( !( p->flags & _BDF_SIZE ) )
{
@@ -2223,7 +2235,7 @@
}
/* The next thing to check for is the FONT field. */
- if ( ft_strncmp( line, "FONT", 4 ) == 0 )
+ if ( _bdf_strncmp( line, "FONT", 4 ) == 0 )
{
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
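Review bot: this is the hunk where the new macro changes more than robustness: with plain `ft_strncmp( line, "FONT", 4 )' a `FONTBOUNDINGBOX' line also matched, and correctness depended on the `FONTBOUNDINGBOX' test in the previous hunk running first. With `_bdf_strncmp' the byte after `FONT' must be whitespace or NUL, so the order of the keyword tests no longer matters; a short comment here would keep someone from re-introducing the ordering dependency.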
@@ -2258,7 +2270,7 @@
}
/* Check for the SIZE field. */
- if ( ft_strncmp( line, "SIZE", 4 ) == 0 )
+ if ( _bdf_strncmp( line, "SIZE", 4 ) == 0 )
{
if ( !( p->flags & _BDF_FONT_NAME ) )
{
@@ -2312,7 +2324,7 @@
}
/* Check for the CHARS field -- font properties are optional */
- if ( ft_strncmp( line, "CHARS", 5 ) == 0 )
+ if ( _bdf_strncmp( line, "CHARS", 5 ) == 0 )
{
char nbuf[128];
freetype-2.5.0-ft-strncmp.patch:
bdflib.c | 50 +++++++++++++++++++++++++-------------------------
1 file changed, 25 insertions(+), 25 deletions(-)
--- NEW FILE freetype-2.5.0-ft-strncmp.patch ---
commit 9a56764037dfc01a89fe61f5c67971bf50343d00
Author: Werner Lemberg <wl(a)gnu.org>
Date: Wed Feb 26 13:08:07 2014 +0100
[bdf] Fix Savannah bug #41692.
bdflib puts data from the input stream into a buffer in chunks of
1024 bytes. The data itself gets then parsed line by line, simply
increasing the current pointer into the buffer; if the search for
the final newline character exceeds the buffer size, more data gets
read.
However, in case the current line's end is very near to the buffer
end, and the keyword to compare with is longer than the current
line's length, an out-of-bounds read might happen since `memcmp'
doesn't stop properly at the string end.
* src/bdf/bdflib.c: s/ft_memcmp/ft_strncmp/ to make comparisons
stop at string ends.
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index c9e231e..b0ec292 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1409,7 +1409,7 @@
/* If the property happens to be a comment, then it doesn't need */
/* to be added to the internal hash table. */
- if ( ft_memcmp( name, "COMMENT", 7 ) != 0 )
+ if ( ft_strncmp( name, "COMMENT", 7 ) != 0 )
{
/* Add the property to the font property table. */
error = hash_insert( fp->name,
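Review bot: `ft_strncmp' stops the comparison at the NUL of `name', which is the point of the commit message, but it only bounds the read if each line handed to the parser is NUL-terminated at its end; please confirm the line splitter that works on the 1024-byte chunk buffer writes that terminator, since the hunk itself gives no evidence either way. Otherwise the over-read only moves from `memcmp' to `strncmp'. A one-line comment at this first call site would record the invariant the whole patch relies on.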
@@ -1427,13 +1427,13 @@
/* FONT_ASCENT and FONT_DESCENT need to be assigned if they are */
/* present, and the SPACING property should override the default */
/* spacing. */
- if ( ft_memcmp( name, "DEFAULT_CHAR", 12 ) == 0 )
+ if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
font->default_char = fp->value.l;
- else if ( ft_memcmp( name, "FONT_ASCENT", 11 ) == 0 )
+ else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
font->font_ascent = fp->value.l;
- else if ( ft_memcmp( name, "FONT_DESCENT", 12 ) == 0 )
+ else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
font->font_descent = fp->value.l;
- else if ( ft_memcmp( name, "SPACING", 7 ) == 0 )
+ else if ( ft_strncmp( name, "SPACING", 7 ) == 0 )
{
if ( !fp->value.atom )
{
@@ -1491,7 +1491,7 @@
memory = font->memory;
/* Check for a comment. */
- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
+ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
{
linelen -= 7;
@@ -1508,7 +1508,7 @@
/* The very first thing expected is the number of glyphs. */
if ( !( p->flags & _BDF_GLYPHS ) )
{
- if ( ft_memcmp( line, "CHARS", 5 ) != 0 )
+ if ( ft_strncmp( line, "CHARS", 5 ) != 0 )
{
FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" ));
error = FT_THROW( Missing_Chars_Field );
@@ -1542,7 +1542,7 @@
}
/* Check for the ENDFONT field. */
- if ( ft_memcmp( line, "ENDFONT", 7 ) == 0 )
+ if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 )
{
/* Sort the glyphs by encoding. */
ft_qsort( (char *)font->glyphs,
@@ -1556,7 +1556,7 @@
}
/* Check for the ENDCHAR field. */
- if ( ft_memcmp( line, "ENDCHAR", 7 ) == 0 )
+ if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 )
{
p->glyph_enc = 0;
p->flags &= ~_BDF_GLYPH_BITS;
@@ -1572,7 +1572,7 @@
goto Exit;
/* Check for the STARTCHAR field. */
- if ( ft_memcmp( line, "STARTCHAR", 9 ) == 0 )
+ if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 )
{
/* Set the character name in the parse info first until the */
/* encoding can be checked for an unencoded character. */
@@ -1606,7 +1606,7 @@
}
/* Check for the ENCODING field. */
- if ( ft_memcmp( line, "ENCODING", 8 ) == 0 )
+ if ( ft_strncmp( line, "ENCODING", 8 ) == 0 )
{
if ( !( p->flags & _BDF_GLYPH ) )
{
@@ -1792,7 +1792,7 @@
}
/* Expect the SWIDTH (scalable width) field next. */
- if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 )
+ if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1808,7 +1808,7 @@
}
/* Expect the DWIDTH (scalable width) field next. */
- if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 )
+ if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1836,7 +1836,7 @@
}
/* Expect the BBX field next. */
- if ( ft_memcmp( line, "BBX", 3 ) == 0 )
+ if ( ft_strncmp( line, "BBX", 3 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1904,7 +1904,7 @@
}
/* And finally, gather up the bitmap. */
- if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
+ if ( ft_strncmp( line, "BITMAP", 6 ) == 0 )
{
unsigned long bitmap_size;
@@ -1979,7 +1979,7 @@
p = (_bdf_parse_t *) client_data;
/* Check for the end of the properties. */
- if ( ft_memcmp( line, "ENDPROPERTIES", 13 ) == 0 )
+ if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
{
/* If the FONT_ASCENT or FONT_DESCENT properties have not been */
/* encountered yet, then make sure they are added as properties and */
@@ -2020,12 +2020,12 @@
}
/* Ignore the _XFREE86_GLYPH_RANGES properties. */
- if ( ft_memcmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
+ if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
goto Exit;
/* Handle COMMENT fields and properties in a special way to preserve */
/* the spacing. */
- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
+ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
{
name = value = line;
value += 7;
@@ -2089,7 +2089,7 @@
/* Check for a comment. This is done to handle those fonts that have */
/* comments before the STARTFONT line for some reason. */
- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
+ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
{
if ( p->opts->keep_comments != 0 && p->font != 0 )
{
@@ -2115,7 +2115,7 @@
{
memory = p->memory;
- if ( ft_memcmp( line, "STARTFONT", 9 ) != 0 )
+ if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 )
{
/* we don't emit an error message since this code gets */
/* explicitly caught one level higher */
@@ -2163,7 +2163,7 @@
}
/* Check for the start of the properties. */
- if ( ft_memcmp( line, "STARTPROPERTIES", 15 ) == 0 )
+ if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
{
if ( !( p->flags & _BDF_FONT_BBX ) )
{
@@ -2192,7 +2192,7 @@
}
/* Check for the FONTBOUNDINGBOX field. */
- if ( ft_memcmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
+ if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
{
if ( !( p->flags & _BDF_SIZE ) )
{
@@ -2223,7 +2223,7 @@
}
/* The next thing to check for is the FONT field. */
- if ( ft_memcmp( line, "FONT", 4 ) == 0 )
+ if ( ft_strncmp( line, "FONT", 4 ) == 0 )
{
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
@@ -2258,7 +2258,7 @@
}
/* Check for the SIZE field. */
- if ( ft_memcmp( line, "SIZE", 4 ) == 0 )
+ if ( ft_strncmp( line, "SIZE", 4 ) == 0 )
{
if ( !( p->flags & _BDF_FONT_NAME ) )
{
@@ -2312,7 +2312,7 @@
}
/* Check for the CHARS field -- font properties are optional */
- if ( ft_memcmp( line, "CHARS", 5 ) == 0 )
+ if ( ft_strncmp( line, "CHARS", 5 ) == 0 )
{
char nbuf[128];
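An added example, not FreeType's code, showing the keyword-matching semantics of the `_bdf_strncmp' macro from the CVE-2014-9675 patch above beside the bare prefix match that the ft-strncmp patch still used, run over constructed BDF lines; `classify', `prefix_strncmp' and the keyword table are my own scaffolding.

```c
#include <stdio.h>
#include <string.h>

/* Keyword-at-start test with the semantics of FreeType's `_bdf_strncmp'
 * macro (CVE-2014-9675 patch), written as a function for illustration:
 * the first n bytes must match AND the byte after them must be whitespace
 * or the terminating NUL.  Like the macro, it returns 0 on a match. */
static int bdf_strncmp(const char *name, const char *property, size_t n)
{
    /* strncmp stops at the NUL of `name', so a line shorter than the
     * keyword is never read past its end (the ft_memcmp -> ft_strncmp
     * change).  name[n] is only touched after n bytes matched, which
     * places it inside the string (at worst on its NUL). */
    if (strncmp(name, property, n) != 0)
        return 1;
    return !(name[n] == ' ' || name[n] == '\0' || name[n] == '\n' ||
             name[n] == '\r' || name[n] == '\t');
}

/* The pre-patch behaviour: a bare prefix match. */
static int prefix_strncmp(const char *name, const char *property, size_t n)
{
    return strncmp(name, property, n) != 0;
}

typedef int (*cmp_fn)(const char *, const char *, size_t);

/* Keywords the patch touches, deliberately listing short ones before the
 * longer keywords that share their prefix. */
static const char *const kKeywords[] = {
    "FONT", "SIZE", "FONTBOUNDINGBOX", "STARTPROPERTIES", "ENDPROPERTIES",
    "CHARS", "STARTCHAR", "ENCODING", "SWIDTH", "DWIDTH", "BBX", "BITMAP",
    "ENDCHAR", "ENDFONT", "COMMENT", "STARTFONT"
};

/* Return the keyword that `line' starts with under comparison `cmp', or
 * NULL if none matches (constructed helper, not FreeType's dispatcher). */
static const char *classify(const char *line, cmp_fn cmp)
{
    size_t i;

    for (i = 0; i < sizeof kKeywords / sizeof kKeywords[0]; i++)
        if (cmp(line, kKeywords[i], strlen(kKeywords[i])) == 0)
            return kKeywords[i];
    return NULL;
}

int main(void)
{
    /* Constructed BDF lines. */
    static const char *const lines[] = {
        "FONTBOUNDINGBOX 6 13 0 -2",          /* prefix match hits "FONT" */
        "FONT -misc-fixed-medium-r-normal",   /* genuine FONT line */
        "CHARSET_REGISTRY \"ISO10646\"",      /* a property, not CHARS */
        "BB",                                  /* shorter than any keyword */
        "ENDCHAR"                              /* NUL right after keyword */
    };
    size_t i;

    for (i = 0; i < sizeof lines / sizeof lines[0]; i++) {
        const char *before = classify(lines[i], prefix_strncmp);
        const char *after  = classify(lines[i], bdf_strncmp);
        printf("%-34s prefix=%-16s boundary=%s\n", lines[i],
               before ? before : "(none)", after ? after : "(none)");
    }
    return 0;
}
```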
freetype-2.5.0-unsigned-long.patch:
ftobjs.c | 59 ++++++++++++++++++++++++++++++-----------------------------
1 file changed, 30 insertions(+), 29 deletions(-)
--- NEW FILE freetype-2.5.0-unsigned-long.patch ---
commit 453316792fee912cfced48e9e270e9eb19892e64
Author: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp>
Date: Wed Nov 26 16:02:17 2014 +0900
* src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long
variables to read the lengths in POST fragments. Suggested by
Mateusz Jurczyk <mjurczyk(a)google.com>.
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 922216e..dfad24a 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1571,9 +1571,9 @@
FT_Memory memory = library->memory;
FT_Byte* pfb_data = NULL;
int i, type, flags;
- FT_Long len;
- FT_Long pfb_len, pfb_pos, pfb_lenpos;
- FT_Long rlen, temp;
+ FT_ULong len;
+ FT_ULong pfb_len, pfb_pos, pfb_lenpos;
+ FT_ULong rlen, temp;
if ( face_index == -1 )
@@ -1589,25 +1589,25 @@
error = FT_Stream_Seek( stream, offsets[i] );
if ( error )
goto Exit;
- if ( FT_READ_LONG( temp ) )
+ if ( FT_READ_ULONG( temp ) )
goto Exit;
- if ( 0 > temp )
+ FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", i, temp));
+ if ( 0x7FFFFFFFUL < temp )
+ {
error = FT_THROW( Invalid_Offset );
- else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
- error = FT_THROW( Array_Too_Large );
-
- if ( error )
goto Exit;
+ }
pfb_len += temp + 6;
}
- if ( 0x7FFFFFFFL - 2 < pfb_len )
+ FT_TRACE2(( " total buffer size to concatenate %d POST fragments: 0x%08x\n",
+ resource_cnt, pfb_len + 2));
+ if ( pfb_len + 2 < 6 ) {
error = FT_THROW( Array_Too_Large );
- else
- error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
-
- if ( error )
+ goto Exit;
+ }
+ if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
goto Exit;
pfb_data[0] = 0x80;
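Review bot: the accumulation `pfb_len += temp + 6' can still wrap on a 32-bit `FT_ULong': each `temp' is bounded by 0x7FFFFFFF, but the sum across fragments is not, and the new `pfb_len + 2 < 6' test only catches a wrapped total that lands in [0, 4). Worse, `FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 )' casts back to signed, so a total at or above 2^31 becomes a negative allocation size. Suggest testing `pfb_len + temp + 6 < pfb_len' inside the loop (which is what the CVE-2014-9674b fragment at the top of this mail adds) and bounding `pfb_len' below `0x7FFFFFFFUL - 2' before the cast. Two style points: `if ( pfb_len + 2 < 6 ) {' puts the brace on the `if' line unlike the surrounding code, and the new trace strings print `FT_ULong' values with `%08x'.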
@@ -1626,21 +1628,25 @@
error = FT_Stream_Seek( stream, offsets[i] );
if ( error )
goto Exit2;
- if ( FT_READ_LONG( rlen ) )
+ if ( FT_READ_ULONG( rlen ) )
goto Exit;
- if ( rlen < 0 )
+ if ( 0x7FFFFFFFUL < rlen )
{
error = FT_THROW( Invalid_Offset );
goto Exit2;
}
if ( FT_READ_USHORT( flags ) )
goto Exit;
FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
i, offsets[i], rlen, flags ));
+ error = FT_ERR( Array_Too_Large );
/* postpone the check of rlen longer than buffer until FT_Stream_Read() */
if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */
+ {
+ FT_TRACE3(( " Skip POST fragment #%d because it is a comment\n", i ));
continue;
+ }
/* the flags are part of the resource, so rlen >= 2. */
/* but some fonts declare rlen = 0 for empty fragment */
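Review bot: the `goto Exit' taken when `FT_READ_ULONG( rlen )' or `FT_READ_USHORT( flags )' fails bypasses `Exit2' and with it the `FT_FREE( pfb_data )' at the end of the function, leaking the buffer on a truncated stream; it is pre-existing (the removed line had it too), but this hunk touches the line, so it should become `goto Exit2'. The unconditional `error = FT_ERR( Array_Too_Large )' before the comment test also leaves `error' set when a comment fragment hits `continue'; that is harmless only because the post-loop code assigns it again, which deserves a comment. `FT_ERR' also skips the trace that `FT_THROW' emits, so the error site is not logged in debug builds.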
@@ -1650,16 +1658,10 @@
rlen = 0;
if ( ( flags >> 8 ) == type )
- {
- if ( 0x7FFFFFFFL - rlen < len )
- {
- error = FT_THROW( Array_Too_Large );
- goto Exit2;
- }
len += rlen;
- }
else
{
+ FT_TRACE3(( " Write POST fragment #%d header (4-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos ));
if ( pfb_lenpos + 3 > pfb_len + 2 )
goto Exit2;
pfb_data[pfb_lenpos ] = (FT_Byte)( len );
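Review bot: removing the `0x7FFFFFFFL - rlen < len' test is justified only by an invariant the hunk does not state: `len' sums `rlen' values that each have to pass the later `pfb_pos + rlen > pfb_len' test before the loop continues, so `len' never exceeds `pfb_len' plus one rejected fragment. Please add a comment to that effect next to `len += rlen', since with `FT_ULong' a wrapped `len' would be written into the segment-length header bytes silently.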
@@ -1670,6 +1672,7 @@
if ( ( flags >> 8 ) == 5 ) /* End of font mark */
break;
+ FT_TRACE3(( " Write POST fragment #%d header (6-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_pos ));
if ( pfb_pos + 6 > pfb_len + 2 )
goto Exit2;
pfb_data[pfb_pos++] = 0x80;
@@ -1685,21 +1688,17 @@
pfb_data[pfb_pos++] = 0;
}
- error = FT_ERR( Cannot_Open_Resource );
- if ( rlen > 0x7FFFFFFFL - pfb_pos )
- {
- error = FT_THROW( Array_Too_Large );
- goto Exit2;
- }
if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
goto Exit2;
+ FT_TRACE3(( " Load POST fragment #%d (%d byte) to buffer 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos ));
error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
if ( error )
goto Exit2;
pfb_pos += rlen;
}
+ error = FT_ERR( Array_Too_Large );
if ( pfb_pos + 2 > pfb_len + 2 )
goto Exit2;
pfb_data[pfb_pos++] = 0x80;
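Review bot: `pfb_pos + rlen > pfb_len' cannot wrap only because `rlen' was bounded by 0x7FFFFFFF above and `pfb_pos <= pfb_len' holds from the first half of the condition, which in turn assumes `pfb_len' itself stays below 2^31 on a 32-bit build; that ties back to the missing summation bound in the earlier hunk and is worth a comment here. Also `%d byte' in the new trace receives an `FT_ULong'.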
@@ -1720,6 +1719,12 @@
aface );
Exit2:
+ if ( error == FT_ERR( Array_Too_Large ) )
+ FT_TRACE2(( " Abort due to too-short buffer to store all POST fragments\n" ));
+ else if ( error == FT_ERR( Invalid_Offset ) )
+ FT_TRACE2(( " Abort due to invalid offset in a POST fragment\n" ));
+ if ( error )
+ error = FT_ERR( Cannot_Open_Resource );
FT_FREE( pfb_data );
Exit:
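Review bot: `if ( error ) error = FT_ERR( Cannot_Open_Resource )' rewrites every failure reaching `Exit2', including whatever the call ending in `aface )' just above returned (an out-of-memory or unsupported-format error from opening the concatenated PFB), so callers lose that distinction. If the intent is to hide only the two traced cases, limit the mapping to `Array_Too_Large' and `Invalid_Offset'.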
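An added example, not FreeType's code, that models the POST-fragment length summation of `Mac_Read_POST_Resource' with a 32-bit accumulator (`uint32_t' stands in for `FT_ULong' on a 32-bit build, where the wrap is reachable); it combines the per-fragment bound from this patch with the in-loop wraparound test of the CVE-2014-9674b fragment at the top of this mail, plus an added bound that keeps the later `(FT_Long)' cast representable. The status enum, table names and helper are my own.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Status values standing in for FreeType's Invalid_Offset and
 * Array_Too_Large errors (constructed for this example). */
enum post_sum_status {
    POST_SUM_OK = 0,
    POST_SUM_INVALID_OFFSET,   /* a fragment length above 0x7FFFFFFF */
    POST_SUM_ARRAY_TOO_LARGE   /* total wrapped, empty, or not representable */
};

#define POST_FRAGMENT_HEADER 6u  /* 0x80, segment type, 4-byte LE length */
#define PFB_TRAILER          2u  /* 0x80 0x03 end-of-file mark */

/* Sum the declared lengths of `count' POST fragments the way the loader
 * does (length + 6 per fragment, + 2 for the trailer).  `pfb_total' may be
 * NULL when only the status is wanted. */
static enum post_sum_status
post_fragment_total(const uint32_t *lengths, size_t count, uint32_t *pfb_total)
{
    uint32_t pfb_len = 0;
    size_t i;

    for (i = 0; i < count; i++) {
        uint32_t temp = lengths[i];

        /* Unsigned-long patch: reject lengths a signed 32-bit reader would
         * see as negative; this also guarantees temp + 6 cannot wrap. */
        if (temp > 0x7FFFFFFFu)
            return POST_SUM_INVALID_OFFSET;

        /* CVE-2014-9674b test: because temp + 6 < 2^32, a wrapped sum is
         * always smaller than the previous total, so one compare suffices. */
        if (pfb_len + temp + POST_FRAGMENT_HEADER < pfb_len)
            return POST_SUM_ARRAY_TOO_LARGE;

        pfb_len += temp + POST_FRAGMENT_HEADER;
    }

    /* The patch's `pfb_len + 2 < 6' test (rejects the no-fragment case),
     * plus an added bound so `(FT_Long)pfb_len + 2' stays positive on 32 bits. */
    if (pfb_len + PFB_TRAILER < 6u || pfb_len > 0x7FFFFFFFu - PFB_TRAILER)
        return POST_SUM_ARRAY_TOO_LARGE;

    if (pfb_total)
        *pfb_total = pfb_len + PFB_TRAILER;
    return POST_SUM_OK;
}

/* Convenience: the buffer size for a table, or 0 when it is rejected. */
static uint32_t post_total_value(const uint32_t *lengths, size_t count)
{
    uint32_t total = 0;
    return post_fragment_total(lengths, count, &total) == POST_SUM_OK ? total : 0;
}

/* Constructed fragment tables (declared lengths only). */
static const uint32_t kSane[]     = { 0x10u, 0x20u };
static const uint32_t kNegative[] = { 0x80000000u };             /* "negative" */
static const uint32_t kHalfMax[]  = { 0x7FFFFFFFu };             /* cast hazard */
static const uint32_t kWrapping[] = { 0x7FFFFFFFu, 0x7FFFFFFFu, 0x7FFFFFFFu };

int main(void)
{
    static const char *const names[] = { "ok", "invalid offset", "array too large" };

    printf("sane:     %s, total=%u\n", names[post_fragment_total(kSane, 2, NULL)],
           (unsigned)post_total_value(kSane, 2));
    printf("negative: %s\n", names[post_fragment_total(kNegative, 1, NULL)]);
    printf("halfmax:  %s\n", names[post_fragment_total(kHalfMax, 1, NULL)]);
    printf("wrapping: %s\n", names[post_fragment_total(kWrapping, 3, NULL)]);
    printf("empty:    %s\n", names[post_fragment_total(NULL, 0, NULL)]);
    return 0;
}
```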
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-20/freetype-freeworld.spec,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- freetype-freeworld.spec 12 Dec 2014 04:04:27 -0000 1.33
+++ freetype-freeworld.spec 18 Feb 2015 01:57:37 -0000 1.34
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.5.0.1
-Release: 5%{?dist}
+Release: 6%{?dist}
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -16,14 +16,40 @@
Patch92: 0001-Fix-vertical-size-of-emboldened-glyphs.patch
## Security fixes:
-# https://bugzilla.gnome.org/show_bug.cgi?id=1074647
+# https://bugzilla.redhat.com/show_bug.cgi?id=1074647
Patch93: freetype-2.5.0-CVE-2014-2240.patch
Patch94: freetype-2.5.0-CVE-2014-2241.patch
-# https://bugzilla.gnome.org/show_bug.cgi?id=1172634
+# https://bugzilla.redhat.com/show_bug.cgi?id=1172634
Patch95: freetype-2.5.0-hintmask.patch
Patch96: freetype-2.5.0-hintmap.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1191099
+# https://bugzilla.redhat.com/show_bug.cgi?id=1191191
+# https://bugzilla.redhat.com/show_bug.cgi?id=1191193
+Patch97: freetype-2.5.0-CVE-2014-9656.patch
+Patch98: freetype-2.5.0-CVE-2014-9657.patch
+Patch99: freetype-2.5.0-CVE-2014-9658.patch
+Patch100: freetype-2.5.0-ft-strncmp.patch
+Patch101: freetype-2.5.0-CVE-2014-9675.patch
+Patch102: freetype-2.5.0-CVE-2014-9660.patch
+Patch103: freetype-2.5.0-CVE-2014-9661a.patch
+Patch104: freetype-2.5.0-CVE-2014-9661b.patch
+Patch105: freetype-2.5.0-CVE-2014-9662.patch
+Patch106: freetype-2.5.0-CVE-2014-9663.patch
+Patch107: freetype-2.5.0-CVE-2014-9664a.patch
+Patch108: freetype-2.5.0-CVE-2014-9664b.patch
+Patch109: freetype-2.5.0-CVE-2014-9666.patch
+Patch110: freetype-2.5.0-CVE-2014-9667.patch
+Patch111: freetype-2.5.0-CVE-2014-9669.patch
+Patch112: freetype-2.5.0-CVE-2014-9670.patch
+Patch113: freetype-2.5.0-CVE-2014-9671.patch
+Patch114: freetype-2.5.0-CVE-2014-9672.patch
+Patch115: freetype-2.5.0-CVE-2014-9673.patch
+Patch117: freetype-2.5.0-unsigned-long.patch
+Patch116: freetype-2.5.0-CVE-2014-9674a.patch
+Patch118: freetype-2.5.0-CVE-2014-9674b.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
Provides: freetype-bytecode
@@ -60,6 +86,29 @@
%patch95 -p1 -b .hintmask
%patch96 -p1 -b .hintmap
+%patch97 -p1 -b .CVE-2014-9656
+%patch98 -p1 -b .CVE-2014-9657
+%patch99 -p1 -b .CVE-2014-9658
+%patch100 -p1 -b .ft-strncmp
+%patch101 -p1 -b .CVE-2014-9675
+%patch102 -p1 -b .CVE-2014-9660
+%patch103 -p1 -b .CVE-2014-9661a
+%patch104 -p1 -b .CVE-2014-9661b
+%patch105 -p1 -b .CVE-2014-9662
+%patch106 -p1 -b .CVE-2014-9663
+%patch107 -p1 -b .CVE-2014-9664a
+%patch108 -p1 -b .CVE-2014-9664b
+%patch109 -p1 -b .CVE-2014-9666
+%patch110 -p1 -b .CVE-2014-9667
+%patch111 -p1 -b .CVE-2014-9669
+%patch112 -p1 -b .CVE-2014-9670
+%patch113 -p1 -b .CVE-2014-9671
+%patch114 -p1 -b .CVE-2014-9672
+%patch115 -p1 -b .CVE-2014-9673
+%patch116 -p1 -b .unsigned-long
+%patch117 -p1 -b .CVE-2014-9674a
+%patch118 -p1 -b .CVE-2014-9674b
+
%build
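Review bot: the patch numbering and the backup suffixes disagree: in the previous hunk `Patch116' is `freetype-2.5.0-CVE-2014-9674a.patch' and `Patch117' is `freetype-2.5.0-unsigned-long.patch' (declared out of order), but `%prep' runs `%patch116 -p1 -b .unsigned-long' and `%patch117 -p1 -b .CVE-2014-9674a', so the backup files carry the wrong names and the apply order (9674a first, then unsigned-long) is the reverse of what the changelog entry lists. Renumber so 116 is unsigned-long and 117 is CVE-2014-9674a, matching the changelog.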
@@ -104,6 +153,54 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Wed Feb 18 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.0.1-6
+- Add freetype-2.5.0-CVE-2014-9656.patch from Fedora freetype (rh#1191099)
+ (Check `p' before `num_glyphs'.)
+- Add freetype-2.5.0-CVE-2014-9657.patch from Fedora freetype (rh#1191099)
+ (Check minimum size of `record_size'.)
+- Add freetype-2.5.0-CVE-2014-9658.patch from Fedora freetype (rh#1191099)
+ (Use correct value for minimum table length test.)
+- Add freetype-2.5.0-ft-strncmp.patch from Fedora freetype (rh#1191193)
+ (Fix http://savannah.nongnu.org/bugs/?41692. Prereq of CVE-2014-9675 patch.)
+- Add freetype-2.5.0-CVE-2014-9675.patch from Fedora freetype (rh#1191193)
+ (New macro that checks one character more than `strncmp'.)
+- Add freetype-2.5.0-CVE-2014-9660.patch from Fedora freetype (rh#1191099)
+ (Check `_BDF_GLYPH_BITS'.)
+- Add freetype-2.5.0-CVE-2014-9661a.patch from Fedora freetype (rh#1191099)
+ (Initialize `face->ttf_size'. Always set `face->ttf_size' directly.)
+- Add freetype-2.5.0-CVE-2014-9661b.patch from Fedora freetype (rh#1191099)
+ (Exclusively use the `truetype' font driver for loading the font contained
+ in the `sfnts' array.)
+- Add freetype-2.5.0-CVE-2014-9662.patch from Fedora freetype (rh#1191099)
+ (Handle return values of point allocation routines.)
+- Add freetype-2.5.0-CVE-2014-9663.patch from Fedora freetype (rh#1191099)
+ (Fix order of validity tests.)
+- Add freetype-2.5.0-CVE-2014-9664a.patch from Fedora freetype (rh#1191099)
+ (Add another boundary testing.)
+- Add freetype-2.5.0-CVE-2014-9664b.patch from Fedora freetype (rh#1191099)
+ (Fix boundary testing.)
+- Add freetype-2.5.0-CVE-2014-9666.patch from Fedora freetype (rh#1191099)
+ (Protect against addition and multiplication overflow.)
+- Add freetype-2.5.0-CVE-2014-9667.patch from Fedora freetype (rh#1191099)
+ (Protect against addition overflow.)
+- Add freetype-2.5.0-CVE-2014-9669.patch from Fedora freetype (rh#1191099)
+ (Protect against overflow in additions and multiplications.)
+- Add freetype-2.5.0-CVE-2014-9670.patch from Fedora freetype (rh#1191099)
+ (Add sanity checks for row and column values.)
+- Add freetype-2.5.0-CVE-2014-9671.patch from Fedora freetype (rh#1191099)
+ (Check `size' and `offset' values.)
+- Add freetype-2.5.0-CVE-2014-9672.patch from Fedora freetype (rh#1191095)
+ (Prevent a buffer overrun caused by a font including too many (> 63) strings
+ to store names[] table.)
+- Add freetype-2.5.0-CVE-2014-9673.patch from Fedora freetype (rh#1191096)
+ (Fix integer overflow by a broken POST table in resource-fork.)
+- Add freetype-2.5.0-unsigned-long.patch from Fedora freetype (rh#1191191)
+ (Use unsigned long variables to read the lengths in POST fragments.)
+- Add freetype-2.5.0-CVE-2014-9674a.patch from Fedora freetype (rh#1191191)
+ (Fix integer overflow by a broken POST table in resource-fork.)
+- Add freetype-2.5.0-CVE-2014-9674b.patch from Fedora freetype (rh#1191191)
+ (Additional overflow check in the summation of POST fragment lengths.)
+
* Fri Dec 12 2014 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.0.1-5
- Add freetype-2.5.0-hintmask.patch from Fedora freetype (rh#1172634)
(Don't append to stem arrays after hintmask is constructed.)
rpms/freetype-freeworld/devel freetype-2.5.3-CVE-2014-9656.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9657.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9658.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9660.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9661a.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9661b.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9662.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9663.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9664a.patch, NONE, 1.1 freetype-2.5.3-CVE-2014-9664b.patch, NONE, 1.1 freetype-2.5.3-CVE
by Kevin Kofler
Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/devel
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv32326/devel
Modified Files:
freetype-freeworld.spec
Added Files:
freetype-2.5.3-CVE-2014-9656.patch
freetype-2.5.3-CVE-2014-9657.patch
freetype-2.5.3-CVE-2014-9658.patch
freetype-2.5.3-CVE-2014-9660.patch
freetype-2.5.3-CVE-2014-9661a.patch
freetype-2.5.3-CVE-2014-9661b.patch
freetype-2.5.3-CVE-2014-9662.patch
freetype-2.5.3-CVE-2014-9663.patch
freetype-2.5.3-CVE-2014-9664a.patch
freetype-2.5.3-CVE-2014-9664b.patch
freetype-2.5.3-CVE-2014-9665.patch
freetype-2.5.3-CVE-2014-9666.patch
freetype-2.5.3-CVE-2014-9667.patch
freetype-2.5.3-CVE-2014-9668.patch
freetype-2.5.3-CVE-2014-9669.patch
freetype-2.5.3-CVE-2014-9670.patch
freetype-2.5.3-CVE-2014-9671.patch
freetype-2.5.3-CVE-2014-9672.patch
freetype-2.5.3-CVE-2014-9673.patch
freetype-2.5.3-CVE-2014-9674a.patch
freetype-2.5.3-CVE-2014-9674b.patch
freetype-2.5.3-CVE-2014-9675.patch
freetype-2.5.3-unsigned-long.patch
Log Message:
* Wed Feb 18 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.3-4
- Add freetype-2.5.3-CVE-2014-9656.patch from Fedora freetype (rh#1191099)
(Check `p' before `num_glyphs'.)
- Add freetype-2.5.3-CVE-2014-9657.patch from Fedora freetype (rh#1191099)
(Check minimum size of `record_size'.)
- Add freetype-2.5.3-CVE-2014-9658.patch from Fedora freetype (rh#1191099)
(Use correct value for minimum table length test.)
- Add freetype-2.5.3-CVE-2014-9675.patch from Fedora freetype (rh#1191193)
(New macro that checks one character more than `strncmp'.)
- Add freetype-2.5.3-CVE-2014-9660.patch from Fedora freetype (rh#1191099)
(Check `_BDF_GLYPH_BITS'.)
- Add freetype-2.5.3-CVE-2014-9661a.patch from Fedora freetype (rh#1191099)
(Initialize `face->ttf_size'. Always set `face->ttf_size' directly.)
- Add freetype-2.5.3-CVE-2014-9661b.patch from Fedora freetype (rh#1191099)
(Exclusively use the `truetype' font driver for loading the font contained
in the `sfnts' array.)
- Add freetype-2.5.3-CVE-2014-9662.patch from Fedora freetype (rh#1191099)
(Handle return values of point allocation routines.)
- Add freetype-2.5.3-CVE-2014-9663.patch from Fedora freetype (rh#1191099)
(Fix order of validity tests.)
- Add freetype-2.5.3-CVE-2014-9664a.patch from Fedora freetype (rh#1191099)
(Add another boundary testing.)
- Add freetype-2.5.3-CVE-2014-9664b.patch from Fedora freetype (rh#1191099)
(Fix boundary testing.)
- Add freetype-2.5.3-CVE-2014-9665.patch from Fedora freetype (rh#1191099)
(Protect against too large bitmaps.)
- Add freetype-2.5.3-CVE-2014-9666.patch from Fedora freetype (rh#1191099)
(Protect against addition and multiplication overflow.)
- Add freetype-2.5.3-CVE-2014-9667.patch from Fedora freetype (rh#1191099)
(Protect against addition overflow.)
- Add freetype-2.5.3-CVE-2014-9668.patch from Fedora freetype (rh#1191099)
(Protect against addition overflow.)
- Add freetype-2.5.3-CVE-2014-9669.patch from Fedora freetype (rh#1191099)
(Protect against overflow in additions and multiplications.)
- Add freetype-2.5.3-CVE-2014-9670.patch from Fedora freetype (rh#1191099)
(Add sanity checks for row and column values.)
- Add freetype-2.5.3-CVE-2014-9671.patch from Fedora freetype (rh#1191099)
(Check `size' and `offset' values.)
- Add freetype-2.5.3-CVE-2014-9672.patch from Fedora freetype (rh#1191095)
(Prevent a buffer overrun caused by a font including too many (> 63) strings
to store names[] table.)
- Add freetype-2.5.3-CVE-2014-9673.patch from Fedora freetype (rh#1191096)
(Fix integer overflow by a broken POST table in resource-fork.)
- Add freetype-2.5.3-CVE-2014-9674a.patch from Fedora freetype (rh#1191191)
(Fix integer overflow by a broken POST table in resource-fork.)
- Add freetype-2.5.3-unsigned-long.patch from Fedora freetype (rh#1191191)
(Use unsigned long variables to read the lengths in POST fragments.)
- Add freetype-2.5.3-CVE-2014-9674b.patch from Fedora freetype (rh#1191191)
(Additional overflow check in the summation of POST fragment lengths.)
freetype-2.5.3-CVE-2014-9656.patch:
ttsbit.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9656.patch ---
From f0292bb9920aa1dbfed5f53861e7c7a89b35833a Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Mon, 24 Nov 2014 09:51:21 +0000
Subject: [sfnt] Fix Savannah bug #43680.
This adds an additional constraint to make the fix from 2013-01-25
really work.
* src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) <index_format==4>:
Check `p' before `num_glyphs'.
---
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c
index b37bd7d..c2db96c 100644
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -1147,7 +1147,8 @@
num_glyphs = FT_NEXT_ULONG( p );
/* overflow check for p + ( num_glyphs + 1 ) * 4 */
- if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
+ if ( p + 4 > p_limit ||
+ num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
goto NoBitmap;
for ( mm = 0; mm < num_glyphs; mm++ )
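Review bot: `p + 4 > p_limit' forms a pointer that may lie beyond the end of the table buffer before comparing it, which is the kind of arithmetic sanitizers flag; `p_limit - p < 4' tests the same condition without it. A comment on why the extra guard matters would help too: when fewer than four bytes remain, `( ( p_limit - p ) >> 2 ) - 1' is a negative `ptrdiff_t' that the `(FT_ULong)' cast turns into a huge bound, so the original test passed for any `num_glyphs'.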
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9657.patch:
ttpload.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9657.patch ---
From eca0f067068020870a429fe91f6329e499390d55 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Mon, 24 Nov 2014 09:22:08 +0000
Subject: [truetype] Fix Savannah bug #43679.
* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of
`record_size'.
---
diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c
index 9723a51..9991925 100644
--- a/src/truetype/ttpload.c
+++ b/src/truetype/ttpload.c
@@ -508,9 +508,9 @@
record_size = FT_NEXT_ULONG( p );
/* The maximum number of bytes in an hdmx device record is the */
- /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is */
- /* the reason why `record_size' is a long (which we read as */
- /* unsigned long for convenience). In practice, two bytes */
+ /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus */
+ /* explaining why `record_size' is a long (which we read as */
+ /* unsigned long for convenience). In practice, two bytes are */
/* sufficient to hold the size value. */
/* */
/* There are at least two fonts, HANNOM-A and HANNOM-B version */
@@ -522,8 +522,10 @@
record_size &= 0xFFFFU;
/* The limit for `num_records' is a heuristic value. */
-
- if ( version != 0 || num_records > 255 || record_size > 0x10001L )
+ if ( version != 0 ||
+ num_records > 255 ||
+ record_size > 0x10001L ||
+ record_size < 4 )
{
error = FT_THROW( Invalid_File_Format );
goto Fail;
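Review bot: the new `record_size < 4' bound has no comment, while the block above documents the upper bound at length; a line stating what the four bytes are (presumably the fixed per-record header rounded up to a four-byte multiple) would save the next reader a trip to the specification.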
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9658.patch:
ttkern.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9658.patch ---
From f70d9342e65cd2cb44e9f26b6d7edeedf191fc6c Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Mon, 24 Nov 2014 08:31:32 +0000
Subject: [sfnt] Fix Savannah bug #43672.
* src/sfnt/ttkern.c (tt_face_load_kern): Use correct value for
minimum table length test.
---
diff --git a/src/sfnt/ttkern.c b/src/sfnt/ttkern.c
index 32c4008..455e7b5 100644
--- a/src/sfnt/ttkern.c
+++ b/src/sfnt/ttkern.c
@@ -99,7 +99,7 @@
length = FT_NEXT_USHORT( p );
coverage = FT_NEXT_USHORT( p );
- if ( length <= 6 )
+ if ( length <= 6 + 8 )
break;
p_next += length;
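Review bot: `6 + 8' is a bare sum of two magic numbers; the intent (six bytes of subtable header, the `version', `length' and `coverage' fields read just above, plus presumably the eight-byte header of the format-0 pair table) should be in a comment or named constants. Note also that a too-short subtable still `break's out silently rather than raising an error, so a truncated kern table is accepted as simply having fewer subtables.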
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9660.patch:
bdflib.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9660.patch ---
From af8346172a7b573715134f7a51e6c5c60fa7f2ab Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 22 Nov 2014 12:29:10 +0000
Subject: [bdf] Fix Savannah bug #43660.
* src/bdf/bdflib.c (_bdf_parse_glyphs) <"ENDFONT">: Check
`_BDF_GLYPH_BITS'.
---
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index c128526..369c111 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1555,6 +1555,14 @@
/* Check for the ENDFONT field. */
if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 )
{
+ if ( p->flags & _BDF_GLYPH_BITS )
+ {
+ /* Missing ENDCHAR field. */
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENDCHAR" ));
+ error = FT_THROW( Corrupted_Font_Glyphs );
+ goto Exit;
+ }
+
/* Sort the glyphs by encoding. */
ft_qsort( (char *)font->glyphs,
font->glyphs_used,
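Review bot: the new check only fires when an `ENDFONT' line is seen; a font whose data simply ends between `BITMAP' and `ENDCHAR' never reaches this branch, so `_BDF_GLYPH_BITS' can still be set at end-of-stream. Please confirm the end-of-file path in the caller performs the same test, or move the check to where the last glyph is finalised. Reusing `ERRMSG1' with `"ENDCHAR"' for the message is consistent with the other missing-field errors in this file.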
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9661a.patch:
t42objs.c | 6 ++++++
t42parse.c | 26 ++++++++++++--------------
2 files changed, 18 insertions(+), 14 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9661a.patch ---
From 3788187e0c396952cd7d905c6c61f3ff8e84b2b4 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 22 Nov 2014 09:46:47 +0000
Subject: [type42] Fix Savannah bug #43659.
* src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'.
* src/type42/t42parse.c (t42_parse_sfnts): Always set
`face->ttf_size' directly. This ensures a correct stream size in
the call to `FT_Open_Face', which follows after parsing, even for
buggy input data.
Fix error messages.
---
diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c
index 798ebdb..7a9cb57 100644
--- a/src/type42/t42objs.c
+++ b/src/type42/t42objs.c
@@ -47,6 +47,12 @@
if ( FT_ALLOC( face->ttf_data, 12 ) )
goto Exit;
+ /* while parsing the font we always update `face->ttf_size' so that */
+ /* even in case of buggy data (which might lead to premature end of */
+ /* scanning without causing an error) the call to `FT_Open_Face' in */
+ /* `T42_Face_Init' passes the correct size */
+ face->ttf_size = 12;
+
error = t42_parser_init( parser,
face->root.stream,
memory,
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index a60e216..daf304d 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -524,7 +524,7 @@
FT_Byte* limit = parser->root.limit;
FT_Error error;
FT_Int num_tables = 0;
- FT_ULong count, ttf_size = 0;
+ FT_ULong count;
FT_Long n, string_size, old_string_size, real_size;
FT_Byte* string_buf = NULL;
@@ -617,7 +617,7 @@
if ( limit - parser->root.cursor < string_size )
{
- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
error = FT_THROW( Invalid_File_Format );
goto Fail;
}
@@ -657,18 +657,18 @@
}
else
{
- num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
- status = BEFORE_TABLE_DIR;
- ttf_size = 12 + 16 * num_tables;
+ num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
+ status = BEFORE_TABLE_DIR;
+ face->ttf_size = 12 + 16 * num_tables;
- if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) )
+ if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
goto Fail;
}
/* fall through */
case BEFORE_TABLE_DIR:
/* the offset table is read; read the table directory */
- if ( count < ttf_size )
+ if ( count < face->ttf_size )
{
face->ttf_data[count++] = string_buf[n];
continue;
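Review bot: the `num_tables` line this hunk re-indents reads the big-endian 16-bit `numTables` field as `16 * face->ttf_data[4] + face->ttf_data[5]`; the high byte is worth 256, not 16, so the result is only correct for fonts whose high byte is zero. This looks like a pre-existing bug rather than something this CVE fix introduced, but since the line is being touched anyway it would be worth writing it as `( face->ttf_data[4] << 8 ) | face->ttf_data[5]` (or raising it upstream) and revisiting the later comment `there are no more than 256 tables, so no size check here`, which is the only thing keeping `12 + 16 * num_tables` small.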
@@ -687,24 +687,23 @@
len = FT_PEEK_ULONG( p );
/* Pad to a 4-byte boundary length */
- ttf_size += ( len + 3 ) & ~3;
+ face->ttf_size += ( len + 3 ) & ~3;
}
- status = OTHER_TABLES;
- face->ttf_size = ttf_size;
+ status = OTHER_TABLES;
/* there are no more than 256 tables, so no size check here */
if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables,
- ttf_size + 1 ) )
+ face->ttf_size + 1 ) )
goto Fail;
}
/* fall through */
case OTHER_TABLES:
/* all other tables are just copied */
- if ( count >= ttf_size )
+ if ( count >= face->ttf_size )
{
- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
error = FT_THROW( Invalid_File_Format );
goto Fail;
}
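Review bot: `face->ttf_size += ( len + 3 ) & ~3;` accumulates untrusted `len` values from the table directory with no overflow check, so on a 32-bit `FT_ULong` a directory of large lengths can wrap `ttf_size` to a small value before `FT_REALLOC( ..., face->ttf_size + 1 )`. The `count >= face->ttf_size` test in `OTHER_TABLES` keeps the copy inside the buffer, so the consequence is a silently truncated stream handed to `FT_Open_Face` rather than a write overflow, but rejecting the font with the `a > MAX - b` pattern used by the other patches in this set is cleaner. Also, `/* there are no more than 256 tables, so no size check here */` refers to the `12 + 16 * num_tables` term only, not to this sum.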
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9661b.patch:
t42objs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9661b.patch ---
>From 42fcd6693ec7bd6ffc65ddc63e74287a65dda669 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 22 Nov 2014 11:44:33 +0000
Subject: [type42] Allow only embedded TrueType fonts.
This is a follow-up to Savannah bug #43659.
* src/type42/t42objs.c (T42_Face_Init): Exclusively use the
`truetype' font driver for loading the font contained in the `sfnts'
array.
---
diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c
index 7a9cb57..915e81f 100644
--- a/src/type42/t42objs.c
+++ b/src/type42/t42objs.c
@@ -292,7 +292,9 @@
FT_Open_Args args;
- args.flags = FT_OPEN_MEMORY;
+ args.flags = FT_OPEN_MEMORY | FT_OPEN_DRIVER;
+ args.driver = FT_Get_Module( FT_FACE_LIBRARY( face ),
+ "truetype" );
args.memory_base = face->ttf_data;
args.memory_size = face->ttf_size;
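Review bot: `FT_Get_Module( FT_FACE_LIBRARY( face ), "truetype" )` returns NULL when the truetype driver is not compiled in, and the hunk stores that pointer in `args.driver` unchecked; `FT_Open_Face` honours `FT_OPEN_DRIVER` only when `args->driver` is non-NULL and otherwise falls back to probing every registered driver, which is exactly the behaviour this change is meant to remove. Suggest returning an explicit error when the lookup yields NULL instead of letting the restriction silently degrade.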
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9662.patch:
cf2ft.c | 49 ++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 38 insertions(+), 11 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9662.patch ---
>From 5f201ab5c24cb69bc96b724fd66e739928d6c5e2 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 22 Nov 2014 08:16:39 +0000
Subject: [cff] Fix Savannah bug #43658.
* src/cff/cf2ft.c (cf2_builder_lineTo, cf2_builder_cubeTo): Handle
return values of point allocation routines.
---
diff --git a/src/cff/cf2ft.c b/src/cff/cf2ft.c
index cb8d31c..ebba469 100644
--- a/src/cff/cf2ft.c
+++ b/src/cff/cf2ft.c
@@ -142,6 +142,8 @@
cf2_builder_lineTo( CF2_OutlineCallbacks callbacks,
const CF2_CallbackParams params )
{
+ FT_Error error;
+
/* downcast the object pointer */
CF2_Outline outline = (CF2_Outline)callbacks;
CFF_Builder* builder;
@@ -156,15 +158,27 @@
{
/* record the move before the line; also check points and set */
/* `path_begun' */
- cff_builder_start_point( builder,
- params->pt0.x,
- params->pt0.y );
+ error = cff_builder_start_point( builder,
+ params->pt0.x,
+ params->pt0.y );
+ if ( error )
+ {
+ if ( !*callbacks->error )
+ *callbacks->error = error;
+ return;
+ }
}
/* `cff_builder_add_point1' includes a check_points call for one point */
- cff_builder_add_point1( builder,
- params->pt1.x,
- params->pt1.y );
+ error = cff_builder_add_point1( builder,
+ params->pt1.x,
+ params->pt1.y );
+ if ( error )
+ {
+ if ( !*callbacks->error )
+ *callbacks->error = error;
+ return;
+ }
}
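Review bot: the six-line block `if ( error ) { if ( !*callbacks->error ) *callbacks->error = error; return; }` appears twice in this hunk and twice more in `cf2_builder_cubeTo` below; a small static helper (or a macro) that records the first error and returns would remove the duplication and make it harder for a future call site to forget the `!*callbacks->error` guard. The guard itself is the right choice, since it preserves the first error rather than the last.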
@@ -172,6 +186,8 @@
cf2_builder_cubeTo( CF2_OutlineCallbacks callbacks,
const CF2_CallbackParams params )
{
+ FT_Error error;
+
/* downcast the object pointer */
CF2_Outline outline = (CF2_Outline)callbacks;
CFF_Builder* builder;
@@ -186,13 +202,25 @@
{
/* record the move before the line; also check points and set */
/* `path_begun' */
- cff_builder_start_point( builder,
- params->pt0.x,
- params->pt0.y );
+ error = cff_builder_start_point( builder,
+ params->pt0.x,
+ params->pt0.y );
+ if ( error )
+ {
+ if ( !*callbacks->error )
+ *callbacks->error = error;
+ return;
+ }
}
/* prepare room for 3 points: 2 off-curve, 1 on-curve */
- cff_check_points( builder, 3 );
+ error = cff_check_points( builder, 3 );
+ if ( error )
+ {
+ if ( !*callbacks->error )
+ *callbacks->error = error;
+ return;
+ }
cff_builder_add_point( builder,
params->pt1.x,
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9663.patch:
ttcmap.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9663.patch ---
>From 9bd20b7304aae61de5d50ac359cf27132bafd4c1 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 22 Nov 2014 05:24:45 +0000
Subject: [sfnt] Fix Savannah bug #43656.
* src/sfnt/ttcmap.c (tt_cmap4_validate): Fix order of validity
tests.
---
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 712bd4f..fb863c3 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -845,9 +845,6 @@
p = table + 2; /* skip format */
length = TT_NEXT_USHORT( p );
- if ( length < 16 )
- FT_INVALID_TOO_SHORT;
-
/* in certain fonts, the `length' field is invalid and goes */
/* out of bound. We try to correct this here... */
if ( table + length > valid->limit )
@@ -858,6 +855,9 @@
length = (FT_UInt)( valid->limit - table );
}
+ if ( length < 16 )
+ FT_INVALID_TOO_SHORT;
+
p = table + 6;
num_segs = TT_NEXT_USHORT( p ); /* read segCountX2 */
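Review bot: the reordering is the whole fix and deserves a comment in the code: `length` is first clamped to `valid->limit - table`, and only then compared against 16, so `p = table + 6` followed by the `TT_NEXT_USHORT` read of segCountX2 cannot run past `valid->limit`. Without a comment a future tidy-up could move the `length < 16` test back above the clamp and reintroduce the out-of-bounds read.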
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9664a.patch:
type1/t1load.c | 5 +++++
type42/t42parse.c | 7 ++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9664a.patch ---
>From 73be9f9ab67842cfbec36ee99e8d2301434c84ca Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Mon, 24 Nov 2014 06:30:05 +0000
Subject: [type1, type42] Another fix for Savannah bug #43655.
* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c
(t42_parse_charstrings): Add another boundary testing.
---
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index caa75bd..24b14a8 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1596,6 +1596,11 @@
}
T1_Skip_PS_Token( parser );
+ if ( parser->root.cursor >= limit )
+ {
+ error = FT_THROW( Invalid_File_Format );
+ goto Fail;
+ }
if ( parser->root.error )
return;
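Review bot: the new `parser->root.cursor >= limit` test sits before the existing `if ( parser->root.error ) return;`, so when `T1_Skip_PS_Token` both records an error and leaves the cursor at the limit, the original error is replaced by `Invalid_File_Format` and control goes to `Fail` instead of returning; place the new test after the error check to leave the existing error reporting unchanged. Unlike the `t42parse.c` hunk in the same patch, this one also emits no `FT_ERROR` message, which makes the two fixes inconsistent to debug.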
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index daf304d..d45c069 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -849,6 +849,12 @@
break;
T1_Skip_PS_Token( parser );
+ if ( parser->root.cursor >= limit )
+ {
+ FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Fail;
+ }
if ( parser->root.error )
return;
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9664b.patch:
type1/t1load.c | 2 +-
type42/t42parse.c | 3 +--
2 files changed, 2 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9664b.patch ---
>From dd89710f0f643eb0f99a3830e0712d26c7642acd Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Fri, 21 Nov 2014 21:19:28 +0000
Subject: [type1, type42] Fix Savannah bug #43655.
* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c
(t42_parse_charstrings): Fix boundary testing.
---
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index fd06432..caa75bd 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1609,7 +1609,7 @@
FT_PtrDist len;
- if ( cur + 1 >= limit )
+ if ( cur + 2 >= limit )
{
error = FT_THROW( Invalid_File_Format );
goto Fail;
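Review bot: `cur + 2 >= limit` tightens the bound by one byte, but nothing in the hunk shows which bytes after `cur` are accessed and the commit message only says "fix boundary testing"; add a comment naming the two bytes that are read (the `len` computation is outside the hunk) so the constant can be checked against the code rather than trusted. The identical change in `t42parse.c` should carry the same comment.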
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index 9b66888..a60e216 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -863,7 +863,7 @@
FT_PtrDist len;
- if ( cur + 1 >= limit )
+ if ( cur + 2 >= limit )
{
FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
error = FT_THROW( Invalid_File_Format );
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9665.patch:
pngshim.c | 14 ++++++++++++++
1 file changed, 14 insertions(+)
--- NEW FILE freetype-2.5.3-CVE-2014-9665.patch ---
--- freetype-2.5.3/src/sfnt/pngshim.c
+++ freetype-2.5.3/src/sfnt/pngshim.c
@@ -269,6 +269,20 @@
map->pitch = map->width * 4;
map->num_grays = 256;
+ /* reject bitmaps with negative dimensions */
+ if ( map->rows < 0 || map->width < 0 )
+ {
+ error = FT_THROW( Invalid_Argument );
+ goto DestroyExit;
+ }
+
+ /* reject too large bitmaps similarly to the rasterizer */
+ if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto DestroyExit;
+ }
+
size = map->rows * map->pitch;
error = ft_glyphslot_alloc_bitmap( slot, size );
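Review bot: this patch has no upstream commit header (From/Date/Subject) unlike every other patch in the set, so it cannot be traced to a FreeType commit or Savannah bug from the spec; record the upstream reference in the file. On the code: both checks run after `map->pitch = map->width * 4` has already been evaluated, and since `FT_Bitmap` uses a signed `int` for `width` in 2.5.3 (which is why the `< 0` checks make sense) a huge `width` has already overflowed in that multiplication before being rejected. Moving the two checks above the `pitch` assignment removes that and makes the ordering obviously safe.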
freetype-2.5.3-CVE-2014-9666.patch:
ttsbit.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9666.patch ---
>From 257c270bd25e15890190a28a1456e7623bba4439 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Wed, 12 Nov 2014 20:42:13 +0000
Subject: [sfnt] Fix Savannah bug #43591.
* src/sfnt/ttsbit.c (tt_sbit_decoder_init): Protect against addition
and multiplication overflow.
---
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c
index da6b01b..b37bd7d 100644
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -380,9 +380,11 @@
p += 34;
decoder->bit_depth = *p;
- if ( decoder->strike_index_array > face->sbit_table_size ||
- decoder->strike_index_array + 8 * decoder->strike_index_count >
- face->sbit_table_size )
+ /* decoder->strike_index_array + */
+ /* 8 * decoder->strike_index_count > face->sbit_table_size ? */
+ if ( decoder->strike_index_array > face->sbit_table_size ||
+ decoder->strike_index_count >
+ ( face->sbit_table_size - decoder->strike_index_array ) / 8 )
error = FT_THROW( Invalid_File_Format );
}
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9667.patch:
ttload.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9667.patch ---
>From 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Wed, 12 Nov 2014 20:26:44 +0000
Subject: [sfnt] Fix Savannah bug #43590.
* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
Protect against addition overflow.
---
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index 0a3cd29..8338150 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -5,7 +5,7 @@
/* Load the basic TrueType tables, i.e., tables that can be either in */
/* TTF or OTF fonts (body). */
/* */
-/* Copyright 1996-2010, 2012, 2013 by */
+/* Copyright 1996-2010, 2012-2014 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -207,7 +207,10 @@
}
/* we ignore invalid tables */
- if ( table.Offset + table.Length > stream->size )
+
+ /* table.Offset + table.Length > stream->size ? */
+ if ( table.Length > stream->size ||
+ table.Offset > stream->size - table.Length )
{
FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
continue;
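Review bot: the hunk inserts a blank line between the original comment `/* we ignore invalid tables */` and the `if` it describes, then adds a second comment; merge the two into one comment block directly above the `if` so the explanation and the guarded condition stay together. The rewritten condition `table.Length > stream->size || table.Offset > stream->size - table.Length` is the correct overflow-free form, and the same formatting nit applies to the identical rewrite in `tt_face_load_font_dir` below.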
@@ -395,7 +398,10 @@
entry->Length = FT_GET_ULONG();
/* ignore invalid tables */
- if ( entry->Offset + entry->Length > stream->size )
+
+ /* entry->Offset + entry->Length > stream->size ? */
+ if ( entry->Length > stream->size ||
+ entry->Offset > stream->size - entry->Length )
continue;
else
{
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9668.patch:
sfobjs.c | 7 ++++---
1 file changed, 4 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9668.patch ---
>From f46add13895337ece929b18bb8f036431b3fb538 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Wed, 12 Nov 2014 20:06:08 +0000
Subject: [sfnt] Fix Savannah bug #43589.
* src/sfnt/sfobjs.c (woff_open_font): Protect against addition
overflow.
---
diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
index cfea9cd..70b988d 100644
--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
@@ -574,8 +574,10 @@
if ( table->Offset != woff_offset ||
- table->Offset + table->CompLength > woff.length ||
- sfnt_offset + table->OrigLength > woff.totalSfntSize ||
+ table->CompLength > woff.length ||
+ table->Offset > woff.length - table->CompLength ||
+ table->OrigLength > woff.totalSfntSize ||
+ sfnt_offset > woff.totalSfntSize - table->OrigLength ||
table->CompLength > table->OrigLength )
{
error = FT_THROW( Invalid_Table );
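Review bot: the condition now has six clauses and the pairing is easy to lose; a short comment that clauses two and three bound `table->Offset + table->CompLength` against `woff.length` and clauses four and five bound `sfnt_offset + table->OrigLength` against `woff.totalSfntSize` would make the rewrite self-explanatory. The order is correct: each `a > MAX` clause precedes the `b > MAX - a` clause that relies on it.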
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9669.patch:
ttcmap.c | 40 ++++++++++++++++++++++++++++++----------
1 file changed, 30 insertions(+), 10 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9669.patch ---
>From 602040b1112c9f94d68e200be59ea7ac3d104565 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Wed, 12 Nov 2014 19:51:20 +0000
Subject: [sfnt] Fix Savannah bug #43588.
* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect
against overflow in additions and multiplications.
---
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index f9acf5d..712bd4f 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -1669,7 +1669,8 @@
p = is32 + 8192; /* skip `is32' array */
num_groups = TT_NEXT_ULONG( p );
- if ( p + num_groups * 12 > valid->limit )
+ /* p + num_groups * 12 > valid->limit ? */
+ if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
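Review bot: `(FT_UInt32)( valid->limit - p )` is only meaningful if `p <= valid->limit` here; `p = is32 + 8192` skips a fixed 8 KiB array and `TT_NEXT_ULONG( p )` reads four more bytes, and no bound on `p` is visible in this hunk. If the table is shorter than that, the pointer difference is negative and the cast turns it into a huge value that passes the new check. If an earlier length check already guarantees `is32 + 8192 + 4 <= valid->limit`, reference it in the comment; otherwise add one before this line.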
@@ -1694,7 +1695,12 @@
if ( valid->level >= FT_VALIDATE_TIGHT )
{
- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
+ FT_UInt32 d = end - start;
+
+
+ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
+ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
+ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
FT_INVALID_GLYPH_ID;
count = (FT_UInt32)( end - start + 1 );
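Review bot: `FT_UInt32 d = end - start;` assumes `end >= start`; if a group has `end` below `start`, `d` wraps to a large value and the first clause `d > TT_VALID_GLYPH_COUNT( valid )` rejects it, which is safe, but the reported reason becomes `FT_INVALID_GLYPH_ID` rather than a malformed-range error. State the `end >= start` precondition in the comment (the surrounding "groups must be in increasing order" check presumably enforces it) so the reliance is explicit. The same applies to the identical block in `tt_cmap12_validate` later in this patch.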
@@ -1892,7 +1898,9 @@
count = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 20 + count * 2 )
+ /* length < 20 + count * 2 ? */
+ length < 20 ||
+ ( length - 20 ) / 2 < count )
FT_INVALID_TOO_SHORT;
/* check glyph indices */
@@ -2079,7 +2087,9 @@
num_groups = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 16 + 12 * num_groups )
+ /* length < 16 + 12 * num_groups ? */
+ length < 16 ||
+ ( length - 16 ) / 12 < num_groups )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
@@ -2101,7 +2111,12 @@
if ( valid->level >= FT_VALIDATE_TIGHT )
{
- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
+ FT_UInt32 d = end - start;
+
+
+ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
+ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
+ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
FT_INVALID_GLYPH_ID;
}
@@ -2401,7 +2416,9 @@
num_groups = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 16 + 12 * num_groups )
+ /* length < 16 + 12 * num_groups ? */
+ length < 16 ||
+ ( length - 16 ) / 12 < num_groups )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
@@ -2787,7 +2804,9 @@
num_selectors = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 10 + 11 * num_selectors )
+ /* length < 10 + 11 * num_selectors ? */
+ length < 10 ||
+ ( length - 10 ) / 11 < num_selectors )
FT_INVALID_TOO_SHORT;
/* check selectors, they must be in increasing order */
@@ -2823,7 +2842,8 @@
FT_ULong lastBase = 0;
- if ( defp + numRanges * 4 > valid->limit )
+ /* defp + numRanges * 4 > valid->limit ? */
+ if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 )
FT_INVALID_TOO_SHORT;
for ( i = 0; i < numRanges; ++i )
@@ -2850,7 +2870,8 @@
FT_ULong i, lastUni = 0;
- if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
+ /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */
+ if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 )
FT_INVALID_TOO_SHORT;
for ( i = 0; i < numMappings; ++i )
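Review bot: `numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4` carries a redundant pair of parentheses around the cast; the equivalent `numRanges` check in the hunk above is written without them, so match that form. Both rewrites rely on `ndp` and `defp` not already exceeding `valid->limit` for the cast of the pointer difference to be meaningful; a one-line comment noting where that is guaranteed would help.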
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9670.patch:
pcfread.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9670.patch ---
>From ef1eba75187adfac750f326b563fe543dd5ff4e6 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Thu, 06 Nov 2014 22:25:05 +0000
Subject: Fix Savannah bug #43548.
* src/pcf/pcfread (pcf_get_encodings): Add sanity checks for row and
column values.
---
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index 8db31bd..668c962 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -812,6 +812,15 @@ THE SOFTWARE.
if ( !PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) )
return FT_THROW( Invalid_File_Format );
+ /* sanity checks */
+ if ( firstCol < 0 ||
+ firstCol > lastCol ||
+ lastCol > 0xFF ||
+ firstRow < 0 ||
+ firstRow > lastRow ||
+ lastRow > 0xFF )
+ return FT_THROW( Invalid_Table );
+
FT_TRACE4(( "pdf_get_encodings:\n" ));
FT_TRACE4(( " firstCol %d, lastCol %d, firstRow %d, lastRow %d\n",
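Review bot: the trace line in the trailing context reads `pdf_get_encodings:` while the function is `pcf_get_encodings`; since the patch is touching the lines directly above, fixing the typo here is cheap. The commit message also cites `src/pcf/pcfread` without the `.c`. The range checks themselves are right for the 8-bit row and column space: each of `firstCol`, `lastCol`, `firstRow`, `lastRow` ends up in `0..0xFF` with first not above last, which is what the later index arithmetic needs.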
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9671.patch:
pcfread.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9671.patch ---
>From 0e2f5d518c60e2978f26400d110eff178fa7e3c3 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Thu, 06 Nov 2014 21:32:46 +0000
Subject: Fix Savannah bug #43547.
* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset'
values.
---
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index f63377b..8db31bd 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -151,6 +151,21 @@ THE SOFTWARE.
break;
}
+ /* we now check whether the `size' and `offset' values are reasonable: */
+ /* `offset' + `size' must not exceed the stream size */
+ tables = face->toc.tables;
+ for ( n = 0; n < toc->count; n++ )
+ {
+ /* we need two checks to avoid overflow */
+ if ( ( tables->size > stream->size ) ||
+ ( tables->offset > stream->size - tables->size ) )
+ {
+ error = FT_THROW( Invalid_Table );
+ goto Exit;
+ }
+ tables++;
+ }
+
#ifdef FT_DEBUG_LEVEL_TRACE
{
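Review bot: the loop initialises `tables` from `face->toc.tables` but bounds it with `toc->count`; if `toc` is `&face->toc` these are the same object and `toc->tables` reads more consistently, and if it is not, the count and the array come from different structures. Both `tables` and `n` must already be declared in `pcf_read_TOC` in 2.5.3 for this hunk to compile, which the hunk does not show; worth confirming in the build log. The two-step `size > stream->size || offset > stream->size - size` test is the correct overflow-free form.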
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9672.patch:
ftmac.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9672.patch ---
>From 18a8f0d9943369449bc4de92d411c78fb08d616c Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 07:11:38 +0000
Subject: Fix Savannah bug #43540.
* src/base/ftmac.c (parse_fond): Prevent a buffer overrun
caused by a font including too many (> 63) strings to store
names[] table.
---
diff --git a/src/base/ftmac.c b/src/base/ftmac.c
index 9b49da8..184a2e1 100644
--- a/src/base/ftmac.c
+++ b/src/base/ftmac.c
@@ -440,9 +440,10 @@
style = (StyleTable*)p;
p += sizeof ( StyleTable );
string_count = EndianS16_BtoN( *(short*)(p) );
+ string_count = FT_MIN( 64, string_count );
p += sizeof ( short );
- for ( i = 0; i < string_count && i < 64; i++ )
+ for ( i = 0; i < string_count; i++ )
{
names[i] = p;
p += names[i][0];
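Review bot: clamping with `string_count = FT_MIN( 64, string_count );` fixes the `names[]` overrun, but `string_count` is read via `EndianS16_BtoN( *(short*)(p) )` and can therefore be negative; `FT_MIN` keeps a negative value, the loop then runs zero times and the later `<= string_count` test fails, which is safe but deserves a comment. The loop body `p += names[i][0];` still advances `p` by untrusted lengths with no check against the end of the resource, which this hunk does not address.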
@@ -459,7 +460,7 @@
ps_name[ps_name_len] = 0;
}
if ( style->indexes[face_index] > 1 &&
- style->indexes[face_index] <= FT_MIN( string_count, 64 ) )
+ style->indexes[face_index] <= string_count )
{
unsigned char* suffixes = names[style->indexes[face_index] - 1];
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9673.patch:
ftobjs.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9673.patch ---
>From 35252ae9aa1dd9343e9f4884e9ddb1fee10ef415 Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 06:52:23 +0000
Subject: Fix Savannah bug #43539.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
by a broken POST table in resource-fork.
---
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index ffbbc32..922216e 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1627,6 +1627,11 @@
goto Exit2;
if ( FT_READ_LONG( rlen ) )
goto Exit;
+ if ( rlen < 0 )
+ {
+ error = FT_THROW( Invalid_Offset );
+ goto Exit2;
+ }
if ( FT_READ_USHORT( flags ) )
goto Exit;
FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
@@ -1644,7 +1649,14 @@
rlen = 0;
if ( ( flags >> 8 ) == type )
+ {
+ if ( 0x7FFFFFFFL - rlen < len )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto Exit2;
+ }
len += rlen;
+ }
else
{
if ( pfb_lenpos + 3 > pfb_len + 2 )
@@ -1673,6 +1685,11 @@
}
error = FT_ERR( Cannot_Open_Resource );
+ if ( rlen > 0x7FFFFFFFL - pfb_pos )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto Exit2;
+ }
if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
goto Exit2;
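Review bot: `error = FT_ERR( Cannot_Open_Resource );` is assigned unconditionally and then immediately overwritten on the new `Array_Too_Large` path, leaving the reader to work out which value reaches `Exit2` from the following `if`; set `error` inside the branch that actually uses it. The guard `rlen > 0x7FFFFFFFL - pfb_pos` correctly precedes the `pfb_pos + rlen` addition it protects.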
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9674a.patch:
ftobjs.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9674a.patch ---
>From 240c94a185cd8dae7d03059abec8a5662c35ecd3 Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 06:43:29 +0000
Subject: Fix Savannah bug #43538.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
by a broken POST table in resource-fork.
---
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 4d60e88..ffbbc32 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1603,10 +1603,23 @@
goto Exit;
if ( FT_READ_LONG( temp ) )
goto Exit;
+ if ( 0 > temp )
+ error = FT_THROW( Invalid_Offset );
+ else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
+ error = FT_THROW( Array_Too_Large );
+
+ if ( error )
+ goto Exit;
+
pfb_len += temp + 6;
}
- if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
+ if ( 0x7FFFFFFFL - 2 < pfb_len )
+ error = FT_THROW( Array_Too_Large );
+ else
+ error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
+
+ if ( error )
goto Exit;
pfb_data[0] = 0x80;
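Review bot: the blob chain shows this patch (`4d60e88..ffbbc32`) must be applied before freetype-2.5.3-CVE-2014-9673.patch (`ffbbc32..922216e`) despite the file naming order, so the spec's `%patch` sequence has to follow the chain rather than the CVE numbers. The `temp` and `pfb_len` checks are correct for signed `FT_Long`, but they are rewritten again by freetype-2.5.3-unsigned-long.patch in this set, so the final source does not look like this hunk.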
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9674b.patch:
ftobjs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9674b.patch ---
>From cd4a5a26e591d01494567df9dec7f72d59551f6e Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 15:20:48 +0000
Subject: * src/base/ftobj.c (Mac_Read_POST_Resource): Additional
overflow check in the summation of POST fragment lengths,
suggested by Mateusz Jurczyk <mjurczyk(a)google.com>.
---
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 4321126..b28216a 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1604,8 +1604,10 @@
if ( FT_READ_ULONG( temp ) )
goto Exit;
FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", i, temp));
- if ( 0x7FFFFFFFUL < temp )
+ if ( 0x7FFFFFFFUL < temp || pfb_len + temp + 6 < pfb_len )
{
+ FT_TRACE2(( " too long fragment length makes"
+ " pfb_len confused: temp=0x%08x\n", temp ));
error = FT_THROW( Invalid_Offset );
goto Exit;
}
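Review bot: the base blob `4321126` in this patch's index line matches the output of no other patch here (the unsigned-long patch produces `dfad24a`), so it was taken against a different upstream revision; confirm it applies without fuzz on top of the unsigned-long patch, whose `if ( 0x7FFFFFFFUL < temp )` line is the one being modified. The added `pfb_len + temp + 6 < pfb_len` wraparound test is only valid because `pfb_len` and `temp` are unsigned after that patch. The subject line says `ftobj.c`; the file is `ftobjs.c`.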
--
cgit v0.9.0.2
freetype-2.5.3-CVE-2014-9675.patch:
bdflib.c | 62 +++++++++++++++++++++++++++++++++++++-------------------------
1 file changed, 37 insertions(+), 25 deletions(-)
--- NEW FILE freetype-2.5.3-CVE-2014-9675.patch ---
commit 2c4832d30939b45c05757f0a05128ce64c4cacc7
Author: Werner Lemberg <wl(a)gnu.org>
Date: Fri Nov 7 07:42:33 2014 +0100
Fix Savannah bug #43535.
* src/bdf/bdflib.c (_bdf_strncmp): New macro that checks one
character more than `strncmp'.
s/ft_strncmp/_bdf_strncmp/ everywhere.
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index 2eda11c..c128526 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -169,6 +169,18 @@
sizeof ( _bdf_properties[0] );
+ /* An auxiliary macro to parse properties, to be used in conditionals. */
+ /* It behaves like `strncmp' but also tests the following character */
+ /* whether it is a whitespace or NULL. */
+ /* `property' is a constant string of length `n' to compare with. */
+#define _bdf_strncmp( name, property, n ) \
+ ( ft_strncmp( name, property, n ) || \
+ !( name[n] == ' ' || \
+ name[n] == '\0' || \
+ name[n] == '\n' || \
+ name[n] == '\r' || \
+ name[n] == '\t' ) )
+
/* Auto correction messages. */
#define ACMSG1 "FONT_ASCENT property missing. " \
"Added `FONT_ASCENT %hd'.\n"
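Review bot: `_bdf_strncmp` evaluates `name` up to six times and is unsafe with side-effecting arguments; a `static` inline function would give the same semantics without that hazard. Indexing `name[n]` is in bounds whenever `ft_strncmp` returned 0, because all `n` bytes matched and a NUL-terminated string has at least one byte after them, but that reasoning belongs in the macro's comment. The macro yields non-zero for "no match", so the `!= 0` and `== 0` call sites below keep their meaning.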
@@ -1408,7 +1420,7 @@
/* If the property happens to be a comment, then it doesn't need */
/* to be added to the internal hash table. */
- if ( ft_strncmp( name, "COMMENT", 7 ) != 0 )
+ if ( _bdf_strncmp( name, "COMMENT", 7 ) != 0 )
{
/* Add the property to the font property table. */
error = hash_insert( fp->name,
@@ -1426,13 +1438,13 @@
/* FONT_ASCENT and FONT_DESCENT need to be assigned if they are */
/* present, and the SPACING property should override the default */
/* spacing. */
- if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
+ if ( _bdf_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
font->default_char = fp->value.l;
- else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
+ else if ( _bdf_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
font->font_ascent = fp->value.l;
- else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
+ else if ( _bdf_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
font->font_descent = fp->value.l;
- else if ( ft_strncmp( name, "SPACING", 7 ) == 0 )
+ else if ( _bdf_strncmp( name, "SPACING", 7 ) == 0 )
{
if ( !fp->value.atom )
{
@@ -1490,7 +1502,7 @@
memory = font->memory;
/* Check for a comment. */
- if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+ if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
{
linelen -= 7;
@@ -1507,7 +1519,7 @@
/* The very first thing expected is the number of glyphs. */
if ( !( p->flags & _BDF_GLYPHS ) )
{
- if ( ft_strncmp( line, "CHARS", 5 ) != 0 )
+ if ( _bdf_strncmp( line, "CHARS", 5 ) != 0 )
{
FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" ));
error = FT_THROW( Missing_Chars_Field );
@@ -1541,7 +1553,7 @@
}
/* Check for the ENDFONT field. */
- if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 )
+ if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 )
{
/* Sort the glyphs by encoding. */
ft_qsort( (char *)font->glyphs,
@@ -1555,7 +1567,7 @@
}
/* Check for the ENDCHAR field. */
- if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 )
+ if ( _bdf_strncmp( line, "ENDCHAR", 7 ) == 0 )
{
p->glyph_enc = 0;
p->flags &= ~_BDF_GLYPH_BITS;
@@ -1571,7 +1583,7 @@
goto Exit;
/* Check for the STARTCHAR field. */
- if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 )
+ if ( _bdf_strncmp( line, "STARTCHAR", 9 ) == 0 )
{
/* Set the character name in the parse info first until the */
/* encoding can be checked for an unencoded character. */
@@ -1605,7 +1617,7 @@
}
/* Check for the ENCODING field. */
- if ( ft_strncmp( line, "ENCODING", 8 ) == 0 )
+ if ( _bdf_strncmp( line, "ENCODING", 8 ) == 0 )
{
if ( !( p->flags & _BDF_GLYPH ) )
{
@@ -1791,7 +1803,7 @@
}
/* Expect the SWIDTH (scalable width) field next. */
- if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 )
+ if ( _bdf_strncmp( line, "SWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1807,7 +1819,7 @@
}
/* Expect the DWIDTH (scalable width) field next. */
- if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 )
+ if ( _bdf_strncmp( line, "DWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1835,7 +1847,7 @@
}
/* Expect the BBX field next. */
- if ( ft_strncmp( line, "BBX", 3 ) == 0 )
+ if ( _bdf_strncmp( line, "BBX", 3 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1903,7 +1915,7 @@
}
/* And finally, gather up the bitmap. */
- if ( ft_strncmp( line, "BITMAP", 6 ) == 0 )
+ if ( _bdf_strncmp( line, "BITMAP", 6 ) == 0 )
{
unsigned long bitmap_size;
@@ -1978,7 +1990,7 @@
p = (_bdf_parse_t *) client_data;
/* Check for the end of the properties. */
- if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
+ if ( _bdf_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
{
/* If the FONT_ASCENT or FONT_DESCENT properties have not been */
/* encountered yet, then make sure they are added as properties and */
@@ -2019,12 +2031,12 @@
}
/* Ignore the _XFREE86_GLYPH_RANGES properties. */
- if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
+ if ( _bdf_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
goto Exit;
/* Handle COMMENT fields and properties in a special way to preserve */
/* the spacing. */
- if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+ if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
{
name = value = line;
value += 7;
@@ -2088,7 +2100,7 @@
/* Check for a comment. This is done to handle those fonts that have */
/* comments before the STARTFONT line for some reason. */
- if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+ if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
{
if ( p->opts->keep_comments != 0 && p->font != 0 )
{
@@ -2114,7 +2126,7 @@
{
memory = p->memory;
- if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 )
+ if ( _bdf_strncmp( line, "STARTFONT", 9 ) != 0 )
{
/* we don't emit an error message since this code gets */
/* explicitly caught one level higher */
@@ -2162,7 +2174,7 @@
}
/* Check for the start of the properties. */
- if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
+ if ( _bdf_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
{
if ( !( p->flags & _BDF_FONT_BBX ) )
{
@@ -2191,7 +2203,7 @@
}
/* Check for the FONTBOUNDINGBOX field. */
- if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
+ if ( _bdf_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
{
if ( !( p->flags & _BDF_SIZE ) )
{
@@ -2222,7 +2234,7 @@
}
/* The next thing to check for is the FONT field. */
- if ( ft_strncmp( line, "FONT", 4 ) == 0 )
+ if ( _bdf_strncmp( line, "FONT", 4 ) == 0 )
{
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
@@ -2257,7 +2269,7 @@
}
/* Check for the SIZE field. */
- if ( ft_strncmp( line, "SIZE", 4 ) == 0 )
+ if ( _bdf_strncmp( line, "SIZE", 4 ) == 0 )
{
if ( !( p->flags & _BDF_FONT_NAME ) )
{
@@ -2311,7 +2323,7 @@
}
/* Check for the CHARS field -- font properties are optional */
- if ( ft_strncmp( line, "CHARS", 5 ) == 0 )
+ if ( _bdf_strncmp( line, "CHARS", 5 ) == 0 )
{
char nbuf[128];
freetype-2.5.3-unsigned-long.patch:
ftobjs.c | 59 ++++++++++++++++++++++++++++++-----------------------------
1 file changed, 30 insertions(+), 29 deletions(-)
--- NEW FILE freetype-2.5.3-unsigned-long.patch ---
commit 453316792fee912cfced48e9e270e9eb19892e64
Author: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp>
Date: Wed Nov 26 16:02:17 2014 +0900
* src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long
variables to read the lengths in POST fragments. Suggested by
Mateusz Jurczyk <mjurczyk(a)google.com>.
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 922216e..dfad24a 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1583,9 +1583,9 @@
FT_Memory memory = library->memory;
FT_Byte* pfb_data = NULL;
int i, type, flags;
- FT_Long len;
- FT_Long pfb_len, pfb_pos, pfb_lenpos;
- FT_Long rlen, temp;
+ FT_ULong len;
+ FT_ULong pfb_len, pfb_pos, pfb_lenpos;
+ FT_ULong rlen, temp;
if ( face_index == -1 )
@@ -1601,25 +1601,25 @@
error = FT_Stream_Seek( stream, offsets[i] );
if ( error )
goto Exit;
- if ( FT_READ_LONG( temp ) )
+ if ( FT_READ_ULONG( temp ) )
goto Exit;
- if ( 0 > temp )
+ FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", i, temp));
+ if ( 0x7FFFFFFFUL < temp )
+ {
error = FT_THROW( Invalid_Offset );
- else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
- error = FT_THROW( Array_Too_Large );
-
- if ( error )
goto Exit;
+ }
pfb_len += temp + 6;
}
- if ( 0x7FFFFFFFL - 2 < pfb_len )
+ FT_TRACE2(( " total buffer size to concatenate %d POST fragments: 0x%08x\n",
+ resource_cnt, pfb_len + 2));
+ if ( pfb_len + 2 < 6 ) {
error = FT_THROW( Array_Too_Large );
- else
- error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
-
- if ( error )
+ goto Exit;
+ }
+ if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
goto Exit;
pfb_data[0] = 0x80;
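Review bot: the summation `pfb_len += temp + 6` has lost the old `0x7FFFFFFFL - 6 - pfb_len < temp` guard; the new `0x7FFFFFFFUL < temp` test bounds each fragment but not the running total, and `pfb_len + 2 < 6` only catches a wrap to a tiny value, so on a 32-bit `FT_ULong` the total can still wrap and on LP64 the `(FT_Long)pfb_len + 2` handed to `FT_ALLOC` can exceed 0x7FFFFFFF. Suggest keeping a running-total check before the addition, e.g. `if ( 0x7FFFFFFFUL - 6 - pfb_len < temp ) { error = FT_THROW( Array_Too_Large ); goto Exit; }` (the spec changelog notes that freetype-2.5.3-CVE-2014-9674b.patch adds such a check, so this patch should not be applied without it). Minor: `temp` and `pfb_len` are now `FT_ULong`, so the `%08x` in the FT_TRACE calls should be `%08lx`.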
@@ -1638,21 +1640,25 @@
error = FT_Stream_Seek( stream, offsets[i] );
if ( error )
goto Exit2;
- if ( FT_READ_LONG( rlen ) )
+ if ( FT_READ_ULONG( rlen ) )
goto Exit;
- if ( rlen < 0 )
+ if ( 0x7FFFFFFFUL < rlen )
{
error = FT_THROW( Invalid_Offset );
goto Exit2;
}
if ( FT_READ_USHORT( flags ) )
goto Exit;
FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
i, offsets[i], rlen, flags ));
+ error = FT_ERR( Array_Too_Large );
/* postpone the check of rlen longer than buffer until FT_Stream_Read() */
if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */
+ {
+ FT_TRACE3(( " Skip POST fragment #%d because it is a comment\n", i ));
continue;
+ }
/* the flags are part of the resource, so rlen >= 2. */
/* but some fonts declare rlen = 0 for empty fragment */
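Review bot: the `goto Exit` after `FT_READ_ULONG( rlen )` (and the unchanged one after `FT_READ_USHORT( flags )`) bypasses `Exit2:`, where `pfb_data` is freed, so a stream that ends inside the fragment loop leaks the buffer allocated above; since this hunk rewrites the first of those lines anyway, change both to `goto Exit2`. Minor: `rlen` is now `FT_ULong`, so the `%08x` in the FT_TRACE3 call should be `%08lx`.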
@@ -1662,16 +1670,10 @@
rlen = 0;
if ( ( flags >> 8 ) == type )
- {
- if ( 0x7FFFFFFFL - rlen < len )
- {
- error = FT_THROW( Array_Too_Large );
- goto Exit2;
- }
len += rlen;
- }
else
{
+ FT_TRACE3(( " Write POST fragment #%d header (4-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos ));
if ( pfb_lenpos + 3 > pfb_len + 2 )
goto Exit2;
pfb_data[pfb_lenpos ] = (FT_Byte)( len );
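Review bot: dropping the `0x7FFFFFFFL - rlen < len` guard leaves `len += rlen` unchecked even though `len` is emitted as a 4-byte little-endian header (`(FT_Byte)( len )` and the following shifts), so a total above 32 bits would be truncated silently in the PFB header; re-add the guard in unsigned form, e.g. `if ( 0xFFFFFFFFUL - rlen < len ) { error = FT_THROW( Array_Too_Large ); goto Exit2; }`. Minor: the new FT_TRACE3 line exceeds the usual line length and `0x%p` double-prints the prefix on platforms whose `%p` already emits `0x`.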
@@ -1682,6 +1684,7 @@
if ( ( flags >> 8 ) == 5 ) /* End of font mark */
break;
+ FT_TRACE3(( " Write POST fragment #%d header (6-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_pos ));
if ( pfb_pos + 6 > pfb_len + 2 )
goto Exit2;
pfb_data[pfb_pos++] = 0x80;
@@ -1697,21 +1700,17 @@
pfb_data[pfb_pos++] = 0;
}
- error = FT_ERR( Cannot_Open_Resource );
- if ( rlen > 0x7FFFFFFFL - pfb_pos )
- {
- error = FT_THROW( Array_Too_Large );
- goto Exit2;
- }
if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
goto Exit2;
+ FT_TRACE3(( " Load POST fragment #%d (%d byte) to buffer 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos ));
error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
if ( error )
goto Exit2;
pfb_pos += rlen;
}
+ error = FT_ERR( Array_Too_Large );
if ( pfb_pos + 2 > pfb_len + 2 )
goto Exit2;
pfb_data[pfb_pos++] = 0x80;
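Review bot: `pfb_pos + rlen > pfb_len` is an unsigned addition that can wrap when `rlen` is large; since `pfb_pos > pfb_len` is already tested first (short-circuit), rewrite the second operand as `rlen > pfb_len - pfb_pos`, which cannot underflow and needs no cap on `rlen`. The removed `error = FT_ERR( Cannot_Open_Resource )` is covered by the new mapping at `Exit2:`, so the `Array_Too_Large` set just before this check is the value that reaches `Exit2` on the `goto`, which is the intended one.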
@@ -1732,6 +1731,12 @@
aface );
Exit2:
+ if ( error == FT_ERR( Array_Too_Large ) )
+ FT_TRACE2(( " Abort due to too-short buffer to store all POST fragments\n" ));
+ else if ( error == FT_ERR( Invalid_Offset ) )
+ FT_TRACE2(( " Abort due to invalid offset in a POST fragment\n" ));
+ if ( error )
+ error = FT_ERR( Cannot_Open_Resource );
FT_FREE( pfb_data );
Exit:
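Review bot: `if ( error ) error = FT_ERR( Cannot_Open_Resource );` also rewrites whatever error the face-opening call directly above `Exit2:` returned, so a genuine font-format error from the PS loader is reported to callers as a resource-open failure; limit the mapping to the two traced cases (`Array_Too_Large`, `Invalid_Offset`) or document that the collapse is intentional. Style: use `FT_THROW( Cannot_Open_Resource )` for the final assignment so debug builds keep the error location.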
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/freetype-freeworld.spec,v
retrieving revision 1.37
retrieving revision 1.38
diff -u -r1.37 -r1.38
--- freetype-freeworld.spec 12 Dec 2014 03:58:15 -0000 1.37
+++ freetype-freeworld.spec 18 Feb 2015 01:32:07 -0000 1.38
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.5.3
-Release: 3%{?dist}
+Release: 4%{?dist}
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
URL: http://www.freetype.org
Source: http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.ta...
@@ -12,10 +12,37 @@
Patch46: freetype-2.2.1-enable-valid.patch
## Security fixes:
-# https://bugzilla.gnome.org/show_bug.cgi?id=1172634
+# https://bugzilla.redhat.com/show_bug.cgi?id=1172634
Patch93: freetype-2.5.3-hintmask.patch
Patch94: freetype-2.5.3-hintmap.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1191099
+# https://bugzilla.redhat.com/show_bug.cgi?id=1191191
+# https://bugzilla.redhat.com/show_bug.cgi?id=1191193
+Patch95: freetype-2.5.3-CVE-2014-9656.patch
+Patch96: freetype-2.5.3-CVE-2014-9657.patch
+Patch97: freetype-2.5.3-CVE-2014-9658.patch
+Patch98: freetype-2.5.3-CVE-2014-9675.patch
+Patch99: freetype-2.5.3-CVE-2014-9660.patch
+Patch100: freetype-2.5.3-CVE-2014-9661a.patch
+Patch101: freetype-2.5.3-CVE-2014-9661b.patch
+Patch102: freetype-2.5.3-CVE-2014-9662.patch
+Patch103: freetype-2.5.3-CVE-2014-9663.patch
+Patch104: freetype-2.5.3-CVE-2014-9664a.patch
+Patch105: freetype-2.5.3-CVE-2014-9664b.patch
+Patch106: freetype-2.5.3-CVE-2014-9665.patch
+Patch107: freetype-2.5.3-CVE-2014-9666.patch
+Patch108: freetype-2.5.3-CVE-2014-9667.patch
+Patch109: freetype-2.5.3-CVE-2014-9668.patch
+Patch110: freetype-2.5.3-CVE-2014-9669.patch
+Patch111: freetype-2.5.3-CVE-2014-9670.patch
+Patch112: freetype-2.5.3-CVE-2014-9671.patch
+Patch113: freetype-2.5.3-CVE-2014-9672.patch
+Patch114: freetype-2.5.3-CVE-2014-9673.patch
+Patch115: freetype-2.5.3-CVE-2014-9674a.patch
+Patch116: freetype-2.5.3-unsigned-long.patch
+Patch117: freetype-2.5.3-CVE-2014-9674b.patch
+
Provides: freetype-bytecode
Provides: freetype-subpixel
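Review bot: the bugzilla comment block lists 1191099, 1191191 and 1191193, but the changelog below cites rh#1191095 (CVE-2014-9672) and rh#1191096 (CVE-2014-9673), which are not referenced here; add those two URLs above the corresponding `Patch113`/`Patch114` lines. The interleaving (`Patch98` carrying CVE-2014-9675 among the 965x/966x series, and `Patch116` unsigned-long sitting between CVE-2014-9674a and CVE-2014-9674b) looks deliberate for application order; a short comment saying so would stop the next maintainer from "tidying" it.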
@@ -47,6 +74,30 @@
%patch93 -p1 -b .hintmask
%patch94 -p1 -b .hintmap
+%patch95 -p1 -b .CVE-2014-9656
+%patch96 -p1 -b .CVE-2014-9657
+%patch97 -p1 -b .CVE-2014-9658
+%patch98 -p1 -b .CVE-2014-9675
+%patch99 -p1 -b .CVE-2014-9660
+%patch100 -p1 -b .CVE-2014-9661a
+%patch101 -p1 -b .CVE-2014-9661b
+%patch102 -p1 -b .CVE-2014-9662
+%patch103 -p1 -b .CVE-2014-9663
+%patch104 -p1 -b .CVE-2014-9664a
+%patch105 -p1 -b .CVE-2014-9664b
+%patch106 -p1 -b .CVE-2014-9665
+%patch107 -p1 -b .CVE-2014-9666
+%patch108 -p1 -b .CVE-2014-9667
+%patch109 -p1 -b .CVE-2014-9668
+%patch110 -p1 -b .CVE-2014-9669
+%patch111 -p1 -b .CVE-2014-9670
+%patch112 -p1 -b .CVE-2014-9671
+%patch113 -p1 -b .CVE-2014-9672
+%patch114 -p1 -b .CVE-2014-9673
+%patch115 -p1 -b .CVE-2014-9674a
+%patch116 -p1 -b .unsigned-long
+%patch117 -p1 -b .CVE-2014-9674b
+
%build
%configure --disable-static
@@ -85,6 +136,56 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Wed Feb 18 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.3-4
+- Add freetype-2.5.3-CVE-2014-9656.patch from Fedora freetype (rh#1191099)
+ (Check `p' before `num_glyphs'.)
+- Add freetype-2.5.3-CVE-2014-9657.patch from Fedora freetype (rh#1191099)
+ (Check minimum size of `record_size'.)
+- Add freetype-2.5.3-CVE-2014-9658.patch from Fedora freetype (rh#1191099)
+ (Use correct value for minimum table length test.)
+- Add freetype-2.5.3-CVE-2014-9675.patch from Fedora freetype (rh#1191193)
+ (New macro that checks one character more than `strncmp'.)
+- Add freetype-2.5.3-CVE-2014-9660.patch from Fedora freetype (rh#1191099)
+ (Check `_BDF_GLYPH_BITS'.)
+- Add freetype-2.5.3-CVE-2014-9661a.patch from Fedora freetype (rh#1191099)
+ (Initialize `face->ttf_size'. Always set `face->ttf_size' directly.)
+- Add freetype-2.5.3-CVE-2014-9661b.patch from Fedora freetype (rh#1191099)
+ (Exclusively use the `truetype' font driver for loading the font contained
+ in the `sfnts' array.)
+- Add freetype-2.5.3-CVE-2014-9662.patch from Fedora freetype (rh#1191099)
+ (Handle return values of point allocation routines.)
+- Add freetype-2.5.3-CVE-2014-9663.patch from Fedora freetype (rh#1191099)
+ (Fix order of validity tests.)
+- Add freetype-2.5.3-CVE-2014-9664a.patch from Fedora freetype (rh#1191099)
+ (Add another boundary testing.)
+- Add freetype-2.5.3-CVE-2014-9664b.patch from Fedora freetype (rh#1191099)
+ (Fix boundary testing.)
+- Add freetype-2.5.3-CVE-2014-9665.patch from Fedora freetype (rh#1191099)
+ (Protect against too large bitmaps.)
+- Add freetype-2.5.3-CVE-2014-9666.patch from Fedora freetype (rh#1191099)
+ (Protect against addition and multiplication overflow.)
+- Add freetype-2.5.3-CVE-2014-9667.patch from Fedora freetype (rh#1191099)
+ (Protect against addition overflow.)
+- Add freetype-2.5.3-CVE-2014-9668.patch from Fedora freetype (rh#1191099)
+ (Protect against addition overflow.)
+- Add freetype-2.5.3-CVE-2014-9669.patch from Fedora freetype (rh#1191099)
+ (Protect against overflow in additions and multiplications.)
+- Add freetype-2.5.3-CVE-2014-9670.patch from Fedora freetype (rh#1191099)
+ (Add sanity checks for row and column values.)
+- Add freetype-2.5.3-CVE-2014-9671.patch from Fedora freetype (rh#1191099)
+ (Check `size' and `offset' values.)
+- Add freetype-2.5.3-CVE-2014-9672.patch from Fedora freetype (rh#1191095)
+ (Prevent a buffer overrun caused by a font including too many (> 63) strings
+ to store names[] table.)
+- Add freetype-2.5.3-CVE-2014-9673.patch from Fedora freetype (rh#1191096)
+ (Fix integer overflow by a broken POST table in resource-fork.)
+- Add freetype-2.5.3-CVE-2014-9674a.patch from Fedora freetype (rh#1191191)
+ (Fix integer overflow by a broken POST table in resource-fork.)
+- Add freetype-2.5.3-unsigned-long.patch from Fedora freetype (rh#1191191)
+ (Use unsigned long variables to read the lengths in POST fragments.)
+- Add freetype-2.5.3-CVE-2014-9674b.patch from Fedora freetype (rh#1191191)
+ (Additional overflow check in the summation of POST fragment lengths.)
+
* Fri Dec 12 2014 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.3-3
- Add freetype-2.5.3-hintmask.patch from Fedora freetype (rh#1172634)
(Don't append to stem arrays after hintmask is constructed.)
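Review bot: the entries for freetype-2.5.3-CVE-2014-9673.patch and freetype-2.5.3-CVE-2014-9674a.patch carry the identical description "Fix integer overflow by a broken POST table in resource-fork", which makes them indistinguishable in the changelog; name the function or check each one touches. Also, the unsigned-long entry should mention that it must be paired with the CVE-2014-9674b summation check, since on its own it removes the previous running-total guard.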