Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/F-20
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv8981/F-20
Modified Files:
freetype-freeworld.spec
Added Files:
freetype-2.5.0-CVE-2014-9656.patch
freetype-2.5.0-CVE-2014-9657.patch
freetype-2.5.0-CVE-2014-9658.patch
freetype-2.5.0-CVE-2014-9660.patch
freetype-2.5.0-CVE-2014-9661a.patch
freetype-2.5.0-CVE-2014-9661b.patch
freetype-2.5.0-CVE-2014-9662.patch
freetype-2.5.0-CVE-2014-9663.patch
freetype-2.5.0-CVE-2014-9664a.patch
freetype-2.5.0-CVE-2014-9664b.patch
freetype-2.5.0-CVE-2014-9666.patch
freetype-2.5.0-CVE-2014-9667.patch
freetype-2.5.0-CVE-2014-9669.patch
freetype-2.5.0-CVE-2014-9670.patch
freetype-2.5.0-CVE-2014-9671.patch
freetype-2.5.0-CVE-2014-9672.patch
freetype-2.5.0-CVE-2014-9673.patch
freetype-2.5.0-CVE-2014-9674a.patch
freetype-2.5.0-CVE-2014-9674b.patch
freetype-2.5.0-CVE-2014-9675.patch
freetype-2.5.0-ft-strncmp.patch
freetype-2.5.0-unsigned-long.patch
Log Message:
* Wed Feb 18 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.0.1-6
- Add freetype-2.5.0-CVE-2014-9656.patch from Fedora freetype (rh#1191099)
(Check `p' before `num_glyphs'.)
- Add freetype-2.5.0-CVE-2014-9657.patch from Fedora freetype (rh#1191099)
(Check minimum size of `record_size'.)
- Add freetype-2.5.0-CVE-2014-9658.patch from Fedora freetype (rh#1191099)
(Use correct value for minimum table length test.)
- Add freetype-2.5.0-ft-strncmp.patch from Fedora freetype (rh#1191193)
(Fix
http://savannah.nongnu.org/bugs/?41692. Prereq of CVE-2014-9675 patch.)
- Add freetype-2.5.0-CVE-2014-9675.patch from Fedora freetype (rh#1191193)
(New macro that checks one character more than `strncmp'.)
- Add freetype-2.5.0-CVE-2014-9660.patch from Fedora freetype (rh#1191099)
(Check `_BDF_GLYPH_BITS'.)
- Add freetype-2.5.0-CVE-2014-9661a.patch from Fedora freetype (rh#1191099)
(Initialize `face->ttf_size'. Always set `face->ttf_size' directly.)
- Add freetype-2.5.0-CVE-2014-9661b.patch from Fedora freetype (rh#1191099)
(Exclusively use the `truetype' font driver for loading the font contained
in the `sfnts' array.)
- Add freetype-2.5.0-CVE-2014-9662.patch from Fedora freetype (rh#1191099)
(Handle return values of point allocation routines.)
- Add freetype-2.5.0-CVE-2014-9663.patch from Fedora freetype (rh#1191099)
(Fix order of validity tests.)
- Add freetype-2.5.0-CVE-2014-9664a.patch from Fedora freetype (rh#1191099)
(Add another boundary testing.)
- Add freetype-2.5.0-CVE-2014-9664b.patch from Fedora freetype (rh#1191099)
(Fix boundary testing.)
- Add freetype-2.5.0-CVE-2014-9666.patch from Fedora freetype (rh#1191099)
(Protect against addition and multiplication overflow.)
- Add freetype-2.5.0-CVE-2014-9667.patch from Fedora freetype (rh#1191099)
(Protect against addition overflow.)
- Add freetype-2.5.0-CVE-2014-9669.patch from Fedora freetype (rh#1191099)
(Protect against overflow in additions and multiplications.)
- Add freetype-2.5.0-CVE-2014-9670.patch from Fedora freetype (rh#1191099)
(Add sanity checks for row and column values.)
- Add freetype-2.5.0-CVE-2014-9671.patch from Fedora freetype (rh#1191099)
(Check `size' and `offset' values.)
- Add freetype-2.5.0-CVE-2014-9672.patch from Fedora freetype (rh#1191095)
(Prevent a buffer overrun caused by a font including too many (> 63) strings
to store names[] table.)
- Add freetype-2.5.0-CVE-2014-9673.patch from Fedora freetype (rh#1191096)
(Fix integer overflow by a broken POST table in resource-fork.)
- Add freetype-2.5.0-unsigned-long.patch from Fedora freetype (rh#1191191)
(Use unsigned long variables to read the lengths in POST fragments.)
- Add freetype-2.5.0-CVE-2014-9674a.patch from Fedora freetype (rh#1191191)
(Fix integer overflow by a broken POST table in resource-fork.)
- Add freetype-2.5.0-CVE-2014-9674b.patch from Fedora freetype (rh#1191191)
(Additional overflow check in the summation of POST fragment lengths.)
freetype-2.5.0-CVE-2014-9656.patch:
ttsbit.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9656.patch ---
From f0292bb9920aa1dbfed5f53861e7c7a89b35833a Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Mon, 24 Nov 2014 09:51:21 +0000
Subject: [sfnt] Fix Savannah bug #43680.
This adds an additional constraint to make the fix from 2013-01-25
really work.
* src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) <index_format==4>:
Check `p' before `num_glyphs'.
---
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c
index b37bd7d..c2db96c 100644
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -1049,7 +1049,8 @@
num_glyphs = FT_NEXT_ULONG( p );
/* overflow check for p + ( num_glyphs + 1 ) * 4 */
- if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
+ if ( p + 4 > p_limit ||
+ num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
goto NoBitmap;
for ( mm = 0; mm < num_glyphs; mm++ )
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9657.patch:
ttpload.c | 13 +++++++------
1 file changed, 7 insertions(+), 6 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9657.patch ---
From eca0f067068020870a429fe91f6329e499390d55 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Mon, 24 Nov 2014 09:22:08 +0000
Subject: [truetype] Fix Savannah bug #43679.
* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of
`record_size'.
---
diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c
index 9723a51..9991925 100644
--- a/src/truetype/ttpload.c
+++ b/src/truetype/ttpload.c
@@ -508,9 +508,9 @@
record_size = FT_NEXT_ULONG( p );
/* The maximum number of bytes in an hdmx device record is the */
- /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is */
- /* the reason why `record_size' is a long (which we read as */
- /* unsigned long for convenience). In practice, two bytes */
+ /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus */
+ /* explaining why `record_size' is a long (which we read as */
+ /* unsigned long for convenience). In practice, two bytes are */
/* sufficient to hold the size value. */
/* */
/* There are at least two fonts, HANNOM-A and HANNOM-B version */
@@ -522,8 +522,10 @@
record_size &= 0xFFFFU;
/* The limit for `num_records' is a heuristic value. */
-
- if ( version != 0 || num_records > 255 || record_size > 0x10001L )
+ if ( version != 0 ||
+ num_records > 255 ||
+ record_size > 0x10001L ||
+ record_size < 4 )
{
error = FT_THROW( Invalid_File_Format );
goto Fail;
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9658.patch:
ttkern.c | 3 +--
1 file changed, 1 insertion(+), 2 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9658.patch ---
From f70d9342e65cd2cb44e9f26b6d7edeedf191fc6c Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Mon, 24 Nov 2014 08:31:32 +0000
Subject: [sfnt] Fix Savannah bug #43672.
* src/sfnt/ttkern.c (tt_face_load_kern): Use correct value for
minimum table length test.
---
diff --git a/src/sfnt/ttkern.c b/src/sfnt/ttkern.c
index 32c4008..455e7b5 100644
--- a/src/sfnt/ttkern.c
+++ b/src/sfnt/ttkern.c
@@ -99,7 +99,7 @@
length = FT_NEXT_USHORT( p );
coverage = FT_NEXT_USHORT( p );
- if ( length <= 6 )
+ if ( length <= 6 + 8 )
break;
p_next += length;
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9660.patch:
bdflib.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9660.patch ---
From af8346172a7b573715134f7a51e6c5c60fa7f2ab Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 22 Nov 2014 12:29:10 +0000
Subject: [bdf] Fix Savannah bug #43660.
* src/bdf/bdflib.c (_bdf_parse_glyphs) <"ENDFONT">: Check
`_BDF_GLYPH_BITS'.
---
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index c128526..369c111 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1556,6 +1556,14 @@
/* Check for the ENDFONT field. */
if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 )
{
+ if ( p->flags & _BDF_GLYPH_BITS )
+ {
+ /* Missing ENDCHAR field. */
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENDCHAR"
));
+ error = FT_THROW( Corrupted_Font_Glyphs );
+ goto Exit;
+ }
+
/* Sort the glyphs by encoding. */
ft_qsort( (char *)font->glyphs,
font->glyphs_used,
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9661a.patch:
t42objs.c | 6 ++++++
t42parse.c | 26 ++++++++++++--------------
2 files changed, 18 insertions(+), 14 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9661a.patch ---
From 3788187e0c396952cd7d905c6c61f3ff8e84b2b4 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 22 Nov 2014 09:46:47 +0000
Subject: [type42] Fix Savannah bug #43659.
* src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'.
* src/type42/t42parse.c (t42_parse_sfnts): Always set
`face->ttf_size' directly. This ensures a correct stream size in
the call to `FT_Open_Face', which follows after parsing, even for
buggy input data.
Fix error messages.
---
diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c
index 798ebdb..7a9cb57 100644
--- a/src/type42/t42objs.c
+++ b/src/type42/t42objs.c
@@ -47,6 +47,12 @@
if ( FT_ALLOC( face->ttf_data, 12 ) )
goto Exit;
+ /* while parsing the font we always update `face->ttf_size' so that */
+ /* even in case of buggy data (which might lead to premature end of */
+ /* scanning without causing an error) the call to `FT_Open_Face' in */
+ /* `T42_Face_Init' passes the correct size */
+ face->ttf_size = 12;
+
error = t42_parser_init( parser,
face->root.stream,
memory,
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index a60e216..daf304d 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -498,7 +498,7 @@
FT_Byte* limit = parser->root.limit;
FT_Error error;
FT_Int num_tables = 0;
- FT_ULong count, ttf_size = 0;
+ FT_ULong count;
FT_Long n, string_size, old_string_size, real_size;
FT_Byte* string_buf = NULL;
@@ -591,7 +591,7 @@
if ( limit - parser->root.cursor < string_size )
{
- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
error = FT_THROW( Invalid_File_Format );
goto Fail;
}
@@ -631,18 +631,18 @@
}
else
{
- num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
- status = BEFORE_TABLE_DIR;
- ttf_size = 12 + 16 * num_tables;
+ num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
+ status = BEFORE_TABLE_DIR;
+ face->ttf_size = 12 + 16 * num_tables;
- if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) )
+ if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
goto Fail;
}
/* fall through */
case BEFORE_TABLE_DIR:
/* the offset table is read; read the table directory */
- if ( count < ttf_size )
+ if ( count < face->ttf_size )
{
face->ttf_data[count++] = string_buf[n];
continue;
@@ -661,24 +661,23 @@
len = FT_PEEK_ULONG( p );
/* Pad to a 4-byte boundary length */
- ttf_size += ( len + 3 ) & ~3;
+ face->ttf_size += ( len + 3 ) & ~3;
}
- status = OTHER_TABLES;
- face->ttf_size = ttf_size;
+ status = OTHER_TABLES;
/* there are no more than 256 tables, so no size check here */
if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables,
- ttf_size + 1 ) )
+ face->ttf_size + 1 ) )
goto Fail;
}
/* fall through */
case OTHER_TABLES:
/* all other tables are just copied */
- if ( count >= ttf_size )
+ if ( count >= face->ttf_size )
{
- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
+ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
error = FT_THROW( Invalid_File_Format );
goto Fail;
}
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9661b.patch:
t42objs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9661b.patch ---
From 42fcd6693ec7bd6ffc65ddc63e74287a65dda669 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 22 Nov 2014 11:44:33 +0000
Subject: [type42] Allow only embedded TrueType fonts.
This is a follow-up to Savannah bug #43659.
* src/type42/t42objs.c (T42_Face_Init): Exclusively use the
`truetype' font driver for loading the font contained in the `sfnts'
array.
---
diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c
index 7a9cb57..915e81f 100644
--- a/src/type42/t42objs.c
+++ b/src/type42/t42objs.c
@@ -293,7 +293,9 @@
FT_Open_Args args;
- args.flags = FT_OPEN_MEMORY;
+ args.flags = FT_OPEN_MEMORY | FT_OPEN_DRIVER;
+ args.driver = FT_Get_Module( FT_FACE_LIBRARY( face ),
+ "truetype" );
args.memory_base = face->ttf_data;
args.memory_size = face->ttf_size;
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9662.patch:
cf2ft.c | 49 ++++++++++++++++++++++++++++++++++++++-----------
1 file changed, 38 insertions(+), 11 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9662.patch ---
From 5f201ab5c24cb69bc96b724fd66e739928d6c5e2 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 22 Nov 2014 08:16:39 +0000
Subject: [cff] Fix Savannah bug #43658.
* src/cff/cf2ft.c (cf2_builder_lineTo, cf2_builder_cubeTo): Handle
return values of point allocation routines.
---
diff --git a/src/cff/cf2ft.c b/src/cff/cf2ft.c
index cb8d31c..ebba469 100644
--- a/src/cff/cf2ft.c
+++ b/src/cff/cf2ft.c
@@ -140,6 +140,8 @@
cf2_builder_lineTo( CF2_OutlineCallbacks callbacks,
const CF2_CallbackParams params )
{
+ FT_Error error;
+
/* downcast the object pointer */
CF2_Outline outline = (CF2_Outline)callbacks;
CFF_Builder* builder;
@@ -154,15 +156,27 @@
{
/* record the move before the line; also check points and set */
/* `path_begun' */
- cff_builder_start_point( builder,
- params->pt0.x,
- params->pt0.y );
+ error = cff_builder_start_point( builder,
+ params->pt0.x,
+ params->pt0.y );
+ if ( error )
+ {
+ if ( !*callbacks->error )
+ *callbacks->error = error;
+ return;
+ }
}
/* `cff_builder_add_point1' includes a check_points call for one point */
- cff_builder_add_point1( builder,
- params->pt1.x,
- params->pt1.y );
+ error = cff_builder_add_point1( builder,
+ params->pt1.x,
+ params->pt1.y );
+ if ( error )
+ {
+ if ( !*callbacks->error )
+ *callbacks->error = error;
+ return;
+ }
}
@@ -170,6 +184,8 @@
cf2_builder_cubeTo( CF2_OutlineCallbacks callbacks,
const CF2_CallbackParams params )
{
+ FT_Error error;
+
/* downcast the object pointer */
CF2_Outline outline = (CF2_Outline)callbacks;
CFF_Builder* builder;
@@ -184,13 +200,25 @@
{
/* record the move before the line; also check points and set */
/* `path_begun' */
- cff_builder_start_point( builder,
- params->pt0.x,
- params->pt0.y );
+ error = cff_builder_start_point( builder,
+ params->pt0.x,
+ params->pt0.y );
+ if ( error )
+ {
+ if ( !*callbacks->error )
+ *callbacks->error = error;
+ return;
+ }
}
/* prepare room for 3 points: 2 off-curve, 1 on-curve */
- cff_check_points( builder, 3 );
+ error = cff_check_points( builder, 3 );
+ if ( error )
+ {
+ if ( !*callbacks->error )
+ *callbacks->error = error;
+ return;
+ }
cff_builder_add_point( builder,
params->pt1.x,
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9663.patch:
ttcmap.c | 7 +++----
1 file changed, 3 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9663.patch ---
From 9bd20b7304aae61de5d50ac359cf27132bafd4c1 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 22 Nov 2014 05:24:45 +0000
Subject: [sfnt] Fix Savannah bug #43656.
* src/sfnt/ttcmap.c (tt_cmap4_validate): Fix order of validity
tests.
---
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 712bd4f..fb863c3 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -823,9 +823,6 @@
FT_Error error = FT_Err_Ok;
- if ( length < 16 )
- FT_INVALID_TOO_SHORT;
-
/* in certain fonts, the `length' field is invalid and goes */
/* out of bound. We try to correct this here... */
if ( table + length > valid->limit )
@@ -836,6 +833,9 @@
length = (FT_UInt)( valid->limit - table );
}
+ if ( length < 16 )
+ FT_INVALID_TOO_SHORT;
+
p = table + 6;
num_segs = TT_NEXT_USHORT( p ); /* read segCountX2 */
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9664a.patch:
type1/t1load.c | 5 +++++
type42/t42parse.c | 7 ++++++-
2 files changed, 11 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9664a.patch ---
From 73be9f9ab67842cfbec36ee99e8d2301434c84ca Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Mon, 24 Nov 2014 06:30:05 +0000
Subject: [type1, type42] Another fix for Savannah bug #43655.
* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c
(t42_parse_charstrings): Add another boundary testing.
---
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index caa75bd..24b14a8 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1591,6 +1591,11 @@
}
T1_Skip_PS_Token( parser );
+ if ( parser->root.cursor >= limit )
+ {
+ error = FT_THROW( Invalid_File_Format );
+ goto Fail;
+ }
if ( parser->root.error )
return;
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index daf304d..d45c069 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -823,6 +823,12 @@
break;
T1_Skip_PS_Token( parser );
+ if ( parser->root.cursor >= limit )
+ {
+ FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
+ error = FT_THROW( Invalid_File_Format );
+ goto Fail;
+ }
if ( parser->root.error )
return;
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9664b.patch:
type1/t1load.c | 2 +-
type42/t42parse.c | 3 +--
2 files changed, 2 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9664b.patch ---
From dd89710f0f643eb0f99a3830e0712d26c7642acd Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Fri, 21 Nov 2014 21:19:28 +0000
Subject: [type1, type42] Fix Savannah bug #43655.
* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c
(t42_parse_charstrings): Fix boundary testing.
---
diff --git a/src/type1/t1load.c b/src/type1/t1load.c
index fd06432..caa75bd 100644
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1604,7 +1604,7 @@
FT_PtrDist len;
- if ( cur + 1 >= limit )
+ if ( cur + 2 >= limit )
{
error = FT_THROW( Invalid_File_Format );
goto Fail;
diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
index 9b66888..a60e216 100644
--- a/src/type42/t42parse.c
+++ b/src/type42/t42parse.c
@@ -837,7 +837,7 @@
FT_PtrDist len;
- if ( cur + 1 >= limit )
+ if ( cur + 2 >= limit )
{
FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
error = FT_THROW( Invalid_File_Format );
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9666.patch:
ttsbit.c | 9 +++++----
1 file changed, 5 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9666.patch ---
From 257c270bd25e15890190a28a1456e7623bba4439 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Wed, 12 Nov 2014 20:42:13 +0000
Subject: [sfnt] Fix Savannah bug #43591.
* src/sfnt/ttsbit.c (tt_sbit_decoder_init): Protect against addition
and multiplication overflow.
---
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c
index da6b01b..b37bd7d 100644
--- a/src/sfnt/ttsbit.c
+++ b/src/sfnt/ttsbit.c
@@ -234,9 +234,11 @@
p += 34;
decoder->bit_depth = *p;
- if ( decoder->strike_index_array > face->sbit_table_size ||
- decoder->strike_index_array + 8 * decoder->strike_index_count >
- face->sbit_table_size )
+ /* decoder->strike_index_array + */
+ /* 8 * decoder->strike_index_count > face->sbit_table_size ? */
+ if ( decoder->strike_index_array > face->sbit_table_size ||
+ decoder->strike_index_count >
+ ( face->sbit_table_size - decoder->strike_index_array ) / 8 )
error = FT_THROW( Invalid_File_Format );
}
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9667.patch:
ttload.c | 13 +++++++++----
1 file changed, 9 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9667.patch ---
From 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Wed, 12 Nov 2014 20:26:44 +0000
Subject: [sfnt] Fix Savannah bug #43590.
* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
Protect against addition overflow.
---
diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
index 0a3cd29..8338150 100644
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -5,7 +5,7 @@
/* Load the basic TrueType tables, i.e., tables that can be either in */
/* TTF or OTF fonts (body). */
/* */
-/* Copyright 1996-2010, 2012, 2013 by */
+/* Copyright 1996-2010, 2012-2014 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -207,7 +207,10 @@
}
/* we ignore invalid tables */
- if ( table.Offset + table.Length > stream->size )
+
+ /* table.Offset + table.Length > stream->size ? */
+ if ( table.Length > stream->size ||
+ table.Offset > stream->size - table.Length )
{
FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
continue;
@@ -398,7 +398,10 @@
entry->Length = FT_GET_LONG();
/* ignore invalid tables */
- if ( entry->Offset + entry->Length > stream->size )
+
+ /* entry->Offset + entry->Length > stream->size ? */
+ if ( entry->Length > stream->size ||
+ entry->Offset > stream->size - entry->Length )
continue;
else
{
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9669.patch:
ttcmap.c | 40 ++++++++++++++++++++++++++++++----------
1 file changed, 30 insertions(+), 10 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9669.patch ---
From 602040b1112c9f94d68e200be59ea7ac3d104565 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Wed, 12 Nov 2014 19:51:20 +0000
Subject: [sfnt] Fix Savannah bug #43588.
* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect
against overflow in additions and multiplications.
---
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index f9acf5d..712bd4f 100644
--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
@@ -1647,7 +1647,8 @@
p = is32 + 8192; /* skip `is32' array */
num_groups = TT_NEXT_ULONG( p );
- if ( p + num_groups * 12 > valid->limit )
+ /* p + num_groups * 12 > valid->limit ? */
+ if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
@@ -1672,7 +1673,12 @@
if ( valid->level >= FT_VALIDATE_TIGHT )
{
- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
+ FT_UInt32 d = end - start;
+
+
+ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
+ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
+ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
FT_INVALID_GLYPH_ID;
count = (FT_UInt32)( end - start + 1 );
@@ -1870,7 +1876,9 @@
count = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 20 + count * 2 )
+ /* length < 20 + count * 2 ? */
+ length < 20 ||
+ ( length - 20 ) / 2 < count )
FT_INVALID_TOO_SHORT;
/* check glyph indices */
@@ -2057,7 +2065,9 @@
num_groups = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 16 + 12 * num_groups )
+ /* length < 16 + 12 * num_groups ? */
+ length < 16 ||
+ ( length - 16 ) / 12 < num_groups )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
@@ -2079,7 +2089,12 @@
if ( valid->level >= FT_VALIDATE_TIGHT )
{
- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
+ FT_UInt32 d = end - start;
+
+
+ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
+ if ( d > TT_VALID_GLYPH_COUNT( valid ) ||
+ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
FT_INVALID_GLYPH_ID;
}
@@ -2381,7 +2396,9 @@
num_groups = TT_NEXT_ULONG( p );
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 16 + 12 * num_groups )
+ /* length < 16 + 12 * num_groups ? */
+ length < 16 ||
+ ( length - 16 ) / 12 < num_groups )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
@@ -2762,7 +2779,9 @@
if ( length > (FT_ULong)( valid->limit - table ) ||
- length < 10 + 11 * num_selectors )
+ /* length < 10 + 11 * num_selectors ? */
+ length < 10 ||
+ ( length - 10 ) / 11 < num_selectors )
FT_INVALID_TOO_SHORT;
/* check selectors, they must be in increasing order */
@@ -2798,7 +2817,8 @@
FT_ULong lastBase = 0;
- if ( defp + numRanges * 4 > valid->limit )
+ /* defp + numRanges * 4 > valid->limit ? */
+ if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 )
FT_INVALID_TOO_SHORT;
for ( i = 0; i < numRanges; ++i )
@@ -2825,7 +2845,8 @@
FT_ULong i, lastUni = 0;
- if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
+ /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */
+ if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 )
FT_INVALID_TOO_SHORT;
for ( i = 0; i < numMappings; ++i )
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9670.patch:
pcfread.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9670.patch ---
From ef1eba75187adfac750f326b563fe543dd5ff4e6 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Thu, 06 Nov 2014 22:25:05 +0000
Subject: Fix Savannah bug #43548.
* src/pcf/pcfread (pcf_get_encodings): Add sanity checks for row and
column values.
---
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index 8db31bd..668c962 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -812,6 +812,15 @@ THE SOFTWARE.
if ( !PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) )
return FT_THROW( Invalid_File_Format );
+ /* sanity checks */
+ if ( firstCol < 0 ||
+ firstCol > lastCol ||
+ lastCol > 0xFF ||
+ firstRow < 0 ||
+ firstRow > lastRow ||
+ lastRow > 0xFF )
+ return FT_THROW( Invalid_Table );
+
FT_TRACE4(( "pdf_get_encodings:\n" ));
FT_TRACE4(( " firstCol %d, lastCol %d, firstRow %d, lastRow %d\n",
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9671.patch:
pcfread.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9671.patch ---
From 0e2f5d518c60e2978f26400d110eff178fa7e3c3 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Thu, 06 Nov 2014 21:32:46 +0000
Subject: Fix Savannah bug #43547.
* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset'
values.
---
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index f63377b..8db31bd 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -151,6 +151,21 @@ THE SOFTWARE.
break;
}
+ /* we now check whether the `size' and `offset' values are reasonable: */
+ /* `offset' + `size' must not exceed the stream size */
+ tables = face->toc.tables;
+ for ( n = 0; n < toc->count; n++ )
+ {
+ /* we need two checks to avoid overflow */
+ if ( ( tables->size > stream->size ) ||
+ ( tables->offset > stream->size - tables->size ) )
+ {
+ error = FT_THROW( Invalid_Table );
+ goto Exit;
+ }
+ tables++;
+ }
+
#ifdef FT_DEBUG_LEVEL_TRACE
{
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9672.patch:
ftmac.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9672.patch ---
From 18a8f0d9943369449bc4de92d411c78fb08d616c Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 07:11:38 +0000
Subject: Fix Savannah bug #43540.
* src/base/ftmac.c (parse_fond): Prevent a buffer overrun
caused by a font including too many (> 63) strings to store
names[] table.
---
diff --git a/src/base/ftmac.c b/src/base/ftmac.c
index 9b49da8..184a2e1 100644
--- a/src/base/ftmac.c
+++ b/src/base/ftmac.c
@@ -440,9 +440,10 @@
style = (StyleTable*)p;
p += sizeof ( StyleTable );
string_count = EndianS16_BtoN( *(short*)(p) );
+ string_count = FT_MIN( 64, string_count );
p += sizeof ( short );
- for ( i = 0; i < string_count && i < 64; i++ )
+ for ( i = 0; i < string_count; i++ )
{
names[i] = p;
p += names[i][0];
@@ -459,7 +460,7 @@
ps_name[ps_name_len] = 0;
}
if ( style->indexes[face_index] > 1 &&
- style->indexes[face_index] <= FT_MIN( string_count, 64 ) )
+ style->indexes[face_index] <= string_count )
{
unsigned char* suffixes = names[style->indexes[face_index] - 1];
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9673.patch:
ftobjs.c | 18 +++++++++++++++++-
1 file changed, 17 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9673.patch ---
From 35252ae9aa1dd9343e9f4884e9ddb1fee10ef415 Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 06:52:23 +0000
Subject: Fix Savannah bug #43539.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
by a broken POST table in resource-fork.
---
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index ffbbc32..922216e 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1615,6 +1615,11 @@
goto Exit2;
if ( FT_READ_LONG( rlen ) )
goto Exit;
+ if ( rlen < 0 )
+ {
+ error = FT_THROW( Invalid_Offset );
+ goto Exit2;
+ }
if ( FT_READ_USHORT( flags ) )
goto Exit;
FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x,
flags=0x%04x\n",
@@ -1632,7 +1637,14 @@
rlen = 0;
if ( ( flags >> 8 ) == type )
+ {
+ if ( 0x7FFFFFFFL - rlen < len )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto Exit2;
+ }
len += rlen;
+ }
else
{
if ( pfb_lenpos + 3 > pfb_len + 2 )
@@ -1661,6 +1673,11 @@
}
error = FT_ERR( Cannot_Open_Resource );
+ if ( rlen > 0x7FFFFFFFL - pfb_pos )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto Exit2;
+ }
if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
goto Exit2;
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9674a.patch:
ftobjs.c | 16 ++++++++++++++--
1 file changed, 14 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9674a.patch ---
From 240c94a185cd8dae7d03059abec8a5662c35ecd3 Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 06:43:29 +0000
Subject: Fix Savannah bug #43538.
* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
by a broken POST table in resource-fork.
---
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 4d60e88..ffbbc32 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1591,10 +1591,23 @@
goto Exit;
if ( FT_READ_LONG( temp ) )
goto Exit;
+ if ( 0 > temp )
+ error = FT_THROW( Invalid_Offset );
+ else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
+ error = FT_THROW( Array_Too_Large );
+
+ if ( error )
+ goto Exit;
+
pfb_len += temp + 6;
}
- if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
+ if ( 0x7FFFFFFFL - 2 < pfb_len )
+ error = FT_THROW( Array_Too_Large );
+ else
+ error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
+
+ if ( error )
goto Exit;
pfb_data[0] = 0x80;
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9674b.patch:
ftobjs.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9674b.patch ---
From cd4a5a26e591d01494567df9dec7f72d59551f6e Mon Sep 17 00:00:00 2001
From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp>
Date: Wed, 26 Nov 2014 15:20:48 +0000
Subject: * src/base/ftobj.c (Mac_Read_POST_Resource): Additional
overflow check in the summation of POST fragment lengths,
suggested by Mateusz Jurczyk <mjurczyk(a)google.com>.
---
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 4321126..b28216a 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1592,8 +1592,10 @@
if ( FT_READ_ULONG( temp ) )
goto Exit;
FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", i,
temp));
- if ( 0x7FFFFFFFUL < temp )
+ if ( 0x7FFFFFFFUL < temp || pfb_len + temp + 6 < pfb_len )
{
+ FT_TRACE2(( " too long fragment length makes"
+ " pfb_len confused: temp=0x%08x\n", temp ));
error = FT_THROW( Invalid_Offset );
goto Exit;
}
--
cgit v0.9.0.2
freetype-2.5.0-CVE-2014-9675.patch:
bdflib.c | 62 +++++++++++++++++++++++++++++++++++++-------------------------
1 file changed, 37 insertions(+), 25 deletions(-)
--- NEW FILE freetype-2.5.0-CVE-2014-9675.patch ---
commit 2c4832d30939b45c05757f0a05128ce64c4cacc7
Author: Werner Lemberg <wl(a)gnu.org>
Date: Fri Nov 7 07:42:33 2014 +0100
Fix Savannah bug #43535.
* src/bdf/bdflib.c (_bdf_strncmp): New macro that checks one
character more than `strncmp'.
s/ft_strncmp/_bdf_strncmp/ everywhere.
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index 2eda11c..c128526 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -169,6 +169,18 @@
sizeof ( _bdf_properties[0] );
+ /* An auxiliary macro to parse properties, to be used in conditionals. */
+ /* It behaves like `strncmp' but also tests the following character */
+ /* whether it is a whitespace or NULL. */
+ /* `property' is a constant string of length `n' to compare with. */
+#define _bdf_strncmp( name, property, n ) \
+ ( ft_strncmp( name, property, n ) || \
+ !( name[n] == ' ' || \
+ name[n] == '\0' || \
+ name[n] == '\n' || \
+ name[n] == '\r' || \
+ name[n] == '\t' ) )
+
/* Auto correction messages. */
#define ACMSG1 "FONT_ASCENT property missing. " \
"Added `FONT_ASCENT %hd'.\n"
@@ -1409,7 +1421,7 @@
/* If the property happens to be a comment, then it doesn't need */
/* to be added to the internal hash table. */
- if ( ft_strncmp( name, "COMMENT", 7 ) != 0 )
+ if ( _bdf_strncmp( name, "COMMENT", 7 ) != 0 )
{
/* Add the property to the font property table. */
error = hash_insert( fp->name,
@@ -1427,13 +1439,13 @@
/* FONT_ASCENT and FONT_DESCENT need to be assigned if they are */
/* present, and the SPACING property should override the default */
/* spacing. */
- if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
+ if ( _bdf_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
font->default_char = fp->value.l;
- else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
+ else if ( _bdf_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
font->font_ascent = fp->value.l;
- else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
+ else if ( _bdf_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
font->font_descent = fp->value.l;
- else if ( ft_strncmp( name, "SPACING", 7 ) == 0 )
+ else if ( _bdf_strncmp( name, "SPACING", 7 ) == 0 )
{
if ( !fp->value.atom )
{
@@ -1491,7 +1503,7 @@
memory = font->memory;
/* Check for a comment. */
- if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+ if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
{
linelen -= 7;
@@ -1508,7 +1520,7 @@
/* The very first thing expected is the number of glyphs. */
if ( !( p->flags & _BDF_GLYPHS ) )
{
- if ( ft_strncmp( line, "CHARS", 5 ) != 0 )
+ if ( _bdf_strncmp( line, "CHARS", 5 ) != 0 )
{
FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS"
));
error = FT_THROW( Missing_Chars_Field );
@@ -1542,7 +1554,7 @@
}
/* Check for the ENDFONT field. */
- if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 )
+ if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 )
{
/* Sort the glyphs by encoding. */
ft_qsort( (char *)font->glyphs,
@@ -1556,7 +1568,7 @@
}
/* Check for the ENDCHAR field. */
- if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 )
+ if ( _bdf_strncmp( line, "ENDCHAR", 7 ) == 0 )
{
p->glyph_enc = 0;
p->flags &= ~_BDF_GLYPH_BITS;
@@ -1572,7 +1584,7 @@
goto Exit;
/* Check for the STARTCHAR field. */
- if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 )
+ if ( _bdf_strncmp( line, "STARTCHAR", 9 ) == 0 )
{
/* Set the character name in the parse info first until the */
/* encoding can be checked for an unencoded character. */
@@ -1606,7 +1618,7 @@
}
/* Check for the ENCODING field. */
- if ( ft_strncmp( line, "ENCODING", 8 ) == 0 )
+ if ( _bdf_strncmp( line, "ENCODING", 8 ) == 0 )
{
if ( !( p->flags & _BDF_GLYPH ) )
{
@@ -1792,7 +1804,7 @@
}
/* Expect the SWIDTH (scalable width) field next. */
- if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 )
+ if ( _bdf_strncmp( line, "SWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1808,7 +1820,7 @@
}
/* Expect the DWIDTH (scalable width) field next. */
- if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 )
+ if ( _bdf_strncmp( line, "DWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1836,7 +1848,7 @@
}
/* Expect the BBX field next. */
- if ( ft_strncmp( line, "BBX", 3 ) == 0 )
+ if ( _bdf_strncmp( line, "BBX", 3 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1904,7 +1916,7 @@
}
/* And finally, gather up the bitmap. */
- if ( ft_strncmp( line, "BITMAP", 6 ) == 0 )
+ if ( _bdf_strncmp( line, "BITMAP", 6 ) == 0 )
{
unsigned long bitmap_size;
@@ -1979,7 +1991,7 @@
p = (_bdf_parse_t *) client_data;
/* Check for the end of the properties. */
- if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
+ if ( _bdf_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
{
/* If the FONT_ASCENT or FONT_DESCENT properties have not been */
/* encountered yet, then make sure they are added as properties and */
@@ -2020,12 +2032,12 @@
}
/* Ignore the _XFREE86_GLYPH_RANGES properties. */
- if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
+ if ( _bdf_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
goto Exit;
/* Handle COMMENT fields and properties in a special way to preserve */
/* the spacing. */
- if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+ if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
{
name = value = line;
value += 7;
@@ -2089,7 +2101,7 @@
/* Check for a comment. This is done to handle those fonts that have */
/* comments before the STARTFONT line for some reason. */
- if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+ if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
{
if ( p->opts->keep_comments != 0 && p->font != 0 )
{
@@ -2115,7 +2127,7 @@
{
memory = p->memory;
- if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 )
+ if ( _bdf_strncmp( line, "STARTFONT", 9 ) != 0 )
{
/* we don't emit an error message since this code gets */
/* explicitly caught one level higher */
@@ -2163,7 +2175,7 @@
}
/* Check for the start of the properties. */
- if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
+ if ( _bdf_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
{
if ( !( p->flags & _BDF_FONT_BBX ) )
{
@@ -2192,7 +2204,7 @@
}
/* Check for the FONTBOUNDINGBOX field. */
- if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
+ if ( _bdf_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
{
if ( !( p->flags & _BDF_SIZE ) )
{
@@ -2223,7 +2235,7 @@
}
/* The next thing to check for is the FONT field. */
- if ( ft_strncmp( line, "FONT", 4 ) == 0 )
+ if ( _bdf_strncmp( line, "FONT", 4 ) == 0 )
{
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
@@ -2258,7 +2270,7 @@
}
/* Check for the SIZE field. */
- if ( ft_strncmp( line, "SIZE", 4 ) == 0 )
+ if ( _bdf_strncmp( line, "SIZE", 4 ) == 0 )
{
if ( !( p->flags & _BDF_FONT_NAME ) )
{
@@ -2312,7 +2324,7 @@
}
/* Check for the CHARS field -- font properties are optional */
- if ( ft_strncmp( line, "CHARS", 5 ) == 0 )
+ if ( _bdf_strncmp( line, "CHARS", 5 ) == 0 )
{
char nbuf[128];
freetype-2.5.0-ft-strncmp.patch:
bdflib.c | 50 +++++++++++++++++++++++++-------------------------
1 file changed, 25 insertions(+), 25 deletions(-)
--- NEW FILE freetype-2.5.0-ft-strncmp.patch ---
commit 9a56764037dfc01a89fe61f5c67971bf50343d00
Author: Werner Lemberg <wl(a)gnu.org>
Date: Wed Feb 26 13:08:07 2014 +0100
[bdf] Fix Savannah bug #41692.
bdflib puts data from the input stream into a buffer in chunks of
1024 bytes. The data itself gets then parsed line by line, simply
increasing the current pointer into the buffer; if the search for
the final newline character exceeds the buffer size, more data gets
read.
However, in case the current line's end is very near to the buffer
end, and the keyword to compare with is longer than the current
line's length, an out-of-bounds read might happen since `memcmp'
doesn't stop properly at the string end.
* src/bdf/bdflib.c: s/ft_memcmp/ft_strncmp/ to make comparisons
stop at string ends.
diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
index c9e231e..b0ec292 100644
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1409,7 +1409,7 @@
/* If the property happens to be a comment, then it doesn't need */
/* to be added to the internal hash table. */
- if ( ft_memcmp( name, "COMMENT", 7 ) != 0 )
+ if ( ft_strncmp( name, "COMMENT", 7 ) != 0 )
{
/* Add the property to the font property table. */
error = hash_insert( fp->name,
@@ -1427,13 +1427,13 @@
/* FONT_ASCENT and FONT_DESCENT need to be assigned if they are */
/* present, and the SPACING property should override the default */
/* spacing. */
- if ( ft_memcmp( name, "DEFAULT_CHAR", 12 ) == 0 )
+ if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
font->default_char = fp->value.l;
- else if ( ft_memcmp( name, "FONT_ASCENT", 11 ) == 0 )
+ else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
font->font_ascent = fp->value.l;
- else if ( ft_memcmp( name, "FONT_DESCENT", 12 ) == 0 )
+ else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
font->font_descent = fp->value.l;
- else if ( ft_memcmp( name, "SPACING", 7 ) == 0 )
+ else if ( ft_strncmp( name, "SPACING", 7 ) == 0 )
{
if ( !fp->value.atom )
{
@@ -1491,7 +1491,7 @@
memory = font->memory;
/* Check for a comment. */
- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
+ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
{
linelen -= 7;
@@ -1508,7 +1508,7 @@
/* The very first thing expected is the number of glyphs. */
if ( !( p->flags & _BDF_GLYPHS ) )
{
- if ( ft_memcmp( line, "CHARS", 5 ) != 0 )
+ if ( ft_strncmp( line, "CHARS", 5 ) != 0 )
{
FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS"
));
error = FT_THROW( Missing_Chars_Field );
@@ -1542,7 +1542,7 @@
}
/* Check for the ENDFONT field. */
- if ( ft_memcmp( line, "ENDFONT", 7 ) == 0 )
+ if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 )
{
/* Sort the glyphs by encoding. */
ft_qsort( (char *)font->glyphs,
@@ -1556,7 +1556,7 @@
}
/* Check for the ENDCHAR field. */
- if ( ft_memcmp( line, "ENDCHAR", 7 ) == 0 )
+ if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 )
{
p->glyph_enc = 0;
p->flags &= ~_BDF_GLYPH_BITS;
@@ -1572,7 +1572,7 @@
goto Exit;
/* Check for the STARTCHAR field. */
- if ( ft_memcmp( line, "STARTCHAR", 9 ) == 0 )
+ if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 )
{
/* Set the character name in the parse info first until the */
/* encoding can be checked for an unencoded character. */
@@ -1606,7 +1606,7 @@
}
/* Check for the ENCODING field. */
- if ( ft_memcmp( line, "ENCODING", 8 ) == 0 )
+ if ( ft_strncmp( line, "ENCODING", 8 ) == 0 )
{
if ( !( p->flags & _BDF_GLYPH ) )
{
@@ -1792,7 +1792,7 @@
}
/* Expect the SWIDTH (scalable width) field next. */
- if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 )
+ if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1808,7 +1808,7 @@
}
/* Expect the DWIDTH (scalable width) field next. */
- if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 )
+ if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1836,7 +1836,7 @@
}
/* Expect the BBX field next. */
- if ( ft_memcmp( line, "BBX", 3 ) == 0 )
+ if ( ft_strncmp( line, "BBX", 3 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
goto Missing_Encoding;
@@ -1904,7 +1904,7 @@
}
/* And finally, gather up the bitmap. */
- if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
+ if ( ft_strncmp( line, "BITMAP", 6 ) == 0 )
{
unsigned long bitmap_size;
@@ -1979,7 +1979,7 @@
p = (_bdf_parse_t *) client_data;
/* Check for the end of the properties. */
- if ( ft_memcmp( line, "ENDPROPERTIES", 13 ) == 0 )
+ if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
{
/* If the FONT_ASCENT or FONT_DESCENT properties have not been */
/* encountered yet, then make sure they are added as properties and */
@@ -2020,12 +2020,12 @@
}
/* Ignore the _XFREE86_GLYPH_RANGES properties. */
- if ( ft_memcmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
+ if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
goto Exit;
/* Handle COMMENT fields and properties in a special way to preserve */
/* the spacing. */
- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
+ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
{
name = value = line;
value += 7;
@@ -2089,7 +2089,7 @@
/* Check for a comment. This is done to handle those fonts that have */
/* comments before the STARTFONT line for some reason. */
- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
+ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
{
if ( p->opts->keep_comments != 0 && p->font != 0 )
{
@@ -2115,7 +2115,7 @@
{
memory = p->memory;
- if ( ft_memcmp( line, "STARTFONT", 9 ) != 0 )
+ if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 )
{
/* we don't emit an error message since this code gets */
/* explicitly caught one level higher */
@@ -2163,7 +2163,7 @@
}
/* Check for the start of the properties. */
- if ( ft_memcmp( line, "STARTPROPERTIES", 15 ) == 0 )
+ if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
{
if ( !( p->flags & _BDF_FONT_BBX ) )
{
@@ -2192,7 +2192,7 @@
}
/* Check for the FONTBOUNDINGBOX field. */
- if ( ft_memcmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
+ if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
{
if ( !( p->flags & _BDF_SIZE ) )
{
@@ -2223,7 +2223,7 @@
}
/* The next thing to check for is the FONT field. */
- if ( ft_memcmp( line, "FONT", 4 ) == 0 )
+ if ( ft_strncmp( line, "FONT", 4 ) == 0 )
{
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
@@ -2258,7 +2258,7 @@
}
/* Check for the SIZE field. */
- if ( ft_memcmp( line, "SIZE", 4 ) == 0 )
+ if ( ft_strncmp( line, "SIZE", 4 ) == 0 )
{
if ( !( p->flags & _BDF_FONT_NAME ) )
{
@@ -2312,7 +2312,7 @@
}
/* Check for the CHARS field -- font properties are optional */
- if ( ft_memcmp( line, "CHARS", 5 ) == 0 )
+ if ( ft_strncmp( line, "CHARS", 5 ) == 0 )
{
char nbuf[128];
freetype-2.5.0-unsigned-long.patch:
ftobjs.c | 59 ++++++++++++++++++++++++++++++-----------------------------
1 file changed, 30 insertions(+), 29 deletions(-)
--- NEW FILE freetype-2.5.0-unsigned-long.patch ---
commit 453316792fee912cfced48e9e270e9eb19892e64
Author: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp>
Date: Wed Nov 26 16:02:17 2014 +0900
* src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long
variables to read the lengths in POST fragments. Suggested by
Mateusz Jurczyk <mjurczyk(a)google.com>.
diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index 922216e..dfad24a 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -1571,9 +1571,9 @@
FT_Memory memory = library->memory;
FT_Byte* pfb_data = NULL;
int i, type, flags;
- FT_Long len;
- FT_Long pfb_len, pfb_pos, pfb_lenpos;
- FT_Long rlen, temp;
+ FT_ULong len;
+ FT_ULong pfb_len, pfb_pos, pfb_lenpos;
+ FT_ULong rlen, temp;
if ( face_index == -1 )
@@ -1589,25 +1589,25 @@
error = FT_Stream_Seek( stream, offsets[i] );
if ( error )
goto Exit;
- if ( FT_READ_LONG( temp ) )
+ if ( FT_READ_ULONG( temp ) )
goto Exit;
- if ( 0 > temp )
+ FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", i,
temp));
+ if ( 0x7FFFFFFFUL < temp )
+ {
error = FT_THROW( Invalid_Offset );
- else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
- error = FT_THROW( Array_Too_Large );
-
- if ( error )
goto Exit;
+ }
pfb_len += temp + 6;
}
- if ( 0x7FFFFFFFL - 2 < pfb_len )
+ FT_TRACE2(( " total buffer size to concatenate %d POST fragments:
0x%08x\n",
+ resource_cnt, pfb_len + 2));
+ if ( pfb_len + 2 < 6 ) {
error = FT_THROW( Array_Too_Large );
- else
- error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
-
- if ( error )
+ goto Exit;
+ }
+ if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
goto Exit;
pfb_data[0] = 0x80;
@@ -1626,21 +1628,25 @@
error = FT_Stream_Seek( stream, offsets[i] );
if ( error )
goto Exit2;
- if ( FT_READ_LONG( rlen ) )
+ if ( FT_READ_ULONG( rlen ) )
goto Exit;
- if ( rlen < 0 )
+ if ( 0x7FFFFFFFUL < rlen )
{
error = FT_THROW( Invalid_Offset );
goto Exit2;
}
if ( FT_READ_USHORT( flags ) )
goto Exit;
FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x,
flags=0x%04x\n",
i, offsets[i], rlen, flags ));
+ error = FT_ERR( Array_Too_Large );
/* postpone the check of rlen longer than buffer until FT_Stream_Read() */
if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */
+ {
+ FT_TRACE3(( " Skip POST fragment #%d because it is a comment\n", i
));
continue;
+ }
/* the flags are part of the resource, so rlen >= 2. */
/* but some fonts declare rlen = 0 for empty fragment */
@@ -1650,16 +1658,10 @@
rlen = 0;
if ( ( flags >> 8 ) == type )
- {
- if ( 0x7FFFFFFFL - rlen < len )
- {
- error = FT_THROW( Array_Too_Large );
- goto Exit2;
- }
len += rlen;
- }
else
{
+ FT_TRACE3(( " Write POST fragment #%d header (4-byte) to buffer 0x%p +
0x%08x\n", i, pfb_data, pfb_lenpos ));
if ( pfb_lenpos + 3 > pfb_len + 2 )
goto Exit2;
pfb_data[pfb_lenpos ] = (FT_Byte)( len );
@@ -1670,6 +1672,7 @@
if ( ( flags >> 8 ) == 5 ) /* End of font mark */
break;
+ FT_TRACE3(( " Write POST fragment #%d header (6-byte) to buffer 0x%p +
0x%08x\n", i, pfb_data, pfb_pos ));
if ( pfb_pos + 6 > pfb_len + 2 )
goto Exit2;
pfb_data[pfb_pos++] = 0x80;
@@ -1685,21 +1688,17 @@
pfb_data[pfb_pos++] = 0;
}
- error = FT_ERR( Cannot_Open_Resource );
- if ( rlen > 0x7FFFFFFFL - pfb_pos )
- {
- error = FT_THROW( Array_Too_Large );
- goto Exit2;
- }
if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
goto Exit2;
+ FT_TRACE3(( " Load POST fragment #%d (%d byte) to buffer 0x%p +
0x%08x\n", i, rlen, pfb_data, pfb_pos ));
error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
if ( error )
goto Exit2;
pfb_pos += rlen;
}
+ error = FT_ERR( Array_Too_Large );
if ( pfb_pos + 2 > pfb_len + 2 )
goto Exit2;
pfb_data[pfb_pos++] = 0x80;
@@ -1720,6 +1719,12 @@
aface );
Exit2:
+ if ( error == FT_ERR( Array_Too_Large ) )
+ FT_TRACE2(( " Abort due to too-short buffer to store all POST
fragments\n" ));
+ else if ( error == FT_ERR( Invalid_Offset ) )
+ FT_TRACE2(( " Abort due to invalid offset in a POST fragment\n" ));
+ if ( error )
+ error = FT_ERR( Cannot_Open_Resource );
FT_FREE( pfb_data );
Exit:
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-20/freetype-freeworld.spec,v
retrieving revision 1.33
retrieving revision 1.34
diff -u -r1.33 -r1.34
--- freetype-freeworld.spec 12 Dec 2014 04:04:27 -0000 1.33
+++ freetype-freeworld.spec 18 Feb 2015 01:57:37 -0000 1.34
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.5.0.1
-Release: 5%{?dist}
+Release: 6%{?dist}
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
Group: System Environment/Libraries
URL:
http://www.freetype.org
@@ -16,14 +16,40 @@
Patch92: 0001-Fix-vertical-size-of-emboldened-glyphs.patch
## Security fixes:
-#
https://bugzilla.gnome.org/show_bug.cgi?id=1074647
+#
https://bugzilla.redhat.com/show_bug.cgi?id=1074647
Patch93: freetype-2.5.0-CVE-2014-2240.patch
Patch94: freetype-2.5.0-CVE-2014-2241.patch
-#
https://bugzilla.gnome.org/show_bug.cgi?id=1172634
+#
https://bugzilla.redhat.com/show_bug.cgi?id=1172634
Patch95: freetype-2.5.0-hintmask.patch
Patch96: freetype-2.5.0-hintmap.patch
+#
https://bugzilla.redhat.com/show_bug.cgi?id=1191099
+#
https://bugzilla.redhat.com/show_bug.cgi?id=1191191
+#
https://bugzilla.redhat.com/show_bug.cgi?id=1191193
+Patch97: freetype-2.5.0-CVE-2014-9656.patch
+Patch98: freetype-2.5.0-CVE-2014-9657.patch
+Patch99: freetype-2.5.0-CVE-2014-9658.patch
+Patch100: freetype-2.5.0-ft-strncmp.patch
+Patch101: freetype-2.5.0-CVE-2014-9675.patch
+Patch102: freetype-2.5.0-CVE-2014-9660.patch
+Patch103: freetype-2.5.0-CVE-2014-9661a.patch
+Patch104: freetype-2.5.0-CVE-2014-9661b.patch
+Patch105: freetype-2.5.0-CVE-2014-9662.patch
+Patch106: freetype-2.5.0-CVE-2014-9663.patch
+Patch107: freetype-2.5.0-CVE-2014-9664a.patch
+Patch108: freetype-2.5.0-CVE-2014-9664b.patch
+Patch109: freetype-2.5.0-CVE-2014-9666.patch
+Patch110: freetype-2.5.0-CVE-2014-9667.patch
+Patch111: freetype-2.5.0-CVE-2014-9669.patch
+Patch112: freetype-2.5.0-CVE-2014-9670.patch
+Patch113: freetype-2.5.0-CVE-2014-9671.patch
+Patch114: freetype-2.5.0-CVE-2014-9672.patch
+Patch115: freetype-2.5.0-CVE-2014-9673.patch
+Patch117: freetype-2.5.0-unsigned-long.patch
+Patch116: freetype-2.5.0-CVE-2014-9674a.patch
+Patch118: freetype-2.5.0-CVE-2014-9674b.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
Provides: freetype-bytecode
@@ -60,6 +86,29 @@
%patch95 -p1 -b .hintmask
%patch96 -p1 -b .hintmap
+%patch97 -p1 -b .CVE-2014-9656
+%patch98 -p1 -b .CVE-2014-9657
+%patch99 -p1 -b .CVE-2014-9658
+%patch100 -p1 -b .ft-strncmp
+%patch101 -p1 -b .CVE-2014-9675
+%patch102 -p1 -b .CVE-2014-9660
+%patch103 -p1 -b .CVE-2014-9661a
+%patch104 -p1 -b .CVE-2014-9661b
+%patch105 -p1 -b .CVE-2014-9662
+%patch106 -p1 -b .CVE-2014-9663
+%patch107 -p1 -b .CVE-2014-9664a
+%patch108 -p1 -b .CVE-2014-9664b
+%patch109 -p1 -b .CVE-2014-9666
+%patch110 -p1 -b .CVE-2014-9667
+%patch111 -p1 -b .CVE-2014-9669
+%patch112 -p1 -b .CVE-2014-9670
+%patch113 -p1 -b .CVE-2014-9671
+%patch114 -p1 -b .CVE-2014-9672
+%patch115 -p1 -b .CVE-2014-9673
+%patch116 -p1 -b .unsigned-long
+%patch117 -p1 -b .CVE-2014-9674a
+%patch118 -p1 -b .CVE-2014-9674b
+
%build
@@ -104,6 +153,54 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Wed Feb 18 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.0.1-6
+- Add freetype-2.5.0-CVE-2014-9656.patch from Fedora freetype (rh#1191099)
+ (Check `p' before `num_glyphs'.)
+- Add freetype-2.5.0-CVE-2014-9657.patch from Fedora freetype (rh#1191099)
+ (Check minimum size of `record_size'.)
+- Add freetype-2.5.0-CVE-2014-9658.patch from Fedora freetype (rh#1191099)
+ (Use correct value for minimum table length test.)
+- Add freetype-2.5.0-ft-strncmp.patch from Fedora freetype (rh#1191193)
+ (Fix
http://savannah.nongnu.org/bugs/?41692. Prereq of CVE-2014-9675 patch.)
+- Add freetype-2.5.0-CVE-2014-9675.patch from Fedora freetype (rh#1191193)
+ (New macro that checks one character more than `strncmp'.)
+- Add freetype-2.5.0-CVE-2014-9660.patch from Fedora freetype (rh#1191099)
+ (Check `_BDF_GLYPH_BITS'.)
+- Add freetype-2.5.0-CVE-2014-9661a.patch from Fedora freetype (rh#1191099)
+ (Initialize `face->ttf_size'. Always set `face->ttf_size' directly.)
+- Add freetype-2.5.0-CVE-2014-9661b.patch from Fedora freetype (rh#1191099)
+ (Exclusively use the `truetype' font driver for loading the font contained
+ in the `sfnts' array.)
+- Add freetype-2.5.0-CVE-2014-9662.patch from Fedora freetype (rh#1191099)
+ (Handle return values of point allocation routines.)
+- Add freetype-2.5.0-CVE-2014-9663.patch from Fedora freetype (rh#1191099)
+ (Fix order of validity tests.)
+- Add freetype-2.5.0-CVE-2014-9664a.patch from Fedora freetype (rh#1191099)
+ (Add another boundary testing.)
+- Add freetype-2.5.0-CVE-2014-9664b.patch from Fedora freetype (rh#1191099)
+ (Fix boundary testing.)
+- Add freetype-2.5.0-CVE-2014-9666.patch from Fedora freetype (rh#1191099)
+ (Protect against addition and multiplication overflow.)
+- Add freetype-2.5.0-CVE-2014-9667.patch from Fedora freetype (rh#1191099)
+ (Protect against addition overflow.)
+- Add freetype-2.5.0-CVE-2014-9669.patch from Fedora freetype (rh#1191099)
+ (Protect against overflow in additions and multiplications.)
+- Add freetype-2.5.0-CVE-2014-9670.patch from Fedora freetype (rh#1191099)
+ (Add sanity checks for row and column values.)
+- Add freetype-2.5.0-CVE-2014-9671.patch from Fedora freetype (rh#1191099)
+ (Check `size' and `offset' values.)
+- Add freetype-2.5.0-CVE-2014-9672.patch from Fedora freetype (rh#1191095)
+ (Prevent a buffer overrun caused by a font including too many (> 63) strings
+ to store names[] table.)
+- Add freetype-2.5.0-CVE-2014-9673.patch from Fedora freetype (rh#1191096)
+ (Fix integer overflow by a broken POST table in resource-fork.)
+- Add freetype-2.5.0-unsigned-long.patch from Fedora freetype (rh#1191191)
+ (Use unsigned long variables to read the lengths in POST fragments.)
+- Add freetype-2.5.0-CVE-2014-9674a.patch from Fedora freetype (rh#1191191)
+ (Fix integer overflow by a broken POST table in resource-fork.)
+- Add freetype-2.5.0-CVE-2014-9674b.patch from Fedora freetype (rh#1191191)
+ (Additional overflow check in the summation of POST fragment lengths.)
+
* Fri Dec 12 2014 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.0.1-5
- Add freetype-2.5.0-hintmask.patch from Fedora freetype (rh#1172634)
(Don't append to stem arrays after hintmask is constructed.)