Control: tag 679105 + patch

Hi,

I could reproduce #679105, #672336, #680277 and #682673 with cairo
1.12.2-2 from Wheezy, using the sample PDF files provided by
the submitters.

I could reproduce none of these bugs with cairo built with the
attached patches.

Dear maintainer, what do you think of bumping these bugs' severity to
important, and gently asking the release team if they would be happy
to grant a freeze exception to fix this in Wheezy? (Note that the
changes don't satisfy the current freeze policy, so insisting would
not be in order :)

FWIW, these patches have been shipped in Ubuntu since 1.12.2-1ubuntu2,
along with a Valgrind warning fix that I did not feel was worth
a freeze exception.

Cheers,
--
  intrigeri
  | GnuPG key @ https://gaffer.ptitcanardnoir.org/intrigeri/intrigeri.asc
  | OTR fingerprint @ https://gaffer.ptitcanardnoir.org/intrigeri/otr.asc

>From d60b93b305832316c8e88694e2119935edde0178 Mon Sep 17 00:00:00 2001
From: intrigeri <intrig...@debian.org>
Date: Tue, 22 Jan 2013 15:56:36 +0100
Subject: [PATCH 1/2] Fix Evince crash when printing certain PDF files
 (Closes: #682673)

Cherry-picked from upstream:

  5dd0f2e cff subsetting: widths can be floating point
  49c8e1b cff: use correct size for buffer
  77106a0 cff: convert '.' to locale specific decimal point before using sscanf
  2f1d6b2 cff-subsetting: Ignore charset for non cid fonts

FWIW, these patches have been shipped in Ubuntu since 1.12.2-1ubuntu2, along
with a Valgrind warning fix that I did not feel was worth a freeze exception.
---
 ...bsetting-Ignore-charset-for-non-cid-fonts.patch |   37 ++++++++++
 ..._._to_locale_specific_decimal_point_befor.patch |   68 +++++++++++++++++
 .../09_cff_use_correct_size_for_buffer.patch       |   22 ++++++
 ...f_subsetting_widths_can_be_floating_point.patch |   78 ++++++++++++++++++++
 debian/patches/series                              |    4 +
 5 files changed, 209 insertions(+)
 create mode 100644 debian/patches/07_cff-subsetting-Ignore-charset-for-non-cid-fonts.patch
 create mode 100644 debian/patches/08_cff_convert_._to_locale_specific_decimal_point_befor.patch
 create mode 100644 debian/patches/09_cff_use_correct_size_for_buffer.patch
 create mode 100644 debian/patches/10_cff_subsetting_widths_can_be_floating_point.patch

diff --git a/debian/patches/07_cff-subsetting-Ignore-charset-for-non-cid-fonts.patch b/debian/patches/07_cff-subsetting-Ignore-charset-for-non-cid-fonts.patch
new file mode 100644
index 0000000..f64cdba
--- /dev/null
+++ b/debian/patches/07_cff-subsetting-Ignore-charset-for-non-cid-fonts.patch
@@ -0,0 +1,37 @@
+From: Adrian Johnson <ajohn...@redneon.com>
+Date: Thu, 7 Jun 2012 19:18:52 +0930
+Subject: cff-subsetting: Ignore charset for non cid fonts
+
+Fixes crash in https://bugzilla.gnome.org/show_bug.cgi?id=677422
+---
+ src/cairo-cff-subset.c |   16 +++++++++-------
+ 1 file changed, 9 insertions(+), 7 deletions(-)
+
+diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
+index db6fdf7..6f0cd66 100644
+--- a/src/cairo-cff-subset.c
++++ b/src/cairo-cff-subset.c
+@@ -1178,14 +1178,16 @@ cairo_cff_font_read_top_dict (cairo_cff_font_t *font)
+         goto fail;
+     font->num_glyphs = _cairo_array_num_elements (&font->charstrings_index);
+ 
+-    operand = cff_dict_get_operands (font->top_dict, CHARSET_OP, &size);
+-    if (font->is_cid && !operand)
+-	return CAIRO_INT_STATUS_UNSUPPORTED;
++    if (font->is_cid) {
++	 operand = cff_dict_get_operands (font->top_dict, CHARSET_OP, &size);
++	 if (!operand)
++	      return CAIRO_INT_STATUS_UNSUPPORTED;
+ 
+-    decode_integer (operand, &offset);
+-    font->charset = font->data + offset;
+-    if (font->charset >= font->data_end)
+-	return CAIRO_INT_STATUS_UNSUPPORTED;
++	 decode_integer (operand, &offset);
++	 font->charset = font->data + offset;
++	 if (font->charset >= font->data_end)
++	      return CAIRO_INT_STATUS_UNSUPPORTED;
++    }
+ 
+     if (!font->is_opentype)
+         cairo_cff_font_read_font_metrics (font, font->top_dict);
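Review bot: The bounds check in the new CID-only block tests only the upper end of the charset pointer: `offset` comes from decode_integer and, if it can be negative (the sibling type2_decode_integer in patch 10 writes a plain `int`), `font->data + offset` points before the buffer and still passes `font->charset >= font->data_end`; `if (offset < 0 || font->charset >= font->data_end)` would cover that case, and later reads of the charset table should be bounded against data_end as well since only its start is validated here. For non-CID fonts font->charset is now never assigned in this function, which is safe only if the struct is zeroed on allocation and every reader of charset is gated on is_cid — neither is visible in the hunk. The block also exits with a direct `return` two lines after a `goto fail`, so it is worth confirming that nothing acquired earlier in the function needs releasing on the UNSUPPORTED path. cairo_cff_font_read_top_dict starts and ends outside the hunk.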
diff --git a/debian/patches/08_cff_convert_._to_locale_specific_decimal_point_befor.patch b/debian/patches/08_cff_convert_._to_locale_specific_decimal_point_befor.patch
new file mode 100644
index 0000000..be88949
--- /dev/null
+++ b/debian/patches/08_cff_convert_._to_locale_specific_decimal_point_befor.patch
@@ -0,0 +1,68 @@
+From: Adrian Johnson <ajohn...@redneon.com>
+Date: Wed, 4 Jul 2012 19:54:18 +0930
+Subject: cff: convert '.' to locale specific decimal point before using
+ sscanf
+
+to fix bug when decoding cff real numbers.
+
+Bug 51443
+---
+ src/cairo-cff-subset.c |   26 +++++++++++++++++++++++++-
+ 1 file changed, 25 insertions(+), 1 deletion(-)
+
+diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
+index 6f0cd66..aeaf5b1 100644
+--- a/src/cairo-cff-subset.c
++++ b/src/cairo-cff-subset.c
+@@ -51,6 +51,7 @@
+ #include "cairo-scaled-font-subsets-private.h"
+ #include "cairo-truetype-subset-private.h"
+ #include <string.h>
++#include <locale.h>
+ 
+ /* CFF Dict Operators. If the high byte is 0 the command is encoded
+  * with a single byte. */
+@@ -293,11 +294,23 @@ decode_nibble (int n, char *buf)
+ static unsigned char *
+ decode_real (unsigned char *p, double *real)
+ {
++    struct lconv *locale_data;
++    const char *decimal_point;
++    int decimal_point_len;
+     int n;
+     char buffer[100];
++    char buffer2[200];
++    char *q;
+     char *buf = buffer;
+     char *buf_end = buffer + sizeof (buf);
+ 
++    locale_data = localeconv ();
++    decimal_point = locale_data->decimal_point;
++    decimal_point_len = strlen (decimal_point);
++
++    assert (decimal_point_len != 0);
++    assert (sizeof(buffer) + decimal_point_len < sizeof(buffer2));
++
+     p++;
+     while (buf + 2 < buf_end) {
+ 	n = *p >> 4;
+@@ -312,7 +325,18 @@ decode_real (unsigned char *p, double *real)
+     };
+     *buf = 0;
+ 
+-    if (sscanf(buffer, "%lf", real) != 1)
++    buf = buffer;
++    if (strchr (buffer, '.')) {
++	 q = strchr (buffer, '.');
++	 strncpy (buffer2, buffer, q - buffer);
++	 buf = buffer2 + (q - buffer);
++	 strncpy (buf, decimal_point, decimal_point_len);
++	 buf += decimal_point_len;
++	 strcpy (buf, q + 1);
++	 buf = buffer2;
++    }
++
++    if (sscanf(buf, "%lf", real) != 1)
+         *real = 0.0;
+ 
+     return p;
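Review bot: The two `strncpy` calls in the new conversion block are doing memcpy's job with a computed length and do not NUL-terminate; the result is correct only because the final `strcpy (buf, q + 1)` terminates the string, so `memcpy (buffer2, buffer, q - buffer)` and `memcpy (buf, decimal_point, decimal_point_len)` say what is meant and avoid the usual strncpy misreading. `strchr (buffer, '.')` is evaluated twice; `q = strchr (buffer, '.'); if (q) { … }` does it once. Both `assert` guards vanish under NDEBUG, so a runtime check that skips the conversion and scans `buffer` unchanged when decimal_point is empty or would not fit in buffer2 keeps release builds safe; `decimal_point_len` is an `int` assigned from `strlen`, which also invites a conversion warning, and `assert` is used with no `<assert.h>` include visible (presumably pulled in by a cairo-internal header). The nibble loop reads `*p` with no end-of-data bound, which this commit does not change; decode_real's loop body continues outside the hunk.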
diff --git a/debian/patches/09_cff_use_correct_size_for_buffer.patch b/debian/patches/09_cff_use_correct_size_for_buffer.patch
new file mode 100644
index 0000000..d5b0f1f
--- /dev/null
+++ b/debian/patches/09_cff_use_correct_size_for_buffer.patch
@@ -0,0 +1,22 @@
+From: Adrian Johnson <ajohn...@redneon.com>
+Date: Thu, 5 Jul 2012 21:59:33 +0930
+Subject: cff: use correct size for buffer
+
+Bug 51443
+---
+ src/cairo-cff-subset.c |    2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
+index aeaf5b1..b3b6026 100644
+--- a/src/cairo-cff-subset.c
++++ b/src/cairo-cff-subset.c
+@@ -302,7 +302,7 @@ decode_real (unsigned char *p, double *real)
+     char buffer2[200];
+     char *q;
+     char *buf = buffer;
+-    char *buf_end = buffer + sizeof (buf);
++    char *buf_end = buffer + sizeof (buffer);
+ 
+     locale_data = localeconv ();
+     decimal_point = locale_data->decimal_point;
diff --git a/debian/patches/10_cff_subsetting_widths_can_be_floating_point.patch b/debian/patches/10_cff_subsetting_widths_can_be_floating_point.patch
new file mode 100644
index 0000000..b8bd051
--- /dev/null
+++ b/debian/patches/10_cff_subsetting_widths_can_be_floating_point.patch
@@ -0,0 +1,78 @@
+From: Adrian Johnson <ajohn...@redneon.com>
+Date: Tue, 31 Jul 2012 22:52:09 +0930
+Subject: cff subsetting: widths can be floating point
+
+Bug 52972
+---
+ src/cairo-cff-subset.c |   22 +++++++++++-----------
+ 1 file changed, 11 insertions(+), 11 deletions(-)
+
+diff --git a/src/cairo-cff-subset.c b/src/cairo-cff-subset.c
+index b3b6026..21c1a0b 100644
+--- a/src/cairo-cff-subset.c
++++ b/src/cairo-cff-subset.c
+@@ -1,3 +1,4 @@
++/* -*- Mode: c; tab-width: 8; c-basic-offset: 4; indent-tabs-mode: t; -*- */
+ /* cairo - a vector graphics library with display and print output
+  *
+  * Copyright © 2006 Adrian Johnson
+@@ -152,8 +153,8 @@ typedef struct _cairo_cff_font {
+     int  		 units_per_em;
+     int 		 global_sub_bias;
+     int			 local_sub_bias;
+-    int                  default_width;
+-    int                  nominal_width;
++    double               default_width;
++    double               nominal_width;
+ 
+     /* CID Font Data */
+     int                 *fdselect;
+@@ -162,8 +163,8 @@ typedef struct _cairo_cff_font {
+     cairo_hash_table_t **fd_private_dict;
+     cairo_array_t       *fd_local_sub_index;
+     int			*fd_local_sub_bias;
+-    int                 *fd_default_width;
+-    int                 *fd_nominal_width;
++    double              *fd_default_width;
++    double              *fd_nominal_width;
+ 
+     /* Subsetted Font Data */
+     char                *subset_font_name;
+@@ -910,8 +911,8 @@ cairo_cff_font_read_private_dict (cairo_cff_font_t   *font,
+                                   cairo_array_t      *local_sub_index,
+                                   int                *local_sub_bias,
+                                   cairo_bool_t      **local_subs_used,
+-                                  int                *default_width,
+-                                  int                *nominal_width,
++                                  double             *default_width,
++                                  double             *nominal_width,
+                                   unsigned char      *ptr,
+                                   int                 size)
+ {
+@@ -946,12 +947,12 @@ cairo_cff_font_read_private_dict (cairo_cff_font_t   *font,
+     *default_width = 0;
+     operand = cff_dict_get_operands (private_dict, DEFAULTWIDTH_OP, &i);
+     if (operand)
+-        decode_integer (operand, default_width);
++        decode_number (operand, default_width);
+ 
+     *nominal_width = 0;
+     operand = cff_dict_get_operands (private_dict, NOMINALWIDTH_OP, &i);
+     if (operand)
+-        decode_integer (operand, nominal_width);
++	 decode_number (operand, nominal_width);
+ 
+     num_subs = _cairo_array_num_elements (local_sub_index);
+     *local_subs_used = calloc (num_subs, sizeof (cairo_bool_t));
+@@ -1468,9 +1469,8 @@ type2_decode_integer (unsigned char *p, int *integer)
+         *integer = -(p[0] - 251) * 256 - p[1] - 108;
+         p += 2;
+     } else { /* *p == 255 */
+-    /* This actually a 16.16 fixed-point number however we are not interested in
+-     * the value of fixed-point numbers. */
+-        *integer = (p[1] << 24) | (p[2] << 16) | (p[3] << 8) | p[4];
++	 /* 16.16 fixed-point number. The fraction is ignored. */
++	 *integer = (int16_t)((p[1] << 8) | p[2]);
+         p += 5;
+     }
+     return p;
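Review bot: `fd_default_width` and `fd_nominal_width` change from `int *` to `double *`, but no hunk in this patch touches where those arrays are allocated; if that allocation uses `sizeof (int)` rather than `sizeof (*font->fd_default_width)`, it is now half the required size and every store through the array overruns the heap. The diffstat (11 insertions, 11 deletions) matches the visible hunks exactly, so the allocation site should be checked before this is cherry-picked. In type2_decode_integer the new `*integer = (int16_t)((p[1] << 8) | p[2]);` keeps only the integer part of the 16.16 value, and since p is `unsigned char *` the shifts operate on non-negative ints; the comment could add why dropping the fraction is acceptable for the callers, which are outside the hunk. The new `decode_number (operand, nominal_width);` line is tab-indented while its sibling three lines above uses spaces; matching them keeps the freshly added modeline honest.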
diff --git a/debian/patches/series b/debian/patches/series
index 4575527..e262ef1 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,3 +3,7 @@
 03_export-symbols.patch
 05-flto.patch
 06_hurd-map-noreserve.patch
+07_cff-subsetting-Ignore-charset-for-non-cid-fonts.patch
+08_cff_convert_._to_locale_specific_decimal_point_befor.patch
+09_cff_use_correct_size_for_buffer.patch
+10_cff_subsetting_widths_can_be_floating_point.patch
-- 
1.7.10.4

>From 90fd20ad500252a9f79b94023d7783861b0e5c43 Mon Sep 17 00:00:00 2001
From: intrigeri <intrig...@debian.org>
Date: Tue, 22 Jan 2013 16:04:00 +0100
Subject: [PATCH 2/2] cairo (1.12.2-2+deb7u1)

---
 debian/changelog |   12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/debian/changelog b/debian/changelog
index f27991c..5efde1d 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,15 @@
+cairo (1.12.2-2+deb7u1) UNRELEASED; urgency=low
+
+  * Fix Evince crash when printing certain PDF files (Closes: #682673)
+    Cherry-picked from upstream:
+      - 5dd0f2e cff subsetting: widths can be floating point
+      - 49c8e1b cff: use correct size for buffer
+      - 77106a0 cff: convert '.' to locale specific decimal point before
+        using sscanf
+      - 2f1d6b2 cff-subsetting: Ignore charset for non cid fonts
+
+ -- intrigeri <intrig...@debian.org>  Tue, 22 Jan 2013 16:02:56 +0100
+
 cairo (1.12.2-2) unstable; urgency=low
 
   * debian/libcairo2-udeb.install:
-- 
1.7.10.4
