[freetype] Fix CVE-2010-3855

mkasik mkasik at fedoraproject.org
Mon Nov 15 10:02:38 UTC 2010


commit 4548e1aa0427e423b4ac55f74b107e11be8c7746
Author: Marek Kasik <mkasik at redhat.com>
Date:   Mon Nov 15 10:31:46 2010 +0100

    Fix CVE-2010-3855
    
    Add freetype-2.4.3-CVE-2010-3855.patch
      (Protect against invalid `runcnt' values.)
    Resolves: #651764

 freetype-2.4.3-CVE-2010-3855.patch |   20 ++++++++++++++++++++
 freetype.spec                      |    9 ++++++++-
 2 files changed, 28 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.4.3-CVE-2010-3855.patch b/freetype-2.4.3-CVE-2010-3855.patch
new file mode 100644
index 0000000..b6a3fd7
--- /dev/null
+++ b/freetype-2.4.3-CVE-2010-3855.patch
@@ -0,0 +1,20 @@
+--- freetype-2.4.3/src/truetype/ttgxvar.c	2010-07-12 21:03:49.000000000 +0200
++++ freetype-2.4.3/src/truetype/ttgxvar.c	2010-11-15 10:23:43.856348141 +0100
+@@ -154,7 +154,7 @@
+         runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
+         first  = points[i++] = FT_GET_USHORT();
+ 
+-        if ( runcnt < 1 )
++        if ( runcnt < 1 || i + runcnt >= n )
+           goto Exit;
+ 
+         /* first point not included in runcount */
+@@ -165,7 +165,7 @@
+       {
+         first = points[i++] = FT_GET_BYTE();
+ 
+-        if ( runcnt < 1 )
++        if ( runcnt < 1 || i + runcnt >= n )
+           goto Exit;
+ 
+         for ( j = 0; j < runcnt; ++j )
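Review bot: The new bound in the two changed conditions (`i + runcnt >= n`, in both the word and the byte branch) looks off by one on the strict side: `points[i++]` on the line above has already advanced `i` past the first point, and the following loop writes `runcnt` further entries, so the last index touched is `i + runcnt - 1` and only `i + runcnt > n` actually overruns the array. With `>= n` a run that fills the array exactly is also rejected via `goto Exit`, which presumably drops a valid point list. If `n` is the allocated length of `points` (the `while` loop header and the allocation are outside the hunk, so this is inferred), the condition can be `if ( runcnt < 1 || i + runcnt > n )` in both places, with a short comment such as `/* the run must fit in the remaining n - i slots */` so the next reader sees why `i` is already past the first point. What the `Exit` label does with a partially filled `points` array is also outside the hunk and worth confirming.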
diff --git a/freetype.spec b/freetype.spec
index acc2524..82b782d 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -7,7 +7,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.4.3
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: FTL or GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -27,6 +27,7 @@ Patch47:  freetype-2.3.11-more-demos.patch
 Patch88:  freetype-multilib.patch
 
 Patch89:  freetype-2.4.2-CVE-2010-3311.patch
+Patch90:  freetype-2.4.3-CVE-2010-3855.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
@@ -94,6 +95,7 @@ popd
 
 %patch88 -p1 -b .multilib
 %patch89 -p1 -b .CVE-2010-3311
+%patch90 -p1 -b .CVE-2010-3855
 
 %build
 
@@ -226,6 +228,11 @@ rm -rf $RPM_BUILD_ROOT
 %doc docs/tutorial
 
 %changelog
+* Mon Nov 15 2010 Marek Kasik <mkasik at redhat.com> 2.4.3-2
+- Add freetype-2.4.3-CVE-2010-3855.patch
+    (Protect against invalid `runcnt' values.)
+- Resolves: #651764
+
 * Tue Oct 26 2010 Marek Kasik <mkasik at redhat.com> 2.4.3-1
 - Update to 2.4.3
 - Resolves: #639906

