Author: kkofler Update of /cvs/free/rpms/freetype-freeworld/devel In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv32326/devel Modified Files: freetype-freeworld.spec Added Files: freetype-2.5.3-CVE-2014-9656.patch freetype-2.5.3-CVE-2014-9657.patch freetype-2.5.3-CVE-2014-9658.patch freetype-2.5.3-CVE-2014-9660.patch freetype-2.5.3-CVE-2014-9661a.patch freetype-2.5.3-CVE-2014-9661b.patch freetype-2.5.3-CVE-2014-9662.patch freetype-2.5.3-CVE-2014-9663.patch freetype-2.5.3-CVE-2014-9664a.patch freetype-2.5.3-CVE-2014-9664b.patch freetype-2.5.3-CVE-2014-9665.patch freetype-2.5.3-CVE-2014-9666.patch freetype-2.5.3-CVE-2014-9667.patch freetype-2.5.3-CVE-2014-9668.patch freetype-2.5.3-CVE-2014-9669.patch freetype-2.5.3-CVE-2014-9670.patch freetype-2.5.3-CVE-2014-9671.patch freetype-2.5.3-CVE-2014-9672.patch freetype-2.5.3-CVE-2014-9673.patch freetype-2.5.3-CVE-2014-9674a.patch freetype-2.5.3-CVE-2014-9674b.patch freetype-2.5.3-CVE-2014-9675.patch freetype-2.5.3-unsigned-long.patch Log Message: * Wed Feb 18 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org&gt; 2.5.3-4 - Add freetype-2.5.3-CVE-2014-9656.patch from Fedora freetype (rh#1191099) (Check `p' before `num_glyphs'.) - Add freetype-2.5.3-CVE-2014-9657.patch from Fedora freetype (rh#1191099) (Check minimum size of `record_size'.) - Add freetype-2.5.3-CVE-2014-9658.patch from Fedora freetype (rh#1191099) (Use correct value for minimum table length test.) - Add freetype-2.5.3-CVE-2014-9675.patch from Fedora freetype (rh#1191193) (New macro that checks one character more than `strncmp'.) - Add freetype-2.5.3-CVE-2014-9660.patch from Fedora freetype (rh#1191099) (Check `_BDF_GLYPH_BITS'.) - Add freetype-2.5.3-CVE-2014-9661a.patch from Fedora freetype (rh#1191099) (Initialize `face->ttf_size'. Always set `face->ttf_size' directly.) - Add freetype-2.5.3-CVE-2014-9661b.patch from Fedora freetype (rh#1191099) (Exclusively use the `truetype' font driver for loading the font contained in the `sfnts' array.) - Add freetype-2.5.3-CVE-2014-9662.patch from Fedora freetype (rh#1191099) (Handle return values of point allocation routines.) - Add freetype-2.5.3-CVE-2014-9663.patch from Fedora freetype (rh#1191099) (Fix order of validity tests.) - Add freetype-2.5.3-CVE-2014-9664a.patch from Fedora freetype (rh#1191099) (Add another boundary testing.) - Add freetype-2.5.3-CVE-2014-9664b.patch from Fedora freetype (rh#1191099) (Fix boundary testing.) - Add freetype-2.5.3-CVE-2014-9665.patch from Fedora freetype (rh#1191099) (Protect against too large bitmaps.) - Add freetype-2.5.3-CVE-2014-9666.patch from Fedora freetype (rh#1191099) (Protect against addition and multiplication overflow.) - Add freetype-2.5.3-CVE-2014-9667.patch from Fedora freetype (rh#1191099) (Protect against addition overflow.) - Add freetype-2.5.3-CVE-2014-9668.patch from Fedora freetype (rh#1191099) (Protect against addition overflow.) - Add freetype-2.5.3-CVE-2014-9669.patch from Fedora freetype (rh#1191099) (Protect against overflow in additions and multiplications.) - Add freetype-2.5.3-CVE-2014-9670.patch from Fedora freetype (rh#1191099) (Add sanity checks for row and column values.) - Add freetype-2.5.3-CVE-2014-9671.patch from Fedora freetype (rh#1191099) (Check `size' and `offset' values.) - Add freetype-2.5.3-CVE-2014-9672.patch from Fedora freetype (rh#1191095) (Prevent a buffer overrun caused by a font including too many (> 63) strings to store names[] table.) - Add freetype-2.5.3-CVE-2014-9673.patch from Fedora freetype (rh#1191096) (Fix integer overflow by a broken POST table in resource-fork.) - Add freetype-2.5.3-CVE-2014-9674a.patch from Fedora freetype (rh#1191191) (Fix integer overflow by a broken POST table in resource-fork.) - Add freetype-2.5.3-unsigned-long.patch from Fedora freetype (rh#1191191) (Use unsigned long variables to read the lengths in POST fragments.) - Add freetype-2.5.3-CVE-2014-9674b.patch from Fedora freetype (rh#1191191) (Additional overflow check in the summation of POST fragment lengths.) freetype-2.5.3-CVE-2014-9656.patch: ttsbit.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9656.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Mon, 24 Nov 2014 09:51:21 +0000 Subject: [sfnt] Fix Savannah bug #43680. This adds an additional constraint to make the fix from 2013-01-25 really work. * src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) <index_format==4>: Check `p' before `num_glyphs'. --- diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c index b37bd7d..c2db96c 100644 --- a/src/sfnt/ttsbit.c +++ b/src/sfnt/ttsbit.c @@ -1147,7 +1147,8 @@ num_glyphs = FT_NEXT_ULONG( p ); /* overflow check for p + ( num_glyphs + 1 ) * 4 */ - if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) ) + if ( p + 4 > p_limit || + num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) ) goto NoBitmap; for ( mm = 0; mm < num_glyphs; mm++ ) -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9657.patch: ttpload.c | 13 +++++++------ 1 file changed, 7 insertions(+), 6 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9657.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Mon, 24 Nov 2014 09:22:08 +0000 Subject: [truetype] Fix Savannah bug #43679. * src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of `record_size'. --- diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c index 9723a51..9991925 100644 --- a/src/truetype/ttpload.c +++ b/src/truetype/ttpload.c @@ -508,9 +508,9 @@ record_size = FT_NEXT_ULONG( p ); /* The maximum number of bytes in an hdmx device record is the */ - /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is */ - /* the reason why `record_size' is a long (which we read as */ - /* unsigned long for convenience). In practice, two bytes */ + /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus */ + /* explaining why `record_size' is a long (which we read as */ + /* unsigned long for convenience). In practice, two bytes are */ /* sufficient to hold the size value. */ /* */ /* There are at least two fonts, HANNOM-A and HANNOM-B version */ @@ -522,8 +522,10 @@ record_size &= 0xFFFFU; /* The limit for `num_records' is a heuristic value. */ - - if ( version != 0 || num_records > 255 || record_size > 0x10001L ) + if ( version != 0 || + num_records > 255 || + record_size > 0x10001L || + record_size < 4 ) { error = FT_THROW( Invalid_File_Format ); goto Fail; -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9658.patch: ttkern.c | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9658.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Mon, 24 Nov 2014 08:31:32 +0000 Subject: [sfnt] Fix Savannah bug #43672. * src/sfnt/ttkern.c (tt_face_load_kern): Use correct value for minimum table length test. --- diff --git a/src/sfnt/ttkern.c b/src/sfnt/ttkern.c index 32c4008..455e7b5 100644 --- a/src/sfnt/ttkern.c +++ b/src/sfnt/ttkern.c @@ -99,7 +99,7 @@ length = FT_NEXT_USHORT( p ); coverage = FT_NEXT_USHORT( p ); - if ( length <= 6 ) + if ( length <= 6 + 8 ) break; p_next += length; -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9660.patch: bdflib.c | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) --- NEW FILE freetype-2.5.3-CVE-2014-9660.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Sat, 22 Nov 2014 12:29:10 +0000 Subject: [bdf] Fix Savannah bug #43660. * src/bdf/bdflib.c (_bdf_parse_glyphs) <"ENDFONT">: Check `_BDF_GLYPH_BITS'. --- diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c index c128526..369c111 100644 --- a/src/bdf/bdflib.c +++ b/src/bdf/bdflib.c @@ -1555,6 +1555,14 @@ /* Check for the ENDFONT field. */ if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 ) { + if ( p->flags & _BDF_GLYPH_BITS ) + { + /* Missing ENDCHAR field. */ + FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENDCHAR" )); + error = FT_THROW( Corrupted_Font_Glyphs ); + goto Exit; + } + /* Sort the glyphs by encoding. */ ft_qsort( (char *)font->glyphs, font->glyphs_used, -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9661a.patch: t42objs.c | 6 ++++++ t42parse.c | 26 ++++++++++++-------------- 2 files changed, 18 insertions(+), 14 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9661a.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Sat, 22 Nov 2014 09:46:47 +0000 Subject: [type42] Fix Savannah bug #43659. * src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'. * src/type42/t42parse.c (t42_parse_sfnts): Always set `face->ttf_size' directly. This ensures a correct stream size in the call to `FT_Open_Face', which follows after parsing, even for buggy input data. Fix error messages. --- diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c index 798ebdb..7a9cb57 100644 --- a/src/type42/t42objs.c +++ b/src/type42/t42objs.c @@ -47,6 +47,12 @@ if ( FT_ALLOC( face->ttf_data, 12 ) ) goto Exit; + /* while parsing the font we always update `face->ttf_size' so that */ + /* even in case of buggy data (which might lead to premature end of */ + /* scanning without causing an error) the call to `FT_Open_Face' in */ + /* `T42_Face_Init' passes the correct size */ + face->ttf_size = 12; + error = t42_parser_init( parser, face->root.stream, memory, diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c index a60e216..daf304d 100644 --- a/src/type42/t42parse.c +++ b/src/type42/t42parse.c @@ -524,7 +524,7 @@ FT_Byte* limit = parser->root.limit; FT_Error error; FT_Int num_tables = 0; - FT_ULong count, ttf_size = 0; + FT_ULong count; FT_Long n, string_size, old_string_size, real_size; FT_Byte* string_buf = NULL; @@ -617,7 +617,7 @@ if ( limit - parser->root.cursor < string_size ) { - FT_ERROR(( "t42_parse_sfnts: too many binary data\n" )); + FT_ERROR(( "t42_parse_sfnts: too much binary data\n" )); error = FT_THROW( Invalid_File_Format ); goto Fail; } @@ -657,18 +657,18 @@ } else { - num_tables = 16 * face->ttf_data[4] + face->ttf_data[5]; - status = BEFORE_TABLE_DIR; - ttf_size = 12 + 16 * num_tables; + num_tables = 16 * face->ttf_data[4] + face->ttf_data[5]; + status = BEFORE_TABLE_DIR; + face->ttf_size = 12 + 16 * num_tables; - if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) ) + if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) ) goto Fail; } /* fall through */ case BEFORE_TABLE_DIR: /* the offset table is read; read the table directory */ - if ( count < ttf_size ) + if ( count < face->ttf_size ) { face->ttf_data[count++] = string_buf[n]; continue; @@ -687,24 +687,23 @@ len = FT_PEEK_ULONG( p ); /* Pad to a 4-byte boundary length */ - ttf_size += ( len + 3 ) & ~3; + face->ttf_size += ( len + 3 ) & ~3; } - status = OTHER_TABLES; - face->ttf_size = ttf_size; + status = OTHER_TABLES; /* there are no more than 256 tables, so no size check here */ if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables, - ttf_size + 1 ) ) + face->ttf_size + 1 ) ) goto Fail; } /* fall through */ case OTHER_TABLES: /* all other tables are just copied */ - if ( count >= ttf_size ) + if ( count >= face->ttf_size ) { - FT_ERROR(( "t42_parse_sfnts: too many binary data\n" )); + FT_ERROR(( "t42_parse_sfnts: too much binary data\n" )); error = FT_THROW( Invalid_File_Format ); goto Fail; } -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9661b.patch: t42objs.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9661b.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Sat, 22 Nov 2014 11:44:33 +0000 Subject: [type42] Allow only embedded TrueType fonts. This is a follow-up to Savannah bug #43659. * src/type42/t42objs.c (T42_Face_Init): Exclusively use the `truetype' font driver for loading the font contained in the `sfnts' array. --- diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c index 7a9cb57..915e81f 100644 --- a/src/type42/t42objs.c +++ b/src/type42/t42objs.c @@ -292,7 +292,9 @@ FT_Open_Args args; - args.flags = FT_OPEN_MEMORY; + args.flags = FT_OPEN_MEMORY | FT_OPEN_DRIVER; + args.driver = FT_Get_Module( FT_FACE_LIBRARY( face ), + "truetype" ); args.memory_base = face->ttf_data; args.memory_size = face->ttf_size; -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9662.patch: cf2ft.c | 49 ++++++++++++++++++++++++++++++++++++++----------- 1 file changed, 38 insertions(+), 11 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9662.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Sat, 22 Nov 2014 08:16:39 +0000 Subject: [cff] Fix Savannah bug #43658. * src/cff/cf2ft.c (cf2_builder_lineTo, cf2_builder_cubeTo): Handle return values of point allocation routines. --- diff --git a/src/cff/cf2ft.c b/src/cff/cf2ft.c index cb8d31c..ebba469 100644 --- a/src/cff/cf2ft.c +++ b/src/cff/cf2ft.c @@ -142,6 +142,8 @@ cf2_builder_lineTo( CF2_OutlineCallbacks callbacks, const CF2_CallbackParams params ) { + FT_Error error; + /* downcast the object pointer */ CF2_Outline outline = (CF2_Outline)callbacks; CFF_Builder* builder; @@ -156,15 +158,27 @@ { /* record the move before the line; also check points and set */ /* `path_begun' */ - cff_builder_start_point( builder, - params->pt0.x, - params->pt0.y ); + error = cff_builder_start_point( builder, + params->pt0.x, + params->pt0.y ); + if ( error ) + { + if ( !*callbacks->error ) + *callbacks->error = error; + return; + } } /* `cff_builder_add_point1' includes a check_points call for one point */ - cff_builder_add_point1( builder, - params->pt1.x, - params->pt1.y ); + error = cff_builder_add_point1( builder, + params->pt1.x, + params->pt1.y ); + if ( error ) + { + if ( !*callbacks->error ) + *callbacks->error = error; + return; + } } @@ -172,6 +186,8 @@ cf2_builder_cubeTo( CF2_OutlineCallbacks callbacks, const CF2_CallbackParams params ) { + FT_Error error; + /* downcast the object pointer */ CF2_Outline outline = (CF2_Outline)callbacks; CFF_Builder* builder; @@ -186,13 +202,25 @@ { /* record the move before the line; also check points and set */ /* `path_begun' */ - cff_builder_start_point( builder, - params->pt0.x, - params->pt0.y ); + error = cff_builder_start_point( builder, + params->pt0.x, + params->pt0.y ); + if ( error ) + { + if ( !*callbacks->error ) + *callbacks->error = error; + return; + } } /* prepare room for 3 points: 2 off-curve, 1 on-curve */ - cff_check_points( builder, 3 ); + error = cff_check_points( builder, 3 ); + if ( error ) + { + if ( !*callbacks->error ) + *callbacks->error = error; + return; + } cff_builder_add_point( builder, params->pt1.x, -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9663.patch: ttcmap.c | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9663.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Sat, 22 Nov 2014 05:24:45 +0000 Subject: [sfnt] Fix Savannah bug #43656. * src/sfnt/ttcmap.c (tt_cmap4_validate): Fix order of validity tests. --- diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c index 712bd4f..fb863c3 100644 --- a/src/sfnt/ttcmap.c +++ b/src/sfnt/ttcmap.c @@ -845,9 +845,6 @@ p = table + 2; /* skip format */ length = TT_NEXT_USHORT( p ); - if ( length < 16 ) - FT_INVALID_TOO_SHORT; - /* in certain fonts, the `length' field is invalid and goes */ /* out of bound. We try to correct this here... */ if ( table + length > valid->limit ) @@ -858,6 +855,9 @@ length = (FT_UInt)( valid->limit - table ); } + if ( length < 16 ) + FT_INVALID_TOO_SHORT; + p = table + 6; num_segs = TT_NEXT_USHORT( p ); /* read segCountX2 */ -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9664a.patch: type1/t1load.c | 5 +++++ type42/t42parse.c | 7 ++++++- 2 files changed, 11 insertions(+), 1 deletion(-) --- NEW FILE freetype-2.5.3-CVE-2014-9664a.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Mon, 24 Nov 2014 06:30:05 +0000 Subject: [type1, type42] Another fix for Savannah bug #43655. * src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c (t42_parse_charstrings): Add another boundary testing. --- diff --git a/src/type1/t1load.c b/src/type1/t1load.c index caa75bd..24b14a8 100644 --- a/src/type1/t1load.c +++ b/src/type1/t1load.c @@ -1596,6 +1596,11 @@ } T1_Skip_PS_Token( parser ); + if ( parser->root.cursor >= limit ) + { + error = FT_THROW( Invalid_File_Format ); + goto Fail; + } if ( parser->root.error ) return; diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c index daf304d..d45c069 100644 --- a/src/type42/t42parse.c +++ b/src/type42/t42parse.c @@ -849,6 +849,12 @@ break; T1_Skip_PS_Token( parser ); + if ( parser->root.cursor >= limit ) + { + FT_ERROR(( "t42_parse_charstrings: out of bounds\n" )); + error = FT_THROW( Invalid_File_Format ); + goto Fail; + } if ( parser->root.error ) return; -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9664b.patch: type1/t1load.c | 2 +- type42/t42parse.c | 3 +-- 2 files changed, 2 insertions(+), 3 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9664b.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Fri, 21 Nov 2014 21:19:28 +0000 Subject: [type1, type42] Fix Savannah bug #43655. * src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c (t42_parse_charstrings): Fix boundary testing. --- diff --git a/src/type1/t1load.c b/src/type1/t1load.c index fd06432..caa75bd 100644 --- a/src/type1/t1load.c +++ b/src/type1/t1load.c @@ -1609,7 +1609,7 @@ FT_PtrDist len; - if ( cur + 1 >= limit ) + if ( cur + 2 >= limit ) { error = FT_THROW( Invalid_File_Format ); goto Fail; diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c index 9b66888..a60e216 100644 --- a/src/type42/t42parse.c +++ b/src/type42/t42parse.c @@ -863,7 +863,7 @@ FT_PtrDist len; - if ( cur + 1 >= limit ) + if ( cur + 2 >= limit ) { FT_ERROR(( "t42_parse_charstrings: out of bounds\n" )); error = FT_THROW( Invalid_File_Format ); -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9665.patch: pngshim.c | 14 ++++++++++++++ 1 file changed, 14 insertions(+) --- NEW FILE freetype-2.5.3-CVE-2014-9665.patch --- --- freetype-2.5.3/src/sfnt/pngshim.c +++ freetype-2.5.3/src/sfnt/pngshim.c @@ -269,6 +269,20 @@ map->pitch = map->width * 4; map->num_grays = 256; + /* reject bitmaps with negative dimensions */ + if ( map->rows < 0 || map->width < 0 ) + { + error = FT_THROW( Invalid_Argument ); + goto DestroyExit; + } + + /* reject too large bitmaps similarly to the rasterizer */ + if ( map->rows > 0x7FFF || map->width > 0x7FFF ) + { + error = FT_THROW( Array_Too_Large ); + goto DestroyExit; + } + size = map->rows * map->pitch; error = ft_glyphslot_alloc_bitmap( slot, size ); freetype-2.5.3-CVE-2014-9666.patch: ttsbit.c | 9 +++++---- 1 file changed, 5 insertions(+), 4 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9666.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Wed, 12 Nov 2014 20:42:13 +0000 Subject: [sfnt] Fix Savannah bug #43591. * src/sfnt/ttsbit.c (tt_sbit_decoder_init): Protect against addition and multiplication overflow. --- diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c index da6b01b..b37bd7d 100644 --- a/src/sfnt/ttsbit.c +++ b/src/sfnt/ttsbit.c @@ -380,9 +380,11 @@ p += 34; decoder->bit_depth = *p; - if ( decoder->strike_index_array > face->sbit_table_size || - decoder->strike_index_array + 8 * decoder->strike_index_count > - face->sbit_table_size ) + /* decoder->strike_index_array + */ + /* 8 * decoder->strike_index_count > face->sbit_table_size ? */ + if ( decoder->strike_index_array > face->sbit_table_size || + decoder->strike_index_count > + ( face->sbit_table_size - decoder->strike_index_array ) / 8 ) error = FT_THROW( Invalid_File_Format ); } -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9667.patch: ttload.c | 13 +++++++++---- 1 file changed, 9 insertions(+), 4 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9667.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Wed, 12 Nov 2014 20:26:44 +0000 Subject: [sfnt] Fix Savannah bug #43590. * src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir): Protect against addition overflow. --- diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c index 0a3cd29..8338150 100644 --- a/src/sfnt/ttload.c +++ b/src/sfnt/ttload.c @@ -5,7 +5,7 @@ /* Load the basic TrueType tables, i.e., tables that can be either in */ /* TTF or OTF fonts (body). */ /* */ -/* Copyright 1996-2010, 2012, 2013 by */ +/* Copyright 1996-2010, 2012-2014 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -207,7 +207,10 @@ } /* we ignore invalid tables */ - if ( table.Offset + table.Length > stream->size ) + + /* table.Offset + table.Length > stream->size ? */ + if ( table.Length > stream->size || + table.Offset > stream->size - table.Length ) { FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn )); continue; @@ -395,7 +398,10 @@ entry->Length = FT_GET_ULONG(); /* ignore invalid tables */ - if ( entry->Offset + entry->Length > stream->size ) + + /* entry->Offset + entry->Length > stream->size ? */ + if ( entry->Length > stream->size || + entry->Offset > stream->size - entry->Length ) continue; else { -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9668.patch: sfobjs.c | 7 ++++--- 1 file changed, 4 insertions(+), 3 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9668.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Wed, 12 Nov 2014 20:06:08 +0000 Subject: [sfnt] Fix Savannah bug #43589. * src/sfnt/sfobjs.c (woff_open_font): Protect against addition overflow. --- diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c index cfea9cd..70b988d 100644 --- a/src/sfnt/sfobjs.c +++ b/src/sfnt/sfobjs.c @@ -574,8 +574,10 @@ if ( table->Offset != woff_offset || - table->Offset + table->CompLength > woff.length || - sfnt_offset + table->OrigLength > woff.totalSfntSize || + table->CompLength > woff.length || + table->Offset > woff.length - table->CompLength || + table->OrigLength > woff.totalSfntSize || + sfnt_offset > woff.totalSfntSize - table->OrigLength || table->CompLength > table->OrigLength ) { error = FT_THROW( Invalid_Table ); -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9669.patch: ttcmap.c | 40 ++++++++++++++++++++++++++++++---------- 1 file changed, 30 insertions(+), 10 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9669.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Wed, 12 Nov 2014 19:51:20 +0000 Subject: [sfnt] Fix Savannah bug #43588. * src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate, tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect against overflow in additions and multiplications. --- diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c index f9acf5d..712bd4f 100644 --- a/src/sfnt/ttcmap.c +++ b/src/sfnt/ttcmap.c @@ -1669,7 +1669,8 @@ p = is32 + 8192; /* skip `is32' array */ num_groups = TT_NEXT_ULONG( p ); - if ( p + num_groups * 12 > valid->limit ) + /* p + num_groups * 12 > valid->limit ? */ + if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 ) FT_INVALID_TOO_SHORT; /* check groups, they must be in increasing order */ @@ -1694,7 +1695,12 @@ if ( valid->level >= FT_VALIDATE_TIGHT ) { - if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ) + FT_UInt32 d = end - start; + + + /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */ + if ( d > TT_VALID_GLYPH_COUNT( valid ) || + start_id >= TT_VALID_GLYPH_COUNT( valid ) - d ) FT_INVALID_GLYPH_ID; count = (FT_UInt32)( end - start + 1 ); @@ -1892,7 +1898,9 @@ count = TT_NEXT_ULONG( p ); if ( length > (FT_ULong)( valid->limit - table ) || - length < 20 + count * 2 ) + /* length < 20 + count * 2 ? */ + length < 20 || + ( length - 20 ) / 2 < count ) FT_INVALID_TOO_SHORT; /* check glyph indices */ @@ -2079,7 +2087,9 @@ num_groups = TT_NEXT_ULONG( p ); if ( length > (FT_ULong)( valid->limit - table ) || - length < 16 + 12 * num_groups ) + /* length < 16 + 12 * num_groups ? */ + length < 16 || + ( length - 16 ) / 12 < num_groups ) FT_INVALID_TOO_SHORT; /* check groups, they must be in increasing order */ @@ -2101,7 +2111,12 @@ if ( valid->level >= FT_VALIDATE_TIGHT ) { - if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ) + FT_UInt32 d = end - start; + + + /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */ + if ( d > TT_VALID_GLYPH_COUNT( valid ) || + start_id >= TT_VALID_GLYPH_COUNT( valid ) - d ) FT_INVALID_GLYPH_ID; } @@ -2401,7 +2416,9 @@ num_groups = TT_NEXT_ULONG( p ); if ( length > (FT_ULong)( valid->limit - table ) || - length < 16 + 12 * num_groups ) + /* length < 16 + 12 * num_groups ? */ + length < 16 || + ( length - 16 ) / 12 < num_groups ) FT_INVALID_TOO_SHORT; /* check groups, they must be in increasing order */ @@ -2787,7 +2804,9 @@ num_selectors = TT_NEXT_ULONG( p ); if ( length > (FT_ULong)( valid->limit - table ) || - length < 10 + 11 * num_selectors ) + /* length < 10 + 11 * num_selectors ? */ + length < 10 || + ( length - 10 ) / 11 < num_selectors ) FT_INVALID_TOO_SHORT; /* check selectors, they must be in increasing order */ @@ -2823,7 +2842,8 @@ FT_ULong lastBase = 0; - if ( defp + numRanges * 4 > valid->limit ) + /* defp + numRanges * 4 > valid->limit ? */ + if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 ) FT_INVALID_TOO_SHORT; for ( i = 0; i < numRanges; ++i ) @@ -2850,7 +2870,8 @@ FT_ULong i, lastUni = 0; - if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ) + /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */ + if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 ) FT_INVALID_TOO_SHORT; for ( i = 0; i < numMappings; ++i ) -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9670.patch: pcfread.c | 10 +++++++++- 1 file changed, 9 insertions(+), 1 deletion(-) --- NEW FILE freetype-2.5.3-CVE-2014-9670.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Thu, 06 Nov 2014 22:25:05 +0000 Subject: Fix Savannah bug #43548. * src/pcf/pcfread (pcf_get_encodings): Add sanity checks for row and column values. --- diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c index 8db31bd..668c962 100644 --- a/src/pcf/pcfread.c +++ b/src/pcf/pcfread.c @@ -812,6 +812,15 @@ THE SOFTWARE. if ( !PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) ) return FT_THROW( Invalid_File_Format ); + /* sanity checks */ + if ( firstCol < 0 || + firstCol > lastCol || + lastCol > 0xFF || + firstRow < 0 || + firstRow > lastRow || + lastRow > 0xFF ) + return FT_THROW( Invalid_Table ); + FT_TRACE4(( "pdf_get_encodings:\n" )); FT_TRACE4(( " firstCol %d, lastCol %d, firstRow %d, lastRow %d\n", -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9671.patch: pcfread.c | 16 +++++++++++++++- 1 file changed, 15 insertions(+), 1 deletion(-) --- NEW FILE freetype-2.5.3-CVE-2014-9671.patch --- From: Werner Lemberg <wl(a)gnu.org&gt; Date: Thu, 06 Nov 2014 21:32:46 +0000 Subject: Fix Savannah bug #43547. * src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset' values. --- diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c index f63377b..8db31bd 100644 --- a/src/pcf/pcfread.c +++ b/src/pcf/pcfread.c @@ -151,6 +151,21 @@ THE SOFTWARE. break; } + /* we now check whether the `size' and `offset' values are reasonable: */ + /* `offset' + `size' must not exceed the stream size */ + tables = face->toc.tables; + for ( n = 0; n < toc->count; n++ ) + { + /* we need two checks to avoid overflow */ + if ( ( tables->size > stream->size ) || + ( tables->offset > stream->size - tables->size ) ) + { + error = FT_THROW( Invalid_Table ); + goto Exit; + } + tables++; + } + #ifdef FT_DEBUG_LEVEL_TRACE { -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9672.patch: ftmac.c | 6 +++--- 1 file changed, 3 insertions(+), 3 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9672.patch --- From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp&gt; Date: Wed, 26 Nov 2014 07:11:38 +0000 Subject: Fix Savannah bug #43540. * src/base/ftmac.c (parse_fond): Prevent a buffer overrun caused by a font including too many (> 63) strings to store names[] table. --- diff --git a/src/base/ftmac.c b/src/base/ftmac.c index 9b49da8..184a2e1 100644 --- a/src/base/ftmac.c +++ b/src/base/ftmac.c @@ -440,9 +440,10 @@ style = (StyleTable*)p; p += sizeof ( StyleTable ); string_count = EndianS16_BtoN( *(short*)(p) ); + string_count = FT_MIN( 64, string_count ); p += sizeof ( short ); - for ( i = 0; i < string_count && i < 64; i++ ) + for ( i = 0; i < string_count; i++ ) { names[i] = p; p += names[i][0]; @@ -459,7 +460,7 @@ ps_name[ps_name_len] = 0; } if ( style->indexes[face_index] > 1 && - style->indexes[face_index] <= FT_MIN( string_count, 64 ) ) + style->indexes[face_index] <= string_count ) { unsigned char* suffixes = names[style->indexes[face_index] - 1]; -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9673.patch: ftobjs.c | 18 +++++++++++++++++- 1 file changed, 17 insertions(+), 1 deletion(-) --- NEW FILE freetype-2.5.3-CVE-2014-9673.patch --- From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp&gt; Date: Wed, 26 Nov 2014 06:52:23 +0000 Subject: Fix Savannah bug #43539. * src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow by a broken POST table in resource-fork. --- diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c index ffbbc32..922216e 100644 --- a/src/base/ftobjs.c +++ b/src/base/ftobjs.c @@ -1627,6 +1627,11 @@ goto Exit2; if ( FT_READ_LONG( rlen ) ) goto Exit; + if ( rlen < 0 ) + { + error = FT_THROW( Invalid_Offset ); + goto Exit2; + } if ( FT_READ_USHORT( flags ) ) goto Exit; FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", @@ -1644,7 +1649,14 @@ rlen = 0; if ( ( flags >> 8 ) == type ) + { + if ( 0x7FFFFFFFL - rlen < len ) + { + error = FT_THROW( Array_Too_Large ); + goto Exit2; + } len += rlen; + } else { if ( pfb_lenpos + 3 > pfb_len + 2 ) @@ -1673,6 +1685,11 @@ } error = FT_ERR( Cannot_Open_Resource ); + if ( rlen > 0x7FFFFFFFL - pfb_pos ) + { + error = FT_THROW( Array_Too_Large ); + goto Exit2; + } if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len ) goto Exit2; -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9674a.patch: ftobjs.c | 16 ++++++++++++++-- 1 file changed, 14 insertions(+), 2 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9674a.patch --- From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp&gt; Date: Wed, 26 Nov 2014 06:43:29 +0000 Subject: Fix Savannah bug #43538. * src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow by a broken POST table in resource-fork. --- diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c index 4d60e88..ffbbc32 100644 --- a/src/base/ftobjs.c +++ b/src/base/ftobjs.c @@ -1603,10 +1603,23 @@ goto Exit; if ( FT_READ_LONG( temp ) ) goto Exit; + if ( 0 > temp ) + error = FT_THROW( Invalid_Offset ); + else if ( 0x7FFFFFFFL - 6 - pfb_len < temp ) + error = FT_THROW( Array_Too_Large ); + + if ( error ) + goto Exit; + pfb_len += temp + 6; } - if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) ) + if ( 0x7FFFFFFFL - 2 < pfb_len ) + error = FT_THROW( Array_Too_Large ); + else + error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ); + + if ( error ) goto Exit; pfb_data[0] = 0x80; -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9674b.patch: ftobjs.c | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9674b.patch --- From: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp&gt; Date: Wed, 26 Nov 2014 15:20:48 +0000 Subject: * src/base/ftobj.c (Mac_Read_POST_Resource): Additional overflow check in the summation of POST fragment lengths, suggested by Mateusz Jurczyk <mjurczyk(a)google.com&gt;. --- diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c index 4321126..b28216a 100644 --- a/src/base/ftobjs.c +++ b/src/base/ftobjs.c @@ -1604,8 +1604,10 @@ if ( FT_READ_ULONG( temp ) ) goto Exit; FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", i, temp)); - if ( 0x7FFFFFFFUL < temp ) + if ( 0x7FFFFFFFUL < temp || pfb_len + temp + 6 < pfb_len ) { + FT_TRACE2(( " too long fragment length makes" + " pfb_len confused: temp=0x%08x\n", temp )); error = FT_THROW( Invalid_Offset ); goto Exit; } -- cgit v0.9.0.2 freetype-2.5.3-CVE-2014-9675.patch: bdflib.c | 62 +++++++++++++++++++++++++++++++++++++------------------------- 1 file changed, 37 insertions(+), 25 deletions(-) --- NEW FILE freetype-2.5.3-CVE-2014-9675.patch --- commit 2c4832d30939b45c05757f0a05128ce64c4cacc7 Author: Werner Lemberg <wl(a)gnu.org&gt; Date: Fri Nov 7 07:42:33 2014 +0100 Fix Savannah bug #43535. * src/bdf/bdflib.c (_bdf_strncmp): New macro that checks one character more than `strncmp'. s/ft_strncmp/_bdf_strncmp/ everywhere. diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c index 2eda11c..c128526 100644 --- a/src/bdf/bdflib.c +++ b/src/bdf/bdflib.c @@ -169,6 +169,18 @@ sizeof ( _bdf_properties[0] ); + /* An auxiliary macro to parse properties, to be used in conditionals. */ + /* It behaves like `strncmp' but also tests the following character */ + /* whether it is a whitespace or NULL. */ + /* `property' is a constant string of length `n' to compare with. */ +#define _bdf_strncmp( name, property, n ) \ + ( ft_strncmp( name, property, n ) || \ + !( name[n] == ' ' || \ + name[n] == '\0' || \ + name[n] == '\n' || \ + name[n] == '\r' || \ + name[n] == '\t' ) ) + /* Auto correction messages. */ #define ACMSG1 "FONT_ASCENT property missing. " \ "Added `FONT_ASCENT %hd'.\n" @@ -1408,7 +1420,7 @@ /* If the property happens to be a comment, then it doesn't need */ /* to be added to the internal hash table. */ - if ( ft_strncmp( name, "COMMENT", 7 ) != 0 ) + if ( _bdf_strncmp( name, "COMMENT", 7 ) != 0 ) { /* Add the property to the font property table. */ error = hash_insert( fp->name, @@ -1426,13 +1438,13 @@ /* FONT_ASCENT and FONT_DESCENT need to be assigned if they are */ /* present, and the SPACING property should override the default */ /* spacing. */ - if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 ) + if ( _bdf_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 ) font->default_char = fp->value.l; - else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 ) + else if ( _bdf_strncmp( name, "FONT_ASCENT", 11 ) == 0 ) font->font_ascent = fp->value.l; - else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 ) + else if ( _bdf_strncmp( name, "FONT_DESCENT", 12 ) == 0 ) font->font_descent = fp->value.l; - else if ( ft_strncmp( name, "SPACING", 7 ) == 0 ) + else if ( _bdf_strncmp( name, "SPACING", 7 ) == 0 ) { if ( !fp->value.atom ) { @@ -1490,7 +1502,7 @@ memory = font->memory; /* Check for a comment. */ - if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) + if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 ) { linelen -= 7; @@ -1507,7 +1519,7 @@ /* The very first thing expected is the number of glyphs. */ if ( !( p->flags & _BDF_GLYPHS ) ) { - if ( ft_strncmp( line, "CHARS", 5 ) != 0 ) + if ( _bdf_strncmp( line, "CHARS", 5 ) != 0 ) { FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" )); error = FT_THROW( Missing_Chars_Field ); @@ -1541,7 +1553,7 @@ } /* Check for the ENDFONT field. */ - if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 ) + if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 ) { /* Sort the glyphs by encoding. */ ft_qsort( (char *)font->glyphs, @@ -1555,7 +1567,7 @@ } /* Check for the ENDCHAR field. */ - if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 ) + if ( _bdf_strncmp( line, "ENDCHAR", 7 ) == 0 ) { p->glyph_enc = 0; p->flags &= ~_BDF_GLYPH_BITS; @@ -1571,7 +1583,7 @@ goto Exit; /* Check for the STARTCHAR field. */ - if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 ) + if ( _bdf_strncmp( line, "STARTCHAR", 9 ) == 0 ) { /* Set the character name in the parse info first until the */ /* encoding can be checked for an unencoded character. */ @@ -1605,7 +1617,7 @@ } /* Check for the ENCODING field. */ - if ( ft_strncmp( line, "ENCODING", 8 ) == 0 ) + if ( _bdf_strncmp( line, "ENCODING", 8 ) == 0 ) { if ( !( p->flags & _BDF_GLYPH ) ) { @@ -1791,7 +1803,7 @@ } /* Expect the SWIDTH (scalable width) field next. */ - if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 ) + if ( _bdf_strncmp( line, "SWIDTH", 6 ) == 0 ) { if ( !( p->flags & _BDF_ENCODING ) ) goto Missing_Encoding; @@ -1807,7 +1819,7 @@ } /* Expect the DWIDTH (scalable width) field next. */ - if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 ) + if ( _bdf_strncmp( line, "DWIDTH", 6 ) == 0 ) { if ( !( p->flags & _BDF_ENCODING ) ) goto Missing_Encoding; @@ -1835,7 +1847,7 @@ } /* Expect the BBX field next. */ - if ( ft_strncmp( line, "BBX", 3 ) == 0 ) + if ( _bdf_strncmp( line, "BBX", 3 ) == 0 ) { if ( !( p->flags & _BDF_ENCODING ) ) goto Missing_Encoding; @@ -1903,7 +1915,7 @@ } /* And finally, gather up the bitmap. */ - if ( ft_strncmp( line, "BITMAP", 6 ) == 0 ) + if ( _bdf_strncmp( line, "BITMAP", 6 ) == 0 ) { unsigned long bitmap_size; @@ -1978,7 +1990,7 @@ p = (_bdf_parse_t *) client_data; /* Check for the end of the properties. */ - if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 ) + if ( _bdf_strncmp( line, "ENDPROPERTIES", 13 ) == 0 ) { /* If the FONT_ASCENT or FONT_DESCENT properties have not been */ /* encountered yet, then make sure they are added as properties and */ @@ -2019,12 +2031,12 @@ } /* Ignore the _XFREE86_GLYPH_RANGES properties. */ - if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 ) + if ( _bdf_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 ) goto Exit; /* Handle COMMENT fields and properties in a special way to preserve */ /* the spacing. */ - if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) + if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 ) { name = value = line; value += 7; @@ -2088,7 +2100,7 @@ /* Check for a comment. This is done to handle those fonts that have */ /* comments before the STARTFONT line for some reason. */ - if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) + if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 ) { if ( p->opts->keep_comments != 0 && p->font != 0 ) { @@ -2114,7 +2126,7 @@ { memory = p->memory; - if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 ) + if ( _bdf_strncmp( line, "STARTFONT", 9 ) != 0 ) { /* we don't emit an error message since this code gets */ /* explicitly caught one level higher */ @@ -2162,7 +2174,7 @@ } /* Check for the start of the properties. */ - if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 ) + if ( _bdf_strncmp( line, "STARTPROPERTIES", 15 ) == 0 ) { if ( !( p->flags & _BDF_FONT_BBX ) ) { @@ -2191,7 +2203,7 @@ } /* Check for the FONTBOUNDINGBOX field. */ - if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 ) + if ( _bdf_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 ) { if ( !( p->flags & _BDF_SIZE ) ) { @@ -2222,7 +2234,7 @@ } /* The next thing to check for is the FONT field. */ - if ( ft_strncmp( line, "FONT", 4 ) == 0 ) + if ( _bdf_strncmp( line, "FONT", 4 ) == 0 ) { error = _bdf_list_split( &p->list, (char *)" +", line, linelen ); if ( error ) @@ -2257,7 +2269,7 @@ } /* Check for the SIZE field. */ - if ( ft_strncmp( line, "SIZE", 4 ) == 0 ) + if ( _bdf_strncmp( line, "SIZE", 4 ) == 0 ) { if ( !( p->flags & _BDF_FONT_NAME ) ) { @@ -2311,7 +2323,7 @@ } /* Check for the CHARS field -- font properties are optional */ - if ( ft_strncmp( line, "CHARS", 5 ) == 0 ) + if ( _bdf_strncmp( line, "CHARS", 5 ) == 0 ) { char nbuf[128]; freetype-2.5.3-unsigned-long.patch: ftobjs.c | 59 ++++++++++++++++++++++++++++++----------------------------- 1 file changed, 30 insertions(+), 29 deletions(-) --- NEW FILE freetype-2.5.3-unsigned-long.patch --- commit 453316792fee912cfced48e9e270e9eb19892e64 Author: suzuki toshiya <mpsuzuki(a)hiroshima-u.ac.jp&gt; Date: Wed Nov 26 16:02:17 2014 +0900 * src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long variables to read the lengths in POST fragments. Suggested by Mateusz Jurczyk <mjurczyk(a)google.com&gt;. diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c index 922216e..dfad24a 100644 --- a/src/base/ftobjs.c +++ b/src/base/ftobjs.c @@ -1583,9 +1583,9 @@ FT_Memory memory = library->memory; FT_Byte* pfb_data = NULL; int i, type, flags; - FT_Long len; - FT_Long pfb_len, pfb_pos, pfb_lenpos; - FT_Long rlen, temp; + FT_ULong len; + FT_ULong pfb_len, pfb_pos, pfb_lenpos; + FT_ULong rlen, temp; if ( face_index == -1 ) @@ -1601,25 +1601,25 @@ error = FT_Stream_Seek( stream, offsets[i] ); if ( error ) goto Exit; - if ( FT_READ_LONG( temp ) ) + if ( FT_READ_ULONG( temp ) ) goto Exit; - if ( 0 > temp ) + FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", i, temp)); + if ( 0x7FFFFFFFUL < temp ) + { error = FT_THROW( Invalid_Offset ); - else if ( 0x7FFFFFFFL - 6 - pfb_len < temp ) - error = FT_THROW( Array_Too_Large ); - - if ( error ) goto Exit; + } pfb_len += temp + 6; } - if ( 0x7FFFFFFFL - 2 < pfb_len ) + FT_TRACE2(( " total buffer size to concatenate %d POST fragments: 0x%08x\n", + resource_cnt, pfb_len + 2)); + if ( pfb_len + 2 < 6 ) { error = FT_THROW( Array_Too_Large ); - else - error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ); - - if ( error ) + goto Exit; + } + if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) ) goto Exit; pfb_data[0] = 0x80; @@ -1638,21 +1640,25 @@ error = FT_Stream_Seek( stream, offsets[i] ); if ( error ) goto Exit2; - if ( FT_READ_LONG( rlen ) ) + if ( FT_READ_ULONG( rlen ) ) goto Exit; - if ( rlen < 0 ) + if ( 0x7FFFFFFFUL < rlen ) { error = FT_THROW( Invalid_Offset ); goto Exit2; } if ( FT_READ_USHORT( flags ) ) goto Exit; FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", i, offsets[i], rlen, flags )); + error = FT_ERR( Array_Too_Large ); /* postpone the check of rlen longer than buffer until FT_Stream_Read() */ if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */ + { + FT_TRACE3(( " Skip POST fragment #%d because it is a comment\n", i )); continue; + } /* the flags are part of the resource, so rlen >= 2. */ /* but some fonts declare rlen = 0 for empty fragment */ @@ -1662,16 +1670,10 @@ rlen = 0; if ( ( flags >> 8 ) == type ) - { - if ( 0x7FFFFFFFL - rlen < len ) - { - error = FT_THROW( Array_Too_Large ); - goto Exit2; - } len += rlen; - } else { + FT_TRACE3(( " Write POST fragment #%d header (4-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos )); if ( pfb_lenpos + 3 > pfb_len + 2 ) goto Exit2; pfb_data[pfb_lenpos ] = (FT_Byte)( len ); @@ -1682,6 +1684,7 @@ if ( ( flags >> 8 ) == 5 ) /* End of font mark */ break; + FT_TRACE3(( " Write POST fragment #%d header (6-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_pos )); if ( pfb_pos + 6 > pfb_len + 2 ) goto Exit2; pfb_data[pfb_pos++] = 0x80; @@ -1697,21 +1700,17 @@ pfb_data[pfb_pos++] = 0; } - error = FT_ERR( Cannot_Open_Resource ); - if ( rlen > 0x7FFFFFFFL - pfb_pos ) - { - error = FT_THROW( Array_Too_Large ); - goto Exit2; - } if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len ) goto Exit2; + FT_TRACE3(( " Load POST fragment #%d (%d byte) to buffer 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos )); error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen ); if ( error ) goto Exit2; pfb_pos += rlen; } + error = FT_ERR( Array_Too_Large ); if ( pfb_pos + 2 > pfb_len + 2 ) goto Exit2; pfb_data[pfb_pos++] = 0x80; @@ -1732,6 +1731,12 @@ aface ); Exit2: + if ( error == FT_ERR( Array_Too_Large ) ) + FT_TRACE2(( " Abort due to too-short buffer to store all POST fragments\n" )); + else if ( error == FT_ERR( Invalid_Offset ) ) + FT_TRACE2(( " Abort due to invalid offset in a POST fragment\n" )); + if ( error ) + error = FT_ERR( Cannot_Open_Resource ); FT_FREE( pfb_data ); Exit: Index: freetype-freeworld.spec =================================================================== RCS file: /cvs/free/rpms/freetype-freeworld/devel/freetype-freeworld.spec,v retrieving revision 1.37 retrieving revision 1.38 diff -u -r1.37 -r1.38 --- freetype-freeworld.spec 12 Dec 2014 03:58:15 -0000 1.37 +++ freetype-freeworld.spec 18 Feb 2015 01:32:07 -0000 1.38 @@ -1,7 +1,7 @@ Summary: A free and portable font rendering engine Name: freetype-freeworld Version: 2.5.3 -Release: 3%{?dist} +Release: 4%{?dist} License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement URL: http://www.freetype.org Source: http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.ta... @@ -12,10 +12,37 @@ Patch46: freetype-2.2.1-enable-valid.patch ## Security fixes: -# https://bugzilla.gnome.org/show_bug.cgi?id=1172634 +# https://bugzilla.redhat.com/show_bug.cgi?id=1172634 Patch93: freetype-2.5.3-hintmask.patch Patch94: freetype-2.5.3-hintmap.patch +# https://bugzilla.redhat.com/show_bug.cgi?id=1191099 +# https://bugzilla.redhat.com/show_bug.cgi?id=1191191 +# https://bugzilla.redhat.com/show_bug.cgi?id=1191193 +Patch95: freetype-2.5.3-CVE-2014-9656.patch +Patch96: freetype-2.5.3-CVE-2014-9657.patch +Patch97: freetype-2.5.3-CVE-2014-9658.patch +Patch98: freetype-2.5.3-CVE-2014-9675.patch +Patch99: freetype-2.5.3-CVE-2014-9660.patch +Patch100: freetype-2.5.3-CVE-2014-9661a.patch +Patch101: freetype-2.5.3-CVE-2014-9661b.patch +Patch102: freetype-2.5.3-CVE-2014-9662.patch +Patch103: freetype-2.5.3-CVE-2014-9663.patch +Patch104: freetype-2.5.3-CVE-2014-9664a.patch +Patch105: freetype-2.5.3-CVE-2014-9664b.patch +Patch106: freetype-2.5.3-CVE-2014-9665.patch +Patch107: freetype-2.5.3-CVE-2014-9666.patch +Patch108: freetype-2.5.3-CVE-2014-9667.patch +Patch109: freetype-2.5.3-CVE-2014-9668.patch +Patch110: freetype-2.5.3-CVE-2014-9669.patch +Patch111: freetype-2.5.3-CVE-2014-9670.patch +Patch112: freetype-2.5.3-CVE-2014-9671.patch +Patch113: freetype-2.5.3-CVE-2014-9672.patch +Patch114: freetype-2.5.3-CVE-2014-9673.patch +Patch115: freetype-2.5.3-CVE-2014-9674a.patch +Patch116: freetype-2.5.3-unsigned-long.patch +Patch117: freetype-2.5.3-CVE-2014-9674b.patch + Provides: freetype-bytecode Provides: freetype-subpixel @@ -47,6 +74,30 @@ %patch93 -p1 -b .hintmask %patch94 -p1 -b .hintmap +%patch95 -p1 -b .CVE-2014-9656 +%patch96 -p1 -b .CVE-2014-9657 +%patch97 -p1 -b .CVE-2014-9658 +%patch98 -p1 -b .CVE-2014-9675 +%patch99 -p1 -b .CVE-2014-9660 +%patch100 -p1 -b .CVE-2014-9661a +%patch101 -p1 -b .CVE-2014-9661b +%patch102 -p1 -b .CVE-2014-9662 +%patch103 -p1 -b .CVE-2014-9663 +%patch104 -p1 -b .CVE-2014-9664a +%patch105 -p1 -b .CVE-2014-9664b +%patch106 -p1 -b .CVE-2014-9665 +%patch107 -p1 -b .CVE-2014-9666 +%patch108 -p1 -b .CVE-2014-9667 +%patch109 -p1 -b .CVE-2014-9668 +%patch110 -p1 -b .CVE-2014-9669 +%patch111 -p1 -b .CVE-2014-9670 +%patch112 -p1 -b .CVE-2014-9671 +%patch113 -p1 -b .CVE-2014-9672 +%patch114 -p1 -b .CVE-2014-9673 +%patch115 -p1 -b .CVE-2014-9674a +%patch116 -p1 -b .unsigned-long +%patch117 -p1 -b .CVE-2014-9674b + %build %configure --disable-static @@ -85,6 +136,56 @@ %config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf %changelog +* Wed Feb 18 2015 Kevin Kofler <Kevin(a)tigcc.ticalc.org&gt; 2.5.3-4 +- Add freetype-2.5.3-CVE-2014-9656.patch from Fedora freetype (rh#1191099) + (Check `p' before `num_glyphs'.) +- Add freetype-2.5.3-CVE-2014-9657.patch from Fedora freetype (rh#1191099) + (Check minimum size of `record_size'.) +- Add freetype-2.5.3-CVE-2014-9658.patch from Fedora freetype (rh#1191099) + (Use correct value for minimum table length test.) +- Add freetype-2.5.3-CVE-2014-9675.patch from Fedora freetype (rh#1191193) + (New macro that checks one character more than `strncmp'.) +- Add freetype-2.5.3-CVE-2014-9660.patch from Fedora freetype (rh#1191099) + (Check `_BDF_GLYPH_BITS'.) +- Add freetype-2.5.3-CVE-2014-9661a.patch from Fedora freetype (rh#1191099) + (Initialize `face->ttf_size'. Always set `face->ttf_size' directly.) +- Add freetype-2.5.3-CVE-2014-9661b.patch from Fedora freetype (rh#1191099) + (Exclusively use the `truetype' font driver for loading the font contained + in the `sfnts' array.) +- Add freetype-2.5.3-CVE-2014-9662.patch from Fedora freetype (rh#1191099) + (Handle return values of point allocation routines.) +- Add freetype-2.5.3-CVE-2014-9663.patch from Fedora freetype (rh#1191099) + (Fix order of validity tests.) +- Add freetype-2.5.3-CVE-2014-9664a.patch from Fedora freetype (rh#1191099) + (Add another boundary testing.) +- Add freetype-2.5.3-CVE-2014-9664b.patch from Fedora freetype (rh#1191099) + (Fix boundary testing.) +- Add freetype-2.5.3-CVE-2014-9665.patch from Fedora freetype (rh#1191099) + (Protect against too large bitmaps.) +- Add freetype-2.5.3-CVE-2014-9666.patch from Fedora freetype (rh#1191099) + (Protect against addition and multiplication overflow.) +- Add freetype-2.5.3-CVE-2014-9667.patch from Fedora freetype (rh#1191099) + (Protect against addition overflow.) +- Add freetype-2.5.3-CVE-2014-9668.patch from Fedora freetype (rh#1191099) + (Protect against addition overflow.) +- Add freetype-2.5.3-CVE-2014-9669.patch from Fedora freetype (rh#1191099) + (Protect against overflow in additions and multiplications.) +- Add freetype-2.5.3-CVE-2014-9670.patch from Fedora freetype (rh#1191099) + (Add sanity checks for row and column values.) +- Add freetype-2.5.3-CVE-2014-9671.patch from Fedora freetype (rh#1191099) + (Check `size' and `offset' values.) +- Add freetype-2.5.3-CVE-2014-9672.patch from Fedora freetype (rh#1191095) + (Prevent a buffer overrun caused by a font including too many (> 63) strings + to store names[] table.) +- Add freetype-2.5.3-CVE-2014-9673.patch from Fedora freetype (rh#1191096) + (Fix integer overflow by a broken POST table in resource-fork.) +- Add freetype-2.5.3-CVE-2014-9674a.patch from Fedora freetype (rh#1191191) + (Fix integer overflow by a broken POST table in resource-fork.) +- Add freetype-2.5.3-unsigned-long.patch from Fedora freetype (rh#1191191) + (Use unsigned long variables to read the lengths in POST fragments.) +- Add freetype-2.5.3-CVE-2014-9674b.patch from Fedora freetype (rh#1191191) + (Additional overflow check in the summation of POST fragment lengths.) + * Fri Dec 12 2014 Kevin Kofler <Kevin(a)tigcc.ticalc.org&gt; 2.5.3-3 - Add freetype-2.5.3-hintmask.patch from Fedora freetype (rh#1172634) (Don't append to stem arrays after hintmask is constructed.)