Bug#780143:

2015-03-14 Thread Chris Bainbridge
Axel's patch from upstream git fixes the issue (tested with fixedsc font in
terminator).


Bug#780143:

2015-03-13 Thread Chris Bainbridge
severity 780143 serious
retitle 780143 libfreetype6_2.5.2-3 makes some fonts unusable

I'm not sure what fonts are affected by this bug, but the package bump
should not be released with a bug that makes some unknown number of fonts
unusable.

Retitle as it is not clear that this bug affects only fixed fonts.


Bug#780143: Backport of the PCF fix from 2.5.5

2015-03-13 Thread Axel
I have successfully backported a patch coming from libfreetype6 upstream
into the current version of Debian. I've tested it with Dina, which is
affected by this bug (pcf version), and it works fine.

I have made a small change to the upstream patch: the ChangeLog file
differs, thus I had to change the two lines of context.

I took the Debian source, added one line at the end of
debian/patches-freetype/series:
0001-pcf-Fix-Savannah-bug-43774.patch

Then wrote the adapted upstream patch (attached to this email, commit
74af85c4b62b35e55b0ce9dec55ee10cbc4962a2) into
debian/patches-freetype/0001-pcf-Fix-Savannah-bug-43774.patch

I proceeded to compile my package with dpkg-buildpackage and installed it
successfully with dpkg -i; that's all.

I suggest testing this change and including it in the jessie release.
Thank you.




Bug#780143: Backport of the PCF fix from 2.5.5

2015-03-13 Thread Axel
The patch.
From 74af85c4b62b35e55b0ce9dec55ee10cbc4962a2 Mon Sep 17 00:00:00 2001
From: Werner Lemberg 
Date: Mon, 8 Dec 2014 16:01:50 +0100
Subject: [PATCH] [pcf] Fix Savannah bug #43774.

Work around `features' of X11's `pcfWriteFont' and `pcfReadFont'
functions.  Since the PCF format doesn't have an official
specification, we have to exactly follow these functions' behaviour.

The problem was unveiled with a patch from 2014-11-06, fixing issue #43547.

* src/pcf/pcfread.c (pcf_read_TOC): Don't check table size for last
element.  Instead, assign real size.
---
 ChangeLog | 14 ++
 src/pcf/pcfread.c | 54 +++---
 2 files changed, 57 insertions(+), 11 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index afc342f..e560b4f 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,17 @@
+2014-12-08  Werner Lemberg  
+
+	[pcf] Fix Savannah bug #43774.
+
+	Work around `features' of X11's `pcfWriteFont' and `pcfReadFont'
+	functions.  Since the PCF format doesn't have an official
+	specification, we have to exactly follow these functions' behaviour.
+
+	The problem was unveiled with a patch from 2014-11-06, fixing issue
+	#43547.
+
+	* src/pcf/pcfread.c (pcf_read_TOC): Don't check table size for last
+	element.  Instead, assign real size.
+
 2014-04-20  Werner Lemberg  
 
    [autofit] Fix Savannah bug #42148. 
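
Review bot: this ChangeLog hunk can be dropped from the Debian patch. Its added lines only repeat the commit message above, and its trailing context (the `2014-04-20` `[autofit]` entry) had to be rewritten by hand to apply to this tree, so it adds a place for the series to fail to apply without changing any code. Keeping the description in the header of 0001-pcf-Fix-Savannah-bug-43774.patch is enough.
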
diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
index 998cbed..e3caf82 100644
--- a/src/pcf/pcfread.c
+++ b/src/pcf/pcfread.c
@@ -2,7 +2,7 @@
 
 FreeType font driver for pcf fonts
 
-  Copyright 2000-2010, 2012, 2013 by
+  Copyright 2000-2010, 2012-2014 by
   Francesco Zappa Nardelli
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
@@ -78,7 +78,7 @@ THE SOFTWARE.
 FT_FRAME_START( 16  ),
   FT_FRAME_ULONG_LE( type ),
   FT_FRAME_ULONG_LE( format ),
-  FT_FRAME_ULONG_LE( size ),
+  FT_FRAME_ULONG_LE( size ),   /* rounded up to a multiple of 4 */
   FT_FRAME_ULONG_LE( offset ),
 FT_FRAME_END
   };
@@ -95,9 +95,11 @@ THE SOFTWARE.
 FT_Memory  memory = FT_FACE( face )->memory;
 FT_UIntn;
 
+FT_ULong   size;
 
-if ( FT_STREAM_SEEK ( 0 )  ||
- FT_STREAM_READ_FIELDS ( pcf_toc_header, toc ) )
+
+if ( FT_STREAM_SEEK( 0 )  ||
+ FT_STREAM_READ_FIELDS( pcf_toc_header, toc ) )
   return FT_THROW( Cannot_Open_Resource );
 
 if ( toc->version != PCF_FILE_VERSION ||
@@ -154,14 +156,35 @@ THE SOFTWARE.
 break;
 }
 
-/* we now check whether the `size' and `offset' values are reasonable: */
-/* `offset' + `size' must not exceed the stream size   */
+/*
+ *  We now check whether the `size' and `offset' values are reasonable:
+ *  `offset' + `size' must not exceed the stream size.
+ *
+ *  Note, however, that X11's `pcfWriteFont' routine (used by the
+ *  `bdftopcf' program to create PDF font files) has two special
+ *  features.
+ *
+ *  - It always assigns the accelerator table a size of 100 bytes in the
+ *TOC, regardless of its real size, which can vary between 34 and 72
+ *bytes.
+ *
+ *  - Due to the way the routine is designed, it ships out the last font
+ *table with its real size, ignoring the TOC's size value.  Since
+ *the TOC size values are always rounded up to a multiple of 4, the
+ *difference can be up to three bytes for all tables except the
+ *accelerator table, for which the difference can be as large as 66
+ *bytes.
+ *
+ */
+
 tables = face->toc.tables;
-for ( n = 0; n < toc->count; n++ )
+size   = stream->size;
+
+for ( n = 0; n < toc->count - 1; n++ )
 {
   /* we need two checks to avoid overflow */
-  if ( ( tables->size   > stream->size) ||
-   ( tables->offset > stream->size - tables->size ) )
+  if ( ( tables->size   > size) ||
+   ( tables->offset > size - tables->size ) )
   {
 error = FT_THROW( Invalid_Table );
 goto Exit;
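
Review bot: the new loop bound `toc->count - 1` is unsigned arithmetic, so a TOC with `count == 0` would wrap and the loop would walk far past `face->toc.tables`. The guard is not visible here (the `toc->version != PCF_FILE_VERSION ||` condition is cut off in the previous hunk's context), so confirm that the tree being patched rejects a zero count before this point, or add `toc->count == 0` to that condition. Separately, the new comment says `bdftopcf` creates "PDF font files"; that should read PCF.
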
@@ -169,6 +192,15 @@ THE SOFTWARE.
   tables++;
 }
 
+/* no check of `tables->size' for last table element ... */
+if ( ( tables->offset > size ) )
+{
+  error = FT_THROW( Invalid_Table );
+  goto Exit;
+}
+/* ... instead, we adjust `tables->size' to the real value */
+tables->size = size - tables->offset;
+
 #ifdef FT_DEBUG_LEVEL_TRACE
 
 {
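
Review bot: the size exemption is applied to the last TOC entry, while the comment in the previous hunk describes the last table written to the file, and nothing in the visible lines checks that TOC order matches offset order. With an unsorted TOC the table that really ends the file still goes through the strict check, and the last TOC entry gets `tables->size = size - tables->offset`, which can stretch it over the tables that follow it. Either state in the comment that `pcfWriteFont` emits the TOC in offset order, or select the entry with the largest offset. The doubled parentheses in `if ( ( tables->offset > size ) )` can also be dropped.
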
@@ -733,8 +765,8 @@ THE SOFTWARE.
 
 FT_TRACE4(( "  number of bitmaps: %d\n", nbitmaps ));
 
-/* XXX: PCF_Face->nmetrics is singed FT_Long, see pcf.h */
-if ( face->nmetrics < 0 || nbitmaps != ( FT_ULong )face->nmetrics )
+/* XXX: PCF_Face->nmetrics is signed FT_Long, see pcf.h */
+if ( face->nmetrics < 0 || nbitmaps != (FT_ULong)face->nmetrics )
   return FT_THROW( Invalid_File_Format );
 
 if ( FT
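
Review bot: this hunk can be left out of the backport. It only corrects the `singed` typo in a comment and the spacing of the `(FT_ULong)face->nmetrics` cast, so dropping it keeps the patch proposed for the jessie release limited to the `pcf_read_TOC` change.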

Bug#780143:

2015-03-09 Thread Chris Bainbridge
Upstream: "The problem you are describing in this bug report has already
been fixed in version 2.5.5"


Bug#780143: libfreetype6:amd64: libfreetype6_2.5.2-3 breaks fixed font in terminal

2015-03-09 Thread Chris Bainbridge
Package: libfreetype6
Version: 2.5.2-3
Severity: important

Dear Maintainer,

Using font FixedSC from
http://pts-mini-gpl.googlecode.com/svn/trunk/fonts/fixedsc.tgz

(libfreetype6_2.5.2-2 was ok)
upgrade to libfreetype6_2.5.2-3
run gnome terminal or terminator
terminal text is corrupt: http://imgur.com/DQZtDBb
downgrade back to libfreetype6_2.5.2-2: terminal text is now ok


The bad patch seems to be: 0020-Fix-Savannah-bug-43547.-CVE-2014-9671.patch:

+/* we now check whether the `size' and `offset' values are reasonable: */
+/* `offset' + `size' must not exceed the stream size   */
+tables = face->toc.tables;
+for ( n = 0; n < toc->count; n++ )
+{
+  /* we need two checks to avoid overflow */
+  if ( ( tables->size   > stream->size) ||
+   ( tables->offset > stream->size - tables->size ) )
+  {
+error = FT_THROW( Invalid_Table );
+goto Exit;
+  }
+  tables++;
+}
+


This fails when:

tables->size=100
tables->offset=339968
stream->size=340040
tables->offset > stream->size - tables->size
339968 > 340040-100(=339940)


..xsession-errors:

/usr/share/terminator/terminatorlib/window.py:384: PangoWarning: failed to
create cairo scaled font, expect ugly output. the offending font is 'FixedSC
11'
  self.present()
/usr/share/terminator/terminatorlib/window.py:384: PangoWarning: font_face
status is: out of memory
  self.present()
/usr/share/terminator/terminatorlib/window.py:384: PangoWarning: scaled_font
status is: out of memory
  self.present()
/usr/share/terminator/terminatorlib/window.py:384: PangoWarning: shaping
failure, expect ugly output. shape-engine='BasicEngineFc', font='FixedSC 11',
text='
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~'
  self.present()
/usr/share/terminator/terminatorlib/window.py:384: PangoWarning: failed to
create cairo scaled font, expect ugly output. the offending font is 'FixedSC
Bold 11'
  self.present()
/usr/share/terminator/terminatorlib/window.py:384: PangoWarning: shaping
failure, expect ugly output. shape-engine='BasicEngineFc', font='FixedSC Bold
11', text='
!"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~'
  self.present()



-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libfreetype6:amd64 depends on:
ii  libc6  2.19-15
ii  libpng12-0 1.2.50-2+b2
ii  multiarch-support  2.19-15
ii  zlib1g 1:1.2.8.dfsg-2+b1

libfreetype6:amd64 recommends no packages.

libfreetype6:amd64 suggests no packages.

-- no debconf information
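
The failing comparison from the report above, next to the relaxed rule for the last table from the backported fix, as an added C example (not FreeType's code and not part of the original report). `toc_entry`, `check_strict` and `check_relaxed` are hypothetical names; the first TOC entry is constructed, the last one uses the reported values.

```c
#include <stdio.h>

/* Hypothetical stand-in for one PCF TOC entry (not FreeType's own type). */
typedef struct { unsigned long size, offset; } toc_entry;

/* Rule from the 0020 patch: every entry needs offset + size <= stream_size.
   Two comparisons are used so the sum can never wrap. 0 = ok, -1 = reject. */
static int check_strict(const toc_entry *t, unsigned long count,
                        unsigned long stream_size)
{
    for (unsigned long n = 0; n < count; n++)
        if (t[n].size > stream_size || t[n].offset > stream_size - t[n].size)
            return -1;
    return 0;
}

/* Rule from the backported fix: all entries but the last are checked as
   above; the last only needs offset <= stream_size and is then given the
   size that is really left in the stream. */
static int check_relaxed(toc_entry *t, unsigned long count,
                         unsigned long stream_size)
{
    if (count == 0)                 /* assumption: guard so count - 1 cannot wrap */
        return -1;
    if (check_strict(t, count - 1, stream_size) != 0)
        return -1;
    toc_entry *last = &t[count - 1];
    if (last->offset > stream_size)
        return -1;
    last->size = stream_size - last->offset;
    return 0;
}

/* Constructed TOC: first entry is made up; the last carries the values from
   the report (size 100, offset 339968, stream size 340040). */
static toc_entry sample_toc[] = { { 1024, 64 }, { 100, 339968 } };
static const unsigned long sample_stream_size = 340040;

int main(void)
{
    printf("strict:  %d\n", check_strict(sample_toc, 2, sample_stream_size));
    printf("relaxed: %d\n", check_relaxed(sample_toc, 2, sample_stream_size));
    printf("last table size after fix: %lu\n", sample_toc[1].size);
    return 0;
}
```

The strict rule rejects the font because the TOC claims 100 bytes where only 72 remain; the relaxed rule accepts it and records the remaining bytes as the table size.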

