commit 146f3ff89661dec3b9b3156276c69a55296ef7fd
Author: Kevin Kofler <kevin.kofler(a)chello.at>
Date: Sat Mar 11 15:40:47 2017 +0100
Add CVE-2016-10244 fix from Fedora freetype (rh#1429965)
* Sat Mar 11 2017 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.6.5-2
- Add CVE-2016-10244 (heap buffer overflow, rh#1429965) fix from Fedora freetype
freetype-2.6.5-heap-buffer-overflow.patch | 29 +++++++++++++++++++++++++++++
freetype-freeworld.spec | 10 ++++++++--
2 files changed, 37 insertions(+), 2 deletions(-)
---
diff --git a/freetype-2.6.5-heap-buffer-overflow.patch
b/freetype-2.6.5-heap-buffer-overflow.patch
new file mode 100644
index 0000000..e7c7264
--- /dev/null
+++ b/freetype-2.6.5-heap-buffer-overflow.patch
@@ -0,0 +1,29 @@
+From a660e3de422731b94d4a134d27555430cbb6fb39 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl(a)gnu.org>
+Date: Fri, 26 Aug 2016 00:23:27 +0200
+Subject: [type1] Fix heap buffer overflow.
+
+Reported as
+
+
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36
+
+* src/type1/t1load.c (parse_charstrings): Reject fonts that don't
+contain glyph names.
+
+diff --git a/src/type1/t1load.c b/src/type1/t1load.c
+index c981adc..f8bf313 100644
+--- a/src/type1/t1load.c
++++ b/src/type1/t1load.c
+@@ -1776,6 +1776,12 @@
+ }
+ }
+
++ if ( !n )
++ {
++ error = FT_THROW( Invalid_File_Format );
++ goto Fail;
++ }
++
+ loader->num_glyphs = n;
+
+ /* if /.notdef is found but does not occupy index 0, do our magic. */
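Review bot: the new `if ( !n )` guard jumps to a `Fail` label that lies outside this hunk; before applying, confirm that in 2.6.5's parse_charstrings the cleanup at `Fail:` does not touch anything sized from `n` or `loader->num_glyphs`, since the guard fires before `loader->num_glyphs = n` is assigned. The check itself is the right shape: a font whose charstrings loop yields no glyph names now fails with `Invalid_File_Format` instead of continuing with `num_glyphs == 0`, which is the case the upstream subject line ties to the heap buffer overflow. Minor: the embedded patch header names the upstream commit (a660e3de...) but not the CVE id; adding `CVE-2016-10244` to the description in the patch file would make it self-describing when it is copied between spec repos.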
diff --git a/freetype-freeworld.spec b/freetype-freeworld.spec
index f90db2b..1bed447 100644
--- a/freetype-freeworld.spec
+++ b/freetype-freeworld.spec
@@ -1,7 +1,7 @@
Summary: A free and portable font rendering engine
Name: freetype-freeworld
Version: 2.6.5
-Release: 1%{?dist}
+Release: 2%{?dist}
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
URL:
http://www.freetype.org
Source:
http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.ta...
@@ -12,7 +12,8 @@ Patch21: freetype-2.3.0-enable-spr.patch
Patch46: freetype-2.2.1-enable-valid.patch
## Security fixes:
-# none needed yet
+#
https://bugzilla.redhat.com/show_bug.cgi?id=1429965
+Patch94: freetype-2.6.5-heap-buffer-overflow.patch
Provides: freetype-bytecode
Provides: freetype-subpixel
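Review bot: the comment above Patch94 references only the Red Hat bugzilla URL; add the CVE id and the upstream FreeType commit next to it, e.g. `# CVE-2016-10244, upstream commit a660e3de422731b94d4a134d27555430cbb6fb39`, so that on the next rebase it is easy to check whether the newer tarball already carries the fix and Patch94 can be dropped.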
@@ -42,6 +43,8 @@ It transparently overrides the system library using ld.so.conf.d.
%patch46 -p1 -b .enable-valid
+%patch94 -p1 -b .heap-buffer-overflow
+
%build
%configure --disable-static \
@@ -85,6 +88,9 @@ echo "%{_libdir}/%{name}" \
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Sat Mar 11 2017 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.6.5-2
+- Add CVE-2016-10244 (heap buffer overflow, rh#1429965) fix from Fedora freetype
+
* Sun Nov 13 2016 Kevin Kofler <Kevin(a)tigcc.ticalc.org> 2.6.5-1
- Update to 2.6.5 (matches Fedora freetype, rh#1355743)