rpms/freetype-freeworld/F-13 freetype-2.3.11-CVE-2010-3855.patch, NONE, 1.1 freetype-freeworld.spec, 1.11, 1.12

Kevin Kofler kkofler at rpmfusion.org
Mon Nov 15 13:46:19 CET 2010


Author: kkofler

Update of /cvs/free/rpms/freetype-freeworld/F-13
In directory se02.es.rpmfusion.net:/tmp/cvs-serv27043/F-13

Modified Files:
	freetype-freeworld.spec 
Added Files:
	freetype-2.3.11-CVE-2010-3855.patch 
Log Message:
* Mon Nov 15 2010 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.3.11-4
- Add freetype-2.3.11-CVE-2010-3855.patch
    (Protect against invalid `runcnt' values.)
- Resolves: rh#651764

freetype-2.3.11-CVE-2010-3855.patch:
 ttgxvar.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- NEW FILE freetype-2.3.11-CVE-2010-3855.patch ---
--- freetype-2.3.11/src/truetype/ttgxvar.c	2009-07-31 18:45:19.000000000 +0200
+++ freetype-2.3.11/src/truetype/ttgxvar.c	2010-11-15 10:26:22.517444003 +0100
@@ -157,7 +157,7 @@
         runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
         first  = points[i++] = FT_GET_USHORT();
 
-        if ( runcnt < 1 )
+        if ( runcnt < 1 || i + runcnt >= n )
           goto Exit;
 
         /* first point not included in runcount */
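Review bot: The added test in `if ( runcnt < 1 || i + runcnt >= n )` runs only after `first = points[i++] = FT_GET_USHORT();` on the line above has already stored into `points`, so that store is not covered by the new check. It relies on the enclosing loop guaranteeing `i < n` on entry, which the context lines here do not show. Suggest confirming that guard in the surrounding code, or testing `i` before the store, and adding a one-line comment saying what `n` bounds so the intent of the check is documented next to it.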
@@ -168,7 +168,7 @@
       {
         first = points[i++] = FT_GET_BYTE();
 
-        if ( runcnt < 1 )
+        if ( runcnt < 1 || i + runcnt >= n )
           goto Exit;
 
         for ( j = 0; j < runcnt; ++j )
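Review bot: The comparison `i + runcnt >= n` in this byte-sized branch looks one stricter than the loop needs. If `for ( j = 0; j < runcnt; ++j )` stores one entry per iteration starting at `points[i]`, the last index written is `i + runcnt - 1`, so a run with `i + runcnt == n` would still fit and `>` would be the exact bound. With `>=`, a point list whose final run ends exactly at `n` takes `goto Exit` early. The loop body is outside the visible context, so this should be confirmed against it; the same question applies to the identical test in the hunk above.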


Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-13/freetype-freeworld.spec,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- freetype-freeworld.spec	5 Oct 2010 14:46:16 -0000	1.11
+++ freetype-freeworld.spec	15 Nov 2010 12:46:19 -0000	1.12
@@ -8,7 +8,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype-freeworld
 Version: 2.3.11
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: FTL or GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -31,6 +31,7 @@
 Patch98:  freetype-2.3.11-CVE-2010-2806.patch
 Patch99:  freetype-2.3.11-CVE-2010-2808.patch
 Patch100:  freetype-2.3.11-CVE-2010-3311.patch
+Patch101:  freetype-2.3.11-CVE-2010-3855.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
@@ -81,6 +82,7 @@
 %patch98 -p1 -b .CVE-2010-2806
 %patch99 -p1 -b .CVE-2010-2808
 %patch100 -p1 -b .CVE-2010-3311
+%patch101 -p1 -b .CVE-2010-3855
 
 %build
 
@@ -125,6 +127,11 @@
 %config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
 
 %changelog
+* Mon Nov 15 2010 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.3.11-4
+- Add freetype-2.3.11-CVE-2010-3855.patch
+    (Protect against invalid `runcnt' values.)
+- Resolves: rh#651764
+
 * Tue Oct 05 2010 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.3.11-3
 - Update the description to reflect that the bytecode interpreter was disabled
   in Fedora again.


