rpms/freetype-freeworld/F-14 freetype-2.4.2-CVE-2011-0226.patch, NONE, 1.1 freetype-freeworld.spec, 1.13, 1.14

Mon Jul 25 13:33:08 CEST 2011

Author: kkofler

Update of /cvs/free/rpms/freetype-freeworld/F-14
In directory se02.es.rpmfusion.net:/tmp/cvs-serv30284/F-14

Modified Files:
	freetype-freeworld.spec 
Added Files:
	freetype-2.4.2-CVE-2011-0226.patch 
Log Message:
* Mon Jul 25 2011 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.4.2-6
- Add freetype-2.4.2-CVE-2011-0226.patch from Fedora freetype (rh#723469)
    (Add better argument check for `callothersubr'.)
    - based on patches by Werner Lemberg,
      Alexei Podtelezhnikov and Matthias Drochner

freetype-2.4.2-CVE-2011-0226.patch:
 t1decode.c |   34 ++++++++++++++++++++--------------
 1 file changed, 20 insertions(+), 14 deletions(-)

--- NEW FILE freetype-2.4.2-CVE-2011-0226.patch ---
--- freetype-2.4.2/src/psaux/t1decode.c	2010-05-11 00:05:58.000000000 +0200
+++ freetype-2.4.2/src/psaux/t1decode.c	2011-07-20 14:54:04.000000000 +0200
@@ -28,6 +28,8 @@
 
 #include "psauxerr.h"
 
+/* ensure proper sign extension */
+#define Fix2Int( f )  ( (FT_Int)(FT_Short)( (f) >> 16 ) )
 
   /*************************************************************************/
   /*                                                                       */
@@ -671,7 +673,7 @@
         if ( large_int )
           FT_TRACE4(( " %ld", value ));
         else
-          FT_TRACE4(( " %ld", (FT_Int32)( value >> 16 ) ));
+          FT_TRACE4(( " %ld", Fix2Int( value ) ));
 #endif
 
         *top++       = value;
@@ -693,8 +695,8 @@
 
         top -= 2;
 
-        subr_no = (FT_Int)( top[1] >> 16 );
-        arg_cnt = (FT_Int)( top[0] >> 16 );
+        subr_no = Fix2Int( top[1] );
+        arg_cnt = Fix2Int( top[0] );
 
         /***********************************************************/
         /*                                                         */
@@ -869,7 +871,7 @@
             if ( arg_cnt != 1 || blend == NULL )
               goto Unexpected_OtherSubr;
 
-            idx = (FT_Int)( top[0] >> 16 );
+            idx = Fix2Int( top[0] );
 
             if ( idx < 0                                           ||
                  idx + blend->num_designs > decoder->len_buildchar )
@@ -937,7 +939,7 @@
             if ( arg_cnt != 2 || blend == NULL )
               goto Unexpected_OtherSubr;
 
-            idx = (FT_Int)( top[1] >> 16 );
+            idx = Fix2Int( top[1] );
 
             if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar )
               goto Unexpected_OtherSubr;
@@ -958,7 +960,7 @@
             if ( arg_cnt != 1 || blend == NULL )
               goto Unexpected_OtherSubr;
 
-            idx = (FT_Int)( top[0] >> 16 );
+            idx = Fix2Int( top[0] );
 
             if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar )
               goto Unexpected_OtherSubr;
@@ -1016,11 +1018,15 @@
           break;
 
         default:
-          FT_ERROR(( "t1_decoder_parse_charstrings:"
-                     " unknown othersubr [%d %d], wish me luck\n",
-                     arg_cnt, subr_no ));
-          unknown_othersubr_result_cnt = arg_cnt;
-          break;
+          if ( arg_cnt >= 0 && subr_no >= 0 )
+          {
+            FT_ERROR(( "t1_decoder_parse_charstrings:"
+                       " unknown othersubr [%d %d], wish me luck\n",
+                       arg_cnt, subr_no ));
+            unknown_othersubr_result_cnt = arg_cnt;
+            break;
+          }
+          /* fall through */
 
         Unexpected_OtherSubr:
           FT_ERROR(( "t1_decoder_parse_charstrings:"
@@ -1146,8 +1152,8 @@
                                   top[0],
                                   top[1],
                                   top[2],
-                                  (FT_Int)( top[3] >> 16 ),
-                                  (FT_Int)( top[4] >> 16 ) );
+                                  Fix2Int( top[3] ),
+                                  Fix2Int( top[4] ) );
 
         case op_sbw:
           FT_TRACE4(( " sbw" ));
@@ -1321,7 +1327,7 @@
 
             FT_TRACE4(( " callsubr" ));
 
-            idx = (FT_Int)( top[0] >> 16 );
+            idx = Fix2Int( top[0] );
             if ( idx < 0 || idx >= (FT_Int)decoder->num_subrs )
             {
               FT_ERROR(( "t1_decoder_parse_charstrings:"


Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-14/freetype-freeworld.spec,v
retrieving revision 1.13
retrieving revision 1.14
diff -u -r1.13 -r1.14
--- freetype-freeworld.spec	8 Mar 2011 22:54:30 -0000	1.13
+++ freetype-freeworld.spec	25 Jul 2011 11:33:08 -0000	1.14
@@ -6,7 +6,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype-freeworld
 Version: 2.4.2
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: FTL or GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -31,6 +31,7 @@
 # Security patches
 Patch89:  freetype-2.4.2-CVE-2010-3311.patch
 Patch90:  freetype-2.4.2-CVE-2010-3855.patch
+Patch91:  freetype-2.4.2-CVE-2011-0226.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
@@ -75,6 +76,7 @@
 
 %patch89 -p1 -b .CVE-2010-3311
 %patch90 -p1 -b .CVE-2010-3855
+%patch91 -p1 -b .CVE-2011-0226
 
 %build
 
@@ -119,6 +121,12 @@
 %config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
 
 %changelog
+* Mon Jul 25 2011 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.4.2-6
+- Add freetype-2.4.2-CVE-2011-0226.patch from Fedora freetype (rh#723469)
+    (Add better argument check for `callothersubr'.)
+    - based on patches by Werner Lemberg,
+      Alexei Podtelezhnikov and Matthias Drochner
+
 * Tue Mar 08 2011 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.4.2-5
 - Fix autohinting fallback (rh#547532): Ignore CFF-based OTFs.
 

