Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/F-17
In directory se02.es.rpmfusion.net:/tmp/cvs-serv28535/F-17
Modified Files:
freetype-freeworld.spec
Added Files:
freetype-2.4.8-CVE-2012-1126.patch
freetype-2.4.8-CVE-2012-1127.patch
freetype-2.4.8-CVE-2012-1128.patch
freetype-2.4.8-CVE-2012-1130.patch
freetype-2.4.8-CVE-2012-1131.patch
freetype-2.4.8-CVE-2012-1132.patch
freetype-2.4.8-CVE-2012-1133.patch
freetype-2.4.8-CVE-2012-1134.patch
freetype-2.4.8-CVE-2012-1135.patch
freetype-2.4.8-CVE-2012-1136.patch
freetype-2.4.8-CVE-2012-1137.patch
freetype-2.4.8-CVE-2012-1138.patch
freetype-2.4.8-CVE-2012-1139.patch
freetype-2.4.8-CVE-2012-1140.patch
freetype-2.4.8-CVE-2012-1141.patch
freetype-2.4.8-CVE-2012-1142.patch
freetype-2.4.8-CVE-2012-1143.patch
freetype-2.4.8-CVE-2012-1144.patch
freetype-2.4.8-bdf-overflow.patch
Log Message:
* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.8-3
- Add security patches from Fedora freetype-2.4.8-3 (rh#806270)
freetype-2.4.8-CVE-2012-1126.patch:
bdflib.c | 5 +++--
1 file changed, 3 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1126.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1,6 +1,6 @@
/*
* Copyright 2000 Computing Research Labs, New Mexico State University
- * Copyright 2001-2011
+ * Copyright 2001-2012
* Francesco Zappa Nardelli
*
* Permission is hereby granted, free of charge, to any person obtaining a
@@ -1254,7 +1254,8 @@
ep = line + linelen;
/* Trim the leading whitespace if it exists. */
- *sp++ = 0;
+ if ( *sp )
+ *sp++ = 0;
while ( *sp &&
( *sp == ' ' || *sp == '\t' ) )
sp++;
freetype-2.4.8-CVE-2012-1127.patch:
bdflib.c | 16 +++++++++++++++-
1 file changed, 15 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1127.patch ---
--- a/src/bdf/bdflib.c 2012-03-30 13:06:25.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-30 13:08:00.000000000 +0200
@@ -1098,6 +1098,7 @@
#define ACMSG13 "Glyph %ld extra rows removed.\n"
#define ACMSG14 "Glyph %ld extra columns removed.\n"
#define ACMSG15 "Incorrect glyph count: %ld indicated but %ld found.\n"
+#define ACMSG16 "Glyph %ld missing columns padded with zero bits.\n"
/* Error messages. */
#define ERRMSG1 "[line %ld] Missing \"%s\" line.\n"
@@ -1703,18 +1704,31 @@
for ( i = 0; i < nibbles; i++ )
{
c = line[i];
+ if ( !c )
+ break;
*bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] );
if ( i + 1 < nibbles && ( i & 1 ) )
*++bp = 0;
}
+ /* If any line has not enough columns, */
+ /* indicate they have been padded with zero bits. */
+ if ( i < nibbles &&
+ !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
+ {
+ FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG16, glyph->encoding ));
+ p->flags |= _BDF_GLYPH_WIDTH_CHECK;
+ font->modified = 1;
+ }
+
/* Remove possible garbage at the right. */
mask_index = ( glyph->bbx.width * p->font->bpp ) & 7;
if ( glyph->bbx.width )
*bp &= nibble_mask[mask_index];
/* If any line has extra columns, indicate they have been removed. */
- if ( ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
+ if ( i == nibbles &&
+ ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
!( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
{
FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding ));
freetype-2.4.8-CVE-2012-1128.patch:
ttinterp.c | 21 ++++++---------------
1 file changed, 6 insertions(+), 15 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1128.patch ---
--- a/src/truetype/ttinterp.c 2011-01-31 21:45:29.000000000 +0100
+++ b/src/truetype/ttinterp.c 2012-03-28 13:07:28.000000000 +0200
@@ -5788,7 +5788,7 @@
FT_F26Dot6 dx,
dy;
- FT_UShort last_point, i;
+ FT_UShort limit, i;
if ( BOUNDS( args[0], 2 ) )
@@ -5805,24 +5805,15 @@
/* Twilight zone has no contours, so use `n_points'. */
/* Normal zone's `n_points' includes phantoms, so must */
/* use end of last contour. */
- if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
- last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
+ if ( CUR.GS.gep2 == 0 )
+ limit = (FT_UShort)CUR.zp2.n_points;
else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
- {
- last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
-
- if ( BOUNDS( last_point, CUR.zp2.n_points ) )
- {
- if ( CUR.pedantic_hinting )
- CUR.error = TT_Err_Invalid_Reference;
- return;
- }
- }
+ limit = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] + 1 );
else
- last_point = 0;
+ limit = 0;
/* XXX: UNDOCUMENTED! SHZ doesn't touch the points */
- for ( i = 0; i <= last_point; i++ )
+ for ( i = 0; i < limit; i++ )
{
if ( zp.cur != CUR.zp2.cur || refp != i )
MOVE_Zp2_Point( i, dx, dy, FALSE );
freetype-2.4.8-CVE-2012-1130.patch:
pcfread.c | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1130.patch ---
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -2,8 +2,7 @@
FreeType font driver for pcf fonts
- Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
- 2010 by
+ Copyright 2000-2010, 2012 by
Francesco Zappa Nardelli
Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -496,7 +495,8 @@ THE SOFTWARE.
goto Bail;
}
- if ( FT_NEW_ARRAY( strings, string_size ) )
+ /* allocate one more byte so that we have a final null byte */
+ if ( FT_NEW_ARRAY( strings, string_size + 1 ) )
goto Bail;
error = FT_Stream_Read( stream, (FT_Byte*)strings, string_size );
freetype-2.4.8-CVE-2012-1131.patch:
ftsmooth.c | 12 ++++++------
1 file changed, 6 insertions(+), 6 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1131.patch ---
--- a/src/smooth/ftsmooth.c
+++ b/src/smooth/ftsmooth.c
@@ -4,7 +4,7 @@
/* */
/* Anti-aliasing renderer interface (body). */
/* */
-/* Copyright 2000-2006, 2009-2011 by */
+/* Copyright 2000-2006, 2009-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -105,9 +105,9 @@
FT_Error error;
FT_Outline* outline = NULL;
FT_BBox cbox;
- FT_UInt width, height, pitch;
+ FT_Pos width, height, pitch;
#ifndef FT_CONFIG_OPTION_SUBPIXEL_RENDERING
- FT_UInt height_org, width_org;
+ FT_Pos height_org, width_org;
#endif
FT_Bitmap* bitmap;
FT_Memory memory;
@@ -151,7 +151,7 @@
return Smooth_Err_Raster_Overflow;
}
else
- width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
+ width = ( cbox.xMax - cbox.xMin ) >> 6;
if ( cbox.yMin < 0 && cbox.yMax > FT_INT_MAX + cbox.yMin )
{
@@ -161,7 +161,7 @@
return Smooth_Err_Raster_Overflow;
}
else
- height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
+ height = ( cbox.yMax - cbox.yMin ) >> 6;
bitmap = &slot->bitmap;
memory = render->root.memory;
@@ -223,7 +223,7 @@
/* Required check is ( pitch * height < FT_ULONG_MAX ), */
/* but we care realistic cases only. Always pitch <= width. */
- if ( width > 0x7FFFU || height > 0x7FFFU )
+ if ( width > 0x7FFF || height > 0x7FFF )
{
FT_ERROR(( "ft_smooth_render_generic: glyph too large: %u x %u\n",
width, height ));
freetype-2.4.8-CVE-2012-1132.patch:
psaux/psobjs.c | 4 ++--
type1/t1load.c | 39 ++++++++++++++++++++++++++-------------
2 files changed, 28 insertions(+), 15 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1132.patch ---
--- freetype-2.4.8/src/psaux/psobjs.c 2011-04-13 13:34:22.000000000 +0200
+++ freetype-2.4.8/src/psaux/psobjs.c 2012-03-30 14:35:25.000000000 +0200
@@ -4,7 +4,7 @@
/* */
/* Auxiliary functions for PostScript fonts (body). */
/* */
-/* Copyright 1996-2011 by */
+/* Copyright 1996-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -589,7 +589,7 @@
}
Exit:
- if ( cur == parser->cursor )
+ if ( cur < limit && cur == parser->cursor )
{
FT_ERROR(( "ps_parser_skip_PS_token:"
" current token is `%c' which is self-delimiting\n"
--- freetype-2.4.8/src/type1/t1load.c 2011-09-27 14:34:40.000000000 +0200
+++ freetype-2.4.8/src/type1/t1load.c 2012-03-30 14:35:57.000000000 +0200
@@ -71,6 +71,13 @@
#include "t1errors.h"
+#ifdef FT_CONFIG_OPTION_INCREMENTAL
+#define IS_INCREMENTAL ( face->root.internal->incremental_interface != 0 )
+#else
+#define IS_INCREMENTAL 0
+#endif
+
+
/*************************************************************************/
/* */
/* The macro FT_COMPONENT is used in trace mode. It is an implicit */
@@ -1030,7 +1037,8 @@
static int
read_binary_data( T1_Parser parser,
FT_Long* size,
- FT_Byte** base )
+ FT_Byte** base,
+ FT_Bool incremental )
{
FT_Byte* cur;
FT_Byte* limit = parser->root.limit;
@@ -1065,8 +1073,12 @@
}
}
- FT_ERROR(( "read_binary_data: invalid size field\n" ));
- parser->root.error = T1_Err_Invalid_File_Format;
+ if( !incremental )
+ {
+ FT_ERROR(( "read_binary_data: invalid size field\n" ));
+ parser->root.error = T1_Err_Invalid_File_Format;
+ }
+
return 0;
}
@@ -1387,15 +1399,17 @@
FT_Byte* base;
- /* If the next token isn't `dup' we are done. */
- if ( ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
+ /* If we are out of data, or if the next token isn't `dup', */
+ /* we are done. */
+ if ( parser->root.cursor + 4 >= parser->root.limit ||
+ ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
break;
T1_Skip_PS_Token( parser ); /* `dup' */
idx = T1_ToInt( parser );
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* The binary string is followed by one token, e.g. `NP' */
@@ -1407,7 +1421,8 @@
return;
T1_Skip_Spaces ( parser );
- if ( ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )
+ if ( parser->root.cursor + 4 < parser->root.limit &&
+ ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )
{
T1_Skip_PS_Token( parser ); /* skip `put' */
T1_Skip_Spaces ( parser );
@@ -1580,7 +1595,7 @@
cur++; /* skip `/' */
len = parser->root.cursor - cur;
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* for some non-standard fonts like `Optima' which provides */
@@ -1869,7 +1884,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -1882,7 +1897,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -2158,9 +2173,7 @@
type1->subrs_len = loader.subrs.lengths;
}
-#ifdef FT_CONFIG_OPTION_INCREMENTAL
- if ( !face->root.internal->incremental_interface )
-#endif
+ if ( !IS_INCREMENTAL )
if ( !loader.charstrings.init )
{
FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" ));
freetype-2.4.8-CVE-2012-1133.patch:
bdflib.c | 5 +++++
1 file changed, 5 insertions(+)
--- NEW FILE freetype-2.4.8-CVE-2012-1133.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:08:54.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:12:00.000000000 +0200
@@ -1587,6 +1587,11 @@
p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 );
+ /* Normalize negative encoding values. The specification only */
+ /* allows -1, but we can be more generous here. */
+ if ( p->glyph_enc < -1 )
+ p->glyph_enc = -1;
+
/* Check that the encoding is in the range [0,65536] because */
/* otherwise p->have (a bitmap with static size) overflows. */
if ( p->glyph_enc > 0 &&
freetype-2.4.8-CVE-2012-1134.patch:
t1parse.c | 10 +++++++++-
1 file changed, 9 insertions(+), 1 deletion(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1134.patch ---
--- a/src/type1/t1parse.c
+++ b/src/type1/t1parse.c
@@ -4,7 +4,7 @@
/* */
/* Type 1 parser (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008, 2009 by */
+/* Copyright 1996-2005, 2008, 2009, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -467,6 +467,14 @@
/* we now decrypt the encoded binary private dictionary */
psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U );
+ if ( parser->private_len < 4 )
+ {
+ FT_ERROR(( "T1_Get_Private_Dict:"
+ " invalid private dictionary section\n" ));
+ error = T1_Err_Invalid_File_Format;
+ goto Fail;
+ }
+
/* replace the four random bytes at the beginning with whitespace */
parser->private_dict[0] = ' ';
parser->private_dict[1] = ' ';
freetype-2.4.8-CVE-2012-1135.patch:
ttinterp.c | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1135.patch ---
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -4477,7 +4477,7 @@
CUR.length = opcode_length[CUR.opcode];
if ( CUR.length < 0 )
{
- if ( CUR.IP + 1 > CUR.codeSize )
+ if ( CUR.IP + 1 >= CUR.codeSize )
goto Fail_Overflow;
CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
}
@@ -7544,7 +7544,7 @@
if ( ( CUR.length = opcode_length[CUR.opcode] ) < 0 )
{
- if ( CUR.IP + 1 > CUR.codeSize )
+ if ( CUR.IP + 1 >= CUR.codeSize )
goto LErrorCodeOverflow_;
CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
freetype-2.4.8-CVE-2012-1136.patch:
bdflib.c | 19 +++++++++++++------
1 file changed, 13 insertions(+), 6 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1136.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:13:24.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:15:33.000000000 +0200
@@ -1749,12 +1749,7 @@
if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 )
{
if ( !( p->flags & _BDF_ENCODING ) )
- {
- /* Missing ENCODING field. */
- FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING"
));
- error = BDF_Err_Missing_Encoding_Field;
- goto Exit;
- }
+ goto Missing_Encoding;
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
@@ -1769,6 +1764,9 @@
/* Expect the DWIDTH (scalable width) field next. */
if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 )
{
+ if ( !( p->flags & _BDF_ENCODING ) )
+ goto Missing_Encoding;
+
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
goto Exit;
@@ -1794,6 +1792,9 @@
/* Expect the BBX field next. */
if ( ft_memcmp( line, "BBX", 3 ) == 0 )
{
+ if ( !( p->flags & _BDF_ENCODING ) )
+ goto Missing_Encoding;
+
error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
if ( error )
goto Exit;
@@ -1893,6 +1894,12 @@
}
error = BDF_Err_Invalid_File_Format;
+ goto Exit;
+
+ Missing_Encoding:
+ /* Missing ENCODING field. */
+ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" ));
+ error = BDF_Err_Missing_Encoding_Field;
Exit:
if ( error && ( p->flags & _BDF_GLYPH ) )
freetype-2.4.8-CVE-2012-1137.patch:
bdflib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1137.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -462,7 +462,7 @@
if ( num_items > list->size )
{
unsigned long oldsize = list->size; /* same as _bdf_list_t.size */
- unsigned long newsize = oldsize + ( oldsize >> 1 ) + 4;
+ unsigned long newsize = oldsize + ( oldsize >> 1 ) + 5;
unsigned long bigsize = (unsigned long)( FT_INT_MAX / sizeof ( char* ) );
FT_Memory memory = list->memory;
freetype-2.4.8-CVE-2012-1138.patch:
ttinterp.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1138.patch ---
--- a/src/truetype/ttinterp.c
+++ b/src/truetype/ttinterp.c
@@ -6264,7 +6264,7 @@
CUR.zp1.org[point].y = CUR.zp0.org[CUR.GS.rp0].y +
TT_MulFix14( (FT_UInt32)cvt_dist,
CUR.GS.freeVector.y );
- CUR.zp1.cur[point] = CUR.zp0.cur[point];
+ CUR.zp1.cur[point] = CUR.zp1.org[point];
}
org_dist = CUR_Func_dualproj( &CUR.zp1.org[point],
freetype-2.4.8-CVE-2012-1139.patch:
bdflib.c | 10 +++++-----
1 file changed, 5 insertions(+), 5 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1139.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:24:22.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:24:22.000000000 +0200
@@ -791,7 +791,7 @@
};
-#define isdigok( m, d ) (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
+#define isdigok( m, d ) (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) &
7 ) ) )
/* Routine to convert an ASCII string into an unsigned long integer. */
@@ -1709,7 +1709,7 @@
for ( i = 0; i < nibbles; i++ )
{
c = line[i];
- if ( !c )
+ if ( !isdigok( hdigits, c ) )
break;
*bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] );
if ( i + 1 < nibbles && ( i & 1 ) )
@@ -1732,9 +1732,9 @@
*bp &= nibble_mask[mask_index];
/* If any line has extra columns, indicate they have been removed. */
- if ( i == nibbles &&
- ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
- !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
+ if ( i == nibbles &&
+ isdigok( hdigits, line[nibbles] ) &&
+ !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
{
FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding ));
p->flags |= _BDF_GLYPH_WIDTH_CHECK;
freetype-2.4.8-CVE-2012-1140.patch:
psconv.c | 16 ++++++++++++----
1 file changed, 12 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1140.patch ---
--- a/src/psaux/psconv.c
+++ b/src/psaux/psconv.c
@@ -4,7 +4,7 @@
/* */
/* Some convenience conversions (body). */
/* */
-/* Copyright 2006, 2008, 2009 by */
+/* Copyright 2006, 2008, 2009, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -79,7 +79,7 @@
FT_Bool sign = 0;
- if ( p == limit || base < 2 || base > 36 )
+ if ( p >= limit || base < 2 || base > 36 )
return 0;
if ( *p == '-' || *p == '+' )
@@ -150,7 +150,7 @@
FT_Bool sign = 0;
- if ( p == limit )
+ if ( p >= limit )
return 0;
if ( *p == '-' || *p == '+' )
@@ -346,7 +346,11 @@
#if 1
- p = *cursor;
+ p = *cursor;
+
+ if ( p >= limit )
+ return 0;
+
if ( n > (FT_UInt)( limit - p ) )
n = (FT_UInt)( limit - p );
@@ -434,6 +438,10 @@
#if 1
p = *cursor;
+
+ if ( p >= limit )
+ return 0;
+
if ( n > (FT_UInt)(limit - p) )
n = (FT_UInt)(limit - p);
freetype-2.4.8-CVE-2012-1141.patch:
bdflib.c | 8 ++++++++
1 file changed, 8 insertions(+)
--- NEW FILE freetype-2.4.8-CVE-2012-1141.patch ---
--- a/src/bdf/bdflib.c 2012-03-28 13:25:37.000000000 +0200
+++ b/src/bdf/bdflib.c 2012-03-28 13:25:37.000000000 +0200
@@ -521,6 +521,14 @@
/* Initialize the list. */
list->used = 0;
+ if ( list->size )
+ {
+ list->field[0] = (char*)empty;
+ list->field[1] = (char*)empty;
+ list->field[2] = (char*)empty;
+ list->field[3] = (char*)empty;
+ list->field[4] = (char*)empty;
+ }
/* If the line is empty, then simply return. */
if ( linelen == 0 || line[0] == 0 )
freetype-2.4.8-CVE-2012-1142.patch:
winfnt.c | 11 +++++++++--
1 file changed, 9 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1142.patch ---
--- a/src/winfonts/winfnt.c 2010-09-11 08:06:45.000000000 +0200
+++ b/src/winfonts/winfnt.c 2012-03-28 13:21:18.000000000 +0200
@@ -4,7 +4,7 @@
/* */
/* FreeType font driver for Windows FNT/FON files */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2006, 2007, 2008, 2009, 2010 by */
+/* Copyright 1996-2004, 2006-2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* Copyright 2003 Huw D M Davies for Codeweavers */
/* Copyright 2007 Dmitry Timoshkov for Codeweavers */
@@ -827,7 +827,14 @@
root->charmap = root->charmaps[0];
}
- /* setup remaining flags */
+ /* set up remaining flags */
+
+ if ( font->header.last_char < font->header.first_char )
+ {
+ FT_TRACE2(( "invalid number of glyphs\n" ));
+ error = FNT_Err_Invalid_File_Format;
+ goto Fail;
+ }
/* reserve one slot for the .notdef glyph at index 0 */
root->num_glyphs = font->header.last_char -
freetype-2.4.8-CVE-2012-1143.patch:
ftcalc.c | 17 +++++++++--------
1 file changed, 9 insertions(+), 8 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1143.patch ---
--- a/src/base/ftcalc.c
+++ b/src/base/ftcalc.c
@@ -4,7 +4,7 @@
/* */
/* Arithmetic computations (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2008 by */
+/* Copyright 1996-2006, 2008, 2012 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -307,7 +307,7 @@
q <<= 1;
r |= lo >> 31;
- if ( r >= (FT_UInt32)y )
+ if ( r >= y )
{
r -= y;
q |= 1;
@@ -373,7 +373,7 @@
if ( a <= 46340L && b <= 46340L && c <= 176095L && c
> 0 )
a = ( a * b + ( c >> 1 ) ) / c;
- else if ( c > 0 )
+ else if ( (FT_Int32)c > 0 )
{
FT_Int64 temp, temp2;
@@ -412,7 +412,7 @@
if ( a <= 46340L && b <= 46340L && c > 0 )
a = a * b / c;
- else if ( c > 0 )
+ else if ( (FT_Int32)c > 0 )
{
FT_Int64 temp;
@@ -544,7 +544,7 @@
s = (FT_Int32)a; a = FT_ABS( a );
s ^= (FT_Int32)b; b = FT_ABS( b );
- if ( b == 0 )
+ if ( (FT_UInt32)b == 0 )
{
/* check for division by 0 */
q = (FT_UInt32)0x7FFFFFFFL;
@@ -552,15 +552,16 @@
else if ( ( a >> 16 ) == 0 )
{
/* compute result directly */
- q = (FT_UInt32)( (a << 16) + (b >> 1) ) / (FT_UInt32)b;
+ q = (FT_UInt32)( ( a << 16 ) + ( b >> 1 ) ) / (FT_UInt32)b;
}
else
{
/* we need more bits; we have to do it by hand */
FT_Int64 temp, temp2;
- temp.hi = (FT_Int32) (a >> 16);
- temp.lo = (FT_UInt32)(a << 16);
+
+ temp.hi = (FT_Int32) ( a >> 16 );
+ temp.lo = (FT_UInt32)( a << 16 );
temp2.hi = 0;
temp2.lo = (FT_UInt32)( b >> 1 );
FT_Add64( &temp, &temp2, &temp );
freetype-2.4.8-CVE-2012-1144.patch:
ttgload.c | 7 +++++--
1 file changed, 5 insertions(+), 2 deletions(-)
--- NEW FILE freetype-2.4.8-CVE-2012-1144.patch ---
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -362,14 +362,17 @@
if ( n_contours >= 0xFFF || p + ( n_contours + 1 ) * 2 > limit )
goto Invalid_Outline;
- prev_cont = FT_NEXT_USHORT( p );
+ prev_cont = FT_NEXT_SHORT( p );
if ( n_contours > 0 )
cont[0] = prev_cont;
+ if ( prev_cont < 0 )
+ goto Invalid_Outline;
+
for ( cont++; cont < cont_limit; cont++ )
{
- cont[0] = FT_NEXT_USHORT( p );
+ cont[0] = FT_NEXT_SHORT( p );
if ( cont[0] <= prev_cont )
{
/* unordered contours: this is invalid */
freetype-2.4.8-bdf-overflow.patch:
bdflib.c | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- NEW FILE freetype-2.4.8-bdf-overflow.patch ---
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -1912,7 +1912,7 @@
glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
bitmap_size = glyph->bpr * glyph->bbx.height;
- if ( bitmap_size > 0xFFFFU )
+ if ( glyph->bpr > 0xFFFFU || bitmap_size > 0xFFFFU )
{
FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
error = BDF_Err_Bbx_Too_Big;
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-17/freetype-freeworld.spec,v
retrieving revision 1.23
retrieving revision 1.24
diff -u -r1.23 -r1.24
--- freetype-freeworld.spec 23 Nov 2011 15:59:05 -0000 1.23
+++ freetype-freeworld.spec 2 Apr 2012 00:32:55 -0000 1.24
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.4.8
-Release: 2%{?dist}
+Release: 3%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL:
http://www.freetype.org
@@ -12,6 +12,27 @@
# Enable otvalid and gxvalid modules
Patch46: freetype-2.2.1-enable-valid.patch
+# Security patches
+Patch89: freetype-2.4.8-CVE-2012-1126.patch
+Patch90: freetype-2.4.8-CVE-2012-1127.patch
+Patch91: freetype-2.4.8-CVE-2012-1128.patch
+Patch92: freetype-2.4.8-CVE-2012-1130.patch
+Patch93: freetype-2.4.8-CVE-2012-1131.patch
+Patch94: freetype-2.4.8-CVE-2012-1132.patch
+Patch95: freetype-2.4.8-CVE-2012-1133.patch
+Patch96: freetype-2.4.8-CVE-2012-1134.patch
+Patch97: freetype-2.4.8-CVE-2012-1135.patch
+Patch98: freetype-2.4.8-CVE-2012-1136.patch
+Patch99: freetype-2.4.8-CVE-2012-1137.patch
+Patch100: freetype-2.4.8-CVE-2012-1138.patch
+Patch101: freetype-2.4.8-CVE-2012-1139.patch
+Patch102: freetype-2.4.8-CVE-2012-1140.patch
+Patch103: freetype-2.4.8-CVE-2012-1141.patch
+Patch104: freetype-2.4.8-CVE-2012-1142.patch
+Patch105: freetype-2.4.8-CVE-2012-1143.patch
+Patch106: freetype-2.4.8-CVE-2012-1144.patch
+Patch107: freetype-2.4.8-bdf-overflow.patch
+
BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
Provides: freetype-bytecode
@@ -39,6 +60,26 @@
%patch46 -p1 -b .enable-valid
+%patch89 -p1 -b .CVE-2012-1126
+%patch90 -p1 -b .CVE-2012-1127
+%patch91 -p1 -b .CVE-2012-1128
+%patch92 -p1 -b .CVE-2012-1130
+%patch93 -p1 -b .CVE-2012-1131
+%patch94 -p1 -b .CVE-2012-1132
+%patch95 -p1 -b .CVE-2012-1133
+%patch96 -p1 -b .CVE-2012-1134
+%patch97 -p1 -b .CVE-2012-1135
+%patch98 -p1 -b .CVE-2012-1136
+%patch99 -p1 -b .CVE-2012-1137
+%patch100 -p1 -b .CVE-2012-1138
+%patch101 -p1 -b .CVE-2012-1139
+%patch102 -p1 -b .CVE-2012-1140
+%patch103 -p1 -b .CVE-2012-1141
+%patch104 -p1 -b .CVE-2012-1142
+%patch105 -p1 -b .CVE-2012-1143
+%patch106 -p1 -b .CVE-2012-1144
+%patch107 -p1 -b .bdf-overflow
+
%build
%configure --disable-static
@@ -82,6 +123,9 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.8-3
+- Add security patches from Fedora freetype-2.4.8-3 (rh#806270)
+
* Wed Nov 23 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.8-2
- Rebuild for #2031