rpms/freetype-freeworld/F-12 freetype-2.3.11-CVE-2010-3855.patch, NONE, 1.1 freetype-freeworld.spec, 1.10, 1.11

Kevin Kofler kkofler at rpmfusion.org
Mon Nov 15 13:46:43 CET 2010 

Author: kkofler

Update of /cvs/free/rpms/freetype-freeworld/F-12
In directory se02.es.rpmfusion.net:/tmp/cvs-serv27073/F-12

Modified Files:
	freetype-freeworld.spec 
Added Files:
	freetype-2.3.11-CVE-2010-3855.patch 
Log Message:
* Mon Nov 15 2010 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.3.11-3
- Add freetype-2.3.11-CVE-2010-3855.patch
    (Protect against invalid `runcnt' values.)
- Resolves: rh#651764

freetype-2.3.11-CVE-2010-3855.patch:
 ttgxvar.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- NEW FILE freetype-2.3.11-CVE-2010-3855.patch ---
--- freetype-2.3.11/src/truetype/ttgxvar.c	2009-07-31 18:45:19.000000000 +0200
+++ freetype-2.3.11/src/truetype/ttgxvar.c	2010-11-15 10:26:22.517444003 +0100
@@ -157,7 +157,7 @@
         runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
         first  = points[i++] = FT_GET_USHORT();
 
-        if ( runcnt < 1 )
+        if ( runcnt < 1 || i + runcnt >= n )
           goto Exit;
 
         /* first point not included in runcount */
@@ -168,7 +168,7 @@
       {
         first = points[i++] = FT_GET_BYTE();
 
-        if ( runcnt < 1 )
+        if ( runcnt < 1 || i + runcnt >= n )
           goto Exit;
 
         for ( j = 0; j < runcnt; ++j )


Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-12/freetype-freeworld.spec,v
retrieving revision 1.10
retrieving revision 1.11
diff -u -r1.10 -r1.11
--- freetype-freeworld.spec	5 Oct 2010 14:46:15 -0000	1.10
+++ freetype-freeworld.spec	15 Nov 2010 12:46:42 -0000	1.11
@@ -8,7 +8,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype-freeworld
 Version: 2.3.11
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: FTL or GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -32,6 +32,7 @@
 Patch98:  freetype-2.3.11-CVE-2010-2806.patch
 Patch99:  freetype-2.3.11-CVE-2010-2808.patch
 Patch100:  freetype-2.3.11-CVE-2010-3311.patch
+Patch101:  freetype-2.3.11-CVE-2010-3855.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
@@ -82,6 +83,7 @@
 %patch98 -p1 -b .CVE-2010-2806
 %patch99 -p1 -b .CVE-2010-2808
 %patch100 -p1 -b .CVE-2010-3311
+%patch101 -p1 -b .CVE-2010-3855
 
 %build
 
@@ -131,6 +133,11 @@
 %config(noreplace) %{_sysconfdir}/fonts/conf.d/*.conf
 
 %changelog
+* Mon Nov 15 2010 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.3.11-3
+- Add freetype-2.3.11-CVE-2010-3855.patch
+    (Protect against invalid `runcnt' values.)
+- Resolves: rh#651764
+
 * Tue Oct 05 2010 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.3.11-2
 - Update the description to reflect that the bytecode interpreter is no longer
   patented (but still disabled in the stock Fedora freetype).

More information about the rpmfusion-commits mailing list