Author: kkofler Update of /cvs/free/rpms/freetype-freeworld/F-13 In directory se02.es.rpmfusion.net:/tmp/cvs-serv9852/F-13 Modified Files: freetype-freeworld.spec Added Files: freetype-2.3.11-CVE-2010-1797.patch freetype-2.3.11-CVE-2010-2498.patch freetype-2.3.11-CVE-2010-2499.patch freetype-2.3.11-CVE-2010-2500.patch freetype-2.3.11-CVE-2010-2519.patch freetype-2.3.11-CVE-2010-2520.patch freetype-2.3.11-CVE-2010-2527.patch freetype-2.3.11-CVE-2010-2541.patch freetype-2.3.11-CVE-2010-2805.patch freetype-2.3.11-CVE-2010-2806.patch freetype-2.3.11-CVE-2010-2808.patch freetype-2.3.11-CVE-2010-3311.patch Log Message: * Tue Oct 05 2010 Kevin Kofler <Kevin(a)tigcc.ticalc.org&gt; 2.3.11-3 - Update the description to reflect that the bytecode interpreter was disabled in Fedora again. - Restore the conditionals (for the above reason). - Add freetype-2.3.11-CVE-2010-2805.patch (Fix comparison.) - Add freetype-2.3.11-CVE-2010-2806.patch (Protect against negative string_size. Fix comparison.) - Add freetype-2.3.11-CVE-2010-2808.patch (Check the total length of collected POST segments.) - Add freetype-2.3.11-CVE-2010-3311.patch (Don't seek behind end of stream.) - Resolves: rh#638522 - Add freetype-2.3.11-CVE-2010-1797.patch (Check stack after execution of operations too. Skip the evaluations of the values in decoder, if cff_decoder_parse_charstrings() returns any error.) - Resolves: rh#621627 - Add freetype-2.3.11-CVE-2010-2498.patch (Assure that `end_point' is not larger than `glyph->num_points') - Add freetype-2.3.11-CVE-2010-2499.patch (Check the buffer size during gathering PFB fragments) - Add freetype-2.3.11-CVE-2010-2500.patch (Use smaller threshold values for `width' and `height') - Add freetype-2.3.11-CVE-2010-2519.patch (Check `rlen' the length of fragment declared in the POST fragment header) - Add freetype-2.3.11-CVE-2010-2520.patch (Fix bounds check) - Add freetype-2.3.11-CVE-2010-2527.patch (Use precision for `%s' where appropriate to avoid buffer overflows) - Add freetype-2.3.11-CVE-2010-2541.patch (Avoid overflow when dealing with names of axes) - Resolves: rh#613299 freetype-2.3.11-CVE-2010-1797.patch: cffgload.c | 73 ++++++++++++++++++++++++++++++++++--------------------------- 1 file changed, 41 insertions(+), 32 deletions(-) --- NEW FILE freetype-2.3.11-CVE-2010-1797.patch --- --- freetype-2.3.11/src/cff/cffgload.c 2009-09-10 17:52:21.000000000 +0200 +++ freetype-2.3.11/src/cff/cffgload.c 2010-08-11 13:39:32.000000000 +0200 @@ -2358,8 +2358,11 @@ return CFF_Err_Unimplemented_Feature; } - decoder->top = args; + decoder->top = args; + if ( decoder->top - stack >= CFF_MAX_OPERANDS ) + goto Stack_Overflow; + } /* general operator processing */ } /* while ip < limit */ @@ -2627,48 +2630,54 @@ /* now load the unscaled outline */ error = cff_get_glyph_data( face, glyph_index, &charstring, &charstring_len ); - if ( !error ) - { - error = cff_decoder_prepare( &decoder, size, glyph_index ); - if ( !error ) - { - error = cff_decoder_parse_charstrings( &decoder, - charstring, - charstring_len ); + if ( error ) + goto Glyph_Build_Finished; + + error = cff_decoder_prepare( &decoder, size, glyph_index ); + if ( error ) + goto Glyph_Build_Finished; - cff_free_glyph_data( face, &charstring, charstring_len ); + error = cff_decoder_parse_charstrings( &decoder, + charstring, + charstring_len ); + + cff_free_glyph_data( face, &charstring, charstring_len ); + + if ( error ) + goto Glyph_Build_Finished; #ifdef FT_CONFIG_OPTION_INCREMENTAL - /* Control data and length may not be available for incremental */ - /* fonts. */ - if ( face->root.internal->incremental_interface ) - { - glyph->root.control_data = 0; - glyph->root.control_len = 0; - } - else + /* Control data and length may not be available for incremental */ + /* fonts. */ + if ( face->root.internal->incremental_interface ) + { + glyph->root.control_data = 0; + glyph->root.control_len = 0; + } + else #endif /* FT_CONFIG_OPTION_INCREMENTAL */ - /* We set control_data and control_len if charstrings is loaded. */ - /* See how charstring loads at cff_index_access_element() in */ - /* cffload.c. */ - { - CFF_Index csindex = &cff->charstrings_index; + /* We set control_data and control_len if charstrings is loaded. */ + /* See how charstring loads at cff_index_access_element() in */ + /* cffload.c. */ + { + CFF_Index csindex = &cff->charstrings_index; - if ( csindex->offsets ) - { - glyph->root.control_data = csindex->bytes + - csindex->offsets[glyph_index] - 1; - glyph->root.control_len = charstring_len; - } - } + if ( csindex->offsets ) + { + glyph->root.control_data = csindex->bytes + + csindex->offsets[glyph_index] - 1; + glyph->root.control_len = charstring_len; } } - /* save new glyph tables */ - cff_builder_done( &decoder.builder ); + Glyph_Build_Finished: + /* save new glyph tables, if no error */ + if ( !error ) + cff_builder_done( &decoder.builder ); + /* XXX: anything to do for broken glyph entry? */ } #ifdef FT_CONFIG_OPTION_INCREMENTAL freetype-2.3.11-CVE-2010-2498.patch: pshalgo.c | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) --- NEW FILE freetype-2.3.11-CVE-2010-2498.patch --- --- freetype-2.3.11/src/pshinter/pshalgo.c 2009-07-03 15:28:24.000000000 +0200 +++ freetype-2.3.11/src/pshinter/pshalgo.c 2010-07-13 13:14:22.000000000 +0200 @@ -4,7 +4,8 @@ /* */ /* PostScript hinting algorithm (body). */ /* */ -/* Copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */ +/* Copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 */ +/* by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used */ @@ -1690,7 +1691,10 @@ /* process secondary hints to `selected' points */ if ( num_masks > 1 && glyph->num_points > 0 ) { - first = mask->end_point; + /* the `endchar' op can reduce the number of points */ + first = mask->end_point > glyph->num_points + ? glyph->num_points + : mask->end_point; mask++; for ( ; num_masks > 1; num_masks--, mask++ ) { @@ -1698,7 +1702,9 @@ FT_Int count; - next = mask->end_point; + next = mask->end_point > glyph->num_points + ? glyph->num_points + : mask->end_point; count = next - first; if ( count > 0 ) { freetype-2.3.11-CVE-2010-2499.patch: ftobjs.c | 10 ++++++++++ 1 file changed, 10 insertions(+) --- NEW FILE freetype-2.3.11-CVE-2010-2499.patch --- --- freetype-2.3.11/src/base/ftobjs.c 2009-09-02 08:42:41.000000000 +0200 +++ freetype-2.3.11/src/base/ftobjs.c 2010-07-12 16:39:13.000000000 +0200 @@ -1531,6 +1531,8 @@ len += rlen; else { + if ( pfb_lenpos + 3 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_lenpos ] = (FT_Byte)( len ); pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 ); pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 ); @@ -1539,6 +1541,8 @@ if ( ( flags >> 8 ) == 5 ) /* End of font mark */ break; + if ( pfb_pos + 6 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_pos++] = 0x80; type = flags >> 8; @@ -1553,12 +1557,18 @@ } error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen ); + if ( error ) + goto Exit2; pfb_pos += rlen; } + if ( pfb_pos + 2 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_pos++] = 0x80; pfb_data[pfb_pos++] = 3; + if ( pfb_lenpos + 3 > pfb_len + 2 ) + goto Exit2; pfb_data[pfb_lenpos ] = (FT_Byte)( len ); pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 ); pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 ); freetype-2.3.11-CVE-2010-2500.patch: ftgrays.c | 2 +- ftsmooth.c | 4 ++-- 2 files changed, 3 insertions(+), 3 deletions(-) --- NEW FILE freetype-2.3.11-CVE-2010-2500.patch --- --- freetype-2.3.11/src/smooth/ftgrays.c 2009-07-31 18:45:19.000000000 +0200 +++ freetype-2.3.11/src/smooth/ftgrays.c 2010-07-13 10:26:58.000000000 +0200 @@ -1189,7 +1189,7 @@ /* first of all, compute the scanline offset */ p = (unsigned char*)map->buffer - y * map->pitch; if ( map->pitch >= 0 ) - p += ( map->rows - 1 ) * map->pitch; + p += (unsigned)( ( map->rows - 1 ) * map->pitch ); for ( ; count > 0; count--, spans++ ) { --- freetype-2.3.11/src/smooth/ftsmooth.c 2009-07-31 18:45:19.000000000 +0200 +++ freetype-2.3.11/src/smooth/ftsmooth.c 2010-07-13 10:26:58.000000000 +0200 @@ -4,7 +4,7 @@ /* */ /* Anti-aliasing renderer interface (body). */ /* */ -/* Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2009 by */ +/* Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2009, 2010 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -200,7 +200,7 @@ /* Required check is ( pitch * height < FT_ULONG_MAX ), */ /* but we care realistic cases only. Always pitch <= width. */ - if ( width > 0xFFFFU || height > 0xFFFFU ) + if ( width > 0x7FFFU || height > 0x7FFFU ) { FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n", width, height )); freetype-2.3.11-CVE-2010-2519.patch: ftobjs.c | 14 +++++++++++++- 1 file changed, 13 insertions(+), 1 deletion(-) --- NEW FILE freetype-2.3.11-CVE-2010-2519.patch --- --- freetype-2.3.11/src/base/ftobjs.c 2010-07-12 17:03:47.000000000 +0200 +++ freetype-2.3.11/src/base/ftobjs.c 2010-07-12 17:07:06.000000000 +0200 @@ -1526,7 +1526,19 @@ goto Exit; if ( FT_READ_USHORT( flags ) ) goto Exit; - rlen -= 2; /* the flags are part of the resource */ + FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", + i, offsets[i], rlen, flags )); + + if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */ + continue; + + /* the flags are part of the resource, so rlen >= 2. */ + /* but some fonts declare rlen = 0 for empty fragment */ + if ( rlen > 2 ) + rlen -= 2; + else + rlen = 0; + if ( ( flags >> 8 ) == type ) len += rlen; else freetype-2.3.11-CVE-2010-2520.patch: ttinterp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- NEW FILE freetype-2.3.11-CVE-2010-2520.patch --- --- freetype-2.3.11/src/truetype/ttinterp.c 2009-07-31 18:45:19.000000000 +0200 +++ freetype-2.3.11/src/truetype/ttinterp.c 2010-07-15 14:44:23.000000000 +0200 @@ -6466,8 +6466,8 @@ end_point = CUR.pts.contours[contour] - CUR.pts.first_point; first_point = point; - if ( CUR.pts.n_points <= end_point ) - end_point = CUR.pts.n_points; + if ( BOUNDS ( end_point, CUR.pts.n_points ) ) + end_point = CUR.pts.n_points - 1; while ( point <= end_point && ( CUR.pts.tags[point] & mask ) == 0 ) point++; freetype-2.3.11-CVE-2010-2527.patch: ftdiff.c | 4 ++-- ftgrid.c | 10 +++++----- ftmulti.c | 8 ++++---- ftstring.c | 11 ++++++----- ftview.c | 8 ++++---- 5 files changed, 21 insertions(+), 20 deletions(-) --- NEW FILE freetype-2.3.11-CVE-2010-2527.patch --- --- freetype-2.3.11/ft2demos-2.3.11/src/ftdiff.c 2009-04-30 18:07:48.000000000 +0200 +++ freetype-2.3.11/ft2demos-2.3.11/src/ftdiff.c 2010-07-22 18:18:06.000000000 +0200 @@ -1054,11 +1054,11 @@ state->message = state->message0; if ( total > 1 ) - sprintf( state->message0, "%s %d/%d @ %5.1fpt", + sprintf( state->message0, "%.100s %d/%d @ %5.1fpt", state->filename, idx + 1, total, state->char_size ); else - sprintf( state->message0, "%s @ %5.1fpt", + sprintf( state->message0, "%.100s @ %5.1fpt", state->filename, state->char_size ); } --- freetype-2.3.11/ft2demos-2.3.11/src/ftgrid.c 2009-04-30 18:15:21.000000000 +0200 +++ freetype-2.3.11/ft2demos-2.3.11/src/ftgrid.c 2010-07-22 18:18:06.000000000 +0200 @@ -2,7 +2,7 @@ /* */ /* The FreeType project -- a free and portable quality TrueType renderer. */ /* */ -/* Copyright 1996-2000, 2003, 2004, 2005, 2006, 2007, 2009 by */ +/* Copyright 1996-2000, 2003, 2004, 2005, 2006, 2007, 2009, 2010 by */ /* D. Turner, R.Wilhelm, and W. Lemberg */ /* */ /* */ @@ -787,22 +787,22 @@ grid_status_draw_outline( GridStatus switch ( error_code ) { case FT_Err_Ok: - sprintf( status.header_buffer, "%s %s (file `%s')", + sprintf( status.header_buffer, "%.50s %.50s (file `%.100s')", face->family_name, face->style_name, basename ); break; case FT_Err_Invalid_Pixel_Size: - sprintf( status.header_buffer, "Invalid pixel size (file `%s')", + sprintf( status.header_buffer, "Invalid pixel size (file `%.100s')", basename ); break; case FT_Err_Invalid_PPem: - sprintf( status.header_buffer, "Invalid ppem value (file `%s')", + sprintf( status.header_buffer, "Invalid ppem value (file `%.100s')", basename ); break; default: - sprintf( status.header_buffer, "File `%s': error 0x%04x", + sprintf( status.header_buffer, "File `%.100s': error 0x%04x", basename, (FT_UShort)error_code ); break; } --- freetype-2.3.11/ft2demos-2.3.11/src/ftmulti.c 2009-03-14 14:58:28.000000000 +0100 +++ freetype-2.3.11/ft2demos-2.3.11/src/ftmulti.c 2010-07-22 18:18:39.000000000 +0200 @@ -2,7 +2,7 @@ /* */ /* The FreeType project -- a free and portable quality TrueType renderer. */ /* */ -/* Copyright 1996-2000, 2003, 2004, 2005 by */ +/* Copyright 1996-2000, 2003, 2004, 2005, 2010 by */ /* D. Turner, R.Wilhelm, and W. Lemberg */ /* */ /* */ @@ -34,7 +34,7 @@ #define MAXPTSIZE 500 /* dtp */ - char Header[128]; + char Header[256]; char* new_header = 0; const unsigned char* Text = (unsigned char*) @@ -795,7 +795,7 @@ Render_All( Num, ptsize ); } - sprintf( Header, "%s %s (file %s)", + sprintf( Header, "%.50s %.50s (file %.100s)", face->family_name, face->style_name, ft_basename( argv[file] ) ); @@ -830,7 +830,7 @@ } else { - sprintf( Header, "%s: not an MM font file, or could not be opened", + sprintf( Header, "%.100s: not an MM font file, or could not be opened", ft_basename( argv[file] ) ); } --- freetype-2.3.11/ft2demos-2.3.11/src/ftstring.c 2009-03-14 14:58:28.000000000 +0100 +++ freetype-2.3.11/ft2demos-2.3.11/src/ftstring.c 2010-07-22 18:18:06.000000000 +0200 @@ -2,7 +2,7 @@ /* */ /* The FreeType project -- a free and portable quality TrueType renderer. */ /* */ -/* Copyright 1996-2002, 2003, 2004, 2005, 2006, 2007, 2009 by */ +/* Copyright 1996-2002, 2003, 2004, 2005, 2006, 2007, 2009, 2010 by */ /* D. Turner, R.Wilhelm, and W. Lemberg */ /* */ /* */ @@ -413,19 +413,20 @@ switch ( error_code ) { case FT_Err_Ok: - sprintf( status.header_buffer, "%s %s (file `%s')", face->family_name, + sprintf( status.header_buffer, + "%.50s %.50s (file `%.100s')", face->family_name, face->style_name, basename ); break; case FT_Err_Invalid_Pixel_Size: - sprintf( status.header_buffer, "Invalid pixel size (file `%s')", + sprintf( status.header_buffer, "Invalid pixel size (file `%.100s')", basename ); break; case FT_Err_Invalid_PPem: - sprintf( status.header_buffer, "Invalid ppem value (file `%s')", + sprintf( status.header_buffer, "Invalid ppem value (file `%.100s')", basename ); break; default: - sprintf( status.header_buffer, "File `%s': error 0x%04x", basename, + sprintf( status.header_buffer, "File `%.100s': error 0x%04x", basename, (FT_UShort)error_code ); break; } --- freetype-2.3.11/ft2demos-2.3.11/src/ftview.c 2009-04-30 20:08:25.000000000 +0200 +++ freetype-2.3.11/ft2demos-2.3.11/src/ftview.c 2010-07-22 18:18:06.000000000 +0200 @@ -1086,19 +1086,19 @@ switch ( error_code ) { case FT_Err_Ok: - sprintf( status.header_buffer, "%s %s (file `%s')", + sprintf( status.header_buffer, "%.50s %.50s (file `%.100s')", face->family_name, face->style_name, basename ); break; case FT_Err_Invalid_Pixel_Size: - sprintf( status.header_buffer, "Invalid pixel size (file `%s')", + sprintf( status.header_buffer, "Invalid pixel size (file `%.100s')", basename ); break; case FT_Err_Invalid_PPem: - sprintf( status.header_buffer, "Invalid ppem value (file `%s')", + sprintf( status.header_buffer, "Invalid ppem value (file `%.100s')", basename ); break; default: - sprintf( status.header_buffer, "File `%s': error 0x%04x", + sprintf( status.header_buffer, "File `%.100s': error 0x%04x", basename, (FT_UShort)error_code ); break; } freetype-2.3.11-CVE-2010-2541.patch: ftmulti.c | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) --- NEW FILE freetype-2.3.11-CVE-2010-2541.patch --- --- freetype-2.3.11/ft2demos-2.3.11/src/ftmulti.c 2010-07-22 19:11:50.000000000 +0200 +++ freetype-2.3.11/ft2demos-2.3.11/src/ftmulti.c 2010-07-22 19:12:41.000000000 +0200 @@ -813,13 +813,13 @@ for ( n = 0; n < (int)multimaster->num_axis; n++ ) { - char temp[32]; + char temp[100]; - sprintf( temp, " %s:%g", + sprintf( temp, " %.50s:%g", multimaster->axis[n].name, - design_pos[n]/65536. ); - strcat( Header, temp ); + design_pos[n] / 65536.0 ); + strncat( Header, temp, sizeof( Header ) - strlen( Header ) - 1 ); } } grWriteCellString( &bit, 0, 16, Header, fore_color ); freetype-2.3.11-CVE-2010-2805.patch: ftstream.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- NEW FILE freetype-2.3.11-CVE-2010-2805.patch --- --- freetype-2.3.11/src/base/ftstream.c 2009-08-03 19:51:40.000000000 +0200 +++ freetype-2.3.11/src/base/ftstream.c 2010-09-30 13:46:08.000000000 +0200 @@ -275,7 +275,7 @@ { /* check current and new position */ if ( stream->pos >= stream->size || - stream->pos + count > stream->size ) + stream->size - stream->pos < count ) { FT_ERROR(( "FT_Stream_EnterFrame:" " invalid i/o; pos = 0x%lx, count = %lu, size = 0x%lx\n", freetype-2.3.11-CVE-2010-2806.patch: t42parse.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) --- NEW FILE freetype-2.3.11-CVE-2010-2806.patch --- --- freetype-2.3.11/src/type42/t42parse.c 2009-07-03 15:28:24.000000000 +0200 +++ freetype-2.3.11/src/type42/t42parse.c 2010-09-23 12:15:56.000000000 +0200 @@ -4,7 +4,7 @@ /* */ /* Type 42 font parser (body). */ /* */ -/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */ +/* Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */ /* Roberto Alameda. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -575,6 +575,12 @@ } string_size = T1_ToInt( parser ); + if ( string_size < 0 ) + { + FT_ERROR(( "t42_parse_sfnts: invalid string size\n" )); + error = T42_Err_Invalid_File_Format; + goto Fail; + } T1_Skip_PS_Token( parser ); /* `RD' */ if ( parser->root.error ) @@ -582,13 +588,14 @@ string_buf = parser->root.cursor + 1; /* one space after `RD' */ - parser->root.cursor += string_size + 1; - if ( parser->root.cursor >= limit ) + if ( limit - parser->root.cursor < string_size ) { FT_ERROR(( "t42_parse_sfnts: too many binary data\n" )); error = T42_Err_Invalid_File_Format; goto Fail; } + else + parser->root.cursor += string_size + 1; } if ( !string_buf ) freetype-2.3.11-CVE-2010-2808.patch: ftobjs.c | 5 +++++ 1 file changed, 5 insertions(+) --- NEW FILE freetype-2.3.11-CVE-2010-2808.patch --- --- freetype-2.3.11/src/base/ftobjs.c 2010-09-30 13:58:50.000000000 +0200 +++ freetype-2.3.11/src/base/ftobjs.c 2010-09-30 13:59:31.000000000 +0200 @@ -1529,6 +1529,7 @@ FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", i, offsets[i], rlen, flags )); + /* postpone the check of rlen longer than buffer until FT_Stream_Read() */ if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */ continue; @@ -1568,6 +1569,10 @@ pfb_data[pfb_pos++] = 0; } + error = FT_Err_Cannot_Open_Resource; + if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len ) + goto Exit2; + error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen ); if ( error ) goto Exit2; freetype-2.3.11-CVE-2010-3311.patch: ftstream.c | 20 ++++++++++---------- 1 file changed, 10 insertions(+), 10 deletions(-) --- NEW FILE freetype-2.3.11-CVE-2010-3311.patch --- --- freetype-2.3.11/src/base/ftstream.c 2010-09-30 14:12:38.000000000 +0200 +++ freetype-2.3.11/src/base/ftstream.c 2010-09-30 14:12:59.000000000 +0200 @@ -59,8 +59,17 @@ { FT_Error error = FT_Err_Ok; + /* note that seeking to the first position after the file is valid */ + if ( pos > stream->size ) + { + FT_ERROR(( "FT_Stream_Seek:" + " invalid i/o; pos = 0x%lx, size = 0x%lx\n", + pos, stream->size )); - if ( stream->read ) + error = FT_Err_Invalid_Stream_Operation; + } + + if ( !error && stream->read ) { if ( stream->read( stream, pos, 0, 0 ) ) { @@ -71,15 +80,6 @@ error = FT_Err_Invalid_Stream_Operation; } } - /* note that seeking to the first position after the file is valid */ - else if ( pos > stream->size ) - { - FT_ERROR(( "FT_Stream_Seek:" - " invalid i/o; pos = 0x%lx, size = 0x%lx\n", - pos, stream->size )); - - error = FT_Err_Invalid_Stream_Operation; - } if ( !error ) stream->pos = pos; Index: freetype-freeworld.spec =================================================================== RCS file: /cvs/free/rpms/freetype-freeworld/F-13/freetype-freeworld.spec,v retrieving revision 1.8 retrieving revision 1.9 diff -u -r1.8 -r1.9 --- freetype-freeworld.spec 16 Dec 2009 23:57:35 -0000 1.8 +++ freetype-freeworld.spec 5 Oct 2010 14:02:51 -0000 1.9 @@ -1,9 +1,14 @@ +# Enable patented bytecode interpreter and patented subpixel rendering. +# Setting to 1 disables them. +%define without_bytecode_interpreter 0 +%define without_subpixel_rendering 0 + %{!?with_xfree86:%define with_xfree86 1} Summary: A free and portable font rendering engine Name: freetype-freeworld Version: 2.3.11 -Release: 2%{?dist} +Release: 3%{?dist} License: FTL or GPLv2+ Group: System Environment/Libraries URL: http://www.freetype.org @@ -15,10 +20,28 @@ # Enable otvalid and gxvalid modules Patch46: freetype-2.2.1-enable-valid.patch +# Security patches +Patch89: freetype-2.3.11-CVE-2010-2498.patch +Patch90: freetype-2.3.11-CVE-2010-2499.patch +Patch91: freetype-2.3.11-CVE-2010-2500.patch +Patch92: freetype-2.3.11-CVE-2010-2519.patch +Patch93: freetype-2.3.11-CVE-2010-2520.patch +Patch94: freetype-2.3.11-CVE-2010-2527.patch +Patch95: freetype-2.3.11-CVE-2010-2541.patch +Patch96: freetype-2.3.11-CVE-2010-1797.patch +Patch97: freetype-2.3.11-CVE-2010-2805.patch +Patch98: freetype-2.3.11-CVE-2010-2806.patch +Patch99: freetype-2.3.11-CVE-2010-2808.patch +Patch100: freetype-2.3.11-CVE-2010-3311.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n) +%if !0%{?without_bytecode_interpreter} Provides: freetype-bytecode +%endif +%if !0%{?without_subpixel_rendering} Provides: freetype-subpixel +%endif Requires: /etc/ld.so.conf.d BuildRequires: libX11-devel @@ -31,18 +54,38 @@ individual glyphs. FreeType is not a font server or a complete text-rendering library. -This version is compiled with the patented subpixel rendering enabled. It -transparently overrides the system library using ld.so.conf.d. +This version is compiled with the patented subpixel rendering and the formerly +patented bytecode interpreter (which is still disabled in the stock Fedora +packages for technical reasons) enabled. It transparently overrides the system +library using ld.so.conf.d. %prep %setup -q -n freetype-%{version} +%if ! %{without_bytecode_interpreter} %patch20 -p1 -b .enable-ft2-bci +%endif + +%if ! %{without_subpixel_rendering} %patch21 -p1 -b .enable-spr +%endif %patch46 -p1 -b .enable-valid +%patch89 -p1 -b .CVE-2010-2498 +%patch90 -p1 -b .CVE-2010-2499 +%patch91 -p1 -b .CVE-2010-2500 +%patch92 -p1 -b .CVE-2010-2519 +%patch93 -p1 -b .CVE-2010-2520 +%patch94 -p1 -b .CVE-2010-2527 +%patch95 -p1 -b .CVE-2010-2541 +%patch96 -p1 -b .CVE-2010-1797 +%patch97 -p1 -b .CVE-2010-2805 +%patch98 -p1 -b .CVE-2010-2806 +%patch99 -p1 -b .CVE-2010-2808 +%patch100 -p1 -b .CVE-2010-3311 + %build %configure --disable-static @@ -86,6 +129,40 @@ %config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf %changelog +* Tue Oct 05 2010 Kevin Kofler <Kevin(a)tigcc.ticalc.org&gt; 2.3.11-3 +- Update the description to reflect that the bytecode interpreter was disabled + in Fedora again. +- Restore the conditionals (for the above reason). +- Add freetype-2.3.11-CVE-2010-2805.patch + (Fix comparison.) +- Add freetype-2.3.11-CVE-2010-2806.patch + (Protect against negative string_size. Fix comparison.) +- Add freetype-2.3.11-CVE-2010-2808.patch + (Check the total length of collected POST segments.) +- Add freetype-2.3.11-CVE-2010-3311.patch + (Don't seek behind end of stream.) +- Resolves: rh#638522 +- Add freetype-2.3.11-CVE-2010-1797.patch + (Check stack after execution of operations too. + Skip the evaluations of the values in decoder, if + cff_decoder_parse_charstrings() returns any error.) +- Resolves: rh#621627 +- Add freetype-2.3.11-CVE-2010-2498.patch + (Assure that `end_point' is not larger than `glyph->num_points') +- Add freetype-2.3.11-CVE-2010-2499.patch + (Check the buffer size during gathering PFB fragments) +- Add freetype-2.3.11-CVE-2010-2500.patch + (Use smaller threshold values for `width' and `height') +- Add freetype-2.3.11-CVE-2010-2519.patch + (Check `rlen' the length of fragment declared in the POST fragment header) +- Add freetype-2.3.11-CVE-2010-2520.patch + (Fix bounds check) +- Add freetype-2.3.11-CVE-2010-2527.patch + (Use precision for `%s' where appropriate to avoid buffer overflows) +- Add freetype-2.3.11-CVE-2010-2541.patch + (Avoid overflow when dealing with names of axes) +- Resolves: rh#613299 + * Wed Dec 16 2009 Kevin Kofler <Kevin(a)tigcc.ticalc.org&gt; 2.3.11-2 - Drop conditionals, always build the bytecode interpreter (now also in Fedora) and subpixel rendering (as that's the only reason to build freetype-freeworld