Author: kkofler Update of /cvs/free/rpms/freetype-freeworld/F-16 In directory se02.es.rpmfusion.net:/tmp/cvs-serv29418/F-16 Modified Files: freetype-freeworld.spec Added Files: freetype-2.4.6-CVE-2012-1126.patch freetype-2.4.6-CVE-2012-1127.patch freetype-2.4.6-CVE-2012-1128.patch freetype-2.4.6-CVE-2012-1130.patch freetype-2.4.6-CVE-2012-1131.patch freetype-2.4.6-CVE-2012-1132.patch freetype-2.4.6-CVE-2012-1133.patch freetype-2.4.6-CVE-2012-1134.patch freetype-2.4.6-CVE-2012-1135.patch freetype-2.4.6-CVE-2012-1136.patch freetype-2.4.6-CVE-2012-1137.patch freetype-2.4.6-CVE-2012-1138.patch freetype-2.4.6-CVE-2012-1139.patch freetype-2.4.6-CVE-2012-1140.patch freetype-2.4.6-CVE-2012-1141.patch freetype-2.4.6-CVE-2012-1142.patch freetype-2.4.6-CVE-2012-1143.patch freetype-2.4.6-CVE-2012-1144.patch freetype-2.4.6-bdf-overflow.patch Log Message: * Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org&gt; 2.4.6-5 - Add security patches from Fedora freetype-2.4.6-5 (rh#806270) freetype-2.4.6-CVE-2012-1126.patch: bdflib.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- NEW FILE freetype-2.4.6-CVE-2012-1126.patch --- --- a/src/bdf/bdflib.c +++ b/src/bdf/bdflib.c @@ -1,6 +1,6 @@ /* * Copyright 2000 Computing Research Labs, New Mexico State University - * Copyright 2001-2011 + * Copyright 2001-2012 * Francesco Zappa Nardelli * * Permission is hereby granted, free of charge, to any person obtaining a @@ -1254,7 +1254,8 @@ ep = line + linelen; /* Trim the leading whitespace if it exists. */ - *sp++ = 0; + if ( *sp ) + *sp++ = 0; while ( *sp && ( *sp == ' ' || *sp == '\t' ) ) sp++; freetype-2.4.6-CVE-2012-1127.patch: bdflib.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) --- NEW FILE freetype-2.4.6-CVE-2012-1127.patch --- --- a/src/bdf/bdflib.c +++ b/src/bdf/bdflib.c @@ -188,6 +188,7 @@ #define ACMSG13 "Glyph %ld extra rows removed.\n" #define ACMSG14 "Glyph %ld extra columns removed.\n" #define ACMSG15 "Incorrect glyph count: %ld indicated but %ld found.\n" +#define ACMSG16 "Glyph %ld missing columns padded with zero bits.\n" /* Error messages. */ #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n" @@ -1725,18 +1726,31 @@ for ( i = 0; i < nibbles; i++ ) { c = line[i]; + if ( !c ) + break; *bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] ); if ( i + 1 < nibbles && ( i & 1 ) ) *++bp = 0; } + /* If any line has not enough columns, */ + /* indicate they have been padded with zero bits. */ + if ( i < nibbles && + !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) ) + { + FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG16, glyph->encoding )); + p->flags |= _BDF_GLYPH_WIDTH_CHECK; + font->modified = 1; + } + /* Remove possible garbage at the right. */ mask_index = ( glyph->bbx.width * p->font->bpp ) & 7; if ( glyph->bbx.width ) *bp &= nibble_mask[mask_index]; /* If any line has extra columns, indicate they have been removed. */ - if ( ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) && + if ( i == nibbles && + ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) && !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) ) { FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding )); freetype-2.4.6-CVE-2012-1128.patch: ttinterp.c | 21 ++++++--------------- 1 file changed, 6 insertions(+), 15 deletions(-) --- NEW FILE freetype-2.4.6-CVE-2012-1128.patch --- --- a/src/truetype/ttinterp.c 2011-01-31 21:45:29.000000000 +0100 +++ b/src/truetype/ttinterp.c 2012-03-28 13:07:28.000000000 +0200 @@ -5788,7 +5788,7 @@ FT_F26Dot6 dx, dy; - FT_UShort last_point, i; + FT_UShort limit, i; if ( BOUNDS( args[0], 2 ) ) @@ -5805,24 +5805,15 @@ /* Twilight zone has no contours, so use `n_points'. */ /* Normal zone's `n_points' includes phantoms, so must */ /* use end of last contour. */ - if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 ) - last_point = (FT_UShort)( CUR.zp2.n_points - 1 ); + if ( CUR.GS.gep2 == 0 ) + limit = (FT_UShort)CUR.zp2.n_points; else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 ) - { - last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] ); - - if ( BOUNDS( last_point, CUR.zp2.n_points ) ) - { - if ( CUR.pedantic_hinting ) - CUR.error = TT_Err_Invalid_Reference; - return; - } - } + limit = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] + 1 ); else - last_point = 0; + limit = 0; /* XXX: UNDOCUMENTED! SHZ doesn't touch the points */ - for ( i = 0; i <= last_point; i++ ) + for ( i = 0; i < limit; i++ ) { if ( zp.cur != CUR.zp2.cur || refp != i ) MOVE_Zp2_Point( i, dx, dy, FALSE ); freetype-2.4.6-CVE-2012-1130.patch: pcfread.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- NEW FILE freetype-2.4.6-CVE-2012-1130.patch --- --- a/src/pcf/pcfread.c +++ b/src/pcf/pcfread.c @@ -2,8 +2,7 @@ FreeType font driver for pcf fonts - Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, - 2010 by + Copyright 2000-2010, 2012 by Francesco Zappa Nardelli Permission is hereby granted, free of charge, to any person obtaining a copy @@ -496,7 +495,8 @@ THE SOFTWARE. goto Bail; } - if ( FT_NEW_ARRAY( strings, string_size ) ) + /* allocate one more byte so that we have a final null byte */ + if ( FT_NEW_ARRAY( strings, string_size + 1 ) ) goto Bail; error = FT_Stream_Read( stream, (FT_Byte*)strings, string_size ); freetype-2.4.6-CVE-2012-1131.patch: ftsmooth.c | 12 ++++++------ 1 file changed, 6 insertions(+), 6 deletions(-) --- NEW FILE freetype-2.4.6-CVE-2012-1131.patch --- --- a/src/smooth/ftsmooth.c +++ b/src/smooth/ftsmooth.c @@ -4,7 +4,7 @@ /* */ /* Anti-aliasing renderer interface (body). */ /* */ -/* Copyright 2000-2006, 2009-2011 by */ +/* Copyright 2000-2006, 2009-2012 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -105,9 +105,9 @@ FT_Error error; FT_Outline* outline = NULL; FT_BBox cbox; - FT_UInt width, height, pitch; + FT_Pos width, height, pitch; #ifndef FT_CONFIG_OPTION_SUBPIXEL_RENDERING - FT_UInt height_org, width_org; + FT_Pos height_org, width_org; #endif FT_Bitmap* bitmap; FT_Memory memory; @@ -151,7 +151,7 @@ return Smooth_Err_Raster_Overflow; } else - width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 ); + width = ( cbox.xMax - cbox.xMin ) >> 6; if ( cbox.yMin < 0 && cbox.yMax > FT_INT_MAX + cbox.yMin ) { @@ -161,7 +161,7 @@ return Smooth_Err_Raster_Overflow; } else - height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 ); + height = ( cbox.yMax - cbox.yMin ) >> 6; bitmap = &slot->bitmap; memory = render->root.memory; @@ -223,7 +223,7 @@ /* Required check is ( pitch * height < FT_ULONG_MAX ), */ /* but we care realistic cases only. Always pitch <= width. */ - if ( width > 0x7FFFU || height > 0x7FFFU ) + if ( width > 0x7FFF || height > 0x7FFF ) { FT_ERROR(( "ft_smooth_render_generic: glyph too large: %u x %u\n", width, height )); freetype-2.4.6-CVE-2012-1132.patch: psaux/psobjs.c | 4 ++-- type1/t1load.c | 39 ++++++++++++++++++++++++++------------- 2 files changed, 28 insertions(+), 15 deletions(-) --- NEW FILE freetype-2.4.6-CVE-2012-1132.patch --- --- freetype-2.4.8/src/psaux/psobjs.c 2011-04-13 13:34:22.000000000 +0200 +++ freetype-2.4.8/src/psaux/psobjs.c 2012-03-30 14:35:25.000000000 +0200 @@ -4,7 +4,7 @@ /* */ /* Auxiliary functions for PostScript fonts (body). */ /* */ -/* Copyright 1996-2011 by */ +/* Copyright 1996-2012 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -589,7 +589,7 @@ } Exit: - if ( cur == parser->cursor ) + if ( cur < limit && cur == parser->cursor ) { FT_ERROR(( "ps_parser_skip_PS_token:" " current token is `%c' which is self-delimiting\n" --- freetype-2.4.8/src/type1/t1load.c 2011-09-27 14:34:40.000000000 +0200 +++ freetype-2.4.8/src/type1/t1load.c 2012-03-30 14:35:57.000000000 +0200 @@ -71,6 +71,13 @@ #include "t1errors.h" +#ifdef FT_CONFIG_OPTION_INCREMENTAL +#define IS_INCREMENTAL ( face->root.internal->incremental_interface != 0 ) +#else +#define IS_INCREMENTAL 0 +#endif + + /*************************************************************************/ /* */ /* The macro FT_COMPONENT is used in trace mode. It is an implicit */ @@ -1030,7 +1037,8 @@ static int read_binary_data( T1_Parser parser, FT_Long* size, - FT_Byte** base ) + FT_Byte** base, + FT_Bool incremental ) { FT_Byte* cur; FT_Byte* limit = parser->root.limit; @@ -1065,8 +1073,12 @@ } } - FT_ERROR(( "read_binary_data: invalid size field\n" )); - parser->root.error = T1_Err_Invalid_File_Format; + if( !incremental ) + { + FT_ERROR(( "read_binary_data: invalid size field\n" )); + parser->root.error = T1_Err_Invalid_File_Format; + } + return 0; } @@ -1387,15 +1399,17 @@ FT_Byte* base; - /* If the next token isn't `dup' we are done. */ - if ( ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 ) + /* If we are out of data, or if the next token isn't `dup', */ + /* we are done. */ + if ( parser->root.cursor + 4 >= parser->root.limit || + ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 ) break; T1_Skip_PS_Token( parser ); /* `dup' */ idx = T1_ToInt( parser ); - if ( !read_binary_data( parser, &size, &base ) ) + if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) ) return; /* The binary string is followed by one token, e.g. `NP' */ @@ -1407,7 +1421,8 @@ return; T1_Skip_Spaces ( parser ); - if ( ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 ) + if ( parser->root.cursor + 4 < parser->root.limit && + ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 ) { T1_Skip_PS_Token( parser ); /* skip `put' */ T1_Skip_Spaces ( parser ); @@ -1580,7 +1595,7 @@ cur++; /* skip `/' */ len = parser->root.cursor - cur; - if ( !read_binary_data( parser, &size, &base ) ) + if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) ) return; /* for some non-standard fonts like `Optima' which provides */ @@ -1869,7 +1884,7 @@ parser->root.cursor = start_binary; - if ( !read_binary_data( parser, &s, &b ) ) + if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) ) return T1_Err_Invalid_File_Format; have_integer = 0; } @@ -1882,7 +1897,7 @@ parser->root.cursor = start_binary; - if ( !read_binary_data( parser, &s, &b ) ) + if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) ) return T1_Err_Invalid_File_Format; have_integer = 0; } @@ -2158,9 +2173,7 @@ type1->subrs_len = loader.subrs.lengths; } -#ifdef FT_CONFIG_OPTION_INCREMENTAL - if ( !face->root.internal->incremental_interface ) -#endif + if ( !IS_INCREMENTAL ) if ( !loader.charstrings.init ) { FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" )); freetype-2.4.6-CVE-2012-1133.patch: bdflib.c | 5 +++++ 1 file changed, 5 insertions(+) --- NEW FILE freetype-2.4.6-CVE-2012-1133.patch --- --- a/src/bdf/bdflib.c 2012-03-28 13:08:54.000000000 +0200 +++ b/src/bdf/bdflib.c 2012-03-28 13:12:00.000000000 +0200 @@ -1587,6 +1587,11 @@ p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 ); + /* Normalize negative encoding values. The specification only */ + /* allows -1, but we can be more generous here. */ + if ( p->glyph_enc < -1 ) + p->glyph_enc = -1; + /* Check that the encoding is in the range [0,65536] because */ /* otherwise p->have (a bitmap with static size) overflows. */ if ( p->glyph_enc > 0 && freetype-2.4.6-CVE-2012-1134.patch: t1parse.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) --- NEW FILE freetype-2.4.6-CVE-2012-1134.patch --- --- a/src/type1/t1parse.c +++ b/src/type1/t1parse.c @@ -4,7 +4,7 @@ /* */ /* Type 1 parser (body). */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008, 2009 by */ +/* Copyright 1996-2005, 2008, 2009, 2012 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -467,6 +467,14 @@ /* we now decrypt the encoded binary private dictionary */ psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U ); + if ( parser->private_len < 4 ) + { + FT_ERROR(( "T1_Get_Private_Dict:" + " invalid private dictionary section\n" )); + error = T1_Err_Invalid_File_Format; + goto Fail; + } + /* replace the four random bytes at the beginning with whitespace */ parser->private_dict[0] = ' '; parser->private_dict[1] = ' '; freetype-2.4.6-CVE-2012-1135.patch: ttinterp.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- NEW FILE freetype-2.4.6-CVE-2012-1135.patch --- --- a/src/truetype/ttinterp.c +++ b/src/truetype/ttinterp.c @@ -4477,7 +4477,7 @@ CUR.length = opcode_length[CUR.opcode]; if ( CUR.length < 0 ) { - if ( CUR.IP + 1 > CUR.codeSize ) + if ( CUR.IP + 1 >= CUR.codeSize ) goto Fail_Overflow; CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1]; } @@ -7544,7 +7544,7 @@ if ( ( CUR.length = opcode_length[CUR.opcode] ) < 0 ) { - if ( CUR.IP + 1 > CUR.codeSize ) + if ( CUR.IP + 1 >= CUR.codeSize ) goto LErrorCodeOverflow_; CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1]; freetype-2.4.6-CVE-2012-1136.patch: bdflib.c | 19 +++++++++++++------ 1 file changed, 13 insertions(+), 6 deletions(-) --- NEW FILE freetype-2.4.6-CVE-2012-1136.patch --- --- a/src/bdf/bdflib.c 2012-03-28 13:13:24.000000000 +0200 +++ b/src/bdf/bdflib.c 2012-03-28 13:15:33.000000000 +0200 @@ -1749,12 +1749,7 @@ if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 ) { if ( !( p->flags & _BDF_ENCODING ) ) - { - /* Missing ENCODING field. */ - FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" )); - error = BDF_Err_Missing_Encoding_Field; - goto Exit; - } + goto Missing_Encoding; error = _bdf_list_split( &p->list, (char *)" +", line, linelen ); if ( error ) @@ -1769,6 +1764,9 @@ /* Expect the DWIDTH (scalable width) field next. */ if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 ) { + if ( !( p->flags & _BDF_ENCODING ) ) + goto Missing_Encoding; + error = _bdf_list_split( &p->list, (char *)" +", line, linelen ); if ( error ) goto Exit; @@ -1794,6 +1792,9 @@ /* Expect the BBX field next. */ if ( ft_memcmp( line, "BBX", 3 ) == 0 ) { + if ( !( p->flags & _BDF_ENCODING ) ) + goto Missing_Encoding; + error = _bdf_list_split( &p->list, (char *)" +", line, linelen ); if ( error ) goto Exit; @@ -1893,6 +1894,12 @@ } error = BDF_Err_Invalid_File_Format; + goto Exit; + + Missing_Encoding: + /* Missing ENCODING field. */ + FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" )); + error = BDF_Err_Missing_Encoding_Field; Exit: if ( error && ( p->flags & _BDF_GLYPH ) ) freetype-2.4.6-CVE-2012-1137.patch: bdflib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- NEW FILE freetype-2.4.6-CVE-2012-1137.patch --- --- a/src/bdf/bdflib.c +++ b/src/bdf/bdflib.c @@ -462,7 +462,7 @@ if ( num_items > list->size ) { unsigned long oldsize = list->size; /* same as _bdf_list_t.size */ - unsigned long newsize = oldsize + ( oldsize >> 1 ) + 4; + unsigned long newsize = oldsize + ( oldsize >> 1 ) + 5; unsigned long bigsize = (unsigned long)( FT_INT_MAX / sizeof ( char* ) ); FT_Memory memory = list->memory; freetype-2.4.6-CVE-2012-1138.patch: ttinterp.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- NEW FILE freetype-2.4.6-CVE-2012-1138.patch --- --- a/src/truetype/ttinterp.c 2012-03-28 13:16:19.000000000 +0200 +++ b/src/truetype/ttinterp.c 2012-03-28 13:19:39.000000000 +0200 @@ -6223,7 +6223,7 @@ TT_MulFix14( (FT_UInt32)cvt_dist, CUR.GS.freeVector.y ); - CUR.zp1.cur[point] = CUR.zp0.cur[point]; + CUR.zp1.cur[point] = CUR.zp1.org[point]; } org_dist = CUR_Func_dualproj( &CUR.zp1.org[point], freetype-2.4.6-CVE-2012-1139.patch: bdflib.c | 10 +++++----- 1 file changed, 5 insertions(+), 5 deletions(-) --- NEW FILE freetype-2.4.6-CVE-2012-1139.patch --- --- a/src/bdf/bdflib.c 2012-03-28 13:24:22.000000000 +0200 +++ b/src/bdf/bdflib.c 2012-03-28 13:24:22.000000000 +0200 @@ -791,7 +791,7 @@ }; -#define isdigok( m, d ) (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) ) +#define isdigok( m, d ) (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) & 7 ) ) ) /* Routine to convert an ASCII string into an unsigned long integer. */ @@ -1709,7 +1709,7 @@ for ( i = 0; i < nibbles; i++ ) { c = line[i]; - if ( !c ) + if ( !isdigok( hdigits, c ) ) break; *bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] ); if ( i + 1 < nibbles && ( i & 1 ) ) @@ -1732,9 +1732,9 @@ *bp &= nibble_mask[mask_index]; /* If any line has extra columns, indicate they have been removed. */ - if ( i == nibbles && - ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) && - !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) ) + if ( i == nibbles && + isdigok( hdigits, line[nibbles] ) && + !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) ) { FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding )); p->flags |= _BDF_GLYPH_WIDTH_CHECK; freetype-2.4.6-CVE-2012-1140.patch: psconv.c | 16 ++++++++++++---- 1 file changed, 12 insertions(+), 4 deletions(-) --- NEW FILE freetype-2.4.6-CVE-2012-1140.patch --- --- a/src/psaux/psconv.c +++ b/src/psaux/psconv.c @@ -4,7 +4,7 @@ /* */ /* Some convenience conversions (body). */ /* */ -/* Copyright 2006, 2008, 2009 by */ +/* Copyright 2006, 2008, 2009, 2012 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -79,7 +79,7 @@ FT_Bool sign = 0; - if ( p == limit || base < 2 || base > 36 ) + if ( p >= limit || base < 2 || base > 36 ) return 0; if ( *p == '-' || *p == '+' ) @@ -150,7 +150,7 @@ FT_Bool sign = 0; - if ( p == limit ) + if ( p >= limit ) return 0; if ( *p == '-' || *p == '+' ) @@ -346,7 +346,11 @@ #if 1 - p = *cursor; + p = *cursor; + + if ( p >= limit ) + return 0; + if ( n > (FT_UInt)( limit - p ) ) n = (FT_UInt)( limit - p ); @@ -434,6 +438,10 @@ #if 1 p = *cursor; + + if ( p >= limit ) + return 0; + if ( n > (FT_UInt)(limit - p) ) n = (FT_UInt)(limit - p); freetype-2.4.6-CVE-2012-1141.patch: bdflib.c | 8 ++++++++ 1 file changed, 8 insertions(+) --- NEW FILE freetype-2.4.6-CVE-2012-1141.patch --- --- a/src/bdf/bdflib.c 2012-03-28 13:25:37.000000000 +0200 +++ b/src/bdf/bdflib.c 2012-03-28 13:25:37.000000000 +0200 @@ -521,6 +521,14 @@ /* Initialize the list. */ list->used = 0; + if ( list->size ) + { + list->field[0] = (char*)empty; + list->field[1] = (char*)empty; + list->field[2] = (char*)empty; + list->field[3] = (char*)empty; + list->field[4] = (char*)empty; + } /* If the line is empty, then simply return. */ if ( linelen == 0 || line[0] == 0 ) freetype-2.4.6-CVE-2012-1142.patch: winfnt.c | 11 +++++++++-- 1 file changed, 9 insertions(+), 2 deletions(-) --- NEW FILE freetype-2.4.6-CVE-2012-1142.patch --- --- a/src/winfonts/winfnt.c 2010-09-11 08:06:45.000000000 +0200 +++ b/src/winfonts/winfnt.c 2012-03-28 13:21:18.000000000 +0200 @@ -4,7 +4,7 @@ /* */ /* FreeType font driver for Windows FNT/FON files */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2004, 2006, 2007, 2008, 2009, 2010 by */ +/* Copyright 1996-2004, 2006-2012 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* Copyright 2003 Huw D M Davies for Codeweavers */ /* Copyright 2007 Dmitry Timoshkov for Codeweavers */ @@ -827,7 +827,14 @@ root->charmap = root->charmaps[0]; } - /* setup remaining flags */ + /* set up remaining flags */ + + if ( font->header.last_char < font->header.first_char ) + { + FT_TRACE2(( "invalid number of glyphs\n" )); + error = FNT_Err_Invalid_File_Format; + goto Fail; + } /* reserve one slot for the .notdef glyph at index 0 */ root->num_glyphs = font->header.last_char - freetype-2.4.6-CVE-2012-1143.patch: ftcalc.c | 17 +++++++++-------- 1 file changed, 9 insertions(+), 8 deletions(-) --- NEW FILE freetype-2.4.6-CVE-2012-1143.patch --- --- a/src/base/ftcalc.c +++ b/src/base/ftcalc.c @@ -4,7 +4,7 @@ /* */ /* Arithmetic computations (body). */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2008 by */ +/* Copyright 1996-2006, 2008, 2012 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -307,7 +307,7 @@ q <<= 1; r |= lo >> 31; - if ( r >= (FT_UInt32)y ) + if ( r >= y ) { r -= y; q |= 1; @@ -373,7 +373,7 @@ if ( a <= 46340L && b <= 46340L && c <= 176095L && c > 0 ) a = ( a * b + ( c >> 1 ) ) / c; - else if ( c > 0 ) + else if ( (FT_Int32)c > 0 ) { FT_Int64 temp, temp2; @@ -412,7 +412,7 @@ if ( a <= 46340L && b <= 46340L && c > 0 ) a = a * b / c; - else if ( c > 0 ) + else if ( (FT_Int32)c > 0 ) { FT_Int64 temp; @@ -544,7 +544,7 @@ s = (FT_Int32)a; a = FT_ABS( a ); s ^= (FT_Int32)b; b = FT_ABS( b ); - if ( b == 0 ) + if ( (FT_UInt32)b == 0 ) { /* check for division by 0 */ q = (FT_UInt32)0x7FFFFFFFL; @@ -552,15 +552,16 @@ else if ( ( a >> 16 ) == 0 ) { /* compute result directly */ - q = (FT_UInt32)( (a << 16) + (b >> 1) ) / (FT_UInt32)b; + q = (FT_UInt32)( ( a << 16 ) + ( b >> 1 ) ) / (FT_UInt32)b; } else { /* we need more bits; we have to do it by hand */ FT_Int64 temp, temp2; - temp.hi = (FT_Int32) (a >> 16); - temp.lo = (FT_UInt32)(a << 16); + + temp.hi = (FT_Int32) ( a >> 16 ); + temp.lo = (FT_UInt32)( a << 16 ); temp2.hi = 0; temp2.lo = (FT_UInt32)( b >> 1 ); FT_Add64( &temp, &temp2, &temp ); freetype-2.4.6-CVE-2012-1144.patch: ttgload.c | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) --- NEW FILE freetype-2.4.6-CVE-2012-1144.patch --- --- a/src/truetype/ttgload.c +++ b/src/truetype/ttgload.c @@ -362,14 +362,17 @@ if ( n_contours >= 0xFFF || p + ( n_contours + 1 ) * 2 > limit ) goto Invalid_Outline; - prev_cont = FT_NEXT_USHORT( p ); + prev_cont = FT_NEXT_SHORT( p ); if ( n_contours > 0 ) cont[0] = prev_cont; + if ( prev_cont < 0 ) + goto Invalid_Outline; + for ( cont++; cont < cont_limit; cont++ ) { - cont[0] = FT_NEXT_USHORT( p ); + cont[0] = FT_NEXT_SHORT( p ); if ( cont[0] <= prev_cont ) { /* unordered contours: this is invalid */ freetype-2.4.6-bdf-overflow.patch: bdflib.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) --- NEW FILE freetype-2.4.6-bdf-overflow.patch --- --- a/src/bdf/bdflib.c +++ b/src/bdf/bdflib.c @@ -1912,7 +1912,7 @@ glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3; bitmap_size = glyph->bpr * glyph->bbx.height; - if ( bitmap_size > 0xFFFFU ) + if ( glyph->bpr > 0xFFFFU || bitmap_size > 0xFFFFU ) { FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno )); error = BDF_Err_Bbx_Too_Big; Index: freetype-freeworld.spec =================================================================== RCS file: /cvs/free/rpms/freetype-freeworld/F-16/freetype-freeworld.spec,v retrieving revision 1.20 retrieving revision 1.21 diff -u -r1.20 -r1.21 --- freetype-freeworld.spec 17 Nov 2011 17:13:05 -0000 1.20 +++ freetype-freeworld.spec 2 Apr 2012 00:38:09 -0000 1.21 @@ -1,7 +1,7 @@ Summary: A free and portable font rendering engine Name: freetype-freeworld Version: 2.4.6 -Release: 4%{?dist} +Release: 5%{?dist} License: FTL or GPLv2+ Group: System Environment/Libraries URL: http://www.freetype.org @@ -16,6 +16,25 @@ Patch89: freetype-2.4.2-CVE-2010-3311.patch Patch90: freetype-2.4.6-CVE-2011-3256.patch Patch91: freetype-2.4.6-CVE-2011-3439.patch +Patch92: freetype-2.4.6-CVE-2012-1126.patch +Patch93: freetype-2.4.6-CVE-2012-1127.patch +Patch94: freetype-2.4.6-CVE-2012-1128.patch +Patch95: freetype-2.4.6-CVE-2012-1130.patch +Patch96: freetype-2.4.6-CVE-2012-1131.patch +Patch97: freetype-2.4.6-CVE-2012-1132.patch +Patch98: freetype-2.4.6-CVE-2012-1133.patch +Patch99: freetype-2.4.6-CVE-2012-1134.patch +Patch100: freetype-2.4.6-CVE-2012-1135.patch +Patch101: freetype-2.4.6-CVE-2012-1136.patch +Patch102: freetype-2.4.6-CVE-2012-1137.patch +Patch103: freetype-2.4.6-CVE-2012-1138.patch +Patch104: freetype-2.4.6-CVE-2012-1139.patch +Patch105: freetype-2.4.6-CVE-2012-1140.patch +Patch106: freetype-2.4.6-CVE-2012-1141.patch +Patch107: freetype-2.4.6-CVE-2012-1142.patch +Patch108: freetype-2.4.6-CVE-2012-1143.patch +Patch109: freetype-2.4.6-CVE-2012-1144.patch +Patch110: freetype-2.4.6-bdf-overflow.patch BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n) @@ -47,6 +66,25 @@ %patch89 -p1 -b .CVE-2010-3311 %patch90 -p1 -b .CVE-2011-3256 %patch91 -p1 -b .CVE-2011-3439 +%patch92 -p1 -b .CVE-2012-1126 +%patch93 -p1 -b .CVE-2012-1127 +%patch94 -p1 -b .CVE-2012-1128 +%patch95 -p1 -b .CVE-2012-1130 +%patch96 -p1 -b .CVE-2012-1131 +%patch97 -p1 -b .CVE-2012-1132 +%patch98 -p1 -b .CVE-2012-1133 +%patch99 -p1 -b .CVE-2012-1134 +%patch100 -p1 -b .CVE-2012-1135 +%patch101 -p1 -b .CVE-2012-1136 +%patch102 -p1 -b .CVE-2012-1137 +%patch103 -p1 -b .CVE-2012-1138 +%patch104 -p1 -b .CVE-2012-1139 +%patch105 -p1 -b .CVE-2012-1140 +%patch106 -p1 -b .CVE-2012-1141 +%patch107 -p1 -b .CVE-2012-1142 +%patch108 -p1 -b .CVE-2012-1143 +%patch109 -p1 -b .CVE-2012-1144 +%patch110 -p1 -b .bdf-overflow %build @@ -91,6 +129,9 @@ %config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf %changelog +* Mon Apr 02 2012 Kevin Kofler <Kevin(a)tigcc.ticalc.org&gt; 2.4.6-5 +- Add security patches from Fedora freetype-2.4.6-5 (rh#806270) + * Thu Nov 17 2011 Kevin Kofler <Kevin(a)tigcc.ticalc.org&gt; 2.4.6-4 - Add freetype-2.4.6-CVE-2011-3439.patch from Fedora freetype (rh#753837)