Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/devel
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv21314/devel
Modified Files:
freetype-freeworld.spec
Added Files:
freetype-2.5.3-pcf-read-a.patch
freetype-2.5.3-pcf-read-b.patch
Log Message:
* Tue Feb 24 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.3-5
- Add freetype-2.5.3-pcf-read-a.patch and freetype-2.5.3-pcf-read-b.patch ("Work
around behaviour of X11's `pcfWriteFont' and `pcfReadFont' functions")
from
Fedora freetype, fixes regression from CVE-2014-9671 fix (rh#1195652)
freetype-2.5.3-pcf-read-a.patch:
pcfread.c | 55 +++++++++++++++++++++++++++++++++++++++++++------------
1 file changed, 43 insertions(+), 12 deletions(-)
--- NEW FILE freetype-2.5.3-pcf-read-a.patch ---
From 74af85c4b62b35e55b0ce9dec55ee10cbc4962a2 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Mon, 8 Dec 2014 16:01:50 +0100
Subject: [PATCH] [pcf] Fix Savannah bug #43774.
Work around `features' of X11's `pcfWriteFont' and `pcfReadFont'
functions. Since the PCF format doesn't have an official
specification, we have to exactly follow these functions' behaviour.
The problem was unveiled with a patch from 2014-11-06, fixing issue #43547.
* src/pcf/pcfread.c (pcf_read_TOC): Don't check table size for last
element. Instead, assign real size.
---
ChangeLog | 14 ++++++++++++++
src/pcf/pcfread.c | 54 +++++++++++++++++++++++++++++++++++++++++++-----------
2 files changed, 57 insertions(+), 11 deletions(-)
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index 998cbed..e3caf82 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -2,7 +2,7 @@
FreeType font driver for pcf fonts
- Copyright 2000-2010, 2012, 2013 by
+ Copyright 2000-2010, 2012-2014 by
Francesco Zappa Nardelli
Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -78,7 +78,7 @@ THE SOFTWARE.
FT_FRAME_START( 16 ),
FT_FRAME_ULONG_LE( type ),
FT_FRAME_ULONG_LE( format ),
- FT_FRAME_ULONG_LE( size ),
+ FT_FRAME_ULONG_LE( size ), /* rounded up to a multiple of 4 */
FT_FRAME_ULONG_LE( offset ),
FT_FRAME_END
};
@@ -95,9 +95,11 @@ THE SOFTWARE.
FT_Memory memory = FT_FACE( face )->memory;
FT_UInt n;
+ FT_ULong size;
- if ( FT_STREAM_SEEK ( 0 ) ||
- FT_STREAM_READ_FIELDS ( pcf_toc_header, toc ) )
+
+ if ( FT_STREAM_SEEK( 0 ) ||
+ FT_STREAM_READ_FIELDS( pcf_toc_header, toc ) )
return FT_THROW( Cannot_Open_Resource );
if ( toc->version != PCF_FILE_VERSION ||
@@ -151,14 +153,35 @@ THE SOFTWARE.
break;
}
- /* we now check whether the `size' and `offset' values are reasonable: */
- /* `offset' + `size' must not exceed the stream size */
+ /*
+ * We now check whether the `size' and `offset' values are reasonable:
+ * `offset' + `size' must not exceed the stream size.
+ *
+ * Note, however, that X11's `pcfWriteFont' routine (used by the
+ * `bdftopcf' program to create PDF font files) has two special
+ * features.
+ *
+ * - It always assigns the accelerator table a size of 100 bytes in the
+ * TOC, regardless of its real size, which can vary between 34 and 72
+ * bytes.
+ *
+ * - Due to the way the routine is designed, it ships out the last font
+ * table with its real size, ignoring the TOC's size value. Since
+ * the TOC size values are always rounded up to a multiple of 4, the
+ * difference can be up to three bytes for all tables except the
+ * accelerator table, for which the difference can be as large as 66
+ * bytes.
+ *
+ */
+
tables = face->toc.tables;
- for ( n = 0; n < toc->count; n++ )
+ size = stream->size;
+
+ for ( n = 0; n < toc->count - 1; n++ )
{
/* we need two checks to avoid overflow */
- if ( ( tables->size > stream->size ) ||
- ( tables->offset > stream->size - tables->size ) )
+ if ( ( tables->size > size ) ||
+ ( tables->offset > size - tables->size ) )
{
error = FT_THROW( Invalid_Table );
goto Exit;
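Review bot: The new loop bound `toc->count - 1` wraps to a very large value when `toc->count` is zero (assuming `count` is unsigned like the other TOC fields), and the loop would then walk `tables` far beyond the TOC array. The header validation that starts at `if ( toc->version != PCF_FILE_VERSION ||` is cut off in the previous hunk, so this patch does not show whether a zero count is rejected there. If it is not, add `if ( toc->count == 0 ) { error = FT_THROW( Invalid_Table ); goto Exit; }` before `tables = face->toc.tables;`. Separately, the new comment says `bdftopcf` creates "PDF font files", which presumably should read "PCF font files".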
@@ -166,6 +189,15 @@ THE SOFTWARE.
tables++;
}
+ /* no check of `tables->size' for last table element ... */
+ if ( ( tables->offset > size ) )
+ {
+ error = FT_THROW( Invalid_Table );
+ goto Exit;
+ }
+ /* ... instead, we adjust `tables->size' to the real value */
+ tables->size = size - tables->offset;
+
#ifdef FT_DEBUG_LEVEL_TRACE
{
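Review bot: Exempting the last TOC entry from the size check is only sound if that entry really is the table written last in the file, and nothing in this hunk states why that holds. The code ahead of the loop lies outside the patch context; if it orders the entries by offset, a comment such as `/* entries are ordered by offset, so this is the table written last */` would make the dependency explicit. The check also accepts `tables->offset == size`, which leaves a zero-length last table, and the comment should say whether that is intended. The doubled parentheses in `if ( ( tables->offset > size ) )` can be dropped. The same check is carried unchanged into freetype-2.5.3-pcf-read-b.patch.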
@@ -714,8 +746,8 @@ THE SOFTWARE.
FT_TRACE4(( " number of bitmaps: %d\n", nbitmaps ));
- /* XXX: PCF_Face->nmetrics is singed FT_Long, see pcf.h */
- if ( face->nmetrics < 0 || nbitmaps != ( FT_ULong )face->nmetrics )
+ /* XXX: PCF_Face->nmetrics is signed FT_Long, see pcf.h */
+ if ( face->nmetrics < 0 || nbitmaps != (FT_ULong)face->nmetrics )
return FT_THROW( Invalid_File_Format );
if ( FT_NEW_ARRAY( offsets, nbitmaps ) )
--
2.1.0
freetype-2.5.3-pcf-read-b.patch:
pcfread.c | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.5.3-pcf-read-b.patch ---
From 06842c7b49c21f13c0ab61201daab6ff5a358fcc Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl(a)gnu.org>
Date: Sat, 13 Dec 2014 07:42:51 +0100
Subject: [PATCH] * src/pcf/pcfread.c (pcf_read_TOC): Improve fix from
2014-12-08.
---
ChangeLog | 4 ++++
src/pcf/pcfread.c | 7 ++++---
2 files changed, 8 insertions(+), 3 deletions(-)
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index e3caf82..a29a9e3 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -189,14 +189,15 @@ THE SOFTWARE.
tables++;
}
- /* no check of `tables->size' for last table element ... */
+ /* only check `tables->offset' for last table element ... */
if ( ( tables->offset > size ) )
{
error = FT_THROW( Invalid_Table );
goto Exit;
}
- /* ... instead, we adjust `tables->size' to the real value */
- tables->size = size - tables->offset;
+ /* ... and adjust `tables->size' to the real value if necessary */
+ if ( tables->size > size - tables->offset )
+ tables->size = size - tables->offset;
#ifdef FT_DEBUG_LEVEL_TRACE
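Review bot: The clamp silently rewrites a size value that came from the font file, so anything logged afterwards (the `FT_DEBUG_LEVEL_TRACE` block that starts right after, contents not shown) would presumably report the adjusted size with no hint that the TOC said otherwise. A trace line inside the `if`, for example `FT_TRACE4(( "pcf_read_TOC: last table size clamped to stream size\n" ));`, would keep truncated or malformed fonts diagnosable. That requires braces around the two statements. The function body continues outside the hunk.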
--
2.1.0
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/devel/freetype-freeworld.spec,v
retrieving revision 1.38
retrieving revision 1.39
diff -u -r1.38 -r1.39
--- freetype-freeworld.spec 18 Feb 2015 01:32:07 -0000 1.38
+++ freetype-freeworld.spec 24 Feb 2015 17:47:38 -0000 1.39
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.5.3
-Release: 4%{?dist}
+Release: 5%{?dist}
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
URL:
http://www.freetype.org
Source:
http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.ta...
@@ -43,6 +43,11 @@
Patch116: freetype-2.5.3-unsigned-long.patch
Patch117: freetype-2.5.3-CVE-2014-9674b.patch
+# fix regression from CVE-2014-9671 fix
+#
https://bugzilla.redhat.com/show_bug.cgi?id=1195652
+Patch118: freetype-2.5.3-pcf-read-a.patch
+Patch119: freetype-2.5.3-pcf-read-b.patch
+
Provides: freetype-bytecode
Provides: freetype-subpixel
@@ -98,6 +103,9 @@
%patch116 -p1 -b .unsigned-long
%patch117 -p1 -b .CVE-2014-9674b
+%patch118 -p1 -b .pcf-read-a
+%patch119 -p1 -b .pcf-read-b
+
%build
%configure --disable-static
@@ -136,6 +144,11 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Tue Feb 24 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.3-5
+- Add freetype-2.5.3-pcf-read-a.patch and freetype-2.5.3-pcf-read-b.patch ("Work
+ around behaviour of X11's `pcfWriteFont' and `pcfReadFont' functions")
from
+ Fedora freetype, fixes regression from CVE-2014-9671 fix (rh#1195652)
+
* Wed Feb 18 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.5.3-4
- Add freetype-2.5.3-CVE-2014-9656.patch from Fedora freetype (rh#1191099)
(Check `p' before `num_glyphs'.)