Bug#780143:
Axel's patch from upstream git fixes the issue (tested with fixedsc font in terminator).
Bug#780143:
severity 780143 serious
retitle 780143 libfreetype6_2.5.2-3 makes some fonts unusable

I'm not sure what fonts are affected by this bug, but the package bump should not be released with a bug that makes some unknown number of fonts unusable. Retitle as it is not clear that this bug affects only fixed fonts.
Bug#780143: Backport of the PCF fix from 2.5.5
I have successfully backported a patch coming from libfreetype6 upstream into the current version of Debian. I've tested it with Dina, which is affected by this bug (PCF version), and it works fine.

I have made a small change to the upstream patch: the ChangeLog file differs, thus I had to change the two lines of context.

I took the Debian source and added one line at the end of debian/patches-freetype/series:

0001-pcf-Fix-Savannah-bug-43774.patch

Then I wrote the adapted upstream patch (attached to this email, commit 74af85c4b62b35e55b0ce9dec55ee10cbc4962a2) into debian/patches-freetype/0001-pcf-Fix-Savannah-bug-43774.patch

I proceeded to compile my package with dpkg-buildpackage and installed it successfully with dpkg -i. That's all.

I suggest testing this change and including it in the jessie release.

Thank you.
Bug#780143: Backport of the PCF fix from 2.5.5
The patch. From 74af85c4b62b35e55b0ce9dec55ee10cbc4962a2 Mon Sep 17 00:00:00 2001 From: Werner Lemberg Date: Mon, 8 Dec 2014 16:01:50 +0100 Subject: [PATCH] [pcf] Fix Savannah bug #43774. Work around `features' of X11's `pcfWriteFont' and `pcfReadFont' functions. Since the PCF format doesn't have an official specification, we have to exactly follow these functions' behaviour. The problem was unveiled with a patch from 2014-11-06, fixing issue #43547. * src/pcf/pcfread.c (pcf_read_TOC): Don't check table size for last element. Instead, assign real size. --- ChangeLog | 14 ++ src/pcf/pcfread.c | 54 +++--- 2 files changed, 57 insertions(+), 11 deletions(-) diff --git a/ChangeLog b/ChangeLog index afc342f..e560b4f 100644 --- a/ChangeLog +++ b/ChangeLog @@ -1,3 +1,17 @@ +2014-12-08 Werner Lemberg + + [pcf] Fix Savannah bug #43774. + + Work around `features' of X11's `pcfWriteFont' and `pcfReadFont' + functions. Since the PCF format doesn't have an official + specification, we have to exactly follow these functions' behaviour. + + The problem was unveiled with a patch from 2014-11-06, fixing issue + #43547. + + * src/pcf/pcfread.c (pcf_read_TOC): Don't check table size for last + element. Instead, assign real size. + 2014-04-20 Werner Lemberg [autofit] Fix Savannah bug #42148. diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c index 998cbed..e3caf82 100644 --- a/src/pcf/pcfread.c +++ b/src/pcf/pcfread.c @@ -2,7 +2,7 @@ FreeType font driver for pcf fonts - Copyright 2000-2010, 2012, 2013 by + Copyright 2000-2010, 2012-2014 by Francesco Zappa Nardelli Permission is hereby granted, free of charge, to any person obtaining a copy @@ -78,7 +78,7 @@ THE SOFTWARE. FT_FRAME_START( 16 ), FT_FRAME_ULONG_LE( type ), FT_FRAME_ULONG_LE( format ), - FT_FRAME_ULONG_LE( size ), + FT_FRAME_ULONG_LE( size ), /* rounded up to a multiple of 4 */ FT_FRAME_ULONG_LE( offset ), FT_FRAME_END }; 
@@ -95,9 +95,11 @@ THE SOFTWARE. FT_Memory memory = FT_FACE( face )->memory; FT_UIntn; +FT_ULong size; -if ( FT_STREAM_SEEK ( 0 ) || - FT_STREAM_READ_FIELDS ( pcf_toc_header, toc ) ) + +if ( FT_STREAM_SEEK( 0 ) || + FT_STREAM_READ_FIELDS( pcf_toc_header, toc ) ) return FT_THROW( Cannot_Open_Resource ); if ( toc->version != PCF_FILE_VERSION || @@ -154,14 +156,35 @@ THE SOFTWARE. break; } -/* we now check whether the `size' and `offset' values are reasonable: */ -/* `offset' + `size' must not exceed the stream size */ +/* + * We now check whether the `size' and `offset' values are reasonable: + * `offset' + `size' must not exceed the stream size. + * + * Note, however, that X11's `pcfWriteFont' routine (used by the + * `bdftopcf' program to create PDF font files) has two special + * features. + * + * - It always assigns the accelerator table a size of 100 bytes in the + *TOC, regardless of its real size, which can vary between 34 and 72 + *bytes. + * + * - Due to the way the routine is designed, it ships out the last font + *table with its real size, ignoring the TOC's size value. Since + *the TOC size values are always rounded up to a multiple of 4, the + *difference can be up to three bytes for all tables except the + *accelerator table, for which the difference can be as large as 66 + *bytes. + * + */ + tables = face->toc.tables; -for ( n = 0; n < toc->count; n++ ) +size = stream->size; + +for ( n = 0; n < toc->count - 1; n++ ) { /* we need two checks to avoid overflow */ - if ( ( tables->size > stream->size) || - ( tables->offset > stream->size - tables->size ) ) + if ( ( tables->size > size) || + ( tables->offset > size - tables->size ) ) { error = FT_THROW( Invalid_Table ); goto Exit; 
@@ -169,6 +192,15 @@ THE SOFTWARE. tables++; } +/* no check of `tables->size' for last table element ... */ +if ( ( tables->offset > size ) ) +{ + error = FT_THROW( Invalid_Table ); + goto Exit; +} +/* ... instead, we adjust `tables->size' to the real value */ +tables->size = size - tables->offset; + #ifdef FT_DEBUG_LEVEL_TRACE { @@ -733,8 +765,8 @@ THE SOFTWARE. FT_TRACE4(( " number of bitmaps: %d\n", nbitmaps )); -/* XXX: PCF_Face->nmetrics is singed FT_Long, see pcf.h */ -if ( face->nmetrics < 0 || nbitmaps != ( FT_ULong )face->nmetrics ) +/* XXX: PCF_Face->nmetrics is signed FT_Long, see pcf.h */ +if ( face->nmetrics < 0 || nbitmaps != (FT_ULong)face->nmetrics ) return FT_THROW( Invalid_File_Format ); if ( FT
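Review bot: in the new comment block of the @@ -154,14 +156,35 @@ hunk, "create PDF font files" should read "create PCF font files", since `bdftopcf` writes PCF. The same hunk changes the loop bound to `n < toc->count - 1` and the following hunk then reads the entry `tables` points at after the loop, so both rely on `toc->count` being at least 1; the visible context shows only the first line of the `toc->version != PCF_FILE_VERSION ||` check, so confirm that this condition (or an earlier one) rejects `count == 0`, otherwise an unsigned `count - 1` wraps and the post-loop access lands outside the table array.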
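Review bot: `if ( ( tables->offset > size ) )` in the @@ -169,6 +192,15 @@ hunk carries a redundant pair of parentheses; `if ( tables->offset > size )` matches the style of the check inside the loop above. Since `tables->size = size - tables->offset;` silently replaces the TOC's recorded size for the last table, the `#ifdef FT_DEBUG_LEVEL_TRACE` block that immediately follows is the natural place to log that the TOC value was overridden, so that a stream whose last table was truncated is visible in the trace rather than accepted without comment.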
Bug#780143:
Upstream: "The problem you are describing in this bug report has already been fixed in version 2.5.5"
Bug#780143: libfreetype6:amd64: libfreetype6_2.5.2-3 breaks fixed font in terminal
Package: libfreetype6
Version: 2.5.2-3
Severity: important

Dear Maintainer,

Using font FixedSC from http://pts-mini-gpl.googlecode.com/svn/trunk/fonts/fixedsc.tgz (libfreetype6_2.5.2-2 was ok):

- upgrade to libfreetype6_2.5.2-3
- run gnome terminal or terminator
- terminal text is corrupt: http://imgur.com/DQZtDBb
- downgrade back to libfreetype6_2.5.2-2: terminal text is now ok

The bad patch seems to be 0020-Fix-Savannah-bug-43547.-CVE-2014-9671.patch:

+/* we now check whether the `size' and `offset' values are reasonable: */ +/* `offset' + `size' must not exceed the stream size */ +tables = face->toc.tables; +for ( n = 0; n < toc->count; n++ ) +{ + /* we need two checks to avoid overflow */ + if ( ( tables->size > stream->size) || + ( tables->offset > stream->size - tables->size ) ) + { +error = FT_THROW( Invalid_Table ); +goto Exit; + } + tables++; +} +

This fails when:

tables->size=100
tables->offset=339968
stream->size=340040

tables->offset > stream->size - tables->size
339968 > 340040-100(=339940)

.xsession-errors:

/usr/share/terminator/terminatorlib/window.py:384: PangoWarning: failed to create cairo scaled font, expect ugly output.
the offending font is 'FixedSC 11'
  self.present()
/usr/share/terminator/terminatorlib/window.py:384: PangoWarning: font_face status is: out of memory
  self.present()
/usr/share/terminator/terminatorlib/window.py:384: PangoWarning: scaled_font status is: out of memory
  self.present()
/usr/share/terminator/terminatorlib/window.py:384: PangoWarning: shaping failure, expect ugly output.
shape-engine='BasicEngineFc', font='FixedSC 11', text=' !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~'
  self.present()
/usr/share/terminator/terminatorlib/window.py:384: PangoWarning: failed to create cairo scaled font, expect ugly output.
the offending font is 'FixedSC Bold 11'
  self.present()
/usr/share/terminator/terminatorlib/window.py:384: PangoWarning: shaping failure, expect ugly output.
shape-engine='BasicEngineFc', font='FixedSC Bold 11', text=' !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\]^_`abcdefghijklmnopqrstuvwxyz{|}~'
  self.present()

-- System Information:
Debian Release: 8.0
  APT prefers testing-updates
  APT policy: (500, 'testing-updates'), (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_GB.utf8, LC_CTYPE=en_GB.utf8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

Versions of packages libfreetype6:amd64 depends on:
ii  libc6              2.19-15
ii  libpng12-0         1.2.50-2+b2
ii  multiarch-support  2.19-15
ii  zlib1g             1:1.2.8.dfsg-2+b1

libfreetype6:amd64 recommends no packages.

libfreetype6:amd64 suggests no packages.

-- no debconf information
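The bug report above shows why the strict bounds check from the CVE-2014-9671 fix rejects a valid PCF file, and the backported upstream patch shows the relaxation (check every table except the last, then assign the last table its real size). The following is an added example, not FreeType's code and not part of this bug thread: it implements both checks over a hypothetical `toc_entry` struct (field names mirror the thread, but the struct and the function names `toc_check_strict` / `toc_check_last_relaxed` are assumptions) and runs them on the reporter's numbers, constructed here from the values quoted in the report.

```c
#include <assert.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for a PCF table-of-contents entry (not FreeType's
 * PCF_TableRec). `size` is the value recorded in the TOC, which the thread
 * notes is rounded up to a multiple of 4 and fixed at 100 for the
 * accelerator table. */
typedef struct {
    uint32_t type;
    uint32_t format;
    uint32_t size;
    uint32_t offset;
} toc_entry;

/* Strict check, as quoted in the bug report: every table, the last one
 * included, must satisfy offset + size <= stream_size. The two comparisons
 * avoid computing offset + size, which could overflow a 32-bit value.
 * Returns 1 if every entry passes, 0 otherwise. */
int toc_check_strict(const toc_entry *tables, size_t count, uint32_t stream_size)
{
    for (size_t n = 0; n < count; n++) {
        if (tables[n].size > stream_size ||
            tables[n].offset > stream_size - tables[n].size)
            return 0;
    }
    return 1;
}

/* Relaxed check in the spirit of the 2.5.5 fix: all tables but the last are
 * checked as above; the last table only needs offset <= stream_size and its
 * TOC size is replaced by the bytes actually remaining in the stream.
 * A zero-count TOC is rejected here rather than letting count - 1 wrap. */
int toc_check_last_relaxed(toc_entry *tables, size_t count, uint32_t stream_size)
{
    if (count == 0)
        return 0;
    for (size_t n = 0; n + 1 < count; n++) {
        if (tables[n].size > stream_size ||
            tables[n].offset > stream_size - tables[n].size)
            return 0;
    }
    toc_entry *last = &tables[count - 1];
    if (last->offset > stream_size)
        return 0;
    last->size = stream_size - last->offset;   /* real size, not the TOC value */
    return 1;
}

/* Constructed sample: a harmless first table followed by the accelerator
 * table from the report (TOC size 100, offset 339968) in a 340040-byte
 * stream. The real size of that last table is 340040 - 339968 = 72 bytes,
 * which is inside the 34..72 range the upstream comment describes. */
static toc_entry sample_tables[2] = {
    { 1, 0, 4,   16     },
    { 2, 0, 100, 339968 },
};

/* Runs the relaxed check on a copy of the sample and returns the real size
 * it assigns to the last table, or 0 if it rejects the TOC. */
uint32_t demo_last_table_real_size(void)
{
    toc_entry t[2];
    memcpy(t, sample_tables, sizeof t);
    if (!toc_check_last_relaxed(t, 2, 340040))
        return 0;
    return t[1].size;
}

int main(void)
{
    toc_entry t[2];
    memcpy(t, sample_tables, sizeof t);
    printf("strict check:  %s\n",
           toc_check_strict(t, 2, 340040) ? "accepted" : "rejected");
    printf("relaxed check: %s, last table real size = %u\n",
           toc_check_last_relaxed(t, 2, 340040) ? "accepted" : "rejected",
           (unsigned)t[1].size);
    return 0;
}
```

With the reporter's values the strict check fails exactly as the report computes (339968 > 340040 - 100), while the relaxed check accepts the file and records 72 bytes for the last table; an entry whose offset lies beyond the stream is still rejected by both, so the overflow-safe bound from the CVE fix is preserved for every table that the format actually describes accurately.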