rpms/freetype-freeworld/F-12 freetype-2.3.11-CVE-2010-1797.patch, NONE, 1.1 freetype-2.3.11-CVE-2010-2498.patch, NONE, 1.1 freetype-2.3.11-CVE-2010-2499.patch, NONE, 1.1 freetype-2.3.11-CVE-2010-2500.patch, NONE, 1.1 freetype-2.3.11-CVE-2010-2519.patch, NONE, 1.1 freetype-2.3.11-CVE-2010-2520.patch, NONE, 1.1 freetype-2.3.11-CVE-2010-2527.patch, NONE, 1.1 freetype-2.3.11-CVE-2010-2541.patch, NONE, 1.1 freetype-2.3.11-CVE-2010-2805.patch, NONE, 1.1 freetype-2.3.11-CVE-2010-2806.patch, NONE, 1.1 freetype-2.3.11-CVE-2010-2808.patch, NONE, 1.1 freetype-2.3.11-CVE-2010-3311.patch, NONE, 1.1 freetype-freeworld.spec, 1.7, 1.8

Kevin Kofler kkofler at rpmfusion.org
Tue Oct 5 16:03:18 CEST 2010


Author: kkofler

Update of /cvs/free/rpms/freetype-freeworld/F-12
In directory se02.es.rpmfusion.net:/tmp/cvs-serv9917/F-12

Modified Files:
	freetype-freeworld.spec 
Added Files:
	freetype-2.3.11-CVE-2010-1797.patch 
	freetype-2.3.11-CVE-2010-2498.patch 
	freetype-2.3.11-CVE-2010-2499.patch 
	freetype-2.3.11-CVE-2010-2500.patch 
	freetype-2.3.11-CVE-2010-2519.patch 
	freetype-2.3.11-CVE-2010-2520.patch 
	freetype-2.3.11-CVE-2010-2527.patch 
	freetype-2.3.11-CVE-2010-2541.patch 
	freetype-2.3.11-CVE-2010-2805.patch 
	freetype-2.3.11-CVE-2010-2806.patch 
	freetype-2.3.11-CVE-2010-2808.patch 
	freetype-2.3.11-CVE-2010-3311.patch 
Log Message:
* Tue Oct 05 2010 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.3.11-2
- Update the description to reflect that the bytecode interpreter is no longer
  patented (but still disabled in the stock Fedora freetype).
- Add freetype-2.3.11-CVE-2010-2805.patch
    (Fix comparison.)
- Add freetype-2.3.11-CVE-2010-2806.patch
    (Protect against negative string_size. Fix comparison.)
- Add freetype-2.3.11-CVE-2010-2808.patch
    (Check the total length of collected POST segments.)
- Add freetype-2.3.11-CVE-2010-3311.patch
    (Don't seek behind end of stream.)
- Resolves: rh#638522
- Add freetype-2.3.11-CVE-2010-1797.patch
    (Check stack after execution of operations too.
     Skip the evaluations of the values in decoder, if
     cff_decoder_parse_charstrings() returns any error.)
- Resolves: rh#621627
- Add freetype-2.3.11-CVE-2010-2498.patch
    (Assure that `end_point' is not larger than `glyph->num_points')
- Add freetype-2.3.11-CVE-2010-2499.patch
    (Check the buffer size during gathering PFB fragments)
- Add freetype-2.3.11-CVE-2010-2500.patch
    (Use smaller threshold values for `width' and `height')
- Add freetype-2.3.11-CVE-2010-2519.patch
    (Check `rlen' the length of fragment declared in the POST fragment header)
- Add freetype-2.3.11-CVE-2010-2520.patch
    (Fix bounds check)
- Add freetype-2.3.11-CVE-2010-2527.patch
    (Use precision for `%s' where appropriate to avoid buffer overflows)
- Add freetype-2.3.11-CVE-2010-2541.patch
    (Avoid overflow when dealing with names of axes)
- Resolves: rh#613299

freetype-2.3.11-CVE-2010-1797.patch:
 cffgload.c |   73 ++++++++++++++++++++++++++++++++++---------------------------
 1 file changed, 41 insertions(+), 32 deletions(-)

--- NEW FILE freetype-2.3.11-CVE-2010-1797.patch ---
--- freetype-2.3.11/src/cff/cffgload.c	2009-09-10 17:52:21.000000000 +0200
+++ freetype-2.3.11/src/cff/cffgload.c	2010-08-11 13:39:32.000000000 +0200
@@ -2358,8 +2358,11 @@
           return CFF_Err_Unimplemented_Feature;
         }
 
-      decoder->top = args;
+        decoder->top = args;
 
+        if ( decoder->top - stack >= CFF_MAX_OPERANDS )
+          goto Stack_Overflow;
+ 
       } /* general operator processing */
 
     } /* while ip < limit */
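Review bot: the added blank line after `goto Stack_Overflow;` carries a trailing space (the `+ ` line); drop it so the hunk does not introduce whitespace noise. On the logic: the new check runs after `decoder->top = args` for every general operator, so an operator that leaves more than CFF_MAX_OPERANDS results on the stack is now caught on the way out as well as on the way in, which is what the changelog describes.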
@@ -2627,48 +2630,54 @@
       /* now load the unscaled outline */
       error = cff_get_glyph_data( face, glyph_index,
                                   &charstring, &charstring_len );
-      if ( !error )
-      {
-        error = cff_decoder_prepare( &decoder, size, glyph_index );
-        if ( !error )
-        {
-          error = cff_decoder_parse_charstrings( &decoder,
-                                                 charstring,
-                                                 charstring_len );
+      if ( error )
+        goto Glyph_Build_Finished;
+
+      error = cff_decoder_prepare( &decoder, size, glyph_index );
+      if ( error )
+        goto Glyph_Build_Finished;
 
-          cff_free_glyph_data( face, &charstring, charstring_len );
+      error = cff_decoder_parse_charstrings( &decoder,
+                                             charstring,
+                                             charstring_len );
+
+      cff_free_glyph_data( face, &charstring, charstring_len );
+
+      if ( error )
+        goto Glyph_Build_Finished;
 
 
 #ifdef FT_CONFIG_OPTION_INCREMENTAL
-          /* Control data and length may not be available for incremental */
-          /* fonts.                                                       */
-          if ( face->root.internal->incremental_interface )
-          {
-            glyph->root.control_data = 0;
-            glyph->root.control_len = 0;
-          }
-          else
+      /* Control data and length may not be available for incremental */
+      /* fonts.                                                       */
+      if ( face->root.internal->incremental_interface )
+      {
+        glyph->root.control_data = 0;
+        glyph->root.control_len = 0;
+      }
+      else
 #endif /* FT_CONFIG_OPTION_INCREMENTAL */
 
-          /* We set control_data and control_len if charstrings is loaded. */
-          /* See how charstring loads at cff_index_access_element() in     */
-          /* cffload.c.                                                    */
-          {
-            CFF_Index  csindex = &cff->charstrings_index;
+      /* We set control_data and control_len if charstrings is loaded. */
+      /* See how charstring loads at cff_index_access_element() in     */
+      /* cffload.c.                                                    */
+      {
+        CFF_Index  csindex = &cff->charstrings_index;
 
 
-            if ( csindex->offsets )
-            {
-              glyph->root.control_data = csindex->bytes +
-                                           csindex->offsets[glyph_index] - 1;
-              glyph->root.control_len  = charstring_len;
-            }
-          }
+        if ( csindex->offsets )
+        {
+          glyph->root.control_data = csindex->bytes +
+                                     csindex->offsets[glyph_index] - 1;
+          glyph->root.control_len  = charstring_len;
         }
       }
 
-      /* save new glyph tables */
-      cff_builder_done( &decoder.builder );
+  Glyph_Build_Finished:
+      /* save new glyph tables, if no error */
+      if ( !error )
+        cff_builder_done( &decoder.builder );
+      /* XXX: anything to do for broken glyph entry? */
     }
 
 #ifdef FT_CONFIG_OPTION_INCREMENTAL
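Review bot: the error path after `cff_decoder_prepare()` jumps to `Glyph_Build_Finished` without passing `cff_free_glyph_data()`, which now sits after `cff_decoder_parse_charstrings()`. The charstring obtained from `cff_get_glyph_data()` is therefore not released when prepare fails. The pre-patch nesting had the same gap, but the goto structure makes it easy to close: move the free up, or add a second label that frees before falling through. The `XXX: anything to do for broken glyph entry?` comment should also be resolved or turned into a concrete TODO before this ships, since skipping `cff_builder_done()` on error is the whole point of the change.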

freetype-2.3.11-CVE-2010-2498.patch:
 pshalgo.c |   12 +++++++++---
 1 file changed, 9 insertions(+), 3 deletions(-)

--- NEW FILE freetype-2.3.11-CVE-2010-2498.patch ---
--- freetype-2.3.11/src/pshinter/pshalgo.c	2009-07-03 15:28:24.000000000 +0200
+++ freetype-2.3.11/src/pshinter/pshalgo.c	2010-07-13 13:14:22.000000000 +0200
@@ -4,7 +4,8 @@
 /*                                                                         */
 /*    PostScript hinting algorithm (body).                                 */
 /*                                                                         */
-/*  Copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by      */
+/*  Copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010   */
+/*            by                                                           */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used        */
@@ -1690,7 +1691,10 @@
     /* process secondary hints to `selected' points */
     if ( num_masks > 1 && glyph->num_points > 0 )
     {
-      first = mask->end_point;
+      /* the `endchar' op can reduce the number of points */
+      first = mask->end_point > glyph->num_points
+                ? glyph->num_points
+                : mask->end_point;
       mask++;
       for ( ; num_masks > 1; num_masks--, mask++ )
       {
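Review bot: the clamp uses `glyph->num_points` as the upper bound, which is correct only because `end_point` is consumed as an exclusive limit (`count = next - first` in the hunk below); a one-line comment stating that would save the next reader from wondering about an off-by-one. The same three-line ternary is repeated for `next` in the following hunk; a small min helper or macro would keep the clamp in one place.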
@@ -1698,7 +1702,9 @@
         FT_Int   count;
 
 
-        next  = mask->end_point;
+        next  = mask->end_point > glyph->num_points
+                  ? glyph->num_points
+                  : mask->end_point;
         count = next - first;
         if ( count > 0 )
         {

freetype-2.3.11-CVE-2010-2499.patch:
 ftobjs.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

--- NEW FILE freetype-2.3.11-CVE-2010-2499.patch ---
--- freetype-2.3.11/src/base/ftobjs.c	2009-09-02 08:42:41.000000000 +0200
+++ freetype-2.3.11/src/base/ftobjs.c	2010-07-12 16:39:13.000000000 +0200
@@ -1531,6 +1531,8 @@
         len += rlen;
       else
       {
+        if ( pfb_lenpos + 3 > pfb_len + 2 )
+          goto Exit2;
         pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
         pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
         pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
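Review bot: the bound `pfb_len + 2` is written out in every added check in this patch (five times) and reads like the allocated size of `pfb_data`; naming it once (e.g. a local holding the allocation size) would make each `+ 3` / `+ 6` / `+ 2` check obviously match the number of bytes written just below it and keep the bound in a single place if the allocation ever changes.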
@@ -1539,6 +1541,8 @@
         if ( ( flags >> 8 ) == 5 )      /* End of font mark */
           break;
 
+        if ( pfb_pos + 6 > pfb_len + 2 )
+          goto Exit2;
         pfb_data[pfb_pos++] = 0x80;
 
         type = flags >> 8;
@@ -1553,12 +1557,18 @@
       }
 
       error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
+      if ( error )
+        goto Exit2;
       pfb_pos += rlen;
     }
 
+    if ( pfb_pos + 2 > pfb_len + 2 )
+      goto Exit2;
     pfb_data[pfb_pos++] = 0x80;
     pfb_data[pfb_pos++] = 3;
 
+    if ( pfb_lenpos + 3 > pfb_len + 2 )
+      goto Exit2;
     pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
     pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
     pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
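Review bot: the error check after `FT_Stream_Read()` is a good addition, but the read itself still writes `rlen` bytes at `pfb_data + pfb_pos` with no check that `pfb_pos + rlen` fits the buffer; the fixed-size header writes are bounded but the variable-length one is not. The freetype-2.3.11-CVE-2010-2808.patch further down adds exactly that check, so the two patches should be applied together (the spec does), and the gap is worth a note here.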

freetype-2.3.11-CVE-2010-2500.patch:
 ftgrays.c  |    2 +-
 ftsmooth.c |    4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)

--- NEW FILE freetype-2.3.11-CVE-2010-2500.patch ---
--- freetype-2.3.11/src/smooth/ftgrays.c	2009-07-31 18:45:19.000000000 +0200
+++ freetype-2.3.11/src/smooth/ftgrays.c	2010-07-13 10:26:58.000000000 +0200
@@ -1189,7 +1189,7 @@
     /* first of all, compute the scanline offset */
     p = (unsigned char*)map->buffer - y * map->pitch;
     if ( map->pitch >= 0 )
-      p += ( map->rows - 1 ) * map->pitch;
+      p += (unsigned)( ( map->rows - 1 ) * map->pitch );
 
     for ( ; count > 0; count--, spans++ )
     {
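Review bot: the `(unsigned)` cast is applied to the result of `( map->rows - 1 ) * map->pitch`, so the multiplication is still carried out in the operands' own type and the cast only changes how the offset is added to `p`; it does not prevent the product from overflowing. The protection actually comes from the `0x7FFF` limits on width and height in the ftsmooth.c hunk below, and a comment here pointing at that precondition would make the cast's purpose clear.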
--- freetype-2.3.11/src/smooth/ftsmooth.c	2009-07-31 18:45:19.000000000 +0200
+++ freetype-2.3.11/src/smooth/ftsmooth.c	2010-07-13 10:26:58.000000000 +0200
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    Anti-aliasing renderer interface (body).                             */
 /*                                                                         */
-/*  Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2009 by             */
+/*  Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2009, 2010 by       */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -200,7 +200,7 @@
 
     /* Required check is ( pitch * height < FT_ULONG_MAX ),     */
     /* but we care realistic cases only. Always pitch <= width. */
-    if ( width > 0xFFFFU || height > 0xFFFFU )
+    if ( width > 0x7FFFU || height > 0x7FFFU )
     {
       FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
                  width, height ));
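Review bot: the comment above the check still says the required condition is `pitch * height < FT_ULONG_MAX`, which no longer explains the new value; with both limits at `0x7FFF` the product stays below 2^30 and fits a signed 32-bit `int`, which is what the ftgrays.c scanline arithmetic needs. Update the comment to state that rationale so the constant is not "fixed" back to `0xFFFF` later.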

freetype-2.3.11-CVE-2010-2519.patch:
 ftobjs.c |   14 +++++++++++++-
 1 file changed, 13 insertions(+), 1 deletion(-)

--- NEW FILE freetype-2.3.11-CVE-2010-2519.patch ---
--- freetype-2.3.11/src/base/ftobjs.c	2010-07-12 17:03:47.000000000 +0200
+++ freetype-2.3.11/src/base/ftobjs.c	2010-07-12 17:07:06.000000000 +0200
@@ -1526,7 +1526,19 @@
         goto Exit;
       if ( FT_READ_USHORT( flags ) )
         goto Exit;
-      rlen -= 2;                    /* the flags are part of the resource */
+      FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+                   i, offsets[i], rlen, flags ));
+
+      if ( ( flags >> 8 ) == 0 )        /* Comment, should not be loaded */
+        continue;
+
+      /* the flags are part of the resource, so rlen >= 2.  */
+      /* but some fonts declare rlen = 0 for empty fragment */
+      if ( rlen > 2 )
+        rlen -= 2;
+      else
+        rlen = 0;
+
       if ( ( flags >> 8 ) == type )
         len += rlen;
       else
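Review bot: the `rlen > 2` branch treats a declared `rlen` of 1 the same as 0 or 2, silently accepting a fragment whose header is shorter than the 2-byte flags it must contain; since the comment says only `rlen = 0` occurs in practice, consider rejecting `rlen == 1` as malformed rather than folding it into the empty case. Also, the added `FT_TRACE3` line runs well past the 78-column limit used elsewhere in this file; wrap the format string.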

freetype-2.3.11-CVE-2010-2520.patch:
 ttinterp.c |    4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

--- NEW FILE freetype-2.3.11-CVE-2010-2520.patch ---
--- freetype-2.3.11/src/truetype/ttinterp.c	2009-07-31 18:45:19.000000000 +0200
+++ freetype-2.3.11/src/truetype/ttinterp.c	2010-07-15 14:44:23.000000000 +0200
@@ -6466,8 +6466,8 @@
       end_point   = CUR.pts.contours[contour] - CUR.pts.first_point;
       first_point = point;
 
-      if ( CUR.pts.n_points <= end_point )
-        end_point = CUR.pts.n_points;
+      if ( BOUNDS ( end_point, CUR.pts.n_points ) )
+        end_point = CUR.pts.n_points - 1;
 
       while ( point <= end_point && ( CUR.pts.tags[point] & mask ) == 0 )
         point++;
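Review bot: `end_point = CUR.pts.n_points - 1` is the right clamp for the `point <= end_point` loop that follows (the old value of `n_points` let it read `tags[n_points]`), but if `n_points` can be 0 here the subtraction wraps in the unsigned point type and the loop bound becomes huge. Worth confirming that this code is only reached with `n_points > 0`, or adding an explicit early-out for the empty case.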

freetype-2.3.11-CVE-2010-2527.patch:
 ftdiff.c   |    4 ++--
 ftgrid.c   |   10 +++++-----
 ftmulti.c  |    8 ++++----
 ftstring.c |   11 ++++++-----
 ftview.c   |    8 ++++----
 5 files changed, 21 insertions(+), 20 deletions(-)

--- NEW FILE freetype-2.3.11-CVE-2010-2527.patch ---
--- freetype-2.3.11/ft2demos-2.3.11/src/ftdiff.c	2009-04-30 18:07:48.000000000 +0200
+++ freetype-2.3.11/ft2demos-2.3.11/src/ftdiff.c	2010-07-22 18:18:06.000000000 +0200
@@ -1054,11 +1054,11 @@
 
       state->message = state->message0;
       if ( total > 1 )
-        sprintf( state->message0, "%s %d/%d @ %5.1fpt",
+        sprintf( state->message0, "%.100s %d/%d @ %5.1fpt",
                  state->filename, idx + 1, total,
                  state->char_size );
       else
-        sprintf( state->message0, "%s @ %5.1fpt",
+        sprintf( state->message0, "%.100s @ %5.1fpt",
                  state->filename,
                  state->char_size );
     }
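Review bot: the `%.100s` precision bounds the filename but not the rest of the line; `%5.1f` of `char_size` has no width cap and the two `%d` fields add up to 22 characters. Unless `message0` is known to be comfortably larger than about 130 bytes, `snprintf( state->message0, sizeof( state->message0 ), ... )` would bound the whole write instead of one field.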
--- freetype-2.3.11/ft2demos-2.3.11/src/ftgrid.c	2009-04-30 18:15:21.000000000 +0200
+++ freetype-2.3.11/ft2demos-2.3.11/src/ftgrid.c	2010-07-22 18:18:06.000000000 +0200
@@ -2,7 +2,7 @@
 /*                                                                          */
 /*  The FreeType project -- a free and portable quality TrueType renderer.  */
 /*                                                                          */
-/*  Copyright 1996-2000, 2003, 2004, 2005, 2006, 2007, 2009 by              */
+/*  Copyright 1996-2000, 2003, 2004, 2005, 2006, 2007, 2009, 2010 by        */
 /*  D. Turner, R.Wilhelm, and W. Lemberg                                    */
 /*                                                                          */
 /*                                                                          */
@@ -787,22 +787,22 @@ grid_status_draw_outline( GridStatus    
       switch ( error_code )
       {
       case FT_Err_Ok:
-        sprintf( status.header_buffer, "%s %s (file `%s')",
+        sprintf( status.header_buffer, "%.50s %.50s (file `%.100s')",
                  face->family_name, face->style_name, basename );
         break;
 
       case FT_Err_Invalid_Pixel_Size:
-        sprintf( status.header_buffer, "Invalid pixel size (file `%s')",
+        sprintf( status.header_buffer, "Invalid pixel size (file `%.100s')",
                  basename );
         break;
 
       case FT_Err_Invalid_PPem:
-        sprintf( status.header_buffer, "Invalid ppem value (file `%s')",
+        sprintf( status.header_buffer, "Invalid ppem value (file `%.100s')",
                  basename );
         break;
 
       default:
-        sprintf( status.header_buffer, "File `%s': error 0x%04x",
+        sprintf( status.header_buffer, "File `%.100s': error 0x%04x",
                  basename, (FT_UShort)error_code );
         break;
       }
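Review bot: the worst case for `"%.50s %.50s (file `%.100s')"` is 211 characters plus the terminator, so `status.header_buffer` must be at least 212 bytes; its size is not in this hunk, so please confirm it (the ftmulti.c hunk below grows its `Header` to 256 for the same format). Using `snprintf` with `sizeof( status.header_buffer )` would remove the need to keep that arithmetic in sync with the format strings.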
--- freetype-2.3.11/ft2demos-2.3.11/src/ftmulti.c	2009-03-14 14:58:28.000000000 +0100
+++ freetype-2.3.11/ft2demos-2.3.11/src/ftmulti.c	2010-07-22 18:18:39.000000000 +0200
@@ -2,7 +2,7 @@
 /*                                                                          */
 /*  The FreeType project -- a free and portable quality TrueType renderer.  */
 /*                                                                          */
-/*  Copyright 1996-2000, 2003, 2004, 2005 by                                */
+/*  Copyright 1996-2000, 2003, 2004, 2005, 2010 by                          */
 /*  D. Turner, R.Wilhelm, and W. Lemberg                                    */
 /*                                                                          */
 /*                                                                          */
@@ -34,7 +34,7 @@
 
 #define  MAXPTSIZE  500                 /* dtp */
 
-  char  Header[128];
+  char  Header[256];
   char* new_header = 0;
 
   const unsigned char*  Text = (unsigned char*)
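Review bot: growing `Header` to 256 bytes covers the 211-character worst case of the `"%.50s %.50s (file %.100s)"` format in the next hunk, and the CVE-2010-2541 patch later appends axis strings with `strncat` bounded by `sizeof( Header )`, so the size is sufficient; a comment next to the declaration recording that budget would keep the two patches from drifting apart.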
@@ -795,7 +795,7 @@
           Render_All( Num, ptsize );
         }
 
-        sprintf( Header, "%s %s (file %s)",
+        sprintf( Header, "%.50s %.50s (file %.100s)",
                          face->family_name,
                          face->style_name,
                          ft_basename( argv[file] ) );
@@ -830,7 +830,7 @@
       }
       else
       {
-        sprintf( Header, "%s: not an MM font file, or could not be opened",
+        sprintf( Header, "%.100s: not an MM font file, or could not be opened",
                          ft_basename( argv[file] ) );
       }
 
--- freetype-2.3.11/ft2demos-2.3.11/src/ftstring.c	2009-03-14 14:58:28.000000000 +0100
+++ freetype-2.3.11/ft2demos-2.3.11/src/ftstring.c	2010-07-22 18:18:06.000000000 +0200
@@ -2,7 +2,7 @@
 /*                                                                          */
 /*  The FreeType project -- a free and portable quality TrueType renderer.  */
 /*                                                                          */
-/*  Copyright 1996-2002, 2003, 2004, 2005, 2006, 2007, 2009 by              */
+/*  Copyright 1996-2002, 2003, 2004, 2005, 2006, 2007, 2009, 2010 by        */
 /*  D. Turner, R.Wilhelm, and W. Lemberg                                    */
 /*                                                                          */
 /*                                                                          */
@@ -413,19 +413,20 @@
       switch ( error_code )
       {
       case FT_Err_Ok:
-        sprintf( status.header_buffer, "%s %s (file `%s')", face->family_name,
+        sprintf( status.header_buffer,
+                 "%.50s %.50s (file `%.100s')", face->family_name,
                  face->style_name, basename );
         break;
       case FT_Err_Invalid_Pixel_Size:
-        sprintf( status.header_buffer, "Invalid pixel size (file `%s')",
+        sprintf( status.header_buffer, "Invalid pixel size (file `%.100s')",
                  basename );
         break;
       case FT_Err_Invalid_PPem:
-        sprintf( status.header_buffer, "Invalid ppem value (file `%s')",
+        sprintf( status.header_buffer, "Invalid ppem value (file `%.100s')",
                  basename );
         break;
       default:
-        sprintf( status.header_buffer, "File `%s': error 0x%04x", basename,
+        sprintf( status.header_buffer, "File `%.100s': error 0x%04x", basename,
             (FT_UShort)error_code );
         break;
       }
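Review bot: same point as for ftgrid.c: the `%.50s %.50s (file `%.100s')` format needs `status.header_buffer` to hold at least 212 bytes, which this hunk does not show; confirm the size or switch to `snprintf` with `sizeof( status.header_buffer )`.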
--- freetype-2.3.11/ft2demos-2.3.11/src/ftview.c	2009-04-30 20:08:25.000000000 +0200
+++ freetype-2.3.11/ft2demos-2.3.11/src/ftview.c	2010-07-22 18:18:06.000000000 +0200
@@ -1086,19 +1086,19 @@
       switch ( error_code )
       {
       case FT_Err_Ok:
-        sprintf( status.header_buffer, "%s %s (file `%s')",
+        sprintf( status.header_buffer, "%.50s %.50s (file `%.100s')",
                  face->family_name, face->style_name, basename );
         break;
       case FT_Err_Invalid_Pixel_Size:
-        sprintf( status.header_buffer, "Invalid pixel size (file `%s')",
+        sprintf( status.header_buffer, "Invalid pixel size (file `%.100s')",
                  basename );
         break;
       case FT_Err_Invalid_PPem:
-        sprintf( status.header_buffer, "Invalid ppem value (file `%s')",
+        sprintf( status.header_buffer, "Invalid ppem value (file `%.100s')",
                  basename );
         break;
       default:
-        sprintf( status.header_buffer, "File `%s': error 0x%04x",
+        sprintf( status.header_buffer, "File `%.100s': error 0x%04x",
                  basename, (FT_UShort)error_code );
         break;
       }
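Review bot: same point as for ftgrid.c and ftstring.c: the precision specifiers cap each field at 50/50/100 characters, giving a 211-character worst case, so `status.header_buffer` must be at least 212 bytes; confirm that or use `snprintf` with the buffer size.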

freetype-2.3.11-CVE-2010-2541.patch:
 ftmulti.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- NEW FILE freetype-2.3.11-CVE-2010-2541.patch ---
--- freetype-2.3.11/ft2demos-2.3.11/src/ftmulti.c	2010-07-22 19:11:50.000000000 +0200
+++ freetype-2.3.11/ft2demos-2.3.11/src/ftmulti.c	2010-07-22 19:12:41.000000000 +0200
@@ -813,13 +813,13 @@
 
           for ( n = 0; n < (int)multimaster->num_axis; n++ )
           {
-            char  temp[32];
+            char  temp[100];
 
 
-            sprintf( temp, "  %s:%g",
+            sprintf( temp, "  %.50s:%g",
                            multimaster->axis[n].name,
-                           design_pos[n]/65536. );
-            strcat( Header, temp );
+                           design_pos[n] / 65536.0 );
+            strncat( Header, temp, sizeof( Header ) - strlen( Header ) - 1 );
           }
         }
         grWriteCellString( &bit, 0, 16, Header, fore_color );
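Review bot: `temp[100]` is enough for this format: two spaces, up to 50 name characters, the colon, and a `%g` of at most 13 characters come to 66. The `strncat( Header, temp, sizeof( Header ) - strlen( Header ) - 1 )` bound is the correct idiom and relies on `Header` already being NUL-terminated, which the preceding `sprintf` guarantees. Note that axes past the 256-byte budget are now silently truncated from the header rather than reported; acceptable for a demo, but worth a comment.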

freetype-2.3.11-CVE-2010-2805.patch:
 ftstream.c |    2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

--- NEW FILE freetype-2.3.11-CVE-2010-2805.patch ---
--- freetype-2.3.11/src/base/ftstream.c	2009-08-03 19:51:40.000000000 +0200
+++ freetype-2.3.11/src/base/ftstream.c	2010-09-30 13:46:08.000000000 +0200
@@ -275,7 +275,7 @@
     {
       /* check current and new position */
       if ( stream->pos >= stream->size        ||
-           stream->pos + count > stream->size )
+           stream->size - stream->pos < count )
       {
         FT_ERROR(( "FT_Stream_EnterFrame:"
                    " invalid i/o; pos = 0x%lx, count = %lu, size = 0x%lx\n",

freetype-2.3.11-CVE-2010-2806.patch:
 t42parse.c |   13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

--- NEW FILE freetype-2.3.11-CVE-2010-2806.patch ---
--- freetype-2.3.11/src/type42/t42parse.c	2009-07-03 15:28:24.000000000 +0200
+++ freetype-2.3.11/src/type42/t42parse.c	2010-09-23 12:15:56.000000000 +0200
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    Type 42 font parser (body).                                          */
 /*                                                                         */
-/*  Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by            */
+/*  Copyright 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 by      */
 /*  Roberto Alameda.                                                       */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -575,6 +575,12 @@
         }
 
         string_size = T1_ToInt( parser );
+        if ( string_size < 0 )
+        {
+          FT_ERROR(( "t42_parse_sfnts: invalid string size\n" ));
+          error = T42_Err_Invalid_File_Format;
+          goto Fail;
+        }
 
         T1_Skip_PS_Token( parser );             /* `RD' */
         if ( parser->root.error )
@@ -582,13 +588,14 @@
 
         string_buf = parser->root.cursor + 1;   /* one space after `RD' */
 
-        parser->root.cursor += string_size + 1;
-        if ( parser->root.cursor >= limit )
+        if ( limit - parser->root.cursor < string_size )
         {
           FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
           error = T42_Err_Invalid_File_Format;
           goto Fail;
         }
+        else
+          parser->root.cursor += string_size + 1;
       }
 
       if ( !string_buf )
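Review bot: the new check looks off by one. `string_buf` starts at `cursor + 1`, so the data occupies `cursor + 1 .. cursor + string_size`; when `limit - cursor == string_size` that last byte is at `limit`, which the old `>= limit` test treated as out of range, yet `limit - cursor < string_size` accepts it, and `cursor += string_size + 1` then lands at `limit + 1`. `<=` rejects that case while still avoiding the pointer overflow the patch is fixing. Separately, the `else` after a `goto Fail` is redundant.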

freetype-2.3.11-CVE-2010-2808.patch:
 ftobjs.c |    5 +++++
 1 file changed, 5 insertions(+)

--- NEW FILE freetype-2.3.11-CVE-2010-2808.patch ---
--- freetype-2.3.11/src/base/ftobjs.c	2010-09-30 13:58:50.000000000 +0200
+++ freetype-2.3.11/src/base/ftobjs.c	2010-09-30 13:59:31.000000000 +0200
@@ -1529,6 +1529,7 @@
       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
                    i, offsets[i], rlen, flags ));
 
+      /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
       if ( ( flags >> 8 ) == 0 )        /* Comment, should not be loaded */
         continue;
 
@@ -1568,6 +1569,10 @@
         pfb_data[pfb_pos++] = 0;
       }
 
+      error = FT_Err_Cannot_Open_Resource;
+      if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
+        goto Exit2;
+
       error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
       if ( error )
         goto Exit2;
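Review bot: `pfb_pos + rlen > pfb_len` can wrap if `rlen` (read from the resource header) is large; since `pfb_pos > pfb_len` has already been excluded, `rlen > pfb_len - pfb_pos` is the overflow-safe form, the same shape the CVE-2010-2805 hunk uses in ftstream.c. Also note this check bounds against `pfb_len` while the CVE-2010-2499 checks in the same function use `pfb_len + 2`; pick one expression for the usable buffer size. Setting `error = FT_Err_Cannot_Open_Resource` unconditionally and letting `FT_Stream_Read()` overwrite it works, but assigning it inside the `if` reads more clearly.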

freetype-2.3.11-CVE-2010-3311.patch:
 ftstream.c |   20 ++++++++++----------
 1 file changed, 10 insertions(+), 10 deletions(-)

--- NEW FILE freetype-2.3.11-CVE-2010-3311.patch ---
--- freetype-2.3.11/src/base/ftstream.c	2010-09-30 14:12:38.000000000 +0200
+++ freetype-2.3.11/src/base/ftstream.c	2010-09-30 14:12:59.000000000 +0200
@@ -59,8 +59,17 @@
   {
     FT_Error  error = FT_Err_Ok;
 
+    /* note that seeking to the first position after the file is valid */
+    if ( pos > stream->size )
+    {
+      FT_ERROR(( "FT_Stream_Seek:"
+                 " invalid i/o; pos = 0x%lx, size = 0x%lx\n",
+                 pos, stream->size ));
 
-    if ( stream->read )
+      error = FT_Err_Invalid_Stream_Operation;
+    }
+
+    if ( !error && stream->read )
     {
       if ( stream->read( stream, pos, 0, 0 ) )
       {
@@ -71,15 +80,6 @@
         error = FT_Err_Invalid_Stream_Operation;
       }
     }
-    /* note that seeking to the first position after the file is valid */
-    else if ( pos > stream->size )
-    {
-      FT_ERROR(( "FT_Stream_Seek:"
-                 " invalid i/o; pos = 0x%lx, size = 0x%lx\n",
-                 pos, stream->size ));
-
-      error = FT_Err_Invalid_Stream_Operation;
-    }
 
     if ( !error )
       stream->pos = pos;
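Review bot: moving the `pos > stream->size` test ahead of the `stream->read` branch changes behaviour for streams with a custom read callback: previously only memory streams (the removed `else if`) were range-checked and the callback was trusted to reject bad positions. That is the safer default, but it means `stream->size` must be accurate for every external stream; worth stating in the comment, since a caller that set `size` to 0 for a stream of unknown length would now fail every non-zero seek.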


Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-12/freetype-freeworld.spec,v
retrieving revision 1.7
retrieving revision 1.8
diff -u -r1.7 -r1.8
--- freetype-freeworld.spec	16 Dec 2009 23:50:48 -0000	1.7
+++ freetype-freeworld.spec	5 Oct 2010 14:03:18 -0000	1.8
@@ -8,7 +8,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype-freeworld
 Version: 2.3.11
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: FTL or GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -21,6 +21,20 @@
 # Enable otvalid and gxvalid modules
 Patch46:  freetype-2.2.1-enable-valid.patch
 
+# Security patches
+Patch89:  freetype-2.3.11-CVE-2010-2498.patch
+Patch90:  freetype-2.3.11-CVE-2010-2499.patch
+Patch91:  freetype-2.3.11-CVE-2010-2500.patch
+Patch92:  freetype-2.3.11-CVE-2010-2519.patch
+Patch93:  freetype-2.3.11-CVE-2010-2520.patch
+Patch94:  freetype-2.3.11-CVE-2010-2527.patch
+Patch95:  freetype-2.3.11-CVE-2010-2541.patch
+Patch96:  freetype-2.3.11-CVE-2010-1797.patch
+Patch97:  freetype-2.3.11-CVE-2010-2805.patch
+Patch98:  freetype-2.3.11-CVE-2010-2806.patch
+Patch99:  freetype-2.3.11-CVE-2010-2808.patch
+Patch100:  freetype-2.3.11-CVE-2010-3311.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
 %if !0%{?without_bytecode_interpreter}
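Review bot: `Patch100:  freetype-2.3.11-CVE-2010-3311.patch` keeps two spaces after the colon like the two-digit entries, so its filename column is misaligned by one; trim one space. Listing the patches in CVE order (Patch96 is CVE-2010-1797, placed after 2541) would also make the block easier to audit against the changelog.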
@@ -41,24 +55,10 @@
 individual glyphs. FreeType is not a font server or a complete
 text-rendering library.
 
-This version is compiled with the patented bytecode interpreter and subpixel
-rendering enabled. It transparently overrides the system library using
-ld.so.conf.d.
-
-
-%package devel
-Summary: FreeType development libraries and header files
-Group: Development/Libraries
-Requires: %{name} = %{version}-%{release}
-Requires: zlib-devel
-Requires: pkgconfig
-
-%description devel
-The freetype-devel package includes the static libraries and header files
-for the FreeType font rendering engine.
-
-Install freetype-devel if you want to develop programs which will use
-FreeType.
+This version is compiled with the patented subpixel rendering and the formerly
+patented bytecode interpreter (which is still disabled in the stock Fedora
+packages for technical reasons) enabled. It transparently overrides the system
+library using ld.so.conf.d.
 
 
 %prep
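Review bot: this hunk removes the entire `%package devel` stanza and its `%description devel`, but neither the changelog entry nor the log message mentions dropping the devel subpackage. If it is intentional (no headers shipped by an ld.so.conf.d override package), say so in the changelog and confirm there is no matching `%files devel` left further down; if not, the description rewrite should be separated from the removal.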
@@ -74,6 +74,19 @@
 
 %patch46  -p1 -b .enable-valid
 
+%patch89 -p1 -b .CVE-2010-2498
+%patch90 -p1 -b .CVE-2010-2499
+%patch91 -p1 -b .CVE-2010-2500
+%patch92 -p1 -b .CVE-2010-2519
+%patch93 -p1 -b .CVE-2010-2520
+%patch94 -p1 -b .CVE-2010-2527
+%patch95 -p1 -b .CVE-2010-2541
+%patch96 -p1 -b .CVE-2010-1797
+%patch97 -p1 -b .CVE-2010-2805
+%patch98 -p1 -b .CVE-2010-2806
+%patch99 -p1 -b .CVE-2010-2808
+%patch100 -p1 -b .CVE-2010-3311
+
 %build
 
 %configure --disable-static
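Review bot: the application order here matters and is correct as listed: the CVE-2010-2808 hunk's context contains the `FT_TRACE3` line introduced by CVE-2010-2519 (Patch92 before Patch99), and CVE-2010-3311 patches ftstream.c after CVE-2010-2805 has modified it (Patch97 before Patch100). A one-line comment above the block noting these dependencies would keep a future renumbering from breaking the build.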
@@ -122,6 +135,39 @@
 %config(noreplace) %{_sysconfdir}/fonts/conf.d/*.conf
 
 %changelog
+* Tue Oct 05 2010 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.3.11-2
+- Update the description to reflect that the bytecode interpreter is no longer
+  patented (but still disabled in the stock Fedora freetype).
+- Add freetype-2.3.11-CVE-2010-2805.patch
+    (Fix comparison.)
+- Add freetype-2.3.11-CVE-2010-2806.patch
+    (Protect against negative string_size. Fix comparison.)
+- Add freetype-2.3.11-CVE-2010-2808.patch
+    (Check the total length of collected POST segments.)
+- Add freetype-2.3.11-CVE-2010-3311.patch
+    (Don't seek behind end of stream.)
+- Resolves: rh#638522
+- Add freetype-2.3.11-CVE-2010-1797.patch
+    (Check stack after execution of operations too.
+     Skip the evaluations of the values in decoder, if
+     cff_decoder_parse_charstrings() returns any error.)
+- Resolves: rh#621627
+- Add freetype-2.3.11-CVE-2010-2498.patch
+    (Assure that `end_point' is not larger than `glyph->num_points')
+- Add freetype-2.3.11-CVE-2010-2499.patch
+    (Check the buffer size during gathering PFB fragments)
+- Add freetype-2.3.11-CVE-2010-2500.patch
+    (Use smaller threshold values for `width' and `height')
+- Add freetype-2.3.11-CVE-2010-2519.patch
+    (Check `rlen' the length of fragment declared in the POST fragment header)
+- Add freetype-2.3.11-CVE-2010-2520.patch
+    (Fix bounds check)
+- Add freetype-2.3.11-CVE-2010-2527.patch
+    (Use precision for `%s' where appropriate to avoid buffer overflows)
+- Add freetype-2.3.11-CVE-2010-2541.patch
+    (Avoid overflow when dealing with names of axes)
+- Resolves: rh#613299
+
 * Wed Dec 16 2009 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.3.11-1
 - Update to 2.3.11 (matches Fedora freetype, fixes aliasing issue rh#513582)
 - Drop upstreamed memcpy-fix patch
