Author: kkofler
Update of /cvs/free/rpms/freetype-freeworld/F-14
In directory se02.es.rpmfusion.net:/tmp/cvs-serv26534/F-14
Modified Files:
freetype-freeworld.spec
Added Files:
freetype-2.4.2-CVE-2011-3256.patch
Log Message:
* Sun Oct 23 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.2-7
- Add freetype-2.4.2-CVE-2011-3256.patch from Fedora freetype
(Handle some border cases)
freetype-2.4.2-CVE-2011-3256.patch:
base/ftbitmap.c | 6 +++++-
psaux/t1decode.c | 7 +++++++
raster/ftrend1.c | 10 +++++++++-
truetype/ttgxvar.c | 5 ++++-
4 files changed, 25 insertions(+), 3 deletions(-)
--- NEW FILE freetype-2.4.2-CVE-2011-3256.patch ---
--- freetype-2.4.2/src/base/ftbitmap.c 2009-07-31 18:45:18.000000000 +0200
+++ freetype-2.4.2/src/base/ftbitmap.c 2011-10-20 17:39:09.000000000 +0200
@@ -4,7 +4,7 @@
/* */
/* FreeType utility functions for bitmaps (body). */
/* */
-/* Copyright 2004, 2005, 2006, 2007, 2008, 2009 by */
+/* Copyright 2004-2009, 2011 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -417,6 +417,10 @@
target->pitch = source->width + pad;
+ if ( target->pitch > 0 &&
+ target->rows > FT_ULONG_MAX / target->pitch )
+ return FT_Err_Invalid_Argument;
+
if ( target->rows * target->pitch > old_size &&
FT_QREALLOC( target->buffer,
old_size, target->rows * target->pitch ) )
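Review bot: The added guard bounds `target->rows` by `FT_ULONG_MAX / target->pitch`, but the product it protects, `target->rows * target->pitch` on the lines that follow, is evaluated in the operands' own type. If `rows` and `pitch` are plain `int` here (their declarations are outside the hunk), that multiplication can overflow long before the `unsigned long` limit, and on an LP64 build the guard could never fire. Consider bounding by the type the multiplication uses, e.g. `target->rows > FT_INT_MAX / target->pitch`, or casting both operands to `FT_ULong` in the size expressions. The guard also skips the case `target->pitch <= 0`, so a non-positive `source->width + pad` still reaches the size computation. The enclosing function starts and ends outside the hunk.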
--- freetype-2.4.2/src/psaux/t1decode.c 2011-10-20 17:38:34.000000000 +0200
+++ freetype-2.4.2/src/psaux/t1decode.c 2011-10-20 17:39:09.000000000 +0200
@@ -754,6 +754,13 @@
if ( arg_cnt != 0 )
goto Unexpected_OtherSubr;
+ if ( decoder->flex_state == 0 )
+ {
+ FT_ERROR(( "t1_decoder_parse_charstrings:"
+ " missing flex start\n" ));
+ goto Syntax_Error;
+ }
+
/* note that we should not add a point for index 0; */
/* this will move our current position to the flex */
/* point without adding any point to the outline */
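Review bot: The new `decoder->flex_state == 0` test has no comment saying which invariant it enforces, and this is the check that keeps a malformed charstring from reaching the flex-point code without a flex having been opened. A short comment above it such as `/* a flex point is only valid after a flex has been started */` would tell a later reader that the check is a security guard and not an optional sanity test. Whether the other flex-related cases in this switch test `flex_state` in the same way cannot be seen from the hunk and is worth confirming, since the enclosing case starts and ends outside it.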
--- freetype-2.4.2/src/raster/ftrend1.c 2009-07-03 15:28:24.000000000 +0200
+++ freetype-2.4.2/src/raster/ftrend1.c 2011-10-20 17:39:32.000000000 +0200
@@ -4,7 +4,7 @@
/* */
/* The FreeType glyph rasterizer interface (body). */
/* */
-/* Copyright 1996-2001, 2002, 2003, 2005, 2006 by */
+/* Copyright 1996-2003, 2005, 2006, 2011 by */
/* David Turner, Robert Wilhelm, and Werner Lemberg. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -25,6 +25,7 @@
#include "rasterrs.h"
+#define FT_USHORT_MAX USHRT_MAX
/* initialize renderer -- init its raster */
static FT_Error
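Review bot: `#define FT_USHORT_MAX USHRT_MAX` is added unconditionally in this source file, so it relies on `<limits.h>` already being pulled in through the existing includes, and it will sit next to any definition a later FreeType header supplies. Writing it as `#ifndef FT_USHORT_MAX` / `#define FT_USHORT_MAX USHRT_MAX` / `#endif`, with a one-line comment that it is a backport shim, would keep the patch safe to carry across rebases of the packaged version.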
@@ -168,6 +169,13 @@
width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
+
+ if ( width > FT_USHORT_MAX || height > FT_USHORT_MAX )
+ {
+ error = Raster_Err_Invalid_Argument;
+ goto Exit;
+ }
+
bitmap = &slot->bitmap;
memory = render->root.memory;
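Review bot: The 16-bit limit on `width` and `height` is applied without a comment naming what later computation it protects, so a reader cannot tell whether `FT_USHORT_MAX` is a hard format limit or a conservative cap. Presumably it keeps the pitch and buffer-size arithmetic further down from overflowing; a comment such as `/* reject sizes that would overflow the bitmap size computation below */` (to be confirmed against the rest of the function) would record that. Both values come from casting a shifted signed difference to `FT_UInt`, so an inverted cbox wraps to a large value and is rejected here as well, which deserves a mention in the same comment. The function continues outside the hunk.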
--- freetype-2.4.2/src/truetype/ttgxvar.c 2011-10-20 17:38:34.000000000 +0200
+++ freetype-2.4.2/src/truetype/ttgxvar.c 2011-10-20 17:39:09.000000000 +0200
@@ -4,7 +4,7 @@
/* */
/* TrueType GX Font Variation loader */
/* */
-/* Copyright 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */
+/* Copyright 2004-2011 by */
/* David Turner, Robert Wilhelm, Werner Lemberg, and George Williams. */
/* */
/* This file is part of the FreeType project, and may only be used, */
@@ -1474,6 +1474,9 @@
{
for ( j = 0; j < point_count; ++j )
{
+ if ( localpoints[j] >= n_points )
+ continue;
+
delta_xy[localpoints[j]].x += FT_MulFix( deltas_x[j], apply );
delta_xy[localpoints[j]].y += FT_MulFix( deltas_y[j], apply );
}
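Review bot: The added `if ( localpoints[j] >= n_points ) continue;` drops out-of-range point indices silently, so a font with corrupt variation data is applied in part with no diagnostic. A trace line before the `continue` would make such fonts visible during debugging. A comment like `/* skip point indices outside the glyph; delta_xy is indexed by point number */` would state the assumption the bound rests on. That `delta_xy` really holds `n_points` entries is not visible in this hunk and should be checked at its allocation. Any sibling loop in this function that indexes by `localpoints[]` or a shared points array lies outside the hunk and needs the same bound.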
Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-14/freetype-freeworld.spec,v
retrieving revision 1.14
retrieving revision 1.15
diff -u -r1.14 -r1.15
--- freetype-freeworld.spec 25 Jul 2011 11:33:08 -0000 1.14
+++ freetype-freeworld.spec 23 Oct 2011 00:08:49 -0000 1.15
@@ -6,7 +6,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.4.2
-Release: 6%{?dist}
+Release: 7%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL:
http://www.freetype.org
@@ -32,6 +32,7 @@
Patch89: freetype-2.4.2-CVE-2010-3311.patch
Patch90: freetype-2.4.2-CVE-2010-3855.patch
Patch91: freetype-2.4.2-CVE-2011-0226.patch
+Patch92: freetype-2.4.2-CVE-2011-3256.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
@@ -77,6 +78,7 @@
%patch89 -p1 -b .CVE-2010-3311
%patch90 -p1 -b .CVE-2010-3855
%patch91 -p1 -b .CVE-2011-0226
+%patch92 -p1 -b .CVE-2011-3256
%build
@@ -121,6 +123,10 @@
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Sun Oct 23 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.2-7
+- Add freetype-2.4.2-CVE-2011-3256.patch from Fedora freetype
+ (Handle some border cases)
+
* Mon Jul 25 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.4.2-6
- Add freetype-2.4.2-CVE-2011-0226.patch from Fedora freetype (rh#723469)
(Add better argument check for `callothersubr'.)