rpms/freetype-freeworld/F-15 freetype-2.4.4-CVE-2011-3256.patch, NONE, 1.1 freetype-freeworld.spec, 1.16, 1.17

Kevin Kofler kkofler at rpmfusion.org
Sun Oct 23 02:06:38 CEST 2011


Author: kkofler

Update of /cvs/free/rpms/freetype-freeworld/F-15
In directory se02.es.rpmfusion.net:/tmp/cvs-serv26362/F-15

Modified Files:
	freetype-freeworld.spec 
Added Files:
	freetype-2.4.4-CVE-2011-3256.patch 
Log Message:
* Sun Oct 23 2011 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.4.4-5
- Add freetype-2.4.4-CVE-2011-3256.patch from Fedora freetype
    (Handle some border cases)

freetype-2.4.4-CVE-2011-3256.patch:
 base/ftbitmap.c    |    6 +++++-
 psaux/t1decode.c   |    7 +++++++
 raster/ftrend1.c   |   10 +++++++++-
 truetype/ttgxvar.c |    5 ++++-
 4 files changed, 25 insertions(+), 3 deletions(-)

--- NEW FILE freetype-2.4.4-CVE-2011-3256.patch ---
--- freetype-2.4.4/src/base/ftbitmap.c	2009-07-31 18:45:18.000000000 +0200
+++ freetype-2.4.4/src/base/ftbitmap.c	2011-10-20 17:10:49.000000000 +0200
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    FreeType utility functions for bitmaps (body).                       */
 /*                                                                         */
-/*  Copyright 2004, 2005, 2006, 2007, 2008, 2009 by                        */
+/*  Copyright 2004-2009, 2011 by                                           */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -417,6 +417,10 @@
 
         target->pitch = source->width + pad;
 
+        if ( target->pitch > 0                           &&
+             target->rows > FT_ULONG_MAX / target->pitch )
+          return FT_Err_Invalid_Argument;
+
         if ( target->rows * target->pitch > old_size             &&
              FT_QREALLOC( target->buffer,
                           old_size, target->rows * target->pitch ) )
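Review bot: The new guard compares against `FT_ULONG_MAX`, but the product `target->rows * target->pitch` in the two lines after it is still evaluated in the operands' own type. If `rows` and `pitch` are plain `int` fields (their declarations are outside this hunk), the multiplication can overflow long before the guard's limit is reached, most visibly where `unsigned long` is 64 bits wide. I would evaluate the product in the guard's width, e.g. `(FT_ULong)target->rows * (FT_ULong)target->pitch`, both in the comparison with `old_size` and in the `FT_QREALLOC` size argument. The guard is also skipped for a non-positive `pitch`; whether that can occur depends on code outside the hunk.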
--- freetype-2.4.4/src/psaux/t1decode.c	2011-10-20 17:08:42.000000000 +0200
+++ freetype-2.4.4/src/psaux/t1decode.c	2011-10-20 17:10:49.000000000 +0200
@@ -747,6 +747,13 @@
             if ( arg_cnt != 0 )
               goto Unexpected_OtherSubr;
 
+            if ( decoder->flex_state == 0 )
+            {
+              FT_ERROR(( "t1_decoder_parse_charstrings:"
+                         " missing flex start\n" ));
+              goto Syntax_Error;
+            }
+
             /* note that we should not add a point for index 0; */
             /* this will move our current position to the flex  */
             /* point without adding any point to the outline    */
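Review bot: The added `flex_state == 0` guard has no comment saying what it protects, and the reason is not evident from the surrounding lines. I would put something like `/* flex points are only valid after a flex start; reject them otherwise */` above the `if`. Presumably the flex-start step is what prepares the outline for the points added here, but that code is outside the hunk, so the wording should be confirmed against it. The enclosing case block starts and ends outside the hunk.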
--- freetype-2.4.4/src/raster/ftrend1.c	2009-07-03 15:28:24.000000000 +0200
+++ freetype-2.4.4/src/raster/ftrend1.c	2011-10-20 17:13:47.000000000 +0200
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    The FreeType glyph rasterizer interface (body).                      */
 /*                                                                         */
-/*  Copyright 1996-2001, 2002, 2003, 2005, 2006 by                         */
+/*  Copyright 1996-2003, 2005, 2006, 2011 by                               */
 /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -25,6 +25,7 @@
 
 #include "rasterrs.h"
 
+#define FT_USHORT_MAX  USHRT_MAX
 
   /* initialize renderer -- init its raster */
   static FT_Error
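Review bot: `FT_USHORT_MAX` is defined unconditionally in this one source file, so it will draw a redefinition diagnostic as soon as a shared FreeType header supplies the same name with a different spelling. It also relies on `USHRT_MAX` arriving through an include that is not visible here. Wrapping it as `#ifndef FT_USHORT_MAX` / `#define FT_USHORT_MAX  USHRT_MAX` / `#endif` keeps the backport safe across a later rebase. A one-line comment saying the macro exists for the bitmap size check further down would also help.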
@@ -168,6 +169,13 @@
 
     width  = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
     height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
+
+    if ( width > FT_USHORT_MAX || height > FT_USHORT_MAX )
+    {
+      error = Raster_Err_Invalid_Argument;
+      goto Exit;
+    }
+
     bitmap = &slot->bitmap;
     memory = render->root.memory;
 
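Review bot: The range check runs on `width` and `height` after they have been cast to `FT_UInt`, so it tests the truncated values rather than the box extents themselves. If the `cbox` fields are wider than `FT_UInt` (their type is declared outside the hunk), an oversized extent could wrap into the accepted range during the cast. Comparing before the cast avoids that, e.g. `if ( ( ( cbox.xMax - cbox.xMin ) >> 6 ) > FT_USHORT_MAX || ( ( cbox.yMax - cbox.yMin ) >> 6 ) > FT_USHORT_MAX )`. A negative difference should be rejected at the same point. The function body continues outside the hunk.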
--- freetype-2.4.4/src/truetype/ttgxvar.c	2010-10-12 07:46:44.000000000 +0200
+++ freetype-2.4.4/src/truetype/ttgxvar.c	2011-10-20 17:10:49.000000000 +0200
@@ -4,7 +4,7 @@
 /*                                                                         */
 /*    TrueType GX Font Variation loader                                    */
 /*                                                                         */
-/*  Copyright 2004, 2005, 2006, 2007, 2008, 2009, 2010 by                  */
+/*  Copyright 2004-2011 by                                                 */
 /*  David Turner, Robert Wilhelm, Werner Lemberg, and George Williams.     */
 /*                                                                         */
 /*  This file is part of the FreeType project, and may only be used,       */
@@ -1474,6 +1474,9 @@
       {
         for ( j = 0; j < point_count; ++j )
         {
+          if ( localpoints[j] >= n_points )
+            continue;
+
           delta_xy[localpoints[j]].x += FT_MulFix( deltas_x[j], apply );
           delta_xy[localpoints[j]].y += FT_MulFix( deltas_y[j], apply );
         }
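Review bot: Out-of-range entries in `localpoints` are skipped silently here, with no comment and no trace output. A short comment such as `/* ignore point indices that are not below n_points */` would document the intent, and a trace message would make a malformed table visible during debugging. Any other place that uses `localpoints` entries as an index is outside the hunk and should get the same bound. The loop's enclosing block starts and ends outside the hunk.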


Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-15/freetype-freeworld.spec,v
retrieving revision 1.16
retrieving revision 1.17
diff -u -r1.16 -r1.17
--- freetype-freeworld.spec	25 Jul 2011 11:25:29 -0000	1.16
+++ freetype-freeworld.spec	23 Oct 2011 00:06:38 -0000	1.17
@@ -1,7 +1,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype-freeworld
 Version: 2.4.4
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: FTL or GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -12,19 +12,20 @@
 # Enable otvalid and gxvalid modules
 Patch46:  freetype-2.2.1-enable-valid.patch
 
-# Security patches
-Patch89:  freetype-2.4.2-CVE-2010-3311.patch
-Patch90:  freetype-2.4.4-CVE-2011-0226.patch
-
 # Backport from upstream git:
 # Fall back to autohinting if a TTF/OTF doesn't contain any bytecode.
 # Submitted by Kevin Kofler based on a patch from infinality.net, edited and
 # committed by Werner Lemberg.
 # Should be in the next upstream release.
-Patch100:  freetype-2.4.4-auto-autohint.patch
+Patch50:  freetype-2.4.4-auto-autohint.patch
 # Fix the above autohinting fallback: Ignore CFF-based OTFs.
 # Should be in the next upstream release.
-Patch101:  freetype-2.4.4-auto-autohint-fix.patch
+Patch51:  freetype-2.4.4-auto-autohint-fix.patch
+
+# Security patches
+Patch89:  freetype-2.4.2-CVE-2010-3311.patch
+Patch92:  freetype-2.4.4-CVE-2011-0226.patch
+Patch93:  freetype-2.4.4-CVE-2011-3256.patch
 
 BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
@@ -53,11 +54,12 @@
 
 %patch46  -p1 -b .enable-valid
 
-%patch89 -p1 -b .CVE-2010-3311
-%patch90 -p1 -b .CVE-2011-0226
+%patch50 -p1 -b .auto-autohint
+%patch51 -p1 -b .auto-autohint-fix
 
-%patch100 -p1 -b .auto-autohint
-%patch101 -p1 -b .auto-autohint-fix
+%patch89 -p1 -b .CVE-2010-3311
+%patch92 -p1 -b .CVE-2011-0226
+%patch93 -p1 -b .CVE-2011-3256
 
 %build
 
@@ -102,6 +104,10 @@
 %config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
 
 %changelog
+* Sun Oct 23 2011 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.4.4-5
+- Add freetype-2.4.4-CVE-2011-3256.patch from Fedora freetype
+    (Handle some border cases)
+
 * Mon Jul 25 2011 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.4.4-4
 - Add freetype-2.4.4-CVE-2011-0226.patch from Fedora freetype (rh#723469)
     (Add better argument check for `callothersubr'.)


