[freetype/f15] Fix various CVEs

mkasik mkasik at fedoraproject.org
Wed Apr 4 12:06:06 UTC 2012


commit 89f2ecbbdbceb3c917b9af9e7b54224e791c8e92
Author: Marek Kasik <mkasik at redhat.com>
Date:   Wed Apr 4 14:04:52 2012 +0200

    Fix various CVEs
    
    - Resolves: #806270

 freetype-2.4.4-CVE-2012-1126.patch |   20 ++++++
 freetype-2.4.4-CVE-2012-1127.patch |   43 ++++++++++++
 freetype-2.4.4-CVE-2012-1128.patch |   41 +++++++++++
 freetype-2.4.4-CVE-2012-1130.patch |   22 ++++++
 freetype-2.4.4-CVE-2012-1131.patch |   47 +++++++++++++
 freetype-2.4.4-CVE-2012-1132.patch |  131 ++++++++++++++++++++++++++++++++++++
 freetype-2.4.4-CVE-2012-1133.patch |   14 ++++
 freetype-2.4.4-CVE-2012-1134.patch |   26 +++++++
 freetype-2.4.4-CVE-2012-1135.patch |   20 ++++++
 freetype-2.4.4-CVE-2012-1136.patch |   49 +++++++++++++
 freetype-2.4.4-CVE-2012-1137.patch |   11 +++
 freetype-2.4.4-CVE-2012-1138.patch |   11 +++
 freetype-2.4.4-CVE-2012-1139.patch |   33 +++++++++
 freetype-2.4.4-CVE-2012-1140.patch |   53 +++++++++++++++
 freetype-2.4.4-CVE-2012-1141.patch |   17 +++++
 freetype-2.4.4-CVE-2012-1142.patch |   27 ++++++++
 freetype-2.4.4-CVE-2012-1143.patch |   67 ++++++++++++++++++
 freetype-2.4.4-CVE-2012-1144.patch |   22 ++++++
 freetype-2.4.4-bdf-overflow.patch  |   11 +++
 freetype.spec                      |   44 ++++++++++++-
 20 files changed, 708 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.4.4-CVE-2012-1126.patch b/freetype-2.4.4-CVE-2012-1126.patch
new file mode 100644
index 0000000..27d2321
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1126.patch
@@ -0,0 +1,20 @@
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -1,6 +1,6 @@
+ /*
+  * Copyright 2000 Computing Research Labs, New Mexico State University
+- * Copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2009, 2010
++ * Copyright 2001-2012
+  *   Francesco Zappa Nardelli
+  *
+  * Permission is hereby granted, free of charge, to any person obtaining a
+@@ -1254,7 +1254,8 @@
+     ep = line + linelen;
+ 
+     /* Trim the leading whitespace if it exists. */
+-    *sp++ = 0;
++    if ( *sp )
++      *sp++ = 0;
+     while ( *sp                           &&
+             ( *sp == ' ' || *sp == '\t' ) )
+       sp++;
diff --git a/freetype-2.4.4-CVE-2012-1127.patch b/freetype-2.4.4-CVE-2012-1127.patch
new file mode 100644
index 0000000..837ef74
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1127.patch
@@ -0,0 +1,43 @@
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -188,6 +188,7 @@
+ #define ACMSG13  "Glyph %ld extra rows removed.\n"
+ #define ACMSG14  "Glyph %ld extra columns removed.\n"
+ #define ACMSG15  "Incorrect glyph count: %ld indicated but %ld found.\n"
++#define ACMSG16  "Glyph %ld missing columns padded with zero bits.\n"
+ 
+   /* Error messages. */
+ #define ERRMSG1  "[line %ld] Missing \"%s\" line.\n"
+@@ -1725,18 +1726,31 @@
+       for ( i = 0; i < nibbles; i++ )
+       {
+         c = line[i];
++        if ( !c )
++          break;
+         *bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] );
+         if ( i + 1 < nibbles && ( i & 1 ) )
+           *++bp = 0;
+       }
+ 
++      /* If any line has not enough columns,            */
++      /* indicate they have been padded with zero bits. */
++      if ( i < nibbles                            &&
++           !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
++      {
++        FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG16, glyph->encoding ));
++        p->flags       |= _BDF_GLYPH_WIDTH_CHECK;
++        font->modified  = 1;
++      }
++
+       /* Remove possible garbage at the right. */
+       mask_index = ( glyph->bbx.width * p->font->bpp ) & 7;
+       if ( glyph->bbx.width )
+         *bp &= nibble_mask[mask_index];
+ 
+       /* If any line has extra columns, indicate they have been removed. */
+-      if ( ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
++      if ( i == nibbles                                             &&
++           ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
+            !( p->flags & _BDF_GLYPH_WIDTH_CHECK )                   )
+       {
+         FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding ));
diff --git a/freetype-2.4.4-CVE-2012-1128.patch b/freetype-2.4.4-CVE-2012-1128.patch
new file mode 100644
index 0000000..6830bef
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1128.patch
@@ -0,0 +1,41 @@
+--- freetype-2.4.6/src/truetype/ttinterp.c	2011-01-31 21:45:29.000000000 +0100
++++ freetype-2.4.6/src/truetype/ttinterp.c	2012-03-28 13:07:28.000000000 +0200
+@@ -5788,7 +5788,7 @@
+     FT_F26Dot6       dx,
+                      dy;
+ 
+-    FT_UShort        last_point, i;
++    FT_UShort        limit, i;
+ 
+ 
+     if ( BOUNDS( args[0], 2 ) )
+@@ -5805,24 +5805,15 @@
+     /*      Twilight zone has no contours, so use `n_points'.   */
+     /*      Normal zone's `n_points' includes phantoms, so must */
+     /*      use end of last contour.                            */
+-    if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
+-      last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
++    if ( CUR.GS.gep2 == 0 )
++      limit = (FT_UShort)CUR.zp2.n_points;
+     else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
+-    {
+-      last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
+-
+-      if ( BOUNDS( last_point, CUR.zp2.n_points ) )
+-      {
+-        if ( CUR.pedantic_hinting )
+-          CUR.error = TT_Err_Invalid_Reference;
+-        return;
+-      }
+-    }
++      limit = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] + 1 );
+     else
+-      last_point = 0;
++      limit = 0;
+ 
+     /* XXX: UNDOCUMENTED! SHZ doesn't touch the points */
+-    for ( i = 0; i <= last_point; i++ )
++    for ( i = 0; i < limit; i++ )
+     {
+       if ( zp.cur != CUR.zp2.cur || refp != i )
+         MOVE_Zp2_Point( i, dx, dy, FALSE );
diff --git a/freetype-2.4.4-CVE-2012-1130.patch b/freetype-2.4.4-CVE-2012-1130.patch
new file mode 100644
index 0000000..aa7d40d
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1130.patch
@@ -0,0 +1,22 @@
+--- a/src/pcf/pcfread.c
++++ b/src/pcf/pcfread.c
+@@ -2,8 +2,7 @@
+ 
+     FreeType font driver for pcf fonts
+ 
+-  Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
+-            2010 by
++  Copyright 2000-2010, 2012 by
+   Francesco Zappa Nardelli
+ 
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+@@ -496,7 +495,8 @@ THE SOFTWARE.
+       goto Bail;
+     }
+ 
+-    if ( FT_NEW_ARRAY( strings, string_size ) )
++    /* allocate one more byte so that we have a final null byte */
++    if ( FT_NEW_ARRAY( strings, string_size + 1 ) )
+       goto Bail;
+ 
+     error = FT_Stream_Read( stream, (FT_Byte*)strings, string_size );
diff --git a/freetype-2.4.4-CVE-2012-1131.patch b/freetype-2.4.4-CVE-2012-1131.patch
new file mode 100644
index 0000000..808ef58
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1131.patch
@@ -0,0 +1,47 @@
+--- freetype-2.4.4/src/smooth/ftsmooth.c	2010-08-10 02:47:47.000000000 +0200
++++ freetype-2.4.4/src/smooth/ftsmooth.c	2012-03-28 15:21:42.000000000 +0200
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    Anti-aliasing renderer interface (body).                             */
+ /*                                                                         */
+-/*  Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2009, 2010 by       */
++/*  Copyright 2000-2006, 2009-2012 by                                      */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -105,7 +105,7 @@
+     FT_Error     error;
+     FT_Outline*  outline = NULL;
+     FT_BBox      cbox;
+-    FT_UInt      width, height, height_org, width_org, pitch;
++    FT_Pos       width, height, height_org, width_org, pitch;
+     FT_Bitmap*   bitmap;
+     FT_Memory    memory;
+     FT_Int       hmul = mode == FT_RENDER_MODE_LCD;
+@@ -148,7 +148,7 @@
+       return Smooth_Err_Raster_Overflow;
+     }
+     else
+-      width  = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
++      width  = ( cbox.xMax - cbox.xMin ) >> 6;
+ 
+     if ( cbox.yMin < 0 && cbox.yMax > FT_INT_MAX + cbox.yMin )
+     {
+@@ -158,7 +158,7 @@
+       return Smooth_Err_Raster_Overflow;
+     }
+     else
+-      height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
++      height = ( cbox.yMax - cbox.yMin ) >> 6;
+ 
+     bitmap = &slot->bitmap;
+     memory = render->root.memory;
+@@ -218,7 +218,7 @@
+ 
+     /* Required check is ( pitch * height < FT_ULONG_MAX ),     */
+     /* but we care realistic cases only. Always pitch <= width. */
+-    if ( width > 0x7FFFU || height > 0x7FFFU )
++    if ( width > 0x7FFF || height > 0x7FFF )
+     {
+       FT_ERROR(( "ft_smooth_render_generic: glyph too large: %u x %u\n",
+                  width, height ));
diff --git a/freetype-2.4.4-CVE-2012-1132.patch b/freetype-2.4.4-CVE-2012-1132.patch
new file mode 100644
index 0000000..83b4c17
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1132.patch
@@ -0,0 +1,131 @@
+--- freetype-2.4.4/src/psaux/psobjs.c	2010-06-20 16:24:14.000000000 +0200
++++ freetype-2.4.4/src/psaux/psobjs.c	2012-03-30 15:28:11.000000000 +0200
+@@ -4,8 +4,7 @@
+ /*                                                                         */
+ /*    Auxiliary functions for PostScript fonts (body).                     */
+ /*                                                                         */
+-/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,   */
+-/*            2010 by                                                      */
++/*  Copyright 1996-2012 by                                                 */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -590,7 +589,7 @@
+     }
+ 
+   Exit:
+-    if ( cur == parser->cursor )
++    if ( cur < limit && cur == parser->cursor )
+     {
+       FT_ERROR(( "ps_parser_skip_PS_token:"
+                  " current token is `%c' which is self-delimiting\n"
+--- freetype-2.4.4/src/type1/t1load.c	2010-11-18 10:36:26.000000000 +0100
++++ freetype-2.4.4/src/type1/t1load.c	2012-03-30 15:28:57.000000000 +0200
+@@ -72,6 +72,13 @@
+ #include "t1errors.h"
+ 
+ 
++#ifdef FT_CONFIG_OPTION_INCREMENTAL
++#define IS_INCREMENTAL  ( face->root.internal->incremental_interface != 0 )
++#else
++#define IS_INCREMENTAL  0
++#endif
++
++
+   /*************************************************************************/
+   /*                                                                       */
+   /* The macro FT_COMPONENT is used in trace mode.  It is an implicit      */
+@@ -1028,7 +1035,8 @@
+   static int
+   read_binary_data( T1_Parser  parser,
+                     FT_Long*   size,
+-                    FT_Byte**  base )
++                    FT_Byte**  base,
++                    FT_Bool    incremental )
+   {
+     FT_Byte*  cur;
+     FT_Byte*  limit = parser->root.limit;
+@@ -1063,8 +1071,12 @@
+       }
+     }
+ 
+-    FT_ERROR(( "read_binary_data: invalid size field\n" ));
+-    parser->root.error = T1_Err_Invalid_File_Format;
++    if( !incremental )
++    {
++      FT_ERROR(( "read_binary_data: invalid size field\n" ));
++      parser->root.error = T1_Err_Invalid_File_Format;
++    }
++
+     return 0;
+   }
+ 
+@@ -1385,15 +1397,17 @@
+       FT_Byte*  base;
+ 
+ 
+-      /* If the next token isn't `dup' we are done. */
+-      if ( ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
++      /* If we are out of data, or if the next token isn't `dup', */
++      /* we are done.                                             */
++      if ( parser->root.cursor + 4 >= parser->root.limit          ||
++          ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
+         break;
+ 
+       T1_Skip_PS_Token( parser );       /* `dup' */
+ 
+       idx = T1_ToInt( parser );
+ 
+-      if ( !read_binary_data( parser, &size, &base ) )
++      if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
+         return;
+ 
+       /* The binary string is followed by one token, e.g. `NP' */
+@@ -1405,7 +1419,8 @@
+         return;
+       T1_Skip_Spaces  ( parser );
+ 
+-      if ( ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )
++      if ( parser->root.cursor + 4 < parser->root.limit            &&
++           ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )
+       {
+         T1_Skip_PS_Token( parser ); /* skip `put' */
+         T1_Skip_Spaces  ( parser );
+@@ -1578,7 +1593,7 @@
+         cur++;                              /* skip `/' */
+         len = parser->root.cursor - cur;
+ 
+-        if ( !read_binary_data( parser, &size, &base ) )
++        if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
+           return;
+ 
+         /* for some non-standard fonts like `Optima' which provides */
+@@ -1867,7 +1882,7 @@
+ 
+ 
+         parser->root.cursor = start_binary;
+-        if ( !read_binary_data( parser, &s, &b ) )
++        if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
+           return T1_Err_Invalid_File_Format;
+         have_integer = 0;
+       }
+@@ -1880,7 +1895,7 @@
+ 
+ 
+         parser->root.cursor = start_binary;
+-        if ( !read_binary_data( parser, &s, &b ) )
++        if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
+           return T1_Err_Invalid_File_Format;
+         have_integer = 0;
+       }
+@@ -2154,9 +2169,7 @@
+       type1->subrs_len   = loader.subrs.lengths;
+     }
+ 
+-#ifdef FT_CONFIG_OPTION_INCREMENTAL
+-    if ( !face->root.internal->incremental_interface )
+-#endif
++    if ( !IS_INCREMENTAL )
+       if ( !loader.charstrings.init )
+       {
+         FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" ));
diff --git a/freetype-2.4.4-CVE-2012-1133.patch b/freetype-2.4.4-CVE-2012-1133.patch
new file mode 100644
index 0000000..ad82b25
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1133.patch
@@ -0,0 +1,14 @@
+--- freetype-2.4.4/src/bdf/bdflib.c	2012-03-28 15:24:32.000000000 +0200
++++ freetype-2.4.4/src/bdf/bdflib.c	2012-03-28 15:25:18.000000000 +0200
+@@ -1587,6 +1587,11 @@
+ 
+       p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 );
+ 
++      /* Normalize negative encoding values.  The specification only */
++      /* allows -1, but we can be more generous here.                */
++      if ( p->glyph_enc < -1 )
++        p->glyph_enc = -1;
++
+       /* Check that the encoding is in the range [0,65536] because        */
+       /* otherwise p->have (a bitmap with static size) overflows.         */
+       if ( (size_t)p->glyph_enc >= sizeof ( p->have ) * 8 )
diff --git a/freetype-2.4.4-CVE-2012-1134.patch b/freetype-2.4.4-CVE-2012-1134.patch
new file mode 100644
index 0000000..bd72640
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1134.patch
@@ -0,0 +1,26 @@
+--- a/src/type1/t1parse.c
++++ b/src/type1/t1parse.c
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    Type 1 parser (body).                                                */
+ /*                                                                         */
+-/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008, 2009 by             */
++/*  Copyright 1996-2005, 2008, 2009, 2012 by                               */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -467,6 +467,14 @@
+     /* we now decrypt the encoded binary private dictionary */
+     psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U );
+ 
++    if ( parser->private_len < 4 )
++    {
++      FT_ERROR(( "T1_Get_Private_Dict:"
++                 " invalid private dictionary section\n" ));
++      error = T1_Err_Invalid_File_Format;
++      goto Fail;
++    }
++
+     /* replace the four random bytes at the beginning with whitespace */
+     parser->private_dict[0] = ' ';
+     parser->private_dict[1] = ' ';
diff --git a/freetype-2.4.4-CVE-2012-1135.patch b/freetype-2.4.4-CVE-2012-1135.patch
new file mode 100644
index 0000000..869b0df
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1135.patch
@@ -0,0 +1,20 @@
+--- a/src/truetype/ttinterp.c
++++ b/src/truetype/ttinterp.c
+@@ -4477,7 +4477,7 @@
+       CUR.length = opcode_length[CUR.opcode];
+       if ( CUR.length < 0 )
+       {
+-        if ( CUR.IP + 1 > CUR.codeSize )
++        if ( CUR.IP + 1 >= CUR.codeSize )
+           goto Fail_Overflow;
+         CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
+       }
+@@ -7544,7 +7544,7 @@
+ 
+       if ( ( CUR.length = opcode_length[CUR.opcode] ) < 0 )
+       {
+-        if ( CUR.IP + 1 > CUR.codeSize )
++        if ( CUR.IP + 1 >= CUR.codeSize )
+           goto LErrorCodeOverflow_;
+ 
+         CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
diff --git a/freetype-2.4.4-CVE-2012-1136.patch b/freetype-2.4.4-CVE-2012-1136.patch
new file mode 100644
index 0000000..d342d77
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1136.patch
@@ -0,0 +1,49 @@
+--- freetype-2.4.6/src/bdf/bdflib.c	2012-03-28 13:13:24.000000000 +0200
++++ freetype-2.4.6/src/bdf/bdflib.c	2012-03-28 13:15:33.000000000 +0200
+@@ -1749,12 +1749,7 @@
+     if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+-      {
+-        /* Missing ENCODING field. */
+-        FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" ));
+-        error = BDF_Err_Missing_Encoding_Field;
+-        goto Exit;
+-      }
++        goto Missing_Encoding;
+ 
+       error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
+       if ( error )
+@@ -1769,6 +1764,9 @@
+     /* Expect the DWIDTH (scalable width) field next. */
+     if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 )
+     {
++      if ( !( p->flags & _BDF_ENCODING ) )
++        goto Missing_Encoding;
++
+       error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
+       if ( error )
+         goto Exit;
+@@ -1794,6 +1792,9 @@
+     /* Expect the BBX field next. */
+     if ( ft_memcmp( line, "BBX", 3 ) == 0 )
+     {
++      if ( !( p->flags & _BDF_ENCODING ) )
++        goto Missing_Encoding;
++
+       error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
+       if ( error )
+         goto Exit;
+@@ -1893,6 +1894,12 @@
+     }
+ 
+     error = BDF_Err_Invalid_File_Format;
++    goto Exit;
++
++  Missing_Encoding:
++    /* Missing ENCODING field. */
++    FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" ));
++    error = BDF_Err_Missing_Encoding_Field;
+ 
+   Exit:
+     if ( error && ( p->flags & _BDF_GLYPH ) )
diff --git a/freetype-2.4.4-CVE-2012-1137.patch b/freetype-2.4.4-CVE-2012-1137.patch
new file mode 100644
index 0000000..fc13555
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1137.patch
@@ -0,0 +1,11 @@
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -462,7 +462,7 @@
+     if ( num_items > list->size )
+     {
+       unsigned long  oldsize = list->size; /* same as _bdf_list_t.size */
+-      unsigned long  newsize = oldsize + ( oldsize >> 1 ) + 4;
++      unsigned long  newsize = oldsize + ( oldsize >> 1 ) + 5;
+       unsigned long  bigsize = (unsigned long)( FT_INT_MAX / sizeof ( char* ) );
+       FT_Memory      memory  = list->memory;
+ 
diff --git a/freetype-2.4.4-CVE-2012-1138.patch b/freetype-2.4.4-CVE-2012-1138.patch
new file mode 100644
index 0000000..a5a798d
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1138.patch
@@ -0,0 +1,11 @@
+--- freetype-2.4.6/src/truetype/ttinterp.c	2012-03-28 13:16:19.000000000 +0200
++++ freetype-2.4.6/src/truetype/ttinterp.c	2012-03-28 13:19:39.000000000 +0200
+@@ -6223,7 +6223,7 @@
+                              TT_MulFix14( (FT_UInt32)cvt_dist,
+                                           CUR.GS.freeVector.y );
+ 
+-      CUR.zp1.cur[point] = CUR.zp0.cur[point];
++      CUR.zp1.cur[point] = CUR.zp1.org[point];
+     }
+ 
+     org_dist = CUR_Func_dualproj( &CUR.zp1.org[point],
diff --git a/freetype-2.4.4-CVE-2012-1139.patch b/freetype-2.4.4-CVE-2012-1139.patch
new file mode 100644
index 0000000..7f69100
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1139.patch
@@ -0,0 +1,33 @@
+--- freetype-2.4.6/src/bdf/bdflib.c	2012-03-28 13:24:22.000000000 +0200
++++ freetype-2.4.6/src/bdf/bdflib.c	2012-03-28 13:24:22.000000000 +0200
+@@ -791,7 +791,7 @@
+   };
+ 
+ 
+-#define isdigok( m, d )  (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
++#define isdigok( m, d )  (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
+ 
+ 
+   /* Routine to convert an ASCII string into an unsigned long integer. */
+@@ -1709,7 +1709,7 @@
+       for ( i = 0; i < nibbles; i++ )
+       {
+         c = line[i];
+-        if ( !c )
++        if ( !isdigok( hdigits, c ) )
+           break;
+         *bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] );
+         if ( i + 1 < nibbles && ( i & 1 ) )
+@@ -1732,9 +1732,9 @@
+         *bp &= nibble_mask[mask_index];
+ 
+       /* If any line has extra columns, indicate they have been removed. */
+-      if ( i == nibbles                                             &&
+-           ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
+-           !( p->flags & _BDF_GLYPH_WIDTH_CHECK )                   )
++      if ( i == nibbles                           &&
++           isdigok( hdigits, line[nibbles] )      &&
++           !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
+       {
+         FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding ));
+         p->flags       |= _BDF_GLYPH_WIDTH_CHECK;
diff --git a/freetype-2.4.4-CVE-2012-1140.patch b/freetype-2.4.4-CVE-2012-1140.patch
new file mode 100644
index 0000000..98fd254
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1140.patch
@@ -0,0 +1,53 @@
+--- a/src/psaux/psconv.c
++++ b/src/psaux/psconv.c
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    Some convenience conversions (body).                                 */
+ /*                                                                         */
+-/*  Copyright 2006, 2008, 2009 by                                          */
++/*  Copyright 2006, 2008, 2009, 2012 by                                    */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -79,7 +79,7 @@
+     FT_Bool   sign = 0;
+ 
+ 
+-    if ( p == limit || base < 2 || base > 36 )
++    if ( p >= limit || base < 2 || base > 36 )
+       return 0;
+ 
+     if ( *p == '-' || *p == '+' )
+@@ -150,7 +150,7 @@
+     FT_Bool   sign = 0;
+ 
+ 
+-    if ( p == limit )
++    if ( p >= limit )
+       return 0;
+ 
+     if ( *p == '-' || *p == '+' )
+@@ -346,7 +346,11 @@
+ 
+ #if 1
+ 
+-    p  = *cursor;
++    p = *cursor;
++
++    if ( p >= limit )
++      return 0;
++
+     if ( n > (FT_UInt)( limit - p ) )
+       n = (FT_UInt)( limit - p );
+ 
+@@ -434,6 +438,10 @@
+ #if 1
+ 
+     p = *cursor;
++
++    if ( p >= limit )
++      return 0;
++
+     if ( n > (FT_UInt)(limit - p) )
+       n = (FT_UInt)(limit - p);
+ 
diff --git a/freetype-2.4.4-CVE-2012-1141.patch b/freetype-2.4.4-CVE-2012-1141.patch
new file mode 100644
index 0000000..5b369bc
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1141.patch
@@ -0,0 +1,17 @@
+--- freetype-2.4.6/src/bdf/bdflib.c	2012-03-28 13:25:37.000000000 +0200
++++ freetype-2.4.6/src/bdf/bdflib.c	2012-03-28 13:25:37.000000000 +0200
+@@ -521,6 +521,14 @@
+ 
+     /* Initialize the list. */
+     list->used = 0;
++    if ( list->size )
++    {
++      list->field[0] = (char*)empty;
++      list->field[1] = (char*)empty;
++      list->field[2] = (char*)empty;
++      list->field[3] = (char*)empty;
++      list->field[4] = (char*)empty;
++    }
+ 
+     /* If the line is empty, then simply return. */
+     if ( linelen == 0 || line[0] == 0 )
diff --git a/freetype-2.4.4-CVE-2012-1142.patch b/freetype-2.4.4-CVE-2012-1142.patch
new file mode 100644
index 0000000..2389ee8
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1142.patch
@@ -0,0 +1,27 @@
+--- freetype-2.4.6/src/winfonts/winfnt.c	2010-09-11 08:06:45.000000000 +0200
++++ freetype-2.4.6/src/winfonts/winfnt.c	2012-03-28 13:21:18.000000000 +0200
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    FreeType font driver for Windows FNT/FON files                       */
+ /*                                                                         */
+-/*  Copyright 1996-2001, 2002, 2003, 2004, 2006, 2007, 2008, 2009, 2010 by */
++/*  Copyright 1996-2004, 2006-2012 by                                      */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*  Copyright 2003 Huw D M Davies for Codeweavers                          */
+ /*  Copyright 2007 Dmitry Timoshkov for Codeweavers                        */
+@@ -827,7 +827,14 @@
+           root->charmap = root->charmaps[0];
+       }
+ 
+-      /* setup remaining flags */
++      /* set up remaining flags */
++
++      if ( font->header.last_char < font->header.first_char )
++      {
++        FT_TRACE2(( "invalid number of glyphs\n" ));
++        error = FNT_Err_Invalid_File_Format;
++        goto Fail;
++      }
+ 
+       /* reserve one slot for the .notdef glyph at index 0 */
+       root->num_glyphs = font->header.last_char -
diff --git a/freetype-2.4.4-CVE-2012-1143.patch b/freetype-2.4.4-CVE-2012-1143.patch
new file mode 100644
index 0000000..43c3f11
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1143.patch
@@ -0,0 +1,67 @@
+--- a/src/base/ftcalc.c
++++ b/src/base/ftcalc.c
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    Arithmetic computations (body).                                      */
+ /*                                                                         */
+-/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2008 by             */
++/*  Copyright 1996-2006, 2008, 2012 by                                     */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -307,7 +307,7 @@
+       q <<= 1;
+       r  |= lo >> 31;
+ 
+-      if ( r >= (FT_UInt32)y )
++      if ( r >= y )
+       {
+         r -= y;
+         q |= 1;
+@@ -373,7 +373,7 @@
+     if ( a <= 46340L && b <= 46340L && c <= 176095L && c > 0 )
+       a = ( a * b + ( c >> 1 ) ) / c;
+ 
+-    else if ( c > 0 )
++    else if ( (FT_Int32)c > 0 )
+     {
+       FT_Int64  temp, temp2;
+ 
+@@ -412,7 +412,7 @@
+     if ( a <= 46340L && b <= 46340L && c > 0 )
+       a = a * b / c;
+ 
+-    else if ( c > 0 )
++    else if ( (FT_Int32)c > 0 )
+     {
+       FT_Int64  temp;
+ 
+@@ -544,7 +544,7 @@
+     s  = (FT_Int32)a; a = FT_ABS( a );
+     s ^= (FT_Int32)b; b = FT_ABS( b );
+ 
+-    if ( b == 0 )
++    if ( (FT_UInt32)b == 0 )
+     {
+       /* check for division by 0 */
+       q = (FT_UInt32)0x7FFFFFFFL;
+@@ -552,15 +552,16 @@
+     else if ( ( a >> 16 ) == 0 )
+     {
+       /* compute result directly */
+-      q = (FT_UInt32)( (a << 16) + (b >> 1) ) / (FT_UInt32)b;
++      q = (FT_UInt32)( ( a << 16 ) + ( b >> 1 ) ) / (FT_UInt32)b;
+     }
+     else
+     {
+       /* we need more bits; we have to do it by hand */
+       FT_Int64  temp, temp2;
+ 
+-      temp.hi  = (FT_Int32) (a >> 16);
+-      temp.lo  = (FT_UInt32)(a << 16);
++
++      temp.hi  = (FT_Int32) ( a >> 16 );
++      temp.lo  = (FT_UInt32)( a << 16 );
+       temp2.hi = 0;
+       temp2.lo = (FT_UInt32)( b >> 1 );
+       FT_Add64( &temp, &temp2, &temp );
diff --git a/freetype-2.4.4-CVE-2012-1144.patch b/freetype-2.4.4-CVE-2012-1144.patch
new file mode 100644
index 0000000..89ea94e
--- /dev/null
+++ b/freetype-2.4.4-CVE-2012-1144.patch
@@ -0,0 +1,22 @@
+--- a/src/truetype/ttgload.c
++++ b/src/truetype/ttgload.c
+@@ -362,14 +362,17 @@
+     if ( n_contours >= 0xFFF || p + ( n_contours + 1 ) * 2 > limit )
+       goto Invalid_Outline;
+ 
+-    prev_cont = FT_NEXT_USHORT( p );
++    prev_cont = FT_NEXT_SHORT( p );
+ 
+     if ( n_contours > 0 )
+       cont[0] = prev_cont;
+ 
++    if ( prev_cont < 0 )
++      goto Invalid_Outline;
++
+     for ( cont++; cont < cont_limit; cont++ )
+     {
+-      cont[0] = FT_NEXT_USHORT( p );
++      cont[0] = FT_NEXT_SHORT( p );
+       if ( cont[0] <= prev_cont )
+       {
+         /* unordered contours: this is invalid */
diff --git a/freetype-2.4.4-bdf-overflow.patch b/freetype-2.4.4-bdf-overflow.patch
new file mode 100644
index 0000000..53f3210
--- /dev/null
+++ b/freetype-2.4.4-bdf-overflow.patch
@@ -0,0 +1,11 @@
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -1912,7 +1912,7 @@
+       glyph->bpr   = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
+ 
+       bitmap_size = glyph->bpr * glyph->bbx.height;
+-      if ( bitmap_size > 0xFFFFU )
++      if ( glyph->bpr > 0xFFFFU || bitmap_size > 0xFFFFU )
+       {
+         FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
+         error = BDF_Err_Bbx_Too_Big;
diff --git a/freetype.spec b/freetype.spec
index ef33a49..8df5c3b 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -7,7 +7,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.4.4
-Release: 7%{?dist}
+Release: 8%{?dist}
 License: FTL or GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -31,6 +31,25 @@ Patch91:  0002-Fix-autohinting-fallback.patch
 Patch92:  freetype-2.4.4-CVE-2011-0226.patch
 Patch93:  freetype-2.4.4-CVE-2011-3256.patch
 Patch94:  freetype-2.4.4-CVE-2011-3439.patch
+Patch95:  freetype-2.4.4-CVE-2012-1126.patch
+Patch96:  freetype-2.4.4-CVE-2012-1127.patch
+Patch97:  freetype-2.4.4-CVE-2012-1128.patch
+Patch98:  freetype-2.4.4-CVE-2012-1130.patch
+Patch99:  freetype-2.4.4-CVE-2012-1131.patch
+Patch100: freetype-2.4.4-CVE-2012-1132.patch
+Patch101: freetype-2.4.4-CVE-2012-1133.patch
+Patch102: freetype-2.4.4-CVE-2012-1134.patch
+Patch103: freetype-2.4.4-CVE-2012-1135.patch
+Patch104: freetype-2.4.4-CVE-2012-1136.patch
+Patch105: freetype-2.4.4-CVE-2012-1137.patch
+Patch106: freetype-2.4.4-CVE-2012-1138.patch
+Patch107: freetype-2.4.4-CVE-2012-1139.patch
+Patch108: freetype-2.4.4-CVE-2012-1140.patch
+Patch109: freetype-2.4.4-CVE-2012-1141.patch
+Patch110: freetype-2.4.4-CVE-2012-1142.patch
+Patch111: freetype-2.4.4-CVE-2012-1143.patch
+Patch112: freetype-2.4.4-CVE-2012-1144.patch
+Patch113: freetype-2.4.4-bdf-overflow.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
@@ -97,6 +116,25 @@ popd
 %patch92 -p1 -b .CVE-2011-0226
 %patch93 -p1 -b .CVE-2011-3256
 %patch94 -p1 -b .CVE-2011-3439
+%patch95 -p1 -b .CVE-2012-1126
+%patch96 -p1 -b .CVE-2012-1127
+%patch97 -p1 -b .CVE-2012-1128
+%patch98 -p1 -b .CVE-2012-1130
+%patch99 -p1 -b .CVE-2012-1131
+%patch100 -p1 -b .CVE-2012-1132
+%patch101 -p1 -b .CVE-2012-1133
+%patch102 -p1 -b .CVE-2012-1134
+%patch103 -p1 -b .CVE-2012-1135
+%patch104 -p1 -b .CVE-2012-1136
+%patch105 -p1 -b .CVE-2012-1137
+%patch106 -p1 -b .CVE-2012-1138
+%patch107 -p1 -b .CVE-2012-1139
+%patch108 -p1 -b .CVE-2012-1140
+%patch109 -p1 -b .CVE-2012-1141
+%patch110 -p1 -b .CVE-2012-1142
+%patch111 -p1 -b .CVE-2012-1143
+%patch112 -p1 -b .CVE-2012-1144
+%patch113 -p1 -b .bdf-overflow
 
 %build
 
@@ -229,6 +267,10 @@ rm -rf $RPM_BUILD_ROOT
 %doc docs/tutorial
 
 %changelog
+* Wed Apr  4 2012 Marek Kasik <mkasik at redhat.com> 2.4.4-8
+- Fixes various CVEs
+- Resolves: #806270
+
 * Tue Nov 15 2011 Marek Kasik <mkasik at redhat.com> 2.4.4-7
 - Fix CVE-2011-3439
 - Resolves: #753837


More information about the fonts-bugs mailing list