[freetype/f14] Fix CVE-2011-3256
mkasik
mkasik at fedoraproject.org
Thu Oct 20 16:04:39 UTC 2011
commit 7d6b06f1464d76532346b98f20d4fded1a936883
Author: Marek Kasik <mkasik at redhat.com>
Date: Thu Oct 20 18:04:08 2011 +0200
Fix CVE-2011-3256
Add freetype-2.4.2-CVE-2011-3256.patch
(Handle some border cases)
- based on patch by Braden Thomas
freetype-2.4.2-CVE-2011-3256.patch | 92 ++++++++++++++++++++++++++++++++++++
freetype.spec | 8 +++-
2 files changed, 99 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.4.2-CVE-2011-3256.patch b/freetype-2.4.2-CVE-2011-3256.patch
new file mode 100644
index 0000000..19251b9
--- /dev/null
+++ b/freetype-2.4.2-CVE-2011-3256.patch
@@ -0,0 +1,92 @@
+--- freetype-2.4.2/src/base/ftbitmap.c 2009-07-31 18:45:18.000000000 +0200
++++ freetype-2.4.2/src/base/ftbitmap.c 2011-10-20 17:39:09.000000000 +0200
+@@ -4,7 +4,7 @@
+ /* */
+ /* FreeType utility functions for bitmaps (body). */
+ /* */
+-/* Copyright 2004, 2005, 2006, 2007, 2008, 2009 by */
++/* Copyright 2004-2009, 2011 by */
+ /* David Turner, Robert Wilhelm, and Werner Lemberg. */
+ /* */
+ /* This file is part of the FreeType project, and may only be used, */
+@@ -417,6 +417,10 @@
+
+ target->pitch = source->width + pad;
+
++ if ( target->pitch > 0 &&
++ target->rows > FT_ULONG_MAX / target->pitch )
++ return FT_Err_Invalid_Argument;
++
+ if ( target->rows * target->pitch > old_size &&
+ FT_QREALLOC( target->buffer,
+ old_size, target->rows * target->pitch ) )
+--- freetype-2.4.2/src/psaux/t1decode.c 2011-10-20 17:38:34.000000000 +0200
++++ freetype-2.4.2/src/psaux/t1decode.c 2011-10-20 17:39:09.000000000 +0200
+@@ -754,6 +754,13 @@
+ if ( arg_cnt != 0 )
+ goto Unexpected_OtherSubr;
+
++ if ( decoder->flex_state == 0 )
++ {
++ FT_ERROR(( "t1_decoder_parse_charstrings:"
++ " missing flex start\n" ));
++ goto Syntax_Error;
++ }
++
+ /* note that we should not add a point for index 0; */
+ /* this will move our current position to the flex */
+ /* point without adding any point to the outline */
+--- freetype-2.4.2/src/raster/ftrend1.c 2009-07-03 15:28:24.000000000 +0200
++++ freetype-2.4.2/src/raster/ftrend1.c 2011-10-20 17:39:32.000000000 +0200
+@@ -4,7 +4,7 @@
+ /* */
+ /* The FreeType glyph rasterizer interface (body). */
+ /* */
+-/* Copyright 1996-2001, 2002, 2003, 2005, 2006 by */
++/* Copyright 1996-2003, 2005, 2006, 2011 by */
+ /* David Turner, Robert Wilhelm, and Werner Lemberg. */
+ /* */
+ /* This file is part of the FreeType project, and may only be used, */
+@@ -25,6 +25,7 @@
+
+ #include "rasterrs.h"
+
++#define FT_USHORT_MAX USHRT_MAX
+
+ /* initialize renderer -- init its raster */
+ static FT_Error
+@@ -168,6 +169,13 @@
+
+ width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
+ height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
++
++ if ( width > FT_USHORT_MAX || height > FT_USHORT_MAX )
++ {
++ error = Raster_Err_Invalid_Argument;
++ goto Exit;
++ }
++
+ bitmap = &slot->bitmap;
+ memory = render->root.memory;
+
+--- freetype-2.4.2/src/truetype/ttgxvar.c 2011-10-20 17:38:34.000000000 +0200
++++ freetype-2.4.2/src/truetype/ttgxvar.c 2011-10-20 17:39:09.000000000 +0200
+@@ -4,7 +4,7 @@
+ /* */
+ /* TrueType GX Font Variation loader */
+ /* */
+-/* Copyright 2004, 2005, 2006, 2007, 2008, 2009, 2010 by */
++/* Copyright 2004-2011 by */
+ /* David Turner, Robert Wilhelm, Werner Lemberg, and George Williams. */
+ /* */
+ /* This file is part of the FreeType project, and may only be used, */
+@@ -1474,6 +1474,9 @@
+ {
+ for ( j = 0; j < point_count; ++j )
+ {
++ if ( localpoints[j] >= n_points )
++ continue;
++
+ delta_xy[localpoints[j]].x += FT_MulFix( deltas_x[j], apply );
+ delta_xy[localpoints[j]].y += FT_MulFix( deltas_y[j], apply );
+ }
diff --git a/freetype.spec b/freetype.spec
index 8c8d867..1ed8c5f 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -7,7 +7,7 @@
Summary: A free and portable font rendering engine
Name: freetype
Version: 2.4.2
-Release: 5%{?dist}
+Release: 6%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -29,6 +29,7 @@ Patch88: freetype-multilib.patch
Patch89: freetype-2.4.2-CVE-2010-3311.patch
Patch90: freetype-2.4.2-CVE-2010-3855.patch
Patch91: freetype-2.4.2-CVE-2011-0226.patch
+Patch92: freetype-2.4.2-CVE-2011-3256.patch
Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
@@ -98,6 +99,7 @@ popd
%patch89 -p1 -b .CVE-2010-3311
%patch90 -p1 -b .CVE-2010-3855
%patch91 -p1 -b .CVE-2011-0226
+%patch92 -p1 -b .CVE-2011-3256
%build
@@ -230,6 +232,10 @@ rm -rf $RPM_BUILD_ROOT
%doc docs/tutorial
%changelog
+* Thu Oct 20 2011 Marek Kasik <mkasik at redhat.com> 2.4.2-6
+- Add freetype-2.4.2-CVE-2011-3256.patch
+ (Handle some border cases)
+
* Wed Jul 20 2011 Marek Kasik <mkasik at redhat.com> 2.4.2-5
- Add freetype-2.4.2-CVE-2011-0226.patch
(Add better argument check for `callothersubr'.)