[freetype] Update to 2.4.9

mkasik mkasik at fedoraproject.org
Fri Mar 30 14:30:04 UTC 2012


commit e50e9306ffb73658d49547aee3048c46fd614547
Author: Marek Kasik <mkasik at redhat.com>
Date:   Fri Mar 30 16:29:22 2012 +0200

    Update to 2.4.9
    
    Fixes various CVEs
    Resolves: #806270, #802933

 .gitignore                                 |    3 +
 freetype-2.4.9-CVE-2012-1139.patch         |   11 ++++
 freetype-2.4.9-CVE-2012-1141.patch         |   10 +++
 freetype-2.4.9-incremental-interface.patch |   88 ++++++++++++++++++++++++++++
 freetype-2.4.9-loop-exit-condition.patch   |   16 +++++
 freetype.spec                              |   22 ++++++-
 sources                                    |    6 +-
 7 files changed, 151 insertions(+), 5 deletions(-)
---
diff --git a/.gitignore b/.gitignore
index e1f5eb2..15d9d9f 100644
--- a/.gitignore
+++ b/.gitignore
@@ -22,3 +22,6 @@ ft2demos-2.4.2.tar.bz2
 /freetype-2.4.8.tar.bz2
 /freetype-doc-2.4.8.tar.bz2
 /ft2demos-2.4.8.tar.bz2
+/freetype-2.4.9.tar.bz2
+/freetype-doc-2.4.9.tar.bz2
+/ft2demos-2.4.9.tar.bz2
diff --git a/freetype-2.4.9-CVE-2012-1139.patch b/freetype-2.4.9-CVE-2012-1139.patch
new file mode 100644
index 0000000..380b3da
--- /dev/null
+++ b/freetype-2.4.9-CVE-2012-1139.patch
@@ -0,0 +1,11 @@
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -842,7 +842,7 @@
+   };
+ 
+ 
+-#define isdigok( m, d )  (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
++#define isdigok( m, d )  (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
+ 
+ 
+   /* Routine to convert an ASCII string into an unsigned long integer. */
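Review bot: The rewritten `isdigok` carries no comment saying why the index is cast, and the cast is applied to only one of the macro's two uses of `d`. Where `char` is signed, a byte of 0x80 or above is negative, so the old `(d) >> 3` could index before the start of `m`; the cast confines the index to 0..31. I would add `/* d may be a signed char; cast so bytes >= 0x80 cannot produce a negative table index */` above the macro and write the bit test as `( 1 << ( (unsigned char)(d) & 7 ) )` so both halves read the same value. The tables passed as `m` are declared outside this hunk, so confirm that each has at least 32 entries.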
diff --git a/freetype-2.4.9-CVE-2012-1141.patch b/freetype-2.4.9-CVE-2012-1141.patch
new file mode 100644
index 0000000..71ac06b
--- /dev/null
+++ b/freetype-2.4.9-CVE-2012-1141.patch
@@ -0,0 +1,10 @@
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -569,6 +569,7 @@
+       list->field[1] = (char*)empty;
+       list->field[2] = (char*)empty;
+       list->field[3] = (char*)empty;
++      list->field[4] = (char*)empty;
+     }
+ 
+     /* If the line is empty, then simply return. */
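Review bot: The initialisation of `list->field[]` is a hand-unrolled run of fixed indices, and this change extends it to index 4 without saying where that number comes from. The fix implies that some consumer reads `field[4]` on a line with fewer tokens; if that is the case, record it in a comment such as `/* callers may read up to field[4] without checking list->used */`, or replace the run with a loop over a named constant. The condition guarding this block starts outside the hunk, so it is not visible whether it guarantees at least five allocated slots before `field[4]` is written. That should be confirmed.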
diff --git a/freetype-2.4.9-incremental-interface.patch b/freetype-2.4.9-incremental-interface.patch
new file mode 100644
index 0000000..4dc741d
--- /dev/null
+++ b/freetype-2.4.9-incremental-interface.patch
@@ -0,0 +1,88 @@
+--- a/src/type1/t1load.c
++++ b/src/type1/t1load.c
+@@ -71,6 +71,13 @@
+ #include "t1errors.h"
+ 
+ 
++#ifdef FT_CONFIG_OPTION_INCREMENTAL
++#define IS_INCREMENTAL  ( face->root.internal->incremental_interface != 0 )
++#else
++#define IS_INCREMENTAL  0
++#endif
++
++
+   /*************************************************************************/
+   /*                                                                       */
+   /* The macro FT_COMPONENT is used in trace mode.  It is an implicit      */
+@@ -1030,7 +1037,8 @@
+   static int
+   read_binary_data( T1_Parser  parser,
+                     FT_Long*   size,
+-                    FT_Byte**  base )
++                    FT_Byte**  base,
++                    FT_Bool    incremental )
+   {
+     FT_Byte*  cur;
+     FT_Byte*  limit = parser->root.limit;
+@@ -1065,8 +1073,12 @@
+       }
+     }
+ 
+-    FT_ERROR(( "read_binary_data: invalid size field\n" ));
+-    parser->root.error = T1_Err_Invalid_File_Format;
++    if( !incremental )
++    {
++      FT_ERROR(( "read_binary_data: invalid size field\n" ));
++      parser->root.error = T1_Err_Invalid_File_Format;
++    }
++
+     return 0;
+   }
+ 
+@@ -1396,7 +1408,7 @@
+ 
+       idx = T1_ToInt( parser );
+ 
+-      if ( !read_binary_data( parser, &size, &base ) )
++      if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
+         return;
+ 
+       /* The binary string is followed by one token, e.g. `NP' */
+@@ -1582,7 +1594,7 @@
+         cur++;                              /* skip `/' */
+         len = parser->root.cursor - cur;
+ 
+-        if ( !read_binary_data( parser, &size, &base ) )
++        if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
+           return;
+ 
+         /* for some non-standard fonts like `Optima' which provides */
+@@ -1871,7 +1883,7 @@
+ 
+ 
+         parser->root.cursor = start_binary;
+-        if ( !read_binary_data( parser, &s, &b ) )
++        if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
+           return T1_Err_Invalid_File_Format;
+         have_integer = 0;
+       }
+@@ -1884,7 +1896,7 @@
+ 
+ 
+         parser->root.cursor = start_binary;
+-        if ( !read_binary_data( parser, &s, &b ) )
++        if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
+           return T1_Err_Invalid_File_Format;
+         have_integer = 0;
+       }
+@@ -2160,9 +2172,7 @@
+       type1->subrs_len   = loader.subrs.lengths;
+     }
+ 
+-#ifdef FT_CONFIG_OPTION_INCREMENTAL
+-    if ( !face->root.internal->incremental_interface )
+-#endif
++    if ( !IS_INCREMENTAL )
+       if ( !loader.charstrings.init )
+       {
+         FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" ));
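Review bot: With `incremental` set, `read_binary_data` now returns 0 on an invalid size field without recording anything in `parser->root.error`, and the two call sites that bail out with a bare `return;` (the `@@ -1396` and `@@ -1582` hunks) then leave no trace that parsing stopped early. The other two call sites still return `T1_Err_Invalid_File_Format` unconditionally, so the four callers disagree on whether this condition is an error in incremental mode. The new branch should carry a comment stating the intended contract, for example `/* in incremental mode a missing size field is not an error; the caller decides whether a 0 return is fatal */` if that is the intent. The silent-return callers should also be checked so that later code tolerates the tables they leave unfilled. `IS_INCREMENTAL` also expands to an expression on a variable named `face`, which must be in scope at every use, and the function bodies begin and end outside these hunks.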
diff --git a/freetype-2.4.9-loop-exit-condition.patch b/freetype-2.4.9-loop-exit-condition.patch
new file mode 100644
index 0000000..9edd4e8
--- /dev/null
+++ b/freetype-2.4.9-loop-exit-condition.patch
@@ -0,0 +1,16 @@
+--- a/src/type1/t1load.c
++++ b/src/type1/t1load.c
+@@ -1399,9 +1399,10 @@
+       FT_Byte*  base;
+ 
+ 
+-      /* If the next token isn't `dup' we are done. */
+-      if ( parser->root.cursor + 4 < parser->root.limit            &&
+-           ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
++      /* If we are out of data, or if the next token isn't `dup', */
++      /* we are done.                                             */
++      if ( parser->root.cursor + 4 >= parser->root.limit          ||
++          ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
+         break;
+ 
+       T1_Skip_PS_Token( parser );       /* `dup' */
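Review bot: The bounds test `parser->root.cursor + 4 >= parser->root.limit` forms a pointer that can lie more than one element past the end of the buffer when fewer than four bytes remain. That is undefined behaviour in C even though the pointer is never dereferenced, assuming `limit` marks the end of the parsed buffer, which the hunk does not show. Comparing the remaining length avoids it: `if ( parser->root.limit - parser->root.cursor <= 4 ||`. The continuation line with `ft_strncmp` is also indented one column less than the line it replaces. The enclosing loop starts and ends outside the hunk.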
diff --git a/freetype.spec b/freetype.spec
index 8435547..83f9394 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -6,8 +6,8 @@
 
 Summary: A free and portable font rendering engine
 Name: freetype
-Version: 2.4.8
-Release: 2%{?dist}
+Version: 2.4.9
+Release: 1%{?dist}
 License: FTL or GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -25,6 +25,15 @@ Patch47:  freetype-2.3.11-more-demos.patch
 # Fix multilib conflicts
 Patch88:  freetype-multilib.patch
 
+Patch89:  freetype-2.4.9-CVE-2012-1139.patch
+Patch90:  freetype-2.4.9-CVE-2012-1141.patch
+
+# https://savannah.nongnu.org/bugs/?35833
+Patch91:  freetype-2.4.9-loop-exit-condition.patch
+
+#https://savannah.nongnu.org/bugs/?35847
+Patch92:  freetype-2.4.9-incremental-interface.patch
+
 Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
 BuildRequires: libX11-devel
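Review bot: `Patch89` and `Patch90` are added without any provenance comment, while `Patch91` and `Patch92` each carry a link to the upstream bug. For security fixes a reader needs to know whether the patch is an upstream backport or a local change, so add a comment line above each, e.g. `# <upstream commit or bug URL for CVE-2012-1139>`. The comment above `Patch92` is also missing the space after `#` that the one above `Patch91` has.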
@@ -84,6 +93,10 @@ pushd ft2demos-%{version}
 popd
 
 %patch88 -p1 -b .multilib
+%patch89 -p1 -b .CVE-2012-1139
+%patch90 -p1 -b .CVE-2012-1141
+%patch91 -p1 -b .loop-exit-condition
+%patch92 -p1 -b .incremental-interface
 
 %build
 
@@ -216,6 +229,11 @@ rm -rf $RPM_BUILD_ROOT
 %doc docs/tutorial
 
 %changelog
+* Fri Mar 30 2012 Marek Kasik <mkasik at redhat.com> 2.4.9-1
+- Update to 2.4.9
+- Fixes various CVEs
+- Resolves: #806270
+
 * Fri Jan 13 2012 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.4.8-2
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild
 
diff --git a/sources b/sources
index 0d9f9c5..5cdc1d9 100644
--- a/sources
+++ b/sources
@@ -1,3 +1,3 @@
-dbf2caca1d3afd410a29217a9809d397  freetype-2.4.8.tar.bz2
-538c925059e90be23928b454c14df728  freetype-doc-2.4.8.tar.bz2
-f44562cf0b434b6dc3488751f82d99ec  ft2demos-2.4.8.tar.bz2
+77a893dae81fd5b896632715ca041179  freetype-2.4.9.tar.bz2
+39c0881d426db837aa6ff1856e44af86  freetype-doc-2.4.9.tar.bz2
+52e6a7e7ba4fecd39562199baac6a7d2  ft2demos-2.4.9.tar.bz2

