OpenPKG CVS Repository http://cvs.openpkg.org/ ____________________________________________________________________________
Server: cvs.openpkg.org Name: Ralf S. Engelschall Root: /v/openpkg/cvs Email: r...@openpkg.org Module: openpkg-src Date: 18-Apr-2009 16:15:24 Branch: HEAD Handle: 2009041815152400 Modified files: openpkg-src/freetype freetype.patch freetype.spec Log: apply security fixes Summary: Revision Changes Path 1.13 +157 -4 openpkg-src/freetype/freetype.patch 1.77 +1 -1 openpkg-src/freetype/freetype.spec ____________________________________________________________________________ patch -p0 <<'@@ .' Index: openpkg-src/freetype/freetype.patch ============================================================================ $ cvs diff -u -r1.12 -r1.13 freetype.patch --- openpkg-src/freetype/freetype.patch 13 Mar 2009 20:43:17 -0000 1.12 +++ openpkg-src/freetype/freetype.patch 18 Apr 2009 14:15:24 -0000 1.13 @@ -1,6 +1,6 @@ Index: builds/unix/freetype-config.in --- builds/unix/freetype-config.in.orig 2009-02-04 00:09:49 +0100 -+++ builds/unix/freetype-config.in 2009-03-13 08:22:08 +0100 ++++ builds/unix/freetype-config.in 2009-04-18 16:09:28 +0200 @@ -131,7 +131,7 @@ fi @@ -12,7 +12,7 @@ else Index: builds/unix/freetype2.in --- builds/unix/freetype2.in.orig 2009-03-12 09:10:23 +0100 -+++ builds/unix/freetype2.in 2009-03-13 21:39:02 +0100 ++++ builds/unix/freetype2.in 2009-04-18 16:09:28 +0200 @@ -9,4 +9,4 @@ Requires: Libs: -L${libdir} -lfreetype @@ -21,7 +21,7 @@ +Cflags: -I${includedir} Index: builds/unix/install.mk --- builds/unix/install.mk.orig 2006-04-01 07:16:40 +0200 -+++ builds/unix/install.mk 2009-03-13 08:22:08 +0100 ++++ builds/unix/install.mk 2009-04-18 16:09:28 +0200 @@ -30,30 +30,30 @@ install: $(PROJECT_LIBRARY) $(MKINSTALLDIRS) $(DESTDIR)$(libdir) \ @@ -81,7 +81,7 @@ -$(DELETE) $(DESTDIR)$(datadir)/aclocal/freetype2.m4 Index: include/freetype/freetype.h --- include/freetype/freetype.h.orig 2009-03-03 22:29:45 +0100 -+++ include/freetype/freetype.h 2009-03-13 21:39:22 +0100 ++++ include/freetype/freetype.h 2009-04-18 16:09:28 +0200 
@@ -16,15 +16,6 @@ /***************************************************************************/ 
@@ -98,3 +98,156 @@ #ifndef __FREETYPE_H__ #define __FREETYPE_H__
+------------------------------------------------------------------------------
+
+Upstream security fixes
+http://www.vuxml.org/freebsd/20b4f284-2bfc-11de-bdeb-0030843d3802.html
+
+An integer overflow error within the "cff_charset_compute_cids()"
+function in cff/cffload.c can be exploited to potentially cause
+a heap-based buffer overflow via a specially crafted font.
+
+Multiple integer overflow errors within validation functions in
+sfnt/ttcmap.c can be exploited to bypass length validations and
+potentially cause buffer overflows via specially crafted fonts.
+
+An integer overflow error within the "ft_smooth_render_generic()"
+function in smooth/ftsmooth.c can be exploited to potentially cause
+a heap-based buffer overflow via a specially crafted font.
+
+Index: src/cff/cffload.c
+--- src/cff/cffload.c.orig 2009-03-12 09:04:17 +0100
++++ src/cff/cffload.c 2009-04-18 16:09:28 +0200
+@@ -842,7 +842,20 @@
+ goto Exit;
+
+ for ( j = 1; j < num_glyphs; j++ )
+- charset->sids[j] = FT_GET_USHORT();
++ {
++ FT_UShort sid = FT_GET_USHORT();
++
++
++ /* this constant is given in the CFF specification */
++ if ( sid < 65000 )
++ charset->sids[j] = sid;
++ else
++ {
++ FT_ERROR(( "cff_charset_load:"
++ " invalid SID value %d set to zero\n", sid ));
++ charset->sids[j] = 0;
++ }
++ }
+
+ FT_FRAME_EXIT();
+ }
+@@ -875,6 +888,20 @@
+ goto Exit;
+ }
+
++ /* check whether the range contains at least one valid glyph; */
++ /* the constant is given in the CFF specification */
++ if ( glyph_sid >= 65000 ) {
++ FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
++ error = CFF_Err_Invalid_File_Format;
++ goto Exit;
++ }
++
++ /* try to rescue some of the SIDs if `nleft' is too large */
++ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
++ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
++ nleft = 65000 - 1 - glyph_sid;
++ }
++
+ /* Fill in the range of sids -- `nleft + 1' glyphs. */
+ for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
+ charset->sids[j] = glyph_sid;
+Index: src/lzw/ftzopen.c
+--- src/lzw/ftzopen.c.orig 2007-05-25 08:36:29 +0200
++++ src/lzw/ftzopen.c 2009-04-18 16:09:28 +0200
+@@ -332,6 +332,9 @@
+
+ while ( code >= 256U )
+ {
++ if ( !state->prefix )
++ goto Eof;
++
+ FTLZW_STACK_PUSH( state->suffix[code - 256] );
+ code = state->prefix[code - 256];
+ }
+Index: src/sfnt/ttcmap.c
+--- src/sfnt/ttcmap.c.orig 2009-03-09 08:29:09 +0100
++++ src/sfnt/ttcmap.c 2009-04-18 16:09:28 +0200
+@@ -1635,7 +1635,7 @@
+ FT_INVALID_TOO_SHORT;
+
+ length = TT_NEXT_ULONG( p );
+- if ( table + length > valid->limit || length < 8208 )
++ if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
+ FT_INVALID_TOO_SHORT;
+
+ is32 = table + 12;
+@@ -1863,7 +1863,8 @@
+ p = table + 16;
+ count = TT_NEXT_ULONG( p );
+
+- if ( table + length > valid->limit || length < 20 + count * 2 )
++ if ( length > (FT_ULong)( valid->limit - table ) ||
++ length < 20 + count * 2 )
+ FT_INVALID_TOO_SHORT;
+
+ /* check glyph indices */
+@@ -2048,7 +2049,8 @@
+ p = table + 12;
+ num_groups = TT_NEXT_ULONG( p );
+
+- if ( table + length > valid->limit || length < 16 + 12 * num_groups )
++ if ( length > (FT_ULong)( valid->limit - table ) ||
++ length < 16 + 12 * num_groups )
+ FT_INVALID_TOO_SHORT;
+
+ /* check groups, they must be in increasing order */
+@@ -2429,7 +2431,8 @@
+ FT_ULong num_selectors = TT_NEXT_ULONG( p );
+
+
+- if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
++ if ( length > (FT_ULong)( valid->limit - table ) ||
++ length < 10 + 11 * num_selectors )
+ FT_INVALID_TOO_SHORT;
+
+ /* check selectors, they must be in increasing order */
+@@ -2491,7 +2494,7 @@
+ FT_ULong i, lastUni = 0;
+
+
+- if ( ndp + numMappings * 4 > valid->limit )
++ if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
+ FT_INVALID_TOO_SHORT;
+
+ for ( i = 0; i < numMappings; ++i )
+Index: src/smooth/ftsmooth.c
+--- src/smooth/ftsmooth.c.orig 2009-01-12 20:12:35 +0100
++++ src/smooth/ftsmooth.c 2009-04-18 16:09:28 +0200
+@@ -153,7 +153,7 @@
+ slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
+ }
+
+- /* allocate new one, depends on pixel format */
++ /* allocate new one */
+ pitch = width;
+ if ( hmul )
+ {
+@@ -194,6 +194,13 @@
+
+ #endif
+
++ if ( pitch > 0xFFFF || height > 0xFFFF )
++ {
++ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
++ width, height ));
++ return Smooth_Err_Raster_Overflow;
++ }
++
+ bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
+ bitmap->num_grays = 256;
+ bitmap->width = width;
@@ .
patch -p0 <<'@@ .'
Index: openpkg-src/freetype/freetype.spec
============================================================================
$ cvs diff -u -r1.76 -r1.77 freetype.spec
--- openpkg-src/freetype/freetype.spec 18 Apr 2009 13:10:26 -0000 1.76
+++ openpkg-src/freetype/freetype.spec 18 Apr 2009 14:15:24 -0000 1.77
@@ -32,7 +32,7 @@ Group: Graphics License: GPL Version: 2.3.9
-Release: 20090313
+Release: 20090418
# list of sources Source0: http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.tar.gz
@@ .
______________________________________________________________________ OpenPKG http://openpkg.org CVS Repository Commit List openpkg-cvs@openpkg.org
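Review bot: The rewritten length checks in src/sfnt/ttcmap.c still build the required size with an unchecked multiplication: `20 + count * 2`, `16 + 12 * num_groups`, `10 + 11 * num_selectors` and `numMappings * 4` all use counts read from the font, so where FT_ULong is 32 bits wide the product can wrap and a too-short table would pass validation. The pointer side is now safe because it compares against `valid->limit - table`, and the count side wants the same treatment by dividing instead of multiplying, for example `length < 16 || ( length - 16 ) / 12 < num_groups` and `numMappings > (FT_ULong)( valid->limit - ndp ) / 4`. The first check casts to `(FT_UInt32)` while the others cast to `(FT_ULong)`; one type throughout would be easier to audit. In src/lzw/ftzopen.c the added `if ( !state->prefix ) goto Eof;` covers only a missing table, and nothing visible in that hunk bounds `code - 256` against the table size, so it is worth confirming that the code before the loop, which lies outside the hunk, rejects codes beyond the current table.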