Fix the follow CVE. CVE-2017-7864 CVE-2017-7858 CVE-2017-7857 CVE-2017-8105 CVE-2017-8287
Signed-off-by: Wenlin Kang <wenlin.k...@windriver.com> --- ...01-truetype-Fix-MVAR-post-action-handling.patch | 68 +++++++++++++++++++ ...mprove-handling-for-buggy-variation-fonts.patch | 74 +++++++++++++++++++++ ...fnt-Another-fix-for-buggy-variation-fonts.patch | 63 ++++++++++++++++++ .../0004-psaux-Better-protect-flex-handling.patch | 77 ++++++++++++++++++++++ ...sobjs.c-t1_builder_close_contour-Add-safe.patch | 59 +++++++++++++++++ meta/recipes-graphics/freetype/freetype_2.7.1.bb | 8 ++- 6 files changed, 348 insertions(+), 1 deletion(-) create mode 100644 meta/recipes-graphics/freetype/freetype/0001-truetype-Fix-MVAR-post-action-handling.patch create mode 100644 meta/recipes-graphics/freetype/freetype/0002-sfnt-Improve-handling-for-buggy-variation-fonts.patch create mode 100644 meta/recipes-graphics/freetype/freetype/0003-sfnt-Another-fix-for-buggy-variation-fonts.patch create mode 100644 meta/recipes-graphics/freetype/freetype/0004-psaux-Better-protect-flex-handling.patch create mode 100644 meta/recipes-graphics/freetype/freetype/0005-src-psaux-psobjs.c-t1_builder_close_contour-Add-safe.patch diff --git a/meta/recipes-graphics/freetype/freetype/0001-truetype-Fix-MVAR-post-action-handling.patch b/meta/recipes-graphics/freetype/freetype/0001-truetype-Fix-MVAR-post-action-handling.patch new file mode 100644 index 0000000..8bb78f1 --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/0001-truetype-Fix-MVAR-post-action-handling.patch @@ -0,0 +1,68 @@ +From 00af09fabe6ccef97a162be304d475c0544062b9 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <w...@gnu.org> +Date: Thu, 25 May 2017 16:15:53 +0800 +Subject: [PATCH 1/5] [truetype] Fix MVAR post-action handling. + +Reported as + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=509 + +* src/truetype/ttobjs.c (tt_size_reset): Do nothing for CFF2. This +is important to make `tt_size_reset_iterator' (called in +`tt_apply_mvar') always work. + +This patch comes from git://git.savannah.gnu.org/freetype/freetype2.git, +the commit is e6699596af5c5d6f0ae0ea06e19df87dce088df8. + +Upsteam-Status: Backport + +Signed-off-by: Wenlin Kang <wenlin.k...@windriver.com> +--- + ChangeLog | 12 ++++++++++++ + src/truetype/ttobjs.c | 8 ++++++-- + 2 files changed, 18 insertions(+), 2 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index 23f5748..b0239ec 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,15 @@ ++ [truetype] Fix MVAR post-action handling. ++ ++ Reported as ++ ++ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=509 ++ ++ * src/truetype/ttobjs.c (tt_size_reset): Do nothing for CFF2. This ++ is important to make `tt_size_reset_iterator' (called in ++ `tt_apply_mvar') always work. ++ ++2017-02-02 Werner Lemberg <w...@gnu.org> ++ + 2016-09-08 Werner Lemberg <w...@gnu.org> + + * Version 2.7.1 released. +diff --git a/src/truetype/ttobjs.c b/src/truetype/ttobjs.c +index 7e37113..3d760b8 100644 +--- a/src/truetype/ttobjs.c ++++ b/src/truetype/ttobjs.c +@@ -1194,10 +1194,14 @@ + FT_Size_Metrics* metrics; + + +- size->ttmetrics.valid = FALSE; +- + face = (TT_Face)size->root.face; + ++ /* nothing to do for CFF2 */ ++ if ( face->isCFF2 ) ++ return FT_Err_Ok; ++ ++ size->ttmetrics.valid = FALSE; ++ + metrics = &size->metrics; + + /* copy the result from base layer */ +-- +1.9.1 + diff --git a/meta/recipes-graphics/freetype/freetype/0002-sfnt-Improve-handling-for-buggy-variation-fonts.patch b/meta/recipes-graphics/freetype/freetype/0002-sfnt-Improve-handling-for-buggy-variation-fonts.patch new file mode 100644 index 0000000..7940fb4 --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/0002-sfnt-Improve-handling-for-buggy-variation-fonts.patch @@ -0,0 +1,74 @@ +From b642aa8f590658cfd394bfaa9db5e138d6013938 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <w...@gnu.org> +Date: Thu, 25 May 2017 16:23:09 +0800 +Subject: [PATCH 2/5] [sfnt] Improve handling for buggy variation fonts. + +Reported as + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=738 + +* src/sfnt/sfobjs.c (sfnt_init_face): While setting number of +instances to zero for `CFF' fonts table, ensure that there is no `glyf' +present also (which gets priority). + +This patch comes from git://git.savannah.gnu.org/freetype/freetype2.git, +the commit is 779309744222a736eba0f1731e8162fce6288d4e. + +Upstream-Status: Backport + +Signed-off-by: Wenlin Kang <wenlin.k...@windriver.com> +--- + ChangeLog | 12 ++++++++++++ + src/sfnt/sfobjs.c | 9 +++++---- + 2 files changed, 17 insertions(+), 4 deletions(-) + +diff --git a/ChangeLog b/ChangeLog +index b0239ec..1fe66f3 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,15 @@ ++2017-03-07 Werner Lemberg <w...@gnu.org> ++ ++ [sfnt] Improve handling for buggy variation fonts. ++ ++ Reported as ++ ++ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=738 ++ ++ * src/sfnt/sfobjs.c (sfnt_init_face): While setting number of ++ instances to zero for `CFF' fonts table, ensure that there is no `glyf' ++ present also (which gets priority). ++ + [truetype] Fix MVAR post-action handling. + + Reported as +diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c +index 818009e..a3a4f42 100644 +--- a/src/sfnt/sfobjs.c ++++ b/src/sfnt/sfobjs.c +@@ -985,10 +985,6 @@ + else + face->variation_support |= TT_FACE_FLAG_VAR_FVAR; + +- /* we don't support Multiple Master CFFs yet */ +- if ( !face->goto_table( face, TTAG_CFF, stream, 0 ) ) +- num_instances = 0; +- + /* we support at most 2^15 - 1 instances */ + if ( num_instances >= ( 1U << 15 ) - 1 ) + { +@@ -998,6 +994,11 @@ + num_instances = 0; + } + ++ /* we don't support Multiple Master CFFs yet */ ++ if ( face->goto_table( face, TTAG_glyf, stream, 0 ) && ++ !face->goto_table( face, TTAG_CFF, stream, 0 ) ) ++ num_instances = 0; ++ + /* instance indices in `face_instance_index' start with index 1, */ + /* thus `>' and not `>=' */ + if ( instance_index > num_instances ) +-- +1.9.1 + diff --git a/meta/recipes-graphics/freetype/freetype/0003-sfnt-Another-fix-for-buggy-variation-fonts.patch b/meta/recipes-graphics/freetype/freetype/0003-sfnt-Another-fix-for-buggy-variation-fonts.patch new file mode 100644 index 0000000..7c7cd9b --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/0003-sfnt-Another-fix-for-buggy-variation-fonts.patch @@ -0,0 +1,63 @@ +From 5e696da661d311f042fe0f136c67b3e5df0b9ed5 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <w...@gnu.org> +Date: Thu, 25 May 2017 16:28:28 +0800 +Subject: [PATCH 3/5] [sfnt] Another fix for buggy variation fonts. + +Reported as + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=759 + +* src/sfnt/sfobjs.c (sfnt_init_face): While setting number of +instances to zero for `CFF' fonts table, ensure that there is no +`CFF2' present also (which gets priority). + +This patch comes from git://git.savannah.gnu.org/freetype/freetype2.git, +the commit is 7bbb91fbf47fc0775cc9705673caf0c47a81f94b. + +Upsteam-Status: Backport + +Signed-off-by: Wenlin Kang <wenlin.k...@windriver.com> +--- + ChangeLog | 12 ++++++++++++ + src/sfnt/sfobjs.c | 4 +++- + 2 files changed, 15 insertions(+), 1 deletion(-) + +diff --git a/ChangeLog b/ChangeLog +index 1fe66f3..7f72ca9 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,15 @@ ++2017-03-08 Werner Lemberg <w...@gnu.org> ++ ++ [sfnt] Another fix for buggy variation fonts. ++ ++ Reported as ++ ++ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=759 ++ ++ * src/sfnt/sfobjs.c (sfnt_init_face): While setting number of ++ instances to zero for `CFF' fonts table, ensure that there is no ++ `CFF2' present also (which gets priority). ++ + 2017-03-07 Werner Lemberg <w...@gnu.org> + + [sfnt] Improve handling for buggy variation fonts. +diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c +index a3a4f42..b660f33 100644 +--- a/src/sfnt/sfobjs.c ++++ b/src/sfnt/sfobjs.c +@@ -994,8 +994,10 @@ + num_instances = 0; + } + +- /* we don't support Multiple Master CFFs yet */ ++ /* we don't support Multiple Master CFFs yet; */ ++ /* note that `glyf' or `CFF2' have precedence */ + if ( face->goto_table( face, TTAG_glyf, stream, 0 ) && ++ face->goto_table( face, TTAG_CFF2, stream, 0 ) && + !face->goto_table( face, TTAG_CFF, stream, 0 ) ) + num_instances = 0; + +-- +1.9.1 + diff --git a/meta/recipes-graphics/freetype/freetype/0004-psaux-Better-protect-flex-handling.patch b/meta/recipes-graphics/freetype/freetype/0004-psaux-Better-protect-flex-handling.patch new file mode 100644 index 0000000..776465c --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/0004-psaux-Better-protect-flex-handling.patch @@ -0,0 +1,77 @@ +From c74936d2747ca188cfaa7b15177da11b0e1b8223 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <w...@gnu.org> +Date: Thu, 25 May 2017 16:33:50 +0800 +Subject: [PATCH 4/5] [psaux] Better protect `flex' handling. + +Reported as + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935 + +* src/psaux/t1decode.c (t1_decoder_parse_charstrings) +<callothersubr>: Since there is not a single flex operator but a +series of subroutine calls, malformed fonts can call arbitrary other +operators after the start of a flex, possibly adding points. For +this reason we have to check the available number of points before +inserting a point. + +This patch comes from git://git.savannah.gnu.org/freetype/freetype2.git, +the commit is f958c48ee431bef8d4d466b40c9cb2d4dbcb7791. + +Upsteam-Status: Backport + +Signed-off-by: Wenlin Kang <wenlin.k...@windriver.com> +--- + ChangeLog | 15 +++++++++++++++ + src/psaux/t1decode.c | 9 +++++++++ + 2 files changed, 24 insertions(+) + +diff --git a/ChangeLog b/ChangeLog +index 7f72ca9..db9be9a 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,18 @@ ++ [psaux] Better protect `flex' handling. ++ ++ Reported as ++ ++ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935 ++ ++ * src/psaux/t1decode.c (t1_decoder_parse_charstrings) ++ <callothersubr>: Since there is not a single flex operator but a ++ series of subroutine calls, malformed fonts can call arbitrary other ++ operators after the start of a flex, possibly adding points. For ++ this reason we have to check the available number of points before ++ inserting a point. ++ ++2017-03-23 Werner Lemberg <w...@gnu.org> ++ + 2017-03-08 Werner Lemberg <w...@gnu.org> + + [sfnt] Another fix for buggy variation fonts. +diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c +index 1cd9d73..bc5e3d2 100644 +--- a/src/psaux/t1decode.c ++++ b/src/psaux/t1decode.c +@@ -780,10 +780,19 @@ + /* point without adding any point to the outline */ + idx = decoder->num_flex_vectors++; + if ( idx > 0 && idx < 7 ) ++ { ++ /* in malformed fonts it is possible to have other */ ++ /* opcodes in the middle of a flex (which don't */ ++ /* increase `num_flex_vectors'); we thus have to */ ++ /* check whether we can add a point */ ++ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) ) ++ goto Syntax_Error; ++ + t1_builder_add_point( builder, + x, + y, + (FT_Byte)( idx == 3 || idx == 6 ) ); ++ } + } + break; + +-- +1.9.1 + diff --git a/meta/recipes-graphics/freetype/freetype/0005-src-psaux-psobjs.c-t1_builder_close_contour-Add-safe.patch b/meta/recipes-graphics/freetype/freetype/0005-src-psaux-psobjs.c-t1_builder_close_contour-Add-safe.patch new file mode 100644 index 0000000..ea40f65 --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/0005-src-psaux-psobjs.c-t1_builder_close_contour-Add-safe.patch @@ -0,0 +1,59 @@ +From fe786d2dfd829707206c6d105d9227521a36e263 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <w...@gnu.org> +Date: Thu, 25 May 2017 16:38:46 +0800 +Subject: [PATCH 5/5] * src/psaux/psobjs.c (t1_builder_close_contour): Add + safety guard. + +Reported as + +https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941 + +This patch comes from git://git.savannah.gnu.org/freetype/freetype2.git, +the commit is 3774fc08b502c3e685afca098b6e8a195aded6a0. + +Upsteam-Status: Backport + +Signed-off-by: Wenlin Kang <wenlin.k...@windriver.com> +--- + ChangeLog | 8 ++++++++ + src/psaux/psobjs.c | 8 ++++++++ + 2 files changed, 16 insertions(+) + +diff --git a/ChangeLog b/ChangeLog +index db9be9a..b3abcd9 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,11 @@ ++2017-03-26 Werner Lemberg <w...@gnu.org> ++ ++ * src/psaux/psobjs.c (t1_builder_close_contour): Add safety guard. ++ ++ Reported as ++ ++ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941 ++ + [psaux] Better protect `flex' handling. + + Reported as +diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c +index 6e528d4..475df45 100644 +--- a/src/psaux/psobjs.c ++++ b/src/psaux/psobjs.c +@@ -1718,6 +1718,14 @@ + first = outline->n_contours <= 1 + ? 0 : outline->contours[outline->n_contours - 2] + 1; + ++ /* in malformed fonts it can happen that a contour was started */ ++ /* but no points were added */ ++ if ( outline->n_contours && first == outline->n_points ) ++ { ++ outline->n_contours--; ++ return; ++ } ++ + /* We must not include the last point in the path if it */ + /* is located on the first point. */ + if ( outline->n_points > 1 ) +-- +1.9.1 + diff --git a/meta/recipes-graphics/freetype/freetype_2.7.1.bb b/meta/recipes-graphics/freetype/freetype_2.7.1.bb index 544f835..dec81dd 100644 --- a/meta/recipes-graphics/freetype/freetype_2.7.1.bb +++ b/meta/recipes-graphics/freetype/freetype_2.7.1.bb @@ -13,7 +13,13 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=4af6221506f202774ef74f64932878a1 file://docs/GPLv2.TXT;md5=8ef380476f642c20ebf40fecb0add2ec" SRC_URI = "${SOURCEFORGE_MIRROR}/freetype/freetype-${PV}.tar.bz2 \ - file://use-right-libtool.patch" + file://use-right-libtool.patch \ + file://0001-truetype-Fix-MVAR-post-action-handling.patch \ + file://0002-sfnt-Improve-handling-for-buggy-variation-fonts.patch \ + file://0003-sfnt-Another-fix-for-buggy-variation-fonts.patch \ + file://0004-psaux-Better-protect-flex-handling.patch \ + file://0005-src-psaux-psobjs.c-t1_builder_close_contour-Add-safe.patch \ +" UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/freetype/files/freetype2/" UPSTREAM_CHECK_REGEX = "(?P<pver>\d+(\.\d+)+)" -- 1.9.1 -- _______________________________________________ Openembedded-core mailing list Openembedded-core@lists.openembedded.org http://lists.openembedded.org/mailman/listinfo/openembedded-core