From c9e0ddd5319c89cc7deb08cf8d32125e1be25dff Mon Sep 17 00:00:00 2001 From: Marek Kasik Date: Mar 30 2012 14:25:41 +0000 Subject: Fix various CVEs Resolves: #806270 --- diff --git a/freetype-2.4.6-CVE-2012-1126.patch b/freetype-2.4.6-CVE-2012-1126.patch new file mode 100644 index 0000000..2279119 --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1126.patch @@ -0,0 +1,20 @@ +--- a/src/bdf/bdflib.c ++++ b/src/bdf/bdflib.c +@@ -1,6 +1,6 @@ + /* + * Copyright 2000 Computing Research Labs, New Mexico State University +- * Copyright 2001-2011 ++ * Copyright 2001-2012 + * Francesco Zappa Nardelli + * + * Permission is hereby granted, free of charge, to any person obtaining a +@@ -1254,7 +1254,8 @@ + ep = line + linelen; + + /* Trim the leading whitespace if it exists. */ +- *sp++ = 0; ++ if ( *sp ) ++ *sp++ = 0; + while ( *sp && + ( *sp == ' ' || *sp == '\t' ) ) + sp++; diff --git a/freetype-2.4.6-CVE-2012-1127.patch b/freetype-2.4.6-CVE-2012-1127.patch new file mode 100644 index 0000000..837ef74 --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1127.patch 
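Review bot: The new guard `if ( *sp ) *sp++ = 0;` stops the write one past the terminator, but it still trusts that `line[linelen]` holds a NUL; `ep = line + linelen` computed two lines above is the bound that actually matters, so the pointer form `if ( sp < ep ) *sp++ = 0;` keeps the fix correct even for a line that is not NUL-terminated. The `while ( *sp && ... )` scan that follows has the same reliance; if the line reader always terminates its buffer that is fine, but a one-line comment stating the assumption would document it for the next reader. The enclosing function starts and ends outside the hunk.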
@@ -0,0 +1,43 @@ +--- a/src/bdf/bdflib.c ++++ b/src/bdf/bdflib.c +@@ -188,6 +188,7 @@ + #define ACMSG13 "Glyph %ld extra rows removed.\n" + #define ACMSG14 "Glyph %ld extra columns removed.\n" + #define ACMSG15 "Incorrect glyph count: %ld indicated but %ld found.\n" ++#define ACMSG16 "Glyph %ld missing columns padded with zero bits.\n" + + /* Error messages. */ + #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n" +@@ -1725,18 +1726,31 @@ + for ( i = 0; i < nibbles; i++ ) + { + c = line[i]; ++ if ( !c ) ++ break; + *bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] ); + if ( i + 1 < nibbles && ( i & 1 ) ) + *++bp = 0; + } + ++ /* If any line has not enough columns, */ ++ /* indicate they have been padded with zero bits. */ ++ if ( i < nibbles && ++ !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) ) ++ { ++ FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG16, glyph->encoding )); ++ p->flags |= _BDF_GLYPH_WIDTH_CHECK; ++ font->modified = 1; ++ } ++ + /* Remove possible garbage at the right. */ + mask_index = ( glyph->bbx.width * p->font->bpp ) & 7; + if ( glyph->bbx.width ) + *bp &= nibble_mask[mask_index]; + + /* If any line has extra columns, indicate they have been removed. */ +- if ( ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) && ++ if ( i == nibbles && ++ ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) && + !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) ) + { + FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding )); diff --git a/freetype-2.4.6-CVE-2012-1128.patch b/freetype-2.4.6-CVE-2012-1128.patch new file mode 100644 index 0000000..254804c --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1128.patch 
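Review bot: When the loop now breaks early after an odd number of nibbles, the last byte keeps its nibble in the low four bits, because `*bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] )` relies on the next nibble's shift to move it up; the ACMSG16 "padded with zero bits" message is therefore not quite what happens, and the following `*bp &= nibble_mask[mask_index]` is applied to whichever byte `bp` stopped at rather than the row's last byte, which can clear valid bits of a short row. A minimal fix after the loop is `if ( i < nibbles && ( i & 1 ) ) *bp <<= 4;` together with guarding the mask as `if ( glyph->bbx.width && i == nibbles )`. This is a rendering-correctness point rather than a memory-safety one, and the bytes past the break stay zero only if the row buffer was zero-filled on allocation, which is outside the hunk and worth a comment next to the ACMSG16 trace.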
@@ -0,0 +1,41 @@ +--- a/src/truetype/ttinterp.c 2011-01-31 21:45:29.000000000 +0100 ++++ b/src/truetype/ttinterp.c 2012-03-28 13:07:28.000000000 +0200 +@@ -5788,7 +5788,7 @@ + FT_F26Dot6 dx, + dy; + +- FT_UShort last_point, i; ++ FT_UShort limit, i; + + + if ( BOUNDS( args[0], 2 ) ) +@@ -5805,24 +5805,15 @@ + /* Twilight zone has no contours, so use `n_points'. */ + /* Normal zone's `n_points' includes phantoms, so must */ + /* use end of last contour. */ +- if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 ) +- last_point = (FT_UShort)( CUR.zp2.n_points - 1 ); ++ if ( CUR.GS.gep2 == 0 ) ++ limit = (FT_UShort)CUR.zp2.n_points; + else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 ) +- { +- last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] ); +- +- if ( BOUNDS( last_point, CUR.zp2.n_points ) ) +- { +- if ( CUR.pedantic_hinting ) +- CUR.error = TT_Err_Invalid_Reference; +- return; +- } +- } ++ limit = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] + 1 ); + else +- last_point = 0; ++ limit = 0; + + /* XXX: UNDOCUMENTED! SHZ doesn't touch the points */ +- for ( i = 0; i <= last_point; i++ ) ++ for ( i = 0; i < limit; i++ ) + { + if ( zp.cur != CUR.zp2.cur || refp != i ) + MOVE_Zp2_Point( i, dx, dy, FALSE ); diff --git a/freetype-2.4.6-CVE-2012-1130.patch b/freetype-2.4.6-CVE-2012-1130.patch new file mode 100644 index 0000000..aa7d40d --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1130.patch 
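Review bot: The rewrite drops the `BOUNDS( last_point, CUR.zp2.n_points )` check without anything in the hunk taking its place, so `limit = contours[n_contours - 1] + 1` is now trusted not to exceed `CUR.zp2.n_points`; that holds if the glyph loader derives `n_points` from the last contour endpoint, but the interpreter is the last line of defence against a crafted glyf entry and `for ( i = 0; i < limit; i++ )` would index past the point arrays if that invariant ever slips. A cheap clamp keeps the fix self-contained: `if ( limit > CUR.zp2.n_points ) limit = (FT_UShort)CUR.zp2.n_points;`. Note also that the `(FT_UShort)( ... + 1 )` cast wraps to 0 for an endpoint of 0xFFFF, which is safe but silent. The enclosing instruction handler begins and ends outside the hunk.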
@@ -0,0 +1,22 @@ +--- a/src/pcf/pcfread.c ++++ b/src/pcf/pcfread.c +@@ -2,8 +2,7 @@ + + FreeType font driver for pcf fonts + +- Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, +- 2010 by ++ Copyright 2000-2010, 2012 by + Francesco Zappa Nardelli + + Permission is hereby granted, free of charge, to any person obtaining a copy +@@ -496,7 +495,8 @@ THE SOFTWARE. + goto Bail; + } + +- if ( FT_NEW_ARRAY( strings, string_size ) ) ++ /* allocate one more byte so that we have a final null byte */ ++ if ( FT_NEW_ARRAY( strings, string_size + 1 ) ) + goto Bail; + + error = FT_Stream_Read( stream, (FT_Byte*)strings, string_size ); diff --git a/freetype-2.4.6-CVE-2012-1131.patch b/freetype-2.4.6-CVE-2012-1131.patch new file mode 100644 index 0000000..9c72b07 --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1131.patch 
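Review bot: The extra byte from `FT_NEW_ARRAY( strings, string_size + 1 )` is only a terminator if the allocator zero-fills, which `FT_NEW_ARRAY` does as I read ftmemory.h but a `FT_QNEW_ARRAY` would not; writing it explicitly after the read, `strings[string_size] = '\0';`, makes the comment's promise independent of the allocation macro. Separately, `string_size + 1` wraps to 0 if `string_size` is an unchecked 32-bit value from the table header; the `goto Bail` just above suggests a range check exists, but it is outside the hunk and worth confirming it rejects values near the type's maximum. `FT_Stream_Read` is still bounded by `string_size`, so the terminator byte itself is never overwritten.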
@@ -0,0 +1,50 @@ +--- a/src/smooth/ftsmooth.c ++++ b/src/smooth/ftsmooth.c +@@ -4,7 +4,7 @@ + /* */ + /* Anti-aliasing renderer interface (body). */ + /* */ +-/* Copyright 2000-2006, 2009-2011 by */ ++/* Copyright 2000-2006, 2009-2012 by */ + /* David Turner, Robert Wilhelm, and Werner Lemberg. */ + /* */ + /* This file is part of the FreeType project, and may only be used, */ +@@ -105,9 +105,9 @@ + FT_Error error; + FT_Outline* outline = NULL; + FT_BBox cbox; +- FT_UInt width, height, pitch; ++ FT_Pos width, height, pitch; + #ifndef FT_CONFIG_OPTION_SUBPIXEL_RENDERING +- FT_UInt height_org, width_org; ++ FT_Pos height_org, width_org; + #endif + FT_Bitmap* bitmap; + FT_Memory memory; +@@ -151,7 +151,7 @@ + return Smooth_Err_Raster_Overflow; + } + else +- width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 ); ++ width = ( cbox.xMax - cbox.xMin ) >> 6; + + if ( cbox.yMin < 0 && cbox.yMax > FT_INT_MAX + cbox.yMin ) + { +@@ -161,7 +161,7 @@ + return Smooth_Err_Raster_Overflow; + } + else +- height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 ); ++ height = ( cbox.yMax - cbox.yMin ) >> 6; + + bitmap = &slot->bitmap; + memory = render->root.memory; +@@ -223,7 +223,7 @@ + + /* Required check is ( pitch * height < FT_ULONG_MAX ), */ + /* but we care realistic cases only. Always pitch <= width. */ +- if ( width > 0x7FFFU || height > 0x7FFFU ) ++ if ( width > 0x7FFF || height > 0x7FFF ) + { + FT_ERROR(( "ft_smooth_render_generic: glyph too large: %u x %u\n", + width, height )); diff --git a/freetype-2.4.6-CVE-2012-1132.patch b/freetype-2.4.6-CVE-2012-1132.patch new file mode 100644 index 0000000..069295a --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1132.patch 
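Review bot: After `width` and `height` become `FT_Pos`, the unchanged `FT_ERROR(( "... glyph too large: %u x %u\n", width, height ))` passes `long` arguments to `%u`, which is undefined and prints garbage on LP64 builds; change the format to `"%ld x %ld"`. This only matters in debug builds where FT_ERROR expands to a real printf, but that is exactly the configuration a fuzzing run uses. Also, the `width > 0x7FFF || height > 0x7FFF` check now compares signed values, so a negative result (if the cbox could ever have xMax below xMin, which the hunk does not rule out) slips through; adding `width < 0 || height < 0` would close the guard in both directions.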
@@ -0,0 +1,130 @@ +--- freetype-2.4.8/src/psaux/psobjs.c 2011-04-13 13:34:22.000000000 +0200 ++++ freetype-2.4.8/src/psaux/psobjs.c 2012-03-30 14:35:25.000000000 +0200 +@@ -4,7 +4,7 @@ + /* */ + /* Auxiliary functions for PostScript fonts (body). */ + /* */ +-/* Copyright 1996-2011 by */ ++/* Copyright 1996-2012 by */ + /* David Turner, Robert Wilhelm, and Werner Lemberg. */ + /* */ + /* This file is part of the FreeType project, and may only be used, */ +@@ -589,7 +589,7 @@ + } + + Exit: +- if ( cur == parser->cursor ) ++ if ( cur < limit && cur == parser->cursor ) + { + FT_ERROR(( "ps_parser_skip_PS_token:" + " current token is `%c' which is self-delimiting\n" +--- freetype-2.4.8/src/type1/t1load.c 2011-09-27 14:34:40.000000000 +0200 ++++ freetype-2.4.8/src/type1/t1load.c 2012-03-30 14:35:57.000000000 +0200 +@@ -71,6 +71,13 @@ + #include "t1errors.h" + + ++#ifdef FT_CONFIG_OPTION_INCREMENTAL ++#define IS_INCREMENTAL ( face->root.internal->incremental_interface != 0 ) ++#else ++#define IS_INCREMENTAL 0 ++#endif ++ ++ + /*************************************************************************/ + /* */ + /* The macro FT_COMPONENT is used in trace mode. It is an implicit */ +@@ -1030,7 +1037,8 @@ + static int + read_binary_data( T1_Parser parser, + FT_Long* size, +- FT_Byte** base ) ++ FT_Byte** base, ++ FT_Bool incremental ) + { + FT_Byte* cur; + FT_Byte* limit = parser->root.limit; +@@ -1065,8 +1073,12 @@ + } + } + +- FT_ERROR(( "read_binary_data: invalid size field\n" )); +- parser->root.error = T1_Err_Invalid_File_Format; ++ if( !incremental ) ++ { ++ FT_ERROR(( "read_binary_data: invalid size field\n" )); ++ parser->root.error = T1_Err_Invalid_File_Format; ++ } ++ + return 0; + } + +@@ -1387,15 +1399,17 @@ + FT_Byte* base; + + +- /* If the next token isn't `dup' we are done. */ +- if ( ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 ) ++ /* If we are out of data, or if the next token isn't `dup', */ ++ /* we are done. 
*/ ++ if ( parser->root.cursor + 4 >= parser->root.limit || ++ ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 ) + break; + + T1_Skip_PS_Token( parser ); /* `dup' */ + + idx = T1_ToInt( parser ); + +- if ( !read_binary_data( parser, &size, &base ) ) ++ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) ) + return; + + /* The binary string is followed by one token, e.g. `NP' */ +@@ -1407,7 +1421,8 @@ + return; + T1_Skip_Spaces ( parser ); + +- if ( ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 ) ++ if ( parser->root.cursor + 4 < parser->root.limit && ++ ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 ) + { + T1_Skip_PS_Token( parser ); /* skip `put' */ + T1_Skip_Spaces ( parser ); +@@ -1580,7 +1595,7 @@ + cur++; /* skip `/' */ + len = parser->root.cursor - cur; + +- if ( !read_binary_data( parser, &size, &base ) ) ++ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) ) + return; + + /* for some non-standard fonts like `Optima' which provides */ +@@ -1869,7 +1884,7 @@ + + + parser->root.cursor = start_binary; +- if ( !read_binary_data( parser, &s, &b ) ) ++ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) ) + return T1_Err_Invalid_File_Format; + have_integer = 0; + } +@@ -1882,7 +1897,7 @@ + + + parser->root.cursor = start_binary; +- if ( !read_binary_data( parser, &s, &b ) ) ++ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) ) + return T1_Err_Invalid_File_Format; + have_integer = 0; + } +@@ -2158,9 +2173,7 @@ + type1->subrs_len = loader.subrs.lengths; + } + +-#ifdef FT_CONFIG_OPTION_INCREMENTAL +- if ( !face->root.internal->incremental_interface ) +-#endif ++ if ( !IS_INCREMENTAL ) + if ( !loader.charstrings.init ) + { + FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" )); diff --git a/freetype-2.4.6-CVE-2012-1133.patch b/freetype-2.4.6-CVE-2012-1133.patch new file mode 100644 index 0000000..6b12ac1 --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1133.patch 
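Review bot: The new bound checks are written as `parser->root.cursor + 4 >= parser->root.limit`, which forms a pointer beyond the buffer end whenever fewer than four bytes remain; the difference form `parser->root.limit - parser->root.cursor <= 4` expresses the same test without that. The `incremental` parameter added to `read_binary_data` silently turns an invalid size field into a non-error return for incremental faces, which the callers then treat as "no more data"; a comment on the parameter saying that glyph data is supplied by the incremental interface in that mode (my reading of `IS_INCREMENTAL`, not something the hunk shows) would explain why that is safe. Minor style: `if( !incremental )` is missing the space FreeType uses everywhere else in the file.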
@@ -0,0 +1,14 @@ +--- a/src/bdf/bdflib.c 2012-03-28 13:08:54.000000000 +0200 ++++ b/src/bdf/bdflib.c 2012-03-28 13:12:00.000000000 +0200 +@@ -1587,6 +1587,11 @@ + + p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 ); + ++ /* Normalize negative encoding values. The specification only */ ++ /* allows -1, but we can be more generous here. */ ++ if ( p->glyph_enc < -1 ) ++ p->glyph_enc = -1; ++ + /* Check that the encoding is in the range [0,65536] because */ + /* otherwise p->have (a bitmap with static size) overflows. */ + if ( p->glyph_enc > 0 && diff --git a/freetype-2.4.6-CVE-2012-1134.patch b/freetype-2.4.6-CVE-2012-1134.patch new file mode 100644 index 0000000..bd72640 --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1134.patch @@ -0,0 +1,26 @@ +--- a/src/type1/t1parse.c ++++ b/src/type1/t1parse.c +@@ -4,7 +4,7 @@ + /* */ + /* Type 1 parser (body). */ + /* */ +-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008, 2009 by */ ++/* Copyright 1996-2005, 2008, 2009, 2012 by */ + /* David Turner, Robert Wilhelm, and Werner Lemberg. */ + /* */ + /* This file is part of the FreeType project, and may only be used, */ +@@ -467,6 +467,14 @@ + /* we now decrypt the encoded binary private dictionary */ + psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U ); + ++ if ( parser->private_len < 4 ) ++ { ++ FT_ERROR(( "T1_Get_Private_Dict:" ++ " invalid private dictionary section\n" )); ++ error = T1_Err_Invalid_File_Format; ++ goto Fail; ++ } ++ + /* replace the four random bytes at the beginning with whitespace */ + parser->private_dict[0] = ' '; + parser->private_dict[1] = ' '; diff --git a/freetype-2.4.6-CVE-2012-1135.patch b/freetype-2.4.6-CVE-2012-1135.patch new file mode 100644 index 0000000..869b0df --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1135.patch 
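Review bot: The comment above `if ( p->glyph_enc < -1 ) p->glyph_enc = -1;` explains the specification but not why the clamp is needed, so a reader will not see that a value below -1 would otherwise flow, as a negative number, into whatever indexes on `glyph_enc` further down (presumably the `p->have` bitmap the next comment mentions). Suggest extending it: `/* ... more generous here; anything below -1 would otherwise be used as a negative index. */`. The enclosing ENCODING branch continues outside the hunk.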
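Review bot: The new `parser->private_len < 4` check sits after `psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U )`, so a private dictionary that is about to be rejected is decrypted first; moving the check above the decrypt call makes the "replace the four random bytes" writes that follow obviously safe and avoids doing work on rejected input. If `private_len` is signed, `< 4` also catches negative values, which is good, but a comment saying that the four bytes are the eexec salt overwritten below would tell the next reader why 4 is the magic number. The enclosing T1_Get_Private_Dict begins and ends outside the hunk.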
@@ -0,0 +1,20 @@ +--- a/src/truetype/ttinterp.c ++++ b/src/truetype/ttinterp.c +@@ -4477,7 +4477,7 @@ + CUR.length = opcode_length[CUR.opcode]; + if ( CUR.length < 0 ) + { +- if ( CUR.IP + 1 > CUR.codeSize ) ++ if ( CUR.IP + 1 >= CUR.codeSize ) + goto Fail_Overflow; + CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1]; + } +@@ -7544,7 +7544,7 @@ + + if ( ( CUR.length = opcode_length[CUR.opcode] ) < 0 ) + { +- if ( CUR.IP + 1 > CUR.codeSize ) ++ if ( CUR.IP + 1 >= CUR.codeSize ) + goto LErrorCodeOverflow_; + + CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1]; diff --git a/freetype-2.4.6-CVE-2012-1136.patch b/freetype-2.4.6-CVE-2012-1136.patch new file mode 100644 index 0000000..ea472c9 --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1136.patch 
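Review bot: The same `CUR.IP + 1 >= CUR.codeSize` guard is fixed at two sites, which is exactly how the off-by-one reached both in the first place; factoring the `opcode_length < 0` case into one helper or macro used by both sites would keep them from drifting again. After `CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1]` the hunk does not show the `CUR.IP + CUR.length <= CUR.codeSize` check that must precede reading the operand bytes; presumably it follows, but it is worth confirming since a negative `opcode_length` means the operand count comes from the stream. The enclosing functions start and end outside the hunk.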
@@ -0,0 +1,49 @@ +--- a/src/bdf/bdflib.c 2012-03-28 13:13:24.000000000 +0200 ++++ b/src/bdf/bdflib.c 2012-03-28 13:15:33.000000000 +0200 +@@ -1749,12 +1749,7 @@ + if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 ) + { + if ( !( p->flags & _BDF_ENCODING ) ) +- { +- /* Missing ENCODING field. */ +- FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" )); +- error = BDF_Err_Missing_Encoding_Field; +- goto Exit; +- } ++ goto Missing_Encoding; + + error = _bdf_list_split( &p->list, (char *)" +", line, linelen ); + if ( error ) +@@ -1769,6 +1764,9 @@ + /* Expect the DWIDTH (scalable width) field next. */ + if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 ) + { ++ if ( !( p->flags & _BDF_ENCODING ) ) ++ goto Missing_Encoding; ++ + error = _bdf_list_split( &p->list, (char *)" +", line, linelen ); + if ( error ) + goto Exit; +@@ -1794,6 +1792,9 @@ + /* Expect the BBX field next. */ + if ( ft_memcmp( line, "BBX", 3 ) == 0 ) + { ++ if ( !( p->flags & _BDF_ENCODING ) ) ++ goto Missing_Encoding; ++ + error = _bdf_list_split( &p->list, (char *)" +", line, linelen ); + if ( error ) + goto Exit; +@@ -1893,6 +1894,12 @@ + } + + error = BDF_Err_Invalid_File_Format; ++ goto Exit; ++ ++ Missing_Encoding: ++ /* Missing ENCODING field. */ ++ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" )); ++ error = BDF_Err_Missing_Encoding_Field; + + Exit: + if ( error && ( p->flags & _BDF_GLYPH ) ) diff --git a/freetype-2.4.6-CVE-2012-1137.patch b/freetype-2.4.6-CVE-2012-1137.patch new file mode 100644 index 0000000..fc13555 --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1137.patch @@ -0,0 +1,11 @@ +--- a/src/bdf/bdflib.c ++++ b/src/bdf/bdflib.c +@@ -462,7 +462,7 @@ + if ( num_items > list->size ) + { + unsigned long oldsize = list->size; /* same as _bdf_list_t.size */ +- unsigned long newsize = oldsize + ( oldsize >> 1 ) + 4; ++ unsigned long newsize = oldsize + ( oldsize >> 1 ) + 5; + unsigned long bigsize = (unsigned long)( FT_INT_MAX / sizeof ( char* ) ); + FT_Memory memory = list->memory; + 
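Review bot: A comment at the `Missing_Encoding:` label should record the invariant the three new checks enforce, because the BITMAP keyword branch is outside the hunk and, if it only verifies `_BDF_BBX`, inherits the ENCODING requirement transitively through BBX in a way nothing here makes visible; something like `/* every per-glyph field after STARTCHAR requires ENCODING first */` would do. The label placement after the unconditional `goto Exit` is correct, and `error` is set on the fall-through path so nothing reaches `Exit` with a stale value. The enclosing parser function begins and ends outside the hunk.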
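Review bot: The `+ 4` to `+ 5` change in `newsize = oldsize + ( oldsize >> 1 ) + 5` is a magic number tied to the five `list->field[0..4]` slots that `_bdf_list_split` initialises unconditionally (patched separately in this commit), and nothing here says so. Name it or comment it, e.g. `/* must yield at least 5 entries: _bdf_list_split writes field[0..4] unconditionally */`, so the growth formula and the initialiser cannot be changed independently. The `bigsize` clamp on the next line keeps the expression from overflowing, which is worth keeping in mind if the constant ever grows.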
diff --git a/freetype-2.4.6-CVE-2012-1138.patch b/freetype-2.4.6-CVE-2012-1138.patch new file mode 100644 index 0000000..33fe926 --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1138.patch @@ -0,0 +1,11 @@ +--- a/src/truetype/ttinterp.c 2012-03-28 13:16:19.000000000 +0200 ++++ b/src/truetype/ttinterp.c 2012-03-28 13:19:39.000000000 +0200 +@@ -6223,7 +6223,7 @@ + TT_MulFix14( (FT_UInt32)cvt_dist, + CUR.GS.freeVector.y ); + +- CUR.zp1.cur[point] = CUR.zp0.cur[point]; ++ CUR.zp1.cur[point] = CUR.zp1.org[point]; + } + + org_dist = CUR_Func_dualproj( &CUR.zp1.org[point], diff --git a/freetype-2.4.6-CVE-2012-1139.patch b/freetype-2.4.6-CVE-2012-1139.patch new file mode 100644 index 0000000..e0be94c --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1139.patch @@ -0,0 +1,33 @@ +--- a/src/bdf/bdflib.c 2012-03-28 13:24:22.000000000 +0200 ++++ b/src/bdf/bdflib.c 2012-03-28 13:24:22.000000000 +0200 +@@ -791,7 +791,7 @@ + }; + + +-#define isdigok( m, d ) (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) ) ++#define isdigok( m, d ) (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) & 7 ) ) ) + + + /* Routine to convert an ASCII string into an unsigned long integer. */ +@@ -1709,7 +1709,7 @@ + for ( i = 0; i < nibbles; i++ ) + { + c = line[i]; +- if ( !c ) ++ if ( !isdigok( hdigits, c ) ) + break; + *bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] ); + if ( i + 1 < nibbles && ( i & 1 ) ) +@@ -1732,9 +1732,9 @@ + *bp &= nibble_mask[mask_index]; + + /* If any line has extra columns, indicate they have been removed. */ +- if ( i == nibbles && +- ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) && +- !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) ) ++ if ( i == nibbles && ++ isdigok( hdigits, line[nibbles] ) && ++ !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) ) + { + FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding )); + p->flags |= _BDF_GLYPH_WIDTH_CHECK; diff --git a/freetype-2.4.6-CVE-2012-1140.patch b/freetype-2.4.6-CVE-2012-1140.patch new file mode 100644 index 0000000..98fd254 --- /dev/null 
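Review bot: `CUR.zp1.cur[point] = CUR.zp1.org[point];` fixes the index into the wrong zone, but the line reads as a plain copy without context; a comment such as `/* twilight zone: current position starts at the original one just computed; zp0 may have fewer points than zp1 */` explains both what it does and why the previous `zp0.cur[point]` read could run out of bounds. Whether `point` is range-checked against `CUR.zp1.n_points` before this block is outside the hunk; the fix only helps if that check is present, so please confirm. The enclosing instruction handler starts and ends outside the hunk.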
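Review bot: The repaired `isdigok` macro still evaluates `d` twice and leaves `m` unparenthesised, so a call with a side-effecting argument or a non-trivial table expression would misbehave; the safer form is `#define isdigok( m, d ) ( (m)[(unsigned char)(d) >> 3] & ( 1 << ( (unsigned char)(d) & 7 ) ) )`, or a `static` inline function. The `(unsigned char)` cast is what closes the bug: a byte above 0x7F in `line` used to index `hdigits` with a negative value on signed-`char` platforms, and the same cast on the `& 7` operand keeps the shift count well-defined for any `char`. Once `isdigok` passes, `c` is an ASCII hex digit, so the following `a2i[c]` is in range without a separate check.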
+++ b/freetype-2.4.6-CVE-2012-1140.patch @@ -0,0 +1,53 @@ +--- a/src/psaux/psconv.c ++++ b/src/psaux/psconv.c +@@ -4,7 +4,7 @@ + /* */ + /* Some convenience conversions (body). */ + /* */ +-/* Copyright 2006, 2008, 2009 by */ ++/* Copyright 2006, 2008, 2009, 2012 by */ + /* David Turner, Robert Wilhelm, and Werner Lemberg. */ + /* */ + /* This file is part of the FreeType project, and may only be used, */ +@@ -79,7 +79,7 @@ + FT_Bool sign = 0; + + +- if ( p == limit || base < 2 || base > 36 ) ++ if ( p >= limit || base < 2 || base > 36 ) + return 0; + + if ( *p == '-' || *p == '+' ) +@@ -150,7 +150,7 @@ + FT_Bool sign = 0; + + +- if ( p == limit ) ++ if ( p >= limit ) + return 0; + + if ( *p == '-' || *p == '+' ) +@@ -346,7 +346,11 @@ + + #if 1 + +- p = *cursor; ++ p = *cursor; ++ ++ if ( p >= limit ) ++ return 0; ++ + if ( n > (FT_UInt)( limit - p ) ) + n = (FT_UInt)( limit - p ); + +@@ -434,6 +438,10 @@ + #if 1 + + p = *cursor; ++ ++ if ( p >= limit ) ++ return 0; ++ + if ( n > (FT_UInt)(limit - p) ) + n = (FT_UInt)(limit - p); + diff --git a/freetype-2.4.6-CVE-2012-1141.patch b/freetype-2.4.6-CVE-2012-1141.patch new file mode 100644 index 0000000..aac0f52 --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1141.patch @@ -0,0 +1,17 @@ +--- a/src/bdf/bdflib.c 2012-03-28 13:25:37.000000000 +0200 ++++ b/src/bdf/bdflib.c 2012-03-28 13:25:37.000000000 +0200 +@@ -521,6 +521,14 @@ + + /* Initialize the list. */ + list->used = 0; ++ if ( list->size ) ++ { ++ list->field[0] = (char*)empty; ++ list->field[1] = (char*)empty; ++ list->field[2] = (char*)empty; ++ list->field[3] = (char*)empty; ++ list->field[4] = (char*)empty; ++ } + + /* If the line is empty, then simply return. */ + if ( linelen == 0 || line[0] == 0 ) diff --git a/freetype-2.4.6-CVE-2012-1142.patch b/freetype-2.4.6-CVE-2012-1142.patch new file mode 100644 index 0000000..8035837 --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1142.patch 
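Review bot: The `p >= limit` guards fix the read of `*p` at the top of each routine, but after the sign is consumed by `if ( *p == '-' || *p == '+' )` the hunk does not show a second bound before the digit loop, so a buffer ending in a lone `-` could still be read one past `limit`; please confirm the loop below tests `p < limit` on each iteration. Changing `==` to `>=` also hints that `p` can already be past `limit` on entry, which points at a caller that mis-tracks its cursor; the guard is right, but a comment noting that `p > limit` indicates a caller bug would keep someone from "fixing" it back to `==`. The enclosing conversion functions begin and end outside the hunk.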
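Review bot: The guard `if ( list->size )` only proves one slot exists, yet the block writes `list->field[0]` through `list->field[4]`; it is safe only because the growth formula in the list-resize helper (patched separately in this commit) never allocates fewer than five entries, a coupling nothing here records. A self-contained form is a bounded loop, `for ( i = 0; i < list->size && i < 5; i++ ) list->field[i] = (char*)empty;`, or at least a comment stating the five-entry minimum. The initialisation itself is the right fix: callers elsewhere in this commit read `p->list.field[1]` after a split, and `empty` keeps such reads pointing at a real string when the line was short.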
@@ -0,0 +1,27 @@ +--- a/src/winfonts/winfnt.c 2010-09-11 08:06:45.000000000 +0200 ++++ b/src/winfonts/winfnt.c 2012-03-28 13:21:18.000000000 +0200 +@@ -4,7 +4,7 @@ + /* */ + /* FreeType font driver for Windows FNT/FON files */ + /* */ +-/* Copyright 1996-2001, 2002, 2003, 2004, 2006, 2007, 2008, 2009, 2010 by */ ++/* Copyright 1996-2004, 2006-2012 by */ + /* David Turner, Robert Wilhelm, and Werner Lemberg. */ + /* Copyright 2003 Huw D M Davies for Codeweavers */ + /* Copyright 2007 Dmitry Timoshkov for Codeweavers */ +@@ -827,7 +827,14 @@ + root->charmap = root->charmaps[0]; + } + +- /* setup remaining flags */ ++ /* set up remaining flags */ ++ ++ if ( font->header.last_char < font->header.first_char ) ++ { ++ FT_TRACE2(( "invalid number of glyphs\n" )); ++ error = FNT_Err_Invalid_File_Format; ++ goto Fail; ++ } + + /* reserve one slot for the .notdef glyph at index 0 */ + root->num_glyphs = font->header.last_char - diff --git a/freetype-2.4.6-CVE-2012-1143.patch b/freetype-2.4.6-CVE-2012-1143.patch new file mode 100644 index 0000000..43c3f11 --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1143.patch 
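Review bot: The new `last_char < first_char` rejection is logged with `FT_TRACE2(( "invalid number of glyphs\n" ))`, which is a trace rather than an error and lacks the function-name prefix the other error messages in this commit carry (`"T1_Get_Private_Dict: ..."`); since the branch sets `FNT_Err_Invalid_File_Format` and fails the load, an `FT_ERROR` prefixed with the enclosing function's name would make it visible where it belongs. The comparison is on the two header byte fields, so `last_char - first_char + 1` in the `num_glyphs` computation that follows is now guaranteed non-negative. The enclosing function starts and ends outside the hunk.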
@@ -0,0 +1,67 @@ +--- a/src/base/ftcalc.c ++++ b/src/base/ftcalc.c +@@ -4,7 +4,7 @@ + /* */ + /* Arithmetic computations (body). */ + /* */ +-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2008 by */ ++/* Copyright 1996-2006, 2008, 2012 by */ + /* David Turner, Robert Wilhelm, and Werner Lemberg. */ + /* */ + /* This file is part of the FreeType project, and may only be used, */ +@@ -307,7 +307,7 @@ + q <<= 1; + r |= lo >> 31; + +- if ( r >= (FT_UInt32)y ) ++ if ( r >= y ) + { + r -= y; + q |= 1; +@@ -373,7 +373,7 @@ + if ( a <= 46340L && b <= 46340L && c <= 176095L && c > 0 ) + a = ( a * b + ( c >> 1 ) ) / c; + +- else if ( c > 0 ) ++ else if ( (FT_Int32)c > 0 ) + { + FT_Int64 temp, temp2; + +@@ -412,7 +412,7 @@ + if ( a <= 46340L && b <= 46340L && c > 0 ) + a = a * b / c; + +- else if ( c > 0 ) ++ else if ( (FT_Int32)c > 0 ) + { + FT_Int64 temp; + +@@ -544,7 +544,7 @@ + s = (FT_Int32)a; a = FT_ABS( a ); + s ^= (FT_Int32)b; b = FT_ABS( b ); + +- if ( b == 0 ) ++ if ( (FT_UInt32)b == 0 ) + { + /* check for division by 0 */ + q = (FT_UInt32)0x7FFFFFFFL; +@@ -552,15 +552,16 @@ + else if ( ( a >> 16 ) == 0 ) + { + /* compute result directly */ +- q = (FT_UInt32)( (a << 16) + (b >> 1) ) / (FT_UInt32)b; ++ q = (FT_UInt32)( ( a << 16 ) + ( b >> 1 ) ) / (FT_UInt32)b; + } + else + { + /* we need more bits; we have to do it by hand */ + FT_Int64 temp, temp2; + +- temp.hi = (FT_Int32) (a >> 16); +- temp.lo = (FT_UInt32)(a << 16); ++ ++ temp.hi = (FT_Int32) ( a >> 16 ); ++ temp.lo = (FT_UInt32)( a << 16 ); + temp2.hi = 0; + temp2.lo = (FT_UInt32)( b >> 1 ); + FT_Add64( &temp, &temp2, &temp ); diff --git a/freetype-2.4.6-CVE-2012-1144.patch b/freetype-2.4.6-CVE-2012-1144.patch new file mode 100644 index 0000000..89ea94e --- /dev/null +++ b/freetype-2.4.6-CVE-2012-1144.patch 
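Review bot: The hunk changes `r >= (FT_UInt32)y` to `r >= y` inside the hand-rolled divide, but the prototype of that routine is outside the hunk; in the 2.4.6 tree `y` was declared `FT_Int32`, and unless this backport also changed it to `FT_UInt32` (as upstream did) the comparison and the `r -= y` below become a signed/unsigned mix in which a negative `y` turns into a huge unsigned value, so please confirm the parameter type was updated as well. The `(FT_Int32)c > 0` and `(FT_UInt32)b == 0` casts in the callers presumably double as a "fits in 32 bits" test ahead of the emulated 64-bit division; a comment such as `/* cast is intentional: a c that does not fit in 32 bits must take the saturating branch */` would keep them from being removed as redundant. The enclosing arithmetic helpers begin and end outside the hunk.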
@@ -0,0 +1,22 @@ +--- a/src/truetype/ttgload.c ++++ b/src/truetype/ttgload.c +@@ -362,14 +362,17 @@ + if ( n_contours >= 0xFFF || p + ( n_contours + 1 ) * 2 > limit ) + goto Invalid_Outline; + +- prev_cont = FT_NEXT_USHORT( p ); ++ prev_cont = FT_NEXT_SHORT( p ); + + if ( n_contours > 0 ) + cont[0] = prev_cont; + ++ if ( prev_cont < 0 ) ++ goto Invalid_Outline; ++ + for ( cont++; cont < cont_limit; cont++ ) + { +- cont[0] = FT_NEXT_USHORT( p ); ++ cont[0] = FT_NEXT_SHORT( p ); + if ( cont[0] <= prev_cont ) + { + /* unordered contours: this is invalid */ diff --git a/freetype-2.4.6-bdf-overflow.patch b/freetype-2.4.6-bdf-overflow.patch new file mode 100644 index 0000000..53f3210 --- /dev/null +++ b/freetype-2.4.6-bdf-overflow.patch @@ -0,0 +1,11 @@ +--- a/src/bdf/bdflib.c ++++ b/src/bdf/bdflib.c +@@ -1912,7 +1912,7 @@ + glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3; + + bitmap_size = glyph->bpr * glyph->bbx.height; +- if ( bitmap_size > 0xFFFFU ) ++ if ( glyph->bpr > 0xFFFFU || bitmap_size > 0xFFFFU ) + { + FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno )); + error = BDF_Err_Bbx_Too_Big; diff --git a/freetype.spec b/freetype.spec index d958397..5c154c1 100644 --- a/freetype.spec +++ b/freetype.spec @@ -7,7 +7,7 @@ Summary: A free and portable font rendering engine Name: freetype Version: 2.4.6 -Release: 4%{?dist} +Release: 5%{?dist} License: FTL or GPLv2+ Group: System Environment/Libraries URL: http://www.freetype.org 
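Review bot: `cont[0] = prev_cont` is stored before the `prev_cont < 0` check, which is harmless since the slot exists, but ordering the check first reads as "validate, then store" and avoids leaving a rejected value in the outline; the two statements simply swap. The negative check is only needed for the first endpoint because the loop's `cont[0] <= prev_cont` rejection forces every later one to be strictly larger (assuming `prev_cont` is refreshed each iteration, which is outside the hunk), and a one-line comment at the check saying so would save the next reader from hunting for a per-element test. The enclosing loader function starts and ends outside the hunk.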
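Review bot: The added `glyph->bpr > 0xFFFFU` clause is not really a size limit on its own (if `bpp` is capped at 8 and `bbx.width` is a 16-bit field, `( width * bpp + 7 ) >> 3` cannot exceed 0xFFFF); its value is that once both factors are at most 0xFFFF the product `bitmap_size = glyph->bpr * glyph->bbx.height` cannot wrap a 32-bit `unsigned long`, which is what makes the second clause trustworthy. That reasoning is written nowhere and deserves a comment, e.g. `/* bound both factors first so bpr * height cannot overflow before it is compared */`. The product is still computed before the check, which is fine because `||` short-circuits on the `bpr` test, but if `bpr` were declared narrower than `unsigned long` the first clause would be dead, so it is worth confirming the field type against bdf.h.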
@@ -28,6 +28,25 @@ Patch88: freetype-multilib.patch Patch89: freetype-2.4.2-CVE-2010-3311.patch Patch90: freetype-2.4.6-CVE-2011-3256.patch Patch91: freetype-2.4.6-CVE-2011-3439.patch +Patch92: freetype-2.4.6-CVE-2012-1126.patch +Patch93: freetype-2.4.6-CVE-2012-1127.patch +Patch94: freetype-2.4.6-CVE-2012-1128.patch +Patch95: freetype-2.4.6-CVE-2012-1130.patch +Patch96: freetype-2.4.6-CVE-2012-1131.patch +Patch97: freetype-2.4.6-CVE-2012-1132.patch +Patch98: freetype-2.4.6-CVE-2012-1133.patch +Patch99: freetype-2.4.6-CVE-2012-1134.patch +Patch100: freetype-2.4.6-CVE-2012-1135.patch +Patch101: freetype-2.4.6-CVE-2012-1136.patch +Patch102: freetype-2.4.6-CVE-2012-1137.patch +Patch103: freetype-2.4.6-CVE-2012-1138.patch +Patch104: freetype-2.4.6-CVE-2012-1139.patch +Patch105: freetype-2.4.6-CVE-2012-1140.patch +Patch106: freetype-2.4.6-CVE-2012-1141.patch +Patch107: freetype-2.4.6-CVE-2012-1142.patch +Patch108: freetype-2.4.6-CVE-2012-1143.patch +Patch109: freetype-2.4.6-CVE-2012-1144.patch +Patch110: freetype-2.4.6-bdf-overflow.patch Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n) @@ -91,6 +110,25 @@ popd %patch89 -p1 -b .CVE-2010-3311 %patch90 -p1 -b .CVE-2011-3256 %patch91 -p1 -b .CVE-2011-3439 +%patch92 -p1 -b .CVE-2012-1126 +%patch93 -p1 -b .CVE-2012-1127 +%patch94 -p1 -b .CVE-2012-1128 +%patch95 -p1 -b .CVE-2012-1130 +%patch96 -p1 -b .CVE-2012-1131 +%patch97 -p1 -b .CVE-2012-1132 +%patch98 -p1 -b .CVE-2012-1133 +%patch99 -p1 -b .CVE-2012-1134 +%patch100 -p1 -b .CVE-2012-1135 +%patch101 -p1 -b .CVE-2012-1136 +%patch102 -p1 -b .CVE-2012-1137 +%patch103 -p1 -b .CVE-2012-1138 +%patch104 -p1 -b .CVE-2012-1139 +%patch105 -p1 -b .CVE-2012-1140 +%patch106 -p1 -b .CVE-2012-1141 +%patch107 -p1 -b .CVE-2012-1142 +%patch108 -p1 -b .CVE-2012-1143 +%patch109 -p1 -b .CVE-2012-1144 +%patch110 -p1 -b .bdf-overflow %build 
@@ -223,6 +261,10 @@ rm -rf $RPM_BUILD_ROOT %doc docs/tutorial %changelog +* Fri Mar 30 2012 Marek Kasik 2.4.6-5 +- Fixes various CVEs +- Resolves: #806270 + * Tue Nov 15 2011 Marek Kasik 2.4.6-4 - Fix CVE-2011-3439 - Resolves: #753837