OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /v/openpkg/cvs                   Email:  r...@openpkg.org
  Module: openpkg-src                      Date:   18-Apr-2009 16:15:24
  Branch: HEAD                             Handle: 2009041815152400

  Modified files:
    openpkg-src/freetype    freetype.patch freetype.spec

  Log:
    apply security fixes

  Summary:
    Revision    Changes     Path
    1.13        +157 -4     openpkg-src/freetype/freetype.patch
    1.77        +1  -1      openpkg-src/freetype/freetype.spec
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/freetype/freetype.patch
  ============================================================================
  $ cvs diff -u -r1.12 -r1.13 freetype.patch
  --- openpkg-src/freetype/freetype.patch       13 Mar 2009 20:43:17 -0000      
1.12
  +++ openpkg-src/freetype/freetype.patch       18 Apr 2009 14:15:24 -0000      
1.13
  @@ -1,6 +1,6 @@
   Index: builds/unix/freetype-config.in
   --- builds/unix/freetype-config.in.orig      2009-02-04 00:09:49 +0100
  -+++ builds/unix/freetype-config.in   2009-03-13 08:22:08 +0100
  ++++ builds/unix/freetype-config.in   2009-04-18 16:09:28 +0200
   @@ -131,7 +131,7 @@
    fi
    
  @@ -12,7 +12,7 @@
      else
   Index: builds/unix/freetype2.in
   --- builds/unix/freetype2.in.orig    2009-03-12 09:10:23 +0100
  -+++ builds/unix/freetype2.in 2009-03-13 21:39:02 +0100
  ++++ builds/unix/freetype2.in 2009-04-18 16:09:28 +0200
   @@ -9,4 +9,4 @@
    Requires:
    Libs: -L${libdir} -lfreetype
  @@ -21,7 +21,7 @@
   +Cflags: -I${includedir}
   Index: builds/unix/install.mk
   --- builds/unix/install.mk.orig      2006-04-01 07:16:40 +0200
  -+++ builds/unix/install.mk   2009-03-13 08:22:08 +0100
  ++++ builds/unix/install.mk   2009-04-18 16:09:28 +0200
   @@ -30,30 +30,30 @@
    install: $(PROJECT_LIBRARY)
        $(MKINSTALLDIRS) $(DESTDIR)$(libdir)                               \
  @@ -81,7 +81,7 @@
        -$(DELETE) $(DESTDIR)$(datadir)/aclocal/freetype2.m4
   Index: include/freetype/freetype.h
   --- include/freetype/freetype.h.orig 2009-03-03 22:29:45 +0100
  -+++ include/freetype/freetype.h      2009-03-13 21:39:22 +0100
  ++++ include/freetype/freetype.h      2009-04-18 16:09:28 +0200
   @@ -16,15 +16,6 @@
    
/***************************************************************************/
    
  @@ -98,3 +98,156 @@
    #ifndef __FREETYPE_H__
    #define __FREETYPE_H__
    
  
+------------------------------------------------------------------------------
  +
  +Upstream security fixes
  +http://www.vuxml.org/freebsd/20b4f284-2bfc-11de-bdeb-0030843d3802.html
  +
  +An integer overflow error within the "cff_charset_compute_cids()"
  +function in cff/cffload.c can be exploited to potentially cause
  +a heap-based buffer overflow via a specially crafted font.
  +
  +Multiple integer overflow errors within validation functions in
  +sfnt/ttcmap.c can be exploited to bypass length validations and
  +potentially cause buffer overflows via specially crafted fonts.
  +
  +An integer overflow error within the "ft_smooth_render_generic()"
  +function in smooth/ftsmooth.c can be exploited to potentially cause
  +a heap-based buffer overflow via a specially crafted font.
  +
  +Index: src/cff/cffload.c
  +--- src/cff/cffload.c.orig   2009-03-12 09:04:17 +0100
  ++++ src/cff/cffload.c        2009-04-18 16:09:28 +0200
  +@@ -842,7 +842,20 @@
  +             goto Exit;
  + 
  +           for ( j = 1; j < num_glyphs; j++ )
  +-            charset->sids[j] = FT_GET_USHORT();
  ++          {
  ++            FT_UShort sid = FT_GET_USHORT();
  ++
  ++
  ++            /* this constant is given in the CFF specification */
  ++            if ( sid < 65000 )
  ++              charset->sids[j] = sid;
  ++            else
  ++            {
  ++              FT_ERROR(( "cff_charset_load:"
  ++                         " invalid SID value %d set to zero\n", sid ));
  ++              charset->sids[j] = 0;
  ++            }
  ++          }
  + 
  +           FT_FRAME_EXIT();
  +         }
  +@@ -875,6 +888,20 @@
  +                 goto Exit;
  +             }
  + 
  ++            /* check whether the range contains at least one valid glyph; */
  ++            /* the constant is given in the CFF specification             */
  ++            if ( glyph_sid >= 65000 ) {
  ++              FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
  ++              error = CFF_Err_Invalid_File_Format;
  ++              goto Exit;
  ++            }
  ++
  ++            /* try to rescue some of the SIDs if `nleft' is too large */
  ++            if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
  ++              FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
  ++              nleft = 65000 - 1 - glyph_sid;
  ++            }
  ++
  +             /* Fill in the range of sids -- `nleft + 1' glyphs. */
  +             for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, 
glyph_sid++ )
  +               charset->sids[j] = glyph_sid;
  +Index: src/lzw/ftzopen.c
  +--- src/lzw/ftzopen.c.orig   2007-05-25 08:36:29 +0200
  ++++ src/lzw/ftzopen.c        2009-04-18 16:09:28 +0200
  +@@ -332,6 +332,9 @@
  + 
  +           while ( code >= 256U )
  +           {
  ++            if ( !state->prefix )
  ++              goto Eof;
  ++
  +             FTLZW_STACK_PUSH( state->suffix[code - 256] );
  +             code = state->prefix[code - 256];
  +           }
  +Index: src/sfnt/ttcmap.c
  +--- src/sfnt/ttcmap.c.orig   2009-03-09 08:29:09 +0100
  ++++ src/sfnt/ttcmap.c        2009-04-18 16:09:28 +0200
  +@@ -1635,7 +1635,7 @@
  +       FT_INVALID_TOO_SHORT;
  + 
  +     length = TT_NEXT_ULONG( p );
  +-    if ( table + length > valid->limit || length < 8208 )
  ++    if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 
)
  +       FT_INVALID_TOO_SHORT;
  + 
  +     is32       = table + 12;
  +@@ -1863,7 +1863,8 @@
  +     p      = table + 16;
  +     count  = TT_NEXT_ULONG( p );
  + 
  +-    if ( table + length > valid->limit || length < 20 + count * 2 )
  ++    if ( length > (FT_ULong)( valid->limit - table ) ||
  ++         length < 20 + count * 2                     )
  +       FT_INVALID_TOO_SHORT;
  + 
  +     /* check glyph indices */
  +@@ -2048,7 +2049,8 @@
  +     p          = table + 12;
  +     num_groups = TT_NEXT_ULONG( p );
  + 
  +-    if ( table + length > valid->limit || length < 16 + 12 * num_groups )
  ++    if ( length > (FT_ULong)( valid->limit - table ) ||
  ++         length < 16 + 12 * num_groups               )
  +       FT_INVALID_TOO_SHORT;
  + 
  +     /* check groups, they must be in increasing order */
  +@@ -2429,7 +2431,8 @@
  +     FT_ULong  num_selectors = TT_NEXT_ULONG( p );
  + 
  + 
  +-    if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
  ++    if ( length > (FT_ULong)( valid->limit - table ) ||
  ++         length < 10 + 11 * num_selectors            )
  +       FT_INVALID_TOO_SHORT;
  + 
  +     /* check selectors, they must be in increasing order */
  +@@ -2491,7 +2494,7 @@
  +           FT_ULong  i, lastUni = 0;
  + 
  + 
  +-          if ( ndp + numMappings * 4 > valid->limit )
  ++          if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
  +             FT_INVALID_TOO_SHORT;
  + 
  +           for ( i = 0; i < numMappings; ++i )
  +Index: src/smooth/ftsmooth.c
  +--- src/smooth/ftsmooth.c.orig       2009-01-12 20:12:35 +0100
  ++++ src/smooth/ftsmooth.c    2009-04-18 16:09:28 +0200
  +@@ -153,7 +153,7 @@
  +       slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
  +     }
  + 
  +-    /* allocate new one, depends on pixel format */
  ++    /* allocate new one */
  +     pitch = width;
  +     if ( hmul )
  +     {
  +@@ -194,6 +194,13 @@
  + 
  + #endif
  + 
  ++    if ( pitch > 0xFFFF || height > 0xFFFF )
  ++    {
  ++      FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
  ++                 width, height ));
  ++      return Smooth_Err_Raster_Overflow;
  ++    }
  ++
  +     bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
  +     bitmap->num_grays  = 256;
  +     bitmap->width      = width;
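Review bot: In the src/sfnt/ttcmap.c hunks the rewritten bound checks still multiply file-supplied counts on the right-hand side (`20 + count * 2`, `16 + 12 * num_groups`, `10 + 11 * num_selectors`, `numMappings * 4`). Where FT_ULong is 32 bits wide those products can wrap, so a too-short table would still pass the length test; the patch only removes the pointer-arithmetic overflow on the left-hand side. Dividing instead of multiplying avoids this, e.g. `length < 20 || ( length - 20 ) / 2 < count` and `numMappings > (FT_ULong)( valid->limit - ndp ) / 4`. The descriptive header lists the cffload.c, ttcmap.c and ftsmooth.c issues but not the `!state->prefix` guard added in src/lzw/ftzopen.c, so one line explaining that fix would be worth adding. The enclosing validation functions start and end outside the quoted hunks, so whether later loops re-check these counts is not visible here.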
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/freetype/freetype.spec
  ============================================================================
  $ cvs diff -u -r1.76 -r1.77 freetype.spec
  --- openpkg-src/freetype/freetype.spec        18 Apr 2009 13:10:26 -0000      
1.76
  +++ openpkg-src/freetype/freetype.spec        18 Apr 2009 14:15:24 -0000      
1.77
  @@ -32,7 +32,7 @@
   Group:        Graphics
   License:      GPL
   Version:      2.3.9
  -Release:      20090313
  +Release:      20090418
   
   #   list of sources
   Source0:      
http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.tar.gz
  @@ .
______________________________________________________________________
OpenPKG                                             http://openpkg.org
CVS Repository Commit List                     openpkg-cvs@openpkg.org
