Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/F-15
In directory se02.es.rpmfusion.net:/tmp/cvs-serv25039/F-15
Modified Files:
freetype-freeworld.spec
Added Files:
freetype-2.4.4-CVE-2011-3439.patch
Log Message:
* Thu Nov 17 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.4-6
- Add freetype-2.4.4-CVE-2011-3439.patch from Fedora freetype (rh#753837)
freetype-2.4.4-CVE-2011-3439.patch:
cidload.c | 26 ++++++++++++++++++++++----
1 file changed, 22 insertions(+), 4 deletions(-)
--- NEW FILE freetype-2.4.4-CVE-2011-3439.patch ---
--- freetype-2.4.4/src/cid/cidload.c 2009-07-03 15:28:24.000000000 +0200
+++ freetype-2.4.4/src/cid/cidload.c 2011-11-15 17:25:38.000000000 +0100
@@ -4,7 +4,7 @@
/* */
/* CID-keyed Type1 font loader (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2009 by */
+/* Copyright 1996-2006, 2009, 2011 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -110,7 +110,7 @@
CID_FaceDict dict;
- if ( parser->num_dict < 0 )
+ if ( parser->num_dict < 0 || parser->num_dict >= cid->num_dicts )
{
FT_ERROR(( "cid_load_keyword: invalid use of `%s'\n",
keyword->ident ));
@@ -158,7 +158,7 @@
FT_Fixed temp_scale;
- if ( parser->num_dict >= 0 )
+ if ( parser->num_dict >= 0 && parser->num_dict <
face->cid.num_dicts )
{
dict = face->cid.font_dicts + parser->num_dict;
matrix = &dict->font_matrix;
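Review bot: An out-of-range `parser->num_dict` is now skipped silently at this `if`: the new upper-bound test only bypasses the block, and nothing in the hunk logs the condition or sets a status, whereas the same condition in the cid_load_keyword hunk above is reported through `FT_ERROR`. The hunk at -249 has the same shape. Since the index is presumably derived from font data, a malformed font would be accepted here without any trace, which makes such files harder to spot when triaging. I would add a trace in an `else` branch, or at least a comment such as `/* ignore entries whose dictionary index lies outside font_dicts */`. The function body continues outside the hunk, so the return status cannot be confirmed from here.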
@@ -249,7 +249,7 @@
CID_FaceDict dict;
- if ( parser->num_dict >= 0 )
+ if ( parser->num_dict >= 0 && parser->num_dict <
face->cid.num_dicts )
{
dict = face->cid.font_dicts + parser->num_dict;
@@ -413,12 +413,25 @@
FT_Byte* p;
+ /* Check for possible overflow. */
+ if ( num_subrs == FT_UINT_MAX )
+ {
+ error = CID_Err_Syntax_Error;
+ goto Fail;
+ }
+
/* reallocate offsets array if needed */
if ( num_subrs + 1 > max_offsets )
{
FT_UInt new_max = FT_PAD_CEIL( num_subrs + 1, 4 );
+ if ( new_max <= max_offsets )
+ {
+ error = CID_Err_Syntax_Error;
+ goto Fail;
+ }
+
if ( FT_RENEW_ARRAY( offsets, max_offsets, new_max ) )
goto Fail;
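Review bot: The second added guard, `if ( new_max <= max_offsets )`, carries no comment, and the first one's `/* Check for possible overflow. */` does not say which expression overflows. As written, the first check protects `num_subrs + 1` and the second presumably catches `FT_PAD_CEIL` wrapping around for values close to `FT_UINT_MAX`, since inside this branch `new_max` can only fail to exceed `max_offsets` after a wrap. I would spell that out, e.g. `/* num_subrs + 1 must not wrap to 0 */` and `/* FT_PAD_CEIL wrapped; the array would not grow */`, so a later refactor does not drop either check as redundant. The enclosing function starts and ends outside the hunk.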
@@ -436,6 +449,11 @@
FT_FRAME_EXIT();
+ /* offsets must be ordered */
+ for ( count = 1; count <= num_subrs; count++ )
+ if ( offsets[count - 1] > offsets[count] )
+ goto Fail;
+
/* now, compute the size of subrs charstrings, */
/* allocate, and read them */
data_len = offsets[num_subrs] - offsets[0];
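Review bot: The ordering check in the added loop jumps to `Fail` without assigning `error`, unlike the two checks added in the previous hunk, which set `error = CID_Err_Syntax_Error` first. If `error` is still zero at this point (the preceding frame read is outside the hunk, but reaching `FT_FRAME_EXIT()` suggests it succeeded), the function would take the failure path while reporting success to its caller for a font with unordered offsets. I would make the body `{ error = CID_Err_Syntax_Error; goto Fail; }` and brace the `for` as well. The check also only establishes ordering; whether `data_len` is bounded against the stream size is decided by code outside this hunk.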
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-15/freetype-freeworld.spec,v
retrieving revision 1.17
retrieving revision 1.18
diff -u -r1.17 -r1.18
--- freetype-freeworld.spec 23 Oct 2011 00:06:38 -0000 1.17
+++ freetype-freeworld.spec 17 Nov 2011 17:21:42 -0000 1.18
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.4.4
-Release: 5%{?dist}
+Release: 6%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL:
http://www.freetype.org
@@ -16,16 +16,18 @@
# Fall back to autohinting if a TTF/OTF doesn't contain any bytecode.
# Submitted by Kevin Kofler based on a patch from
infinality.net, edited and
# committed by Werner Lemberg.
-# Should be in the next upstream release.
+# Upstreamed in 2.4.5.
Patch50: freetype-2.4.4-auto-autohint.patch
# Fix the above autohinting fallback: Ignore CFF-based OTFs.
-# Should be in the next upstream release.
+# Upstreamed in 2.4.5.
Patch51: freetype-2.4.4-auto-autohint-fix.patch
# Security patches
Patch89: freetype-2.4.2-CVE-2010-3311.patch
+# patch numbers 90 and 91 reserved (Fedora freetype uses them for our 50 and 51)
Patch92: freetype-2.4.4-CVE-2011-0226.patch
Patch93: freetype-2.4.4-CVE-2011-3256.patch
+Patch94: freetype-2.4.4-CVE-2011-3439.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
@@ -60,6 +62,7 @@
%patch89 -p1 -b .CVE-2010-3311
%patch92 -p1 -b .CVE-2011-0226
%patch93 -p1 -b .CVE-2011-3256
+%patch94 -p1 -b .CVE-2011-3439
%build
@@ -104,8 +107,11 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Thu Nov 17 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.4-6
+- Add freetype-2.4.4-CVE-2011-3439.patch from Fedora freetype (rh#753837)
+
* Sun Oct 23 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.4-5
-- Add freetype-2.4.4-CVE-2011-3256.patch from Fedora freetype
+- Add freetype-2.4.4-CVE-2011-3256.patch from Fedora freetype (rh#749174)
(Handle some border cases)
* Mon Jul 25 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.4-4