[freetype/f15] Fix CVE-2011-3439
mkasik
mkasik at fedoraproject.org
Tue Nov 15 16:29:21 UTC 2011
commit d1e0a644c1930f44c2b24d1124f6db79cfef4361
Author: Marek Kasik <mkasik at redhat.com>
Date: Tue Nov 15 17:28:40 2011 +0100
Fix CVE-2011-3439
Resolves: #753837
freetype-2.4.4-CVE-2011-3439.patch | 76 ++++++++++++++++++++++++++++++++++++
freetype.spec | 8 +++-
2 files changed, 83 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.4.4-CVE-2011-3439.patch b/freetype-2.4.4-CVE-2011-3439.patch
new file mode 100644
index 0000000..cf3ca8b
--- /dev/null
+++ b/freetype-2.4.4-CVE-2011-3439.patch
@@ -0,0 +1,76 @@
+--- freetype-2.4.4/src/cid/cidload.c 2009-07-03 15:28:24.000000000 +0200
++++ freetype-2.4.4/src/cid/cidload.c 2011-11-15 17:25:38.000000000 +0100
+@@ -4,7 +4,7 @@
+ /* */
+ /* CID-keyed Type1 font loader (body). */
+ /* */
+-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2009 by */
++/* Copyright 1996-2006, 2009, 2011 by */
+ /* David Turner, Robert Wilhelm, and Werner Lemberg. */
+ /* */
+ /* This file is part of the FreeType project, and may only be used, */
+@@ -110,7 +110,7 @@
+ CID_FaceDict dict;
+
+
+- if ( parser->num_dict < 0 )
++ if ( parser->num_dict < 0 || parser->num_dict >= cid->num_dicts )
+ {
+ FT_ERROR(( "cid_load_keyword: invalid use of `%s'\n",
+ keyword->ident ));
+@@ -158,7 +158,7 @@
+ FT_Fixed temp_scale;
+
+
+- if ( parser->num_dict >= 0 )
++ if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )
+ {
+ dict = face->cid.font_dicts + parser->num_dict;
+ matrix = &dict->font_matrix;
+@@ -249,7 +249,7 @@
+ CID_FaceDict dict;
+
+
+- if ( parser->num_dict >= 0 )
++ if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )
+ {
+ dict = face->cid.font_dicts + parser->num_dict;
+
+@@ -413,12 +413,25 @@
+ FT_Byte* p;
+
+
++ /* Check for possible overflow. */
++ if ( num_subrs == FT_UINT_MAX )
++ {
++ error = CID_Err_Syntax_Error;
++ goto Fail;
++ }
++
+ /* reallocate offsets array if needed */
+ if ( num_subrs + 1 > max_offsets )
+ {
+ FT_UInt new_max = FT_PAD_CEIL( num_subrs + 1, 4 );
+
+
++ if ( new_max <= max_offsets )
++ {
++ error = CID_Err_Syntax_Error;
++ goto Fail;
++ }
++
+ if ( FT_RENEW_ARRAY( offsets, max_offsets, new_max ) )
+ goto Fail;
+
+@@ -436,6 +449,11 @@
+
+ FT_FRAME_EXIT();
+
++ /* offsets must be ordered */
++ for ( count = 1; count <= num_subrs; count++ )
++ if ( offsets[count - 1] > offsets[count] )
++ goto Fail;
++
+ /* now, compute the size of subrs charstrings, */
+ /* allocate, and read them */
+ data_len = offsets[num_subrs] - offsets[0];
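Review bot: The ordering check added in the last hunk, `if ( offsets[count - 1] > offsets[count] ) goto Fail;`, jumps to `Fail` without assigning `error`, whereas the two checks added in the previous hunk set `error = CID_Err_Syntax_Error;` before their `goto Fail`. If `error` still holds the success value from the frame read that `FT_FRAME_EXIT()` just closed (likely, but the assignment is not visible in this diff), a font with unordered subroutine offsets would make the function return success with a partially built subrs table instead of failing, which defeats the purpose of the check. Suggested change, consistent with the sibling checks: `if ( offsets[count - 1] > offsets[count] ) { error = CID_Err_Syntax_Error; goto Fail; }`. The enclosing function begins and ends outside the hunk, so whether the `Fail:` label itself sets an error code cannot be confirmed here.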
diff --git a/freetype.spec b/freetype.spec
index 8e7b645..ef33a49 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -7,7 +7,7 @@
Summary: A free and portable font rendering engine
Name: freetype
Version: 2.4.4
-Release: 6%{?dist}
+Release: 7%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -30,6 +30,7 @@ Patch90: 0001-Fall-back-to-autohinting-if-a-TTF-OTF-doesn-t-contai.patch
Patch91: 0002-Fix-autohinting-fallback.patch
Patch92: freetype-2.4.4-CVE-2011-0226.patch
Patch93: freetype-2.4.4-CVE-2011-3256.patch
+Patch94: freetype-2.4.4-CVE-2011-3439.patch
Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
@@ -95,6 +96,7 @@ popd
%patch91 -p1 -b .fix-autohint
%patch92 -p1 -b .CVE-2011-0226
%patch93 -p1 -b .CVE-2011-3256
+%patch94 -p1 -b .CVE-2011-3439
%build
@@ -227,6 +229,10 @@ rm -rf $RPM_BUILD_ROOT
%doc docs/tutorial
%changelog
+* Tue Nov 15 2011 Marek Kasik <mkasik at redhat.com> 2.4.4-7
+- Fix CVE-2011-3439
+- Resolves: #753837
+
* Thu Oct 20 2011 Marek Kasik <mkasik at redhat.com> 2.4.4-6
- Add freetype-2.4.4-CVE-2011-3256.patch
(Handle some border cases)