rpms/freetype-freeworld/F-20 freetype-2.5.0-pcf-read-a.patch, NONE, 1.1 freetype-2.5.0-pcf-read-b.patch, NONE, 1.1 freetype-freeworld.spec, 1.34, 1.35

Kevin Kofler kkofler at rpmfusion.org
Tue Feb 24 18:52:52 CET 2015


Author: kkofler

Update of /cvs/free/rpms/freetype-freeworld/F-20
In directory old02.ovh.rpmfusion.lan:/tmp/cvs-serv21522/F-20

Modified Files:
	freetype-freeworld.spec 
Added Files:
	freetype-2.5.0-pcf-read-a.patch 
	freetype-2.5.0-pcf-read-b.patch 
Log Message:
* Tue Feb 24 2015 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.5.0.1-7
- Add freetype-2.5.0-pcf-read-a.patch and freetype-2.5.0-pcf-read-b.patch ("Work
  around behaviour of X11's `pcfWriteFont' and `pcfReadFont' functions") from
  Fedora freetype, fixes regression from CVE-2014-9671 fix (rh#1195652)

freetype-2.5.0-pcf-read-a.patch:
 pcfread.c |   55 +++++++++++++++++++++++++++++++++++++++++++------------
 1 file changed, 43 insertions(+), 12 deletions(-)

--- NEW FILE freetype-2.5.0-pcf-read-a.patch ---
>From 74af85c4b62b35e55b0ce9dec55ee10cbc4962a2 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Mon, 8 Dec 2014 16:01:50 +0100
Subject: [PATCH] [pcf] Fix Savannah bug #43774.

Work around `features' of X11's `pcfWriteFont' and `pcfReadFont'
functions.  Since the PCF format doesn't have an official
specification, we have to exactly follow these functions' behaviour.

The problem was revealed by a patch from 2014-11-06, fixing issue #43547.

* src/pcf/pcfread.c (pcf_read_TOC): Don't check table size for last
element.  Instead, assign real size.
---
 ChangeLog         | 14 ++++++++++++++
 src/pcf/pcfread.c | 54 +++++++++++++++++++++++++++++++++++++++++++-----------
 2 files changed, 57 insertions(+), 11 deletions(-)

diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index 998cbed..e3caf82 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -2,7 +2,7 @@
 
     FreeType font driver for pcf fonts
 
-  Copyright 2000-2010, 2012, 2013 by
+  Copyright 2000-2010, 2012-2014 by
   Francesco Zappa Nardelli
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -78,7 +78,7 @@ THE SOFTWARE.
     FT_FRAME_START( 16  ),
       FT_FRAME_ULONG_LE( type ),
       FT_FRAME_ULONG_LE( format ),
-      FT_FRAME_ULONG_LE( size ),
+      FT_FRAME_ULONG_LE( size ),   /* rounded up to a multiple of 4 */
       FT_FRAME_ULONG_LE( offset ),
     FT_FRAME_END
   };
@@ -95,9 +95,11 @@ THE SOFTWARE.
     FT_Memory  memory = FT_FACE( face )->memory;
     FT_UInt    n;
 
+    FT_ULong   size;
 
-    if ( FT_STREAM_SEEK ( 0 )                          ||
-         FT_STREAM_READ_FIELDS ( pcf_toc_header, toc ) )
+
+    if ( FT_STREAM_SEEK( 0 )                          ||
+         FT_STREAM_READ_FIELDS( pcf_toc_header, toc ) )
       return FT_THROW( Cannot_Open_Resource );
 
     if ( toc->version != PCF_FILE_VERSION                 ||
@@ -151,14 +153,35 @@ THE SOFTWARE.
         break;
     }
 
-    /* we now check whether the `size' and `offset' values are reasonable: */
-    /* `offset' + `size' must not exceed the stream size                   */
+    /*
+     *  We now check whether the `size' and `offset' values are reasonable:
+     *  `offset' + `size' must not exceed the stream size.
+     *
+     *  Note, however, that X11's `pcfWriteFont' routine (used by the
+     *  `bdftopcf' program to create PDF font files) has two special
+     *  features.
+     *
+     *  - It always assigns the accelerator table a size of 100 bytes in the
+     *    TOC, regardless of its real size, which can vary between 34 and 72
+     *    bytes.
+     *
+     *  - Due to the way the routine is designed, it ships out the last font
+     *    table with its real size, ignoring the TOC's size value.  Since
+     *    the TOC size values are always rounded up to a multiple of 4, the
+     *    difference can be up to three bytes for all tables except the
+     *    accelerator table, for which the difference can be as large as 66
+     *    bytes.
+     *
+     */
+
     tables = face->toc.tables;
-    for ( n = 0; n < toc->count; n++ )
+    size   = stream->size;
+
+    for ( n = 0; n < toc->count - 1; n++ )
     {
       /* we need two checks to avoid overflow */
-      if ( ( tables->size   > stream->size                ) ||
-           ( tables->offset > stream->size - tables->size ) )
+      if ( ( tables->size   > size                ) ||
+           ( tables->offset > size - tables->size ) )
       {
         error = FT_THROW( Invalid_Table );
         goto Exit;
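Review bot: The new loop bound `n < toc->count - 1` and the unconditional `tables->offset` / `tables->size` accesses after the loop (in the following hunk) are only safe if `toc->count` is at least 1; if it is an unsigned type and could be 0, the bound wraps and the post-loop dereference reads past the TOC array. The rejection of a zero count appears to live earlier in pcf_read_TOC, outside this hunk, so the dependency should be stated where it is relied upon, e.g. `/* toc->count >= 1 is guaranteed by the check above, so the */` `/* last entry is always skipped here and handled below      */` at the for statement. Separately, the added comment block describes `bdftopcf' as creating "PDF font files", where "PCF font files" is meant. pcf_read_TOC begins and ends outside this hunk.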
@@ -166,6 +189,15 @@ THE SOFTWARE.
       tables++;
     }
 
+    /* no check of `tables->size' for last table element ... */
+    if ( ( tables->offset > size ) )
+    {
+      error = FT_THROW( Invalid_Table );
+      goto Exit;
+    }
+    /* ... instead, we adjust `tables->size' to the real value */
+    tables->size = size - tables->offset;
+
 #ifdef FT_DEBUG_LEVEL_TRACE
 
     {
@@ -714,8 +746,8 @@ THE SOFTWARE.
 
     FT_TRACE4(( "  number of bitmaps: %d\n", nbitmaps ));
 
-    /* XXX: PCF_Face->nmetrics is singed FT_Long, see pcf.h */
-    if ( face->nmetrics < 0 || nbitmaps != ( FT_ULong )face->nmetrics )
+    /* XXX: PCF_Face->nmetrics is signed FT_Long, see pcf.h */
+    if ( face->nmetrics < 0 || nbitmaps != (FT_ULong)face->nmetrics )
       return FT_THROW( Invalid_File_Format );
 
     if ( FT_NEW_ARRAY( offsets, nbitmaps ) )
-- 
2.1.0


freetype-2.5.0-pcf-read-b.patch:
 pcfread.c |    8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

--- NEW FILE freetype-2.5.0-pcf-read-b.patch ---
>From 06842c7b49c21f13c0ab61201daab6ff5a358fcc Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl at gnu.org>
Date: Sat, 13 Dec 2014 07:42:51 +0100
Subject: [PATCH] * src/pcf/pcfread.c (pcf_read_TOC): Improve fix from
 2014-12-08.

---
 ChangeLog         | 4 ++++
 src/pcf/pcfread.c | 7 ++++---
 2 files changed, 8 insertions(+), 3 deletions(-)

diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index e3caf82..a29a9e3 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -189,14 +189,15 @@ THE SOFTWARE.
       tables++;
     }
 
-    /* no check of `tables->size' for last table element ... */
+    /* only check `tables->offset' for last table element ... */
     if ( ( tables->offset > size ) )
     {
       error = FT_THROW( Invalid_Table );
       goto Exit;
     }
-    /* ... instead, we adjust `tables->size' to the real value */
-    tables->size = size - tables->offset;
+    /* ... and adjust `tables->size' to the real value if necessary */
+    if ( tables->size > size - tables->offset )
+      tables->size = size - tables->offset;
 
 #ifdef FT_DEBUG_LEVEL_TRACE
 
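Review bot: The clamp at `if ( tables->size > size - tables->offset )` silently shrinks a last-table size that overruns the stream; that is the intended workaround for bdftopcf output, but it also hides genuinely truncated or malformed fonts from anyone debugging a load failure. A trace line inside that branch, such as `FT_TRACE4(( "pcf_read_TOC: last table size adjusted to fit stream\n" ));`, would make the adjustment visible in debug builds, matching the FT_TRACE4 calls already used in this file, and the branch would then need braces. The `size - tables->offset` subtraction itself cannot wrap, since the preceding check rejects `tables->offset > size`. pcf_read_TOC begins and ends outside this hunk.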
-- 
2.1.0



Index: freetype-freeworld.spec
===================================================================
RCS file: /cvs/free/rpms/freetype-freeworld/F-20/freetype-freeworld.spec,v
retrieving revision 1.34
retrieving revision 1.35
diff -u -r1.34 -r1.35
--- freetype-freeworld.spec	18 Feb 2015 01:57:37 -0000	1.34
+++ freetype-freeworld.spec	24 Feb 2015 17:52:52 -0000	1.35
@@ -1,7 +1,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype-freeworld
 Version: 2.5.0.1
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -50,6 +50,11 @@
 Patch116:  freetype-2.5.0-CVE-2014-9674a.patch
 Patch118:  freetype-2.5.0-CVE-2014-9674b.patch
 
+# fix regression from CVE-2014-9671 fix
+# https://bugzilla.redhat.com/show_bug.cgi?id=1195652
+Patch119:  freetype-2.5.0-pcf-read-a.patch
+Patch120:  freetype-2.5.0-pcf-read-b.patch
+
 BuildRoot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
 Provides: freetype-bytecode
@@ -109,6 +114,9 @@
 %patch117 -p1 -b .CVE-2014-9674a
 %patch118 -p1 -b .CVE-2014-9674b
 
+%patch119 -p1 -b .pcf-read-a
+%patch120 -p1 -b .pcf-read-b
+
 
 %build
 
@@ -153,6 +161,11 @@
 %config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
 
 %changelog
+* Tue Feb 24 2015 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.5.0.1-7
+- Add freetype-2.5.0-pcf-read-a.patch and freetype-2.5.0-pcf-read-b.patch ("Work
+  around behaviour of X11's `pcfWriteFont' and `pcfReadFont' functions") from
+  Fedora freetype, fixes regression from CVE-2014-9671 fix (rh#1195652)
+
 * Wed Feb 18 2015 Kevin Kofler <Kevin at tigcc.ticalc.org> 2.5.0.1-6
 - Add freetype-2.5.0-CVE-2014-9656.patch from Fedora freetype (rh#1191099)
     (Check `p' before `num_glyphs'.)

