[freetype/f13/master] Security bugfix
mkasik
mkasik at fedoraproject.org
Mon Oct 4 11:01:53 UTC 2010
commit 29960429d53a6afd9c91e340d8c89ddf9a81ecaa
Author: Marek Kasik <mkasik at redhat.com>
Date: Mon Oct 4 12:56:17 2010 +0200
Security bugfix
Add freetype-2.3.11-CVE-2010-1797.patch
(Check the operand stack after executing operators, too.
Skip evaluating the decoder's values if
cff_decoder_parse_charstrings() returns any error.)
Resolves: #621627
freetype-2.3.11-CVE-2010-1797.patch | 101 +++++++++++++++++++++++++++++++++++
freetype.spec | 11 ++++-
2 files changed, 111 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.3.11-CVE-2010-1797.patch b/freetype-2.3.11-CVE-2010-1797.patch
new file mode 100644
index 0000000..1af9c8b
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-1797.patch
@@ -0,0 +1,101 @@
+--- freetype-2.3.11/src/cff/cffgload.c 2009-09-10 17:52:21.000000000 +0200
++++ freetype-2.3.11/src/cff/cffgload.c 2010-08-11 13:39:32.000000000 +0200
+@@ -2358,8 +2358,11 @@
+ return CFF_Err_Unimplemented_Feature;
+ }
+
+- decoder->top = args;
++ decoder->top = args;
+
++ if ( decoder->top - stack >= CFF_MAX_OPERANDS )
++ goto Stack_Overflow;
++
+ } /* general operator processing */
+
+ } /* while ip < limit */
+@@ -2627,48 +2630,54 @@
+ /* now load the unscaled outline */
+ error = cff_get_glyph_data( face, glyph_index,
+ &charstring, &charstring_len );
+- if ( !error )
+- {
+- error = cff_decoder_prepare( &decoder, size, glyph_index );
+- if ( !error )
+- {
+- error = cff_decoder_parse_charstrings( &decoder,
+- charstring,
+- charstring_len );
++ if ( error )
++ goto Glyph_Build_Finished;
++
++ error = cff_decoder_prepare( &decoder, size, glyph_index );
++ if ( error )
++ goto Glyph_Build_Finished;
+
+- cff_free_glyph_data( face, &charstring, charstring_len );
++ error = cff_decoder_parse_charstrings( &decoder,
++ charstring,
++ charstring_len );
++
++ cff_free_glyph_data( face, &charstring, charstring_len );
++
++ if ( error )
++ goto Glyph_Build_Finished;
+
+
+ #ifdef FT_CONFIG_OPTION_INCREMENTAL
+- /* Control data and length may not be available for incremental */
+- /* fonts. */
+- if ( face->root.internal->incremental_interface )
+- {
+- glyph->root.control_data = 0;
+- glyph->root.control_len = 0;
+- }
+- else
++ /* Control data and length may not be available for incremental */
++ /* fonts. */
++ if ( face->root.internal->incremental_interface )
++ {
++ glyph->root.control_data = 0;
++ glyph->root.control_len = 0;
++ }
++ else
+ #endif /* FT_CONFIG_OPTION_INCREMENTAL */
+
+- /* We set control_data and control_len if charstrings is loaded. */
+- /* See how charstring loads at cff_index_access_element() in */
+- /* cffload.c. */
+- {
+- CFF_Index csindex = &cff->charstrings_index;
++ /* We set control_data and control_len if charstrings is loaded. */
++ /* See how charstring loads at cff_index_access_element() in */
++ /* cffload.c. */
++ {
++ CFF_Index csindex = &cff->charstrings_index;
+
+
+- if ( csindex->offsets )
+- {
+- glyph->root.control_data = csindex->bytes +
+- csindex->offsets[glyph_index] - 1;
+- glyph->root.control_len = charstring_len;
+- }
+- }
++ if ( csindex->offsets )
++ {
++ glyph->root.control_data = csindex->bytes +
++ csindex->offsets[glyph_index] - 1;
++ glyph->root.control_len = charstring_len;
+ }
+ }
+
+- /* save new glyph tables */
+- cff_builder_done( &decoder.builder );
++ Glyph_Build_Finished:
++ /* save new glyph tables, if no error */
++ if ( !error )
++ cff_builder_done( &decoder.builder );
++ /* XXX: anything to do for broken glyph entry? */
+ }
+
+ #ifdef FT_CONFIG_OPTION_INCREMENTAL
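Review bot: The new `if ( error ) goto Glyph_Build_Finished;` placed right after the `cff_decoder_prepare()` call jumps past the `cff_free_glyph_data( face, &charstring, charstring_len );` that now only runs after the parse, so whatever `cff_get_glyph_data()` handed back in `charstring` is never released on that path; the pre-patch nesting had the same gap, but this rewrite is the place to close it. Whether that is a real leak depends on whether cff_get_glyph_data allocates on this build (its body is not in the hunk), so treat it as a check to confirm rather than a known defect. The fix is to release before leaving: `if ( error ) { cff_free_glyph_data( face, &charstring, charstring_len ); goto Glyph_Build_Finished; }`. The enclosing function of that second hunk (presumably the CFF slot loader) starts and ends outside the hunk, as does the interpreter loop around the added `decoder->top - stack >= CFF_MAX_OPERANDS` check, so whether that bound matches the push-side check and the `stack` array size could not be verified from this diff.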
diff --git a/freetype.spec b/freetype.spec
index fe1eb91..6c2603f 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -9,7 +9,7 @@
Summary: A free and portable font rendering engine
Name: freetype
Version: 2.3.11
-Release: 4%{?dist}
+Release: 5%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -37,6 +37,7 @@ Patch92: freetype-2.3.11-CVE-2010-2519.patch
Patch93: freetype-2.3.11-CVE-2010-2520.patch
Patch94: freetype-2.3.11-CVE-2010-2527.patch
Patch95: freetype-2.3.11-CVE-2010-2541.patch
+Patch96: freetype-2.3.11-CVE-2010-1797.patch
Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
@@ -112,6 +113,7 @@ popd
%patch93 -p1 -b .CVE-2010-2520
%patch94 -p1 -b .CVE-2010-2527
%patch95 -p1 -b .CVE-2010-2541
+%patch96 -p1 -b .CVE-2010-1797
%build
@@ -244,6 +246,13 @@ rm -rf $RPM_BUILD_ROOT
%doc docs/tutorial
%changelog
+* Mon Oct 4 2010 Marek Kasik <mkasik at redhat.com> 2.3.11-5
+- Add freetype-2.3.11-CVE-2010-1797.patch
+ (Check stack after execution of operations too.
+ Skip the evaluations of the values in decoder, if
+ cff_decoder_parse_charstrings() returns any error.)
+- Resolves: #621627
+
* Fri Oct 1 2010 Marek Kasik <mkasik at redhat.com> 2.3.11-4
- Add freetype-2.3.11-CVE-2010-2498.patch
(Assure that `end_point' is not larger than `glyph->num_points')