[freetype/f16] Fix various CVEs

mkasik mkasik at fedoraproject.org
Fri Mar 30 14:31:05 UTC 2012


commit c9e0ddd5319c89cc7deb08cf8d32125e1be25dff
Author: Marek Kasik <mkasik at redhat.com>
Date:   Fri Mar 30 16:25:41 2012 +0200

    Fix various CVEs
    
    Resolves: #806270

 freetype-2.4.6-CVE-2012-1126.patch |   20 ++++++
 freetype-2.4.6-CVE-2012-1127.patch |   43 ++++++++++++
 freetype-2.4.6-CVE-2012-1128.patch |   41 +++++++++++
 freetype-2.4.6-CVE-2012-1130.patch |   22 ++++++
 freetype-2.4.6-CVE-2012-1131.patch |   50 ++++++++++++++
 freetype-2.4.6-CVE-2012-1132.patch |  130 ++++++++++++++++++++++++++++++++++++
 freetype-2.4.6-CVE-2012-1133.patch |   14 ++++
 freetype-2.4.6-CVE-2012-1134.patch |   26 +++++++
 freetype-2.4.6-CVE-2012-1135.patch |   20 ++++++
 freetype-2.4.6-CVE-2012-1136.patch |   49 ++++++++++++++
 freetype-2.4.6-CVE-2012-1137.patch |   11 +++
 freetype-2.4.6-CVE-2012-1138.patch |   11 +++
 freetype-2.4.6-CVE-2012-1139.patch |   33 +++++++++
 freetype-2.4.6-CVE-2012-1140.patch |   53 +++++++++++++++
 freetype-2.4.6-CVE-2012-1141.patch |   17 +++++
 freetype-2.4.6-CVE-2012-1142.patch |   27 ++++++++
 freetype-2.4.6-CVE-2012-1143.patch |   67 ++++++++++++++++++
 freetype-2.4.6-CVE-2012-1144.patch |   22 ++++++
 freetype-2.4.6-bdf-overflow.patch  |   11 +++
 freetype.spec                      |   44 ++++++++++++-
 20 files changed, 710 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.4.6-CVE-2012-1126.patch b/freetype-2.4.6-CVE-2012-1126.patch
new file mode 100644
index 0000000..2279119
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1126.patch
@@ -0,0 +1,20 @@
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -1,6 +1,6 @@
+ /*
+  * Copyright 2000 Computing Research Labs, New Mexico State University
+- * Copyright 2001-2011
++ * Copyright 2001-2012
+  *   Francesco Zappa Nardelli
+  *
+  * Permission is hereby granted, free of charge, to any person obtaining a
+@@ -1254,7 +1254,8 @@
+     ep = line + linelen;
+ 
+     /* Trim the leading whitespace if it exists. */
+-    *sp++ = 0;
++    if ( *sp )
++      *sp++ = 0;
+     while ( *sp                           &&
+             ( *sp == ' ' || *sp == '\t' ) )
+       sp++;
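Review bot: The new `if ( *sp )` guard needs a comment, because the reason for it is not visible from the surrounding lines: presumably when the keyword ends exactly on the terminating NUL, the old unconditional `*sp++ = 0` stepped `sp` past the terminator and the following whitespace loop then scanned beyond the end of `line`. I would write `/* sp may already sit on the terminating NUL; never step past it */` directly above the guard. The enclosing function starts and ends outside this hunk, so whether `line` is guaranteed to be NUL-terminated at or before `ep` cannot be confirmed here.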
diff --git a/freetype-2.4.6-CVE-2012-1127.patch b/freetype-2.4.6-CVE-2012-1127.patch
new file mode 100644
index 0000000..837ef74
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1127.patch
@@ -0,0 +1,43 @@
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -188,6 +188,7 @@
+ #define ACMSG13  "Glyph %ld extra rows removed.\n"
+ #define ACMSG14  "Glyph %ld extra columns removed.\n"
+ #define ACMSG15  "Incorrect glyph count: %ld indicated but %ld found.\n"
++#define ACMSG16  "Glyph %ld missing columns padded with zero bits.\n"
+ 
+   /* Error messages. */
+ #define ERRMSG1  "[line %ld] Missing \"%s\" line.\n"
+@@ -1725,18 +1726,31 @@
+       for ( i = 0; i < nibbles; i++ )
+       {
+         c = line[i];
++        if ( !c )
++          break;
+         *bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] );
+         if ( i + 1 < nibbles && ( i & 1 ) )
+           *++bp = 0;
+       }
+ 
++      /* If any line has not enough columns,            */
++      /* indicate they have been padded with zero bits. */
++      if ( i < nibbles                            &&
++           !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
++      {
++        FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG16, glyph->encoding ));
++        p->flags       |= _BDF_GLYPH_WIDTH_CHECK;
++        font->modified  = 1;
++      }
++
+       /* Remove possible garbage at the right. */
+       mask_index = ( glyph->bbx.width * p->font->bpp ) & 7;
+       if ( glyph->bbx.width )
+         *bp &= nibble_mask[mask_index];
+ 
+       /* If any line has extra columns, indicate they have been removed. */
+-      if ( ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
++      if ( i == nibbles                                             &&
++           ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
+            !( p->flags & _BDF_GLYPH_WIDTH_CHECK )                   )
+       {
+         FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding ));
diff --git a/freetype-2.4.6-CVE-2012-1128.patch b/freetype-2.4.6-CVE-2012-1128.patch
new file mode 100644
index 0000000..254804c
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1128.patch
@@ -0,0 +1,41 @@
+--- a/src/truetype/ttinterp.c	2011-01-31 21:45:29.000000000 +0100
++++ b/src/truetype/ttinterp.c	2012-03-28 13:07:28.000000000 +0200
+@@ -5788,7 +5788,7 @@
+     FT_F26Dot6       dx,
+                      dy;
+ 
+-    FT_UShort        last_point, i;
++    FT_UShort        limit, i;
+ 
+ 
+     if ( BOUNDS( args[0], 2 ) )
+@@ -5805,24 +5805,15 @@
+     /*      Twilight zone has no contours, so use `n_points'.   */
+     /*      Normal zone's `n_points' includes phantoms, so must */
+     /*      use end of last contour.                            */
+-    if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
+-      last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
++    if ( CUR.GS.gep2 == 0 )
++      limit = (FT_UShort)CUR.zp2.n_points;
+     else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
+-    {
+-      last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
+-
+-      if ( BOUNDS( last_point, CUR.zp2.n_points ) )
+-      {
+-        if ( CUR.pedantic_hinting )
+-          CUR.error = TT_Err_Invalid_Reference;
+-        return;
+-      }
+-    }
++      limit = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] + 1 );
+     else
+-      last_point = 0;
++      limit = 0;
+ 
+     /* XXX: UNDOCUMENTED! SHZ doesn't touch the points */
+-    for ( i = 0; i <= last_point; i++ )
++    for ( i = 0; i < limit; i++ )
+     {
+       if ( zp.cur != CUR.zp2.cur || refp != i )
+         MOVE_Zp2_Point( i, dx, dy, FALSE );
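Review bot: The rewritten `gep2 == 1` branch, `limit = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] + 1 );`, drops the `BOUNDS( last_point, CUR.zp2.n_points )` check the removed lines had, so the loop now trusts the last contour end point to lie inside `zp2.cur`/`zp2.org`. If the glyph loader already rejects contour end points at or beyond `n_points` for the glyph zone this is safe, but that invariant is established elsewhere and should be stated in a comment here; otherwise keep the check as `if ( limit > CUR.zp2.n_points ) { if ( CUR.pedantic_hinting ) CUR.error = TT_Err_Invalid_Reference; return; }` before the loop. The `(FT_UShort)` cast would also truncate silently if the end point plus one ever exceeded 65535. The enclosing instruction handler continues outside the hunk.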
diff --git a/freetype-2.4.6-CVE-2012-1130.patch b/freetype-2.4.6-CVE-2012-1130.patch
new file mode 100644
index 0000000..aa7d40d
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1130.patch
@@ -0,0 +1,22 @@
+--- a/src/pcf/pcfread.c
++++ b/src/pcf/pcfread.c
+@@ -2,8 +2,7 @@
+ 
+     FreeType font driver for pcf fonts
+ 
+-  Copyright 2000, 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009,
+-            2010 by
++  Copyright 2000-2010, 2012 by
+   Francesco Zappa Nardelli
+ 
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+@@ -496,7 +495,8 @@ THE SOFTWARE.
+       goto Bail;
+     }
+ 
+-    if ( FT_NEW_ARRAY( strings, string_size ) )
++    /* allocate one more byte so that we have a final null byte */
++    if ( FT_NEW_ARRAY( strings, string_size + 1 ) )
+       goto Bail;
+ 
+     error = FT_Stream_Read( stream, (FT_Byte*)strings, string_size );
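Review bot: The terminating byte the new `string_size + 1` allocation provides is never written explicitly in this hunk; `FT_Stream_Read` fills only `string_size` bytes, so the code relies on `FT_NEW_ARRAY` zero-filling the buffer. That dependency should be spelled out, e.g. `/* allocate one more byte (zero-filled by FT_NEW_ARRAY) so that strings is always NUL-terminated */`, or made explicit with `strings[string_size] = '\0';` once the read has succeeded. If `string_size` comes straight from the file and the check that ends in the `goto Bail` just above does not bound it, `string_size + 1` could also wrap for the maximum value; the enclosing function starts and ends outside this hunk, so that cannot be confirmed here.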
diff --git a/freetype-2.4.6-CVE-2012-1131.patch b/freetype-2.4.6-CVE-2012-1131.patch
new file mode 100644
index 0000000..9c72b07
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1131.patch
@@ -0,0 +1,50 @@
+--- a/src/smooth/ftsmooth.c
++++ b/src/smooth/ftsmooth.c
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    Anti-aliasing renderer interface (body).                             */
+ /*                                                                         */
+-/*  Copyright 2000-2006, 2009-2011 by                                      */
++/*  Copyright 2000-2006, 2009-2012 by                                      */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -105,9 +105,9 @@
+     FT_Error     error;
+     FT_Outline*  outline = NULL;
+     FT_BBox      cbox;
+-    FT_UInt      width, height, pitch;
++    FT_Pos       width, height, pitch;
+ #ifndef FT_CONFIG_OPTION_SUBPIXEL_RENDERING
+-    FT_UInt      height_org, width_org;
++    FT_Pos       height_org, width_org;
+ #endif
+     FT_Bitmap*   bitmap;
+     FT_Memory    memory;
+@@ -151,7 +151,7 @@
+       return Smooth_Err_Raster_Overflow;
+     }
+     else
+-      width  = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 );
++      width  = ( cbox.xMax - cbox.xMin ) >> 6;
+ 
+     if ( cbox.yMin < 0 && cbox.yMax > FT_INT_MAX + cbox.yMin )
+     {
+@@ -161,7 +161,7 @@
+       return Smooth_Err_Raster_Overflow;
+     }
+     else
+-      height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 );
++      height = ( cbox.yMax - cbox.yMin ) >> 6;
+ 
+     bitmap = &slot->bitmap;
+     memory = render->root.memory;
+@@ -223,7 +223,7 @@
+ 
+     /* Required check is ( pitch * height < FT_ULONG_MAX ),     */
+     /* but we care realistic cases only. Always pitch <= width. */
+-    if ( width > 0x7FFFU || height > 0x7FFFU )
++    if ( width > 0x7FFF || height > 0x7FFF )
+     {
+       FT_ERROR(( "ft_smooth_render_generic: glyph too large: %u x %u\n",
+                  width, height ));
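Review bot: After `width` and `height` become `FT_Pos`, the `FT_ERROR` call at the end of the hunk still prints them with `%u`, which no longer matches the signed long arguments and is undefined behaviour in builds where `FT_ERROR` expands to a real printf. Change the format to `"ft_smooth_render_generic: glyph too large: %ld x %ld\n"`. `pitch` changes type in the same way and its uses lie outside this hunk, so any format string or unsigned comparison on it deserves the same check.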
diff --git a/freetype-2.4.6-CVE-2012-1132.patch b/freetype-2.4.6-CVE-2012-1132.patch
new file mode 100644
index 0000000..069295a
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1132.patch
@@ -0,0 +1,130 @@
+--- freetype-2.4.8/src/psaux/psobjs.c	2011-04-13 13:34:22.000000000 +0200
++++ freetype-2.4.8/src/psaux/psobjs.c	2012-03-30 14:35:25.000000000 +0200
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    Auxiliary functions for PostScript fonts (body).                     */
+ /*                                                                         */
+-/*  Copyright 1996-2011 by                                                 */
++/*  Copyright 1996-2012 by                                                 */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -589,7 +589,7 @@
+     }
+ 
+   Exit:
+-    if ( cur == parser->cursor )
++    if ( cur < limit && cur == parser->cursor )
+     {
+       FT_ERROR(( "ps_parser_skip_PS_token:"
+                  " current token is `%c' which is self-delimiting\n"
+--- freetype-2.4.8/src/type1/t1load.c	2011-09-27 14:34:40.000000000 +0200
++++ freetype-2.4.8/src/type1/t1load.c	2012-03-30 14:35:57.000000000 +0200
+@@ -71,6 +71,13 @@
+ #include "t1errors.h"
+ 
+ 
++#ifdef FT_CONFIG_OPTION_INCREMENTAL
++#define IS_INCREMENTAL  ( face->root.internal->incremental_interface != 0 )
++#else
++#define IS_INCREMENTAL  0
++#endif
++
++
+   /*************************************************************************/
+   /*                                                                       */
+   /* The macro FT_COMPONENT is used in trace mode.  It is an implicit      */
+@@ -1030,7 +1037,8 @@
+   static int
+   read_binary_data( T1_Parser  parser,
+                     FT_Long*   size,
+-                    FT_Byte**  base )
++                    FT_Byte**  base,
++                    FT_Bool    incremental )
+   {
+     FT_Byte*  cur;
+     FT_Byte*  limit = parser->root.limit;
+@@ -1065,8 +1073,12 @@
+       }
+     }
+ 
+-    FT_ERROR(( "read_binary_data: invalid size field\n" ));
+-    parser->root.error = T1_Err_Invalid_File_Format;
++    if( !incremental )
++    {
++      FT_ERROR(( "read_binary_data: invalid size field\n" ));
++      parser->root.error = T1_Err_Invalid_File_Format;
++    }
++
+     return 0;
+   }
+ 
+@@ -1387,15 +1399,17 @@
+       FT_Byte*  base;
+ 
+ 
+-      /* If the next token isn't `dup' we are done. */
+-      if ( ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
++      /* If we are out of data, or if the next token isn't `dup', */
++      /* we are done.                                             */
++      if ( parser->root.cursor + 4 >= parser->root.limit          ||
++          ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
+         break;
+ 
+       T1_Skip_PS_Token( parser );       /* `dup' */
+ 
+       idx = T1_ToInt( parser );
+ 
+-      if ( !read_binary_data( parser, &size, &base ) )
++      if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
+         return;
+ 
+       /* The binary string is followed by one token, e.g. `NP' */
+@@ -1407,7 +1421,8 @@
+         return;
+       T1_Skip_Spaces  ( parser );
+ 
+-      if ( ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )
++      if ( parser->root.cursor + 4 < parser->root.limit            &&
++           ft_strncmp( (char*)parser->root.cursor, "put", 3 ) == 0 )
+       {
+         T1_Skip_PS_Token( parser ); /* skip `put' */
+         T1_Skip_Spaces  ( parser );
+@@ -1580,7 +1595,7 @@
+         cur++;                              /* skip `/' */
+         len = parser->root.cursor - cur;
+ 
+-        if ( !read_binary_data( parser, &size, &base ) )
++        if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
+           return;
+ 
+         /* for some non-standard fonts like `Optima' which provides */
+@@ -1869,7 +1884,7 @@
+ 
+ 
+         parser->root.cursor = start_binary;
+-        if ( !read_binary_data( parser, &s, &b ) )
++        if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
+           return T1_Err_Invalid_File_Format;
+         have_integer = 0;
+       }
+@@ -1882,7 +1897,7 @@
+ 
+ 
+         parser->root.cursor = start_binary;
+-        if ( !read_binary_data( parser, &s, &b ) )
++        if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
+           return T1_Err_Invalid_File_Format;
+         have_integer = 0;
+       }
+@@ -2158,9 +2173,7 @@
+       type1->subrs_len   = loader.subrs.lengths;
+     }
+ 
+-#ifdef FT_CONFIG_OPTION_INCREMENTAL
+-    if ( !face->root.internal->incremental_interface )
+-#endif
++    if ( !IS_INCREMENTAL )
+       if ( !loader.charstrings.init )
+       {
+         FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" ));
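Review bot: The end-of-data guards added around the `dup` and `put` checks, `parser->root.cursor + 4 >= parser->root.limit` and `parser->root.cursor + 4 < parser->root.limit`, form a pointer that may lie beyond `limit` before comparing it, which is outside the one-past-the-end range C permits for pointer arithmetic; comparing distances avoids that: `parser->root.limit - parser->root.cursor < 4` and `parser->root.limit - parser->root.cursor >= 4`. The new `IS_INCREMENTAL` macro silently depends on a local named `face` being in scope at every use site, which is worth a line in a comment above its definition. The `if( !incremental )` in read_binary_data also departs from the file's `if ( ... )` spacing. All of the enclosing functions start and end outside the hunks shown.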
diff --git a/freetype-2.4.6-CVE-2012-1133.patch b/freetype-2.4.6-CVE-2012-1133.patch
new file mode 100644
index 0000000..6b12ac1
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1133.patch
@@ -0,0 +1,14 @@
+--- a/src/bdf/bdflib.c	2012-03-28 13:08:54.000000000 +0200
++++ b/src/bdf/bdflib.c	2012-03-28 13:12:00.000000000 +0200
+@@ -1587,6 +1587,11 @@
+ 
+       p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 );
+ 
++      /* Normalize negative encoding values.  The specification only */
++      /* allows -1, but we can be more generous here.                */
++      if ( p->glyph_enc < -1 )
++        p->glyph_enc = -1;
++
+       /* Check that the encoding is in the range [0,65536] because */
+       /* otherwise p->have (a bitmap with static size) overflows.  */
+       if ( p->glyph_enc > 0                               &&
diff --git a/freetype-2.4.6-CVE-2012-1134.patch b/freetype-2.4.6-CVE-2012-1134.patch
new file mode 100644
index 0000000..bd72640
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1134.patch
@@ -0,0 +1,26 @@
+--- a/src/type1/t1parse.c
++++ b/src/type1/t1parse.c
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    Type 1 parser (body).                                                */
+ /*                                                                         */
+-/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2008, 2009 by             */
++/*  Copyright 1996-2005, 2008, 2009, 2012 by                               */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -467,6 +467,14 @@
+     /* we now decrypt the encoded binary private dictionary */
+     psaux->t1_decrypt( parser->private_dict, parser->private_len, 55665U );
+ 
++    if ( parser->private_len < 4 )
++    {
++      FT_ERROR(( "T1_Get_Private_Dict:"
++                 " invalid private dictionary section\n" ));
++      error = T1_Err_Invalid_File_Format;
++      goto Fail;
++    }
++
+     /* replace the four random bytes at the beginning with whitespace */
+     parser->private_dict[0] = ' ';
+     parser->private_dict[1] = ' ';
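Review bot: The new `parser->private_len < 4` check runs only after `psaux->t1_decrypt` has already processed the buffer; moving the block above the decrypt call fails fast and puts the validation where a reader first meets the length. This is a pure reorder, since the decrypt takes its length from `parser->private_len` and does not depend on the check. The `Fail` label this jumps to is outside the hunk, so whether `error` is the variable reported there cannot be confirmed here.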
diff --git a/freetype-2.4.6-CVE-2012-1135.patch b/freetype-2.4.6-CVE-2012-1135.patch
new file mode 100644
index 0000000..869b0df
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1135.patch
@@ -0,0 +1,20 @@
+--- a/src/truetype/ttinterp.c
++++ b/src/truetype/ttinterp.c
+@@ -4477,7 +4477,7 @@
+       CUR.length = opcode_length[CUR.opcode];
+       if ( CUR.length < 0 )
+       {
+-        if ( CUR.IP + 1 > CUR.codeSize )
++        if ( CUR.IP + 1 >= CUR.codeSize )
+           goto Fail_Overflow;
+         CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
+       }
+@@ -7544,7 +7544,7 @@
+ 
+       if ( ( CUR.length = opcode_length[CUR.opcode] ) < 0 )
+       {
+-        if ( CUR.IP + 1 > CUR.codeSize )
++        if ( CUR.IP + 1 >= CUR.codeSize )
+           goto LErrorCodeOverflow_;
+ 
+         CUR.length = 2 - CUR.length * CUR.code[CUR.IP + 1];
diff --git a/freetype-2.4.6-CVE-2012-1136.patch b/freetype-2.4.6-CVE-2012-1136.patch
new file mode 100644
index 0000000..ea472c9
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1136.patch
@@ -0,0 +1,49 @@
+--- a/src/bdf/bdflib.c	2012-03-28 13:13:24.000000000 +0200
++++ b/src/bdf/bdflib.c	2012-03-28 13:15:33.000000000 +0200
+@@ -1749,12 +1749,7 @@
+     if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+-      {
+-        /* Missing ENCODING field. */
+-        FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" ));
+-        error = BDF_Err_Missing_Encoding_Field;
+-        goto Exit;
+-      }
++        goto Missing_Encoding;
+ 
+       error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
+       if ( error )
+@@ -1769,6 +1764,9 @@
+     /* Expect the DWIDTH (scalable width) field next. */
+     if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 )
+     {
++      if ( !( p->flags & _BDF_ENCODING ) )
++        goto Missing_Encoding;
++
+       error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
+       if ( error )
+         goto Exit;
+@@ -1794,6 +1792,9 @@
+     /* Expect the BBX field next. */
+     if ( ft_memcmp( line, "BBX", 3 ) == 0 )
+     {
++      if ( !( p->flags & _BDF_ENCODING ) )
++        goto Missing_Encoding;
++
+       error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
+       if ( error )
+         goto Exit;
+@@ -1893,6 +1894,12 @@
+     }
+ 
+     error = BDF_Err_Invalid_File_Format;
++    goto Exit;
++
++  Missing_Encoding:
++    /* Missing ENCODING field. */
++    FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENCODING" ));
++    error = BDF_Err_Missing_Encoding_Field;
+ 
+   Exit:
+     if ( error && ( p->flags & _BDF_GLYPH ) )
diff --git a/freetype-2.4.6-CVE-2012-1137.patch b/freetype-2.4.6-CVE-2012-1137.patch
new file mode 100644
index 0000000..fc13555
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1137.patch
@@ -0,0 +1,11 @@
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -462,7 +462,7 @@
+     if ( num_items > list->size )
+     {
+       unsigned long  oldsize = list->size; /* same as _bdf_list_t.size */
+-      unsigned long  newsize = oldsize + ( oldsize >> 1 ) + 4;
++      unsigned long  newsize = oldsize + ( oldsize >> 1 ) + 5;
+       unsigned long  bigsize = (unsigned long)( FT_INT_MAX / sizeof ( char* ) );
+       FT_Memory      memory  = list->memory;
+ 
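Review bot: Changing the growth constant from `+ 4` to `+ 5` leaves a magic number with no comment; the only explanation on this commit is in the CVE-2012-1141 patch, whose list-initialisation code writes `list->field[0]` through `list->field[4]` whenever `list->size` is non-zero and therefore needs every non-empty list to hold at least five slots. That invariant belongs next to the number, e.g. `/* at least 5 slots: the list initialisation fills field[0..4] whenever size != 0 */`. The enclosing function starts and ends outside this hunk.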
diff --git a/freetype-2.4.6-CVE-2012-1138.patch b/freetype-2.4.6-CVE-2012-1138.patch
new file mode 100644
index 0000000..33fe926
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1138.patch
@@ -0,0 +1,11 @@
+--- a/src/truetype/ttinterp.c	2012-03-28 13:16:19.000000000 +0200
++++ b/src/truetype/ttinterp.c	2012-03-28 13:19:39.000000000 +0200
+@@ -6223,7 +6223,7 @@
+                              TT_MulFix14( (FT_UInt32)cvt_dist,
+                                           CUR.GS.freeVector.y );
+ 
+-      CUR.zp1.cur[point] = CUR.zp0.cur[point];
++      CUR.zp1.cur[point] = CUR.zp1.org[point];
+     }
+ 
+     org_dist = CUR_Func_dualproj( &CUR.zp1.org[point],
diff --git a/freetype-2.4.6-CVE-2012-1139.patch b/freetype-2.4.6-CVE-2012-1139.patch
new file mode 100644
index 0000000..e0be94c
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1139.patch
@@ -0,0 +1,33 @@
+--- a/src/bdf/bdflib.c	2012-03-28 13:24:22.000000000 +0200
++++ b/src/bdf/bdflib.c	2012-03-28 13:24:22.000000000 +0200
+@@ -791,7 +791,7 @@
+   };
+ 
+ 
+-#define isdigok( m, d )  (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
++#define isdigok( m, d )  (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
+ 
+ 
+   /* Routine to convert an ASCII string into an unsigned long integer. */
+@@ -1709,7 +1709,7 @@
+       for ( i = 0; i < nibbles; i++ )
+       {
+         c = line[i];
+-        if ( !c )
++        if ( !isdigok( hdigits, c ) )
+           break;
+         *bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] );
+         if ( i + 1 < nibbles && ( i & 1 ) )
+@@ -1732,9 +1732,9 @@
+         *bp &= nibble_mask[mask_index];
+ 
+       /* If any line has extra columns, indicate they have been removed. */
+-      if ( i == nibbles                                             &&
+-           ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
+-           !( p->flags & _BDF_GLYPH_WIDTH_CHECK )                   )
++      if ( i == nibbles                           &&
++           isdigok( hdigits, line[nibbles] )      &&
++           !( p->flags & _BDF_GLYPH_WIDTH_CHECK ) )
+       {
+         FT_TRACE2(( "_bdf_parse_glyphs: " ACMSG14, glyph->encoding ));
+         p->flags       |= _BDF_GLYPH_WIDTH_CHECK;
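Review bot: The `isdigok` macro now casts `d` to `unsigned char` for the byte index but still uses the raw `(d) & 7` for the bit position, so a negative `char` goes through two different conversions; cast in both places so the intent is obvious: `#define isdigok( m, d )  (m[(unsigned char)(d) >> 3] & ( 1 << ( (unsigned char)(d) & 7 ) ) )`. The macro also evaluates `d` twice, which is harmless for the plain lvalues used here but deserves a note on the definition. Assuming `hdigits` marks only hex-digit characters, the new `break` condition in the nibble loop then guarantees that `a2i[c]` is indexed with a non-negative value, which is the property the loop relies on.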
diff --git a/freetype-2.4.6-CVE-2012-1140.patch b/freetype-2.4.6-CVE-2012-1140.patch
new file mode 100644
index 0000000..98fd254
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1140.patch
@@ -0,0 +1,53 @@
+--- a/src/psaux/psconv.c
++++ b/src/psaux/psconv.c
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    Some convenience conversions (body).                                 */
+ /*                                                                         */
+-/*  Copyright 2006, 2008, 2009 by                                          */
++/*  Copyright 2006, 2008, 2009, 2012 by                                    */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -79,7 +79,7 @@
+     FT_Bool   sign = 0;
+ 
+ 
+-    if ( p == limit || base < 2 || base > 36 )
++    if ( p >= limit || base < 2 || base > 36 )
+       return 0;
+ 
+     if ( *p == '-' || *p == '+' )
+@@ -150,7 +150,7 @@
+     FT_Bool   sign = 0;
+ 
+ 
+-    if ( p == limit )
++    if ( p >= limit )
+       return 0;
+ 
+     if ( *p == '-' || *p == '+' )
+@@ -346,7 +346,11 @@
+ 
+ #if 1
+ 
+-    p  = *cursor;
++    p = *cursor;
++
++    if ( p >= limit )
++      return 0;
++
+     if ( n > (FT_UInt)( limit - p ) )
+       n = (FT_UInt)( limit - p );
+ 
+@@ -434,6 +438,10 @@
+ #if 1
+ 
+     p = *cursor;
++
++    if ( p >= limit )
++      return 0;
++
+     if ( n > (FT_UInt)(limit - p) )
+       n = (FT_UInt)(limit - p);
+ 
diff --git a/freetype-2.4.6-CVE-2012-1141.patch b/freetype-2.4.6-CVE-2012-1141.patch
new file mode 100644
index 0000000..aac0f52
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1141.patch
@@ -0,0 +1,17 @@
+--- a/src/bdf/bdflib.c	2012-03-28 13:25:37.000000000 +0200
++++ b/src/bdf/bdflib.c	2012-03-28 13:25:37.000000000 +0200
+@@ -521,6 +521,14 @@
+ 
+     /* Initialize the list. */
+     list->used = 0;
++    if ( list->size )
++    {
++      list->field[0] = (char*)empty;
++      list->field[1] = (char*)empty;
++      list->field[2] = (char*)empty;
++      list->field[3] = (char*)empty;
++      list->field[4] = (char*)empty;
++    }
+ 
+     /* If the line is empty, then simply return. */
+     if ( linelen == 0 || line[0] == 0 )
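Review bot: The new initialisation writes `list->field[0]` through `list->field[4]` whenever `list->size` is non-zero, but the guard checks only for non-zero, not for at least five slots; it is correct only because the growth rule in the CVE-2012-1137 patch (`newsize = oldsize + ( oldsize >> 1 ) + 5`) makes every non-empty list hold at least five entries. That cross-function invariant should be visible here, e.g. `/* size is either 0 or >= 5, see the growth rule in the list allocator */`, and a short loop over the five indices would replace the repeated lines. The enclosing function starts and ends outside this hunk.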
diff --git a/freetype-2.4.6-CVE-2012-1142.patch b/freetype-2.4.6-CVE-2012-1142.patch
new file mode 100644
index 0000000..8035837
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1142.patch
@@ -0,0 +1,27 @@
+--- a/src/winfonts/winfnt.c	2010-09-11 08:06:45.000000000 +0200
++++ b/src/winfonts/winfnt.c	2012-03-28 13:21:18.000000000 +0200
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    FreeType font driver for Windows FNT/FON files                       */
+ /*                                                                         */
+-/*  Copyright 1996-2001, 2002, 2003, 2004, 2006, 2007, 2008, 2009, 2010 by */
++/*  Copyright 1996-2004, 2006-2012 by                                      */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*  Copyright 2003 Huw D M Davies for Codeweavers                          */
+ /*  Copyright 2007 Dmitry Timoshkov for Codeweavers                        */
+@@ -827,7 +827,14 @@
+           root->charmap = root->charmaps[0];
+       }
+ 
+-      /* setup remaining flags */
++      /* set up remaining flags */
++
++      if ( font->header.last_char < font->header.first_char )
++      {
++        FT_TRACE2(( "invalid number of glyphs\n" ));
++        error = FNT_Err_Invalid_File_Format;
++        goto Fail;
++      }
+ 
+       /* reserve one slot for the .notdef glyph at index 0 */
+       root->num_glyphs = font->header.last_char -
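Review bot: The new `last_char < first_char` rejection logs through `FT_TRACE2`, whereas the comparable malformed-file checks in this commit (for example the private-dictionary check in the CVE-2012-1134 patch) use `FT_ERROR` prefixed with the function name; since the branch returns `FNT_Err_Invalid_File_Format`, the message is an error rather than a trace. I would write `FT_ERROR(( "<enclosing function name>: invalid number of glyphs\n" ));` with the real function name filled in. The `Fail` label and the enclosing function lie outside this hunk.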
diff --git a/freetype-2.4.6-CVE-2012-1143.patch b/freetype-2.4.6-CVE-2012-1143.patch
new file mode 100644
index 0000000..43c3f11
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1143.patch
@@ -0,0 +1,67 @@
+--- a/src/base/ftcalc.c
++++ b/src/base/ftcalc.c
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    Arithmetic computations (body).                                      */
+ /*                                                                         */
+-/*  Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2008 by             */
++/*  Copyright 1996-2006, 2008, 2012 by                                     */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -307,7 +307,7 @@
+       q <<= 1;
+       r  |= lo >> 31;
+ 
+-      if ( r >= (FT_UInt32)y )
++      if ( r >= y )
+       {
+         r -= y;
+         q |= 1;
+@@ -373,7 +373,7 @@
+     if ( a <= 46340L && b <= 46340L && c <= 176095L && c > 0 )
+       a = ( a * b + ( c >> 1 ) ) / c;
+ 
+-    else if ( c > 0 )
++    else if ( (FT_Int32)c > 0 )
+     {
+       FT_Int64  temp, temp2;
+ 
+@@ -412,7 +412,7 @@
+     if ( a <= 46340L && b <= 46340L && c > 0 )
+       a = a * b / c;
+ 
+-    else if ( c > 0 )
++    else if ( (FT_Int32)c > 0 )
+     {
+       FT_Int64  temp;
+ 
+@@ -544,7 +544,7 @@
+     s  = (FT_Int32)a; a = FT_ABS( a );
+     s ^= (FT_Int32)b; b = FT_ABS( b );
+ 
+-    if ( b == 0 )
++    if ( (FT_UInt32)b == 0 )
+     {
+       /* check for division by 0 */
+       q = (FT_UInt32)0x7FFFFFFFL;
+@@ -552,15 +552,16 @@
+     else if ( ( a >> 16 ) == 0 )
+     {
+       /* compute result directly */
+-      q = (FT_UInt32)( (a << 16) + (b >> 1) ) / (FT_UInt32)b;
++      q = (FT_UInt32)( ( a << 16 ) + ( b >> 1 ) ) / (FT_UInt32)b;
+     }
+     else
+     {
+       /* we need more bits; we have to do it by hand */
+       FT_Int64  temp, temp2;
+ 
+-      temp.hi  = (FT_Int32) (a >> 16);
+-      temp.lo  = (FT_UInt32)(a << 16);
++
++      temp.hi  = (FT_Int32) ( a >> 16 );
++      temp.lo  = (FT_UInt32)( a << 16 );
+       temp2.hi = 0;
+       temp2.lo = (FT_UInt32)( b >> 1 );
+       FT_Add64( &temp, &temp2, &temp );
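Review bot: The added `(FT_Int32)c > 0` in the two `else if` branches and the `(FT_UInt32)b == 0` test silently truncate to 32 bits on platforms where `long` is 64 bits, so a `c` above 0x7FFFFFFF now takes the fall-through path and a `b` that is a non-zero multiple of 2^32 is treated as a division by zero; if that is the intent (values outside 32 bits are out of range for the 64-bit emulation that follows), each site needs a comment such as `/* values that do not fit in 32 bits are treated as overflow */`. Since the same cast appears three times, one comment at the first site naming the others would avoid repeating the explanation. The enclosing functions all start and end outside the hunk, so the declared types of `a`, `b` and `c` are inferred from the casts rather than confirmed.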
diff --git a/freetype-2.4.6-CVE-2012-1144.patch b/freetype-2.4.6-CVE-2012-1144.patch
new file mode 100644
index 0000000..89ea94e
--- /dev/null
+++ b/freetype-2.4.6-CVE-2012-1144.patch
@@ -0,0 +1,22 @@
+--- a/src/truetype/ttgload.c
++++ b/src/truetype/ttgload.c
+@@ -362,14 +362,17 @@
+     if ( n_contours >= 0xFFF || p + ( n_contours + 1 ) * 2 > limit )
+       goto Invalid_Outline;
+ 
+-    prev_cont = FT_NEXT_USHORT( p );
++    prev_cont = FT_NEXT_SHORT( p );
+ 
+     if ( n_contours > 0 )
+       cont[0] = prev_cont;
+ 
++    if ( prev_cont < 0 )
++      goto Invalid_Outline;
++
+     for ( cont++; cont < cont_limit; cont++ )
+     {
+-      cont[0] = FT_NEXT_USHORT( p );
++      cont[0] = FT_NEXT_SHORT( p );
+       if ( cont[0] <= prev_cont )
+       {
+         /* unordered contours: this is invalid */
diff --git a/freetype-2.4.6-bdf-overflow.patch b/freetype-2.4.6-bdf-overflow.patch
new file mode 100644
index 0000000..53f3210
--- /dev/null
+++ b/freetype-2.4.6-bdf-overflow.patch
@@ -0,0 +1,11 @@
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -1912,7 +1912,7 @@
+       glyph->bpr   = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
+ 
+       bitmap_size = glyph->bpr * glyph->bbx.height;
+-      if ( bitmap_size > 0xFFFFU )
++      if ( glyph->bpr > 0xFFFFU || bitmap_size > 0xFFFFU )
+       {
+         FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
+         error = BDF_Err_Bbx_Too_Big;
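Review bot: The new `glyph->bpr > 0xFFFFU` test bounds one factor, but `bitmap_size = glyph->bpr * glyph->bbx.height` on the line above is still evaluated before anything checks `bbx.height`, so a large height can wrap the product before the `bitmap_size > 0xFFFFU` comparison sees it (constructed example on a 32-bit `unsigned long`: `bpr` 0x8000 times height 0x20000 is 2^48, which wraps to 0). Bounding the height with the same limit, or testing `glyph->bbx.height > 0xFFFFU / glyph->bpr` for non-zero `bpr` before the multiplication, closes that gap. The types of `bpr`, `bbx.height` and `bitmap_size` are declared outside this hunk, so the exact wrap threshold is inferred.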
diff --git a/freetype.spec b/freetype.spec
index d958397..5c154c1 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -7,7 +7,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.4.6
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: FTL or GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -28,6 +28,25 @@ Patch88:  freetype-multilib.patch
 Patch89:  freetype-2.4.2-CVE-2010-3311.patch
 Patch90:  freetype-2.4.6-CVE-2011-3256.patch
 Patch91:  freetype-2.4.6-CVE-2011-3439.patch
+Patch92:  freetype-2.4.6-CVE-2012-1126.patch
+Patch93:  freetype-2.4.6-CVE-2012-1127.patch
+Patch94:  freetype-2.4.6-CVE-2012-1128.patch
+Patch95:  freetype-2.4.6-CVE-2012-1130.patch
+Patch96:  freetype-2.4.6-CVE-2012-1131.patch
+Patch97:  freetype-2.4.6-CVE-2012-1132.patch
+Patch98:  freetype-2.4.6-CVE-2012-1133.patch
+Patch99:  freetype-2.4.6-CVE-2012-1134.patch
+Patch100: freetype-2.4.6-CVE-2012-1135.patch
+Patch101: freetype-2.4.6-CVE-2012-1136.patch
+Patch102: freetype-2.4.6-CVE-2012-1137.patch
+Patch103: freetype-2.4.6-CVE-2012-1138.patch
+Patch104: freetype-2.4.6-CVE-2012-1139.patch
+Patch105: freetype-2.4.6-CVE-2012-1140.patch
+Patch106: freetype-2.4.6-CVE-2012-1141.patch
+Patch107: freetype-2.4.6-CVE-2012-1142.patch
+Patch108: freetype-2.4.6-CVE-2012-1143.patch
+Patch109: freetype-2.4.6-CVE-2012-1144.patch
+Patch110: freetype-2.4.6-bdf-overflow.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
@@ -91,6 +110,25 @@ popd
 %patch89 -p1 -b .CVE-2010-3311
 %patch90 -p1 -b .CVE-2011-3256
 %patch91 -p1 -b .CVE-2011-3439
+%patch92 -p1 -b .CVE-2012-1126
+%patch93 -p1 -b .CVE-2012-1127
+%patch94 -p1 -b .CVE-2012-1128
+%patch95 -p1 -b .CVE-2012-1130
+%patch96 -p1 -b .CVE-2012-1131
+%patch97 -p1 -b .CVE-2012-1132
+%patch98 -p1 -b .CVE-2012-1133
+%patch99 -p1 -b .CVE-2012-1134
+%patch100 -p1 -b .CVE-2012-1135
+%patch101 -p1 -b .CVE-2012-1136
+%patch102 -p1 -b .CVE-2012-1137
+%patch103 -p1 -b .CVE-2012-1138
+%patch104 -p1 -b .CVE-2012-1139
+%patch105 -p1 -b .CVE-2012-1140
+%patch106 -p1 -b .CVE-2012-1141
+%patch107 -p1 -b .CVE-2012-1142
+%patch108 -p1 -b .CVE-2012-1143
+%patch109 -p1 -b .CVE-2012-1144
+%patch110 -p1 -b .bdf-overflow
 
 %build
 
@@ -223,6 +261,10 @@ rm -rf $RPM_BUILD_ROOT
 %doc docs/tutorial
 
 %changelog
+* Fri Mar 30 2012 Marek Kasik <mkasik at redhat.com> 2.4.6-5
+- Fixes various CVEs
+- Resolves: #806270
+
 * Tue Nov 15 2011 Marek Kasik <mkasik at redhat.com> 2.4.6-4
 - Fix CVE-2011-3439
 - Resolves: #753837

