[freetype/f20] Fix various CVEs

mkasik mkasik at fedoraproject.org
Tue Mar 11 13:13:26 UTC 2014


commit 026a552e731c47525ca9e64bdb8242b18bf733c5
Author: Marek Kasik <mkasik at redhat.com>
Date:   Tue Mar 11 14:12:40 2014 +0100

    Fix various CVEs
    
    Add freetype-2.5.0-CVE-2014-2240.patch
      (Return when `hintMask' is invalid.)
    Add freetype-2.5.0-CVE-2014-2241.patch
      (Don't call non-existing subroutines.)
    Resolves: #1074647

 freetype-2.5.0-CVE-2014-2240.patch |   25 +++++++++++++++++
 freetype-2.5.0-CVE-2014-2241.patch |   52 ++++++++++++++++++++++++++++++++++++
 freetype.spec                      |   16 ++++++++++-
 3 files changed, 92 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.5.0-CVE-2014-2240.patch b/freetype-2.5.0-CVE-2014-2240.patch
new file mode 100644
index 0000000..d838de3
--- /dev/null
+++ b/freetype-2.5.0-CVE-2014-2240.patch
@@ -0,0 +1,25 @@
+From 0eae6eb0645264c98812f0095e0f5df4541830e6 Mon Sep 17 00:00:00 2001
+From: Dave Arnold <darnold at adobe.com>
+Date: Fri, 28 Feb 2014 06:40:01 +0000
+Subject: Fix Savannah bug #41697, part 1.
+
+* src/cff/cf2hints.c (cf2_hintmap_build): Return when `hintMask' is
+invalid.  In this case, it is not safe to use the length of
+`hStemHintArray'; the exception has already been recorded in
+`hintMask'.
+---
+diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
+index 5f44161..79f84fc 100644
+--- a/src/cff/cf2hints.c
++++ b/src/cff/cf2hints.c
+@@ -781,6 +781,8 @@
+       cf2_hintmask_setAll( hintMask,
+                            cf2_arrstack_size( hStemHintArray ) +
+                              cf2_arrstack_size( vStemHintArray ) );
++      if ( !cf2_hintmask_isValid( hintMask ) )
++          return;                   /* too many stem hints */
+     }
+ 
+     /* begin by clearing the map */
+--
+cgit v0.9.0.2
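Review bot: The early `return` added after `cf2_hintmask_setAll` leaves `cf2_hintmap_build` without clearing or populating the map, since the "begin by clearing the map" step follows it, so any caller that reads the hint map afterwards must first check the error the patch description says is recorded in `hintMask`; the hunk does not show that call-site check. If the call site does test it, a slightly fuller comment would make the contract visible where the return happens, e.g. `return;   /* too many stem hints: error already in hintMask, map left unbuilt */`. The enclosing function starts and ends outside the hunk.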
diff --git a/freetype-2.5.0-CVE-2014-2241.patch b/freetype-2.5.0-CVE-2014-2241.patch
new file mode 100644
index 0000000..3e6cd60
--- /dev/null
+++ b/freetype-2.5.0-CVE-2014-2241.patch
@@ -0,0 +1,52 @@
+From 135c3faebb96f8f550bd4f318716f2e1e095a969 Mon Sep 17 00:00:00 2001
+From: Dave Arnold <darnold at adobe.com>
+Date: Fri, 28 Feb 2014 06:42:42 +0000
+Subject: Fix Savannah bug #41697, part 2.
+
+* src/cff/cf2ft.c (cf2_initLocalRegionBuffer,
+cf2_initGlobalRegionBuffer): It is possible for a charstring to call
+a subroutine if no subroutines exist.  This is an error but should
+not trigger an assert.  Split the assert to account for this.
+---
+diff --git a/src/cff/cf2ft.c b/src/cff/cf2ft.c
+index df5f8fb..82bac75 100644
+--- a/src/cff/cf2ft.c
++++ b/src/cff/cf2ft.c
+@@ -521,7 +521,7 @@
+                               CF2_UInt      idx,
+                               CF2_Buffer    buf )
+   {
+-    FT_ASSERT( decoder && decoder->globals );
++    FT_ASSERT( decoder );
+ 
+     FT_ZERO( buf );
+ 
+@@ -529,6 +529,8 @@
+     if ( idx >= decoder->num_globals )
+       return TRUE;     /* error */
+ 
++    FT_ASSERT( decoder->globals );
++
+     buf->start =
+     buf->ptr   = decoder->globals[idx];
+     buf->end   = decoder->globals[idx + 1];
+@@ -594,7 +596,7 @@
+                              CF2_UInt      idx,
+                              CF2_Buffer    buf )
+   {
+-    FT_ASSERT( decoder && decoder->locals );
++    FT_ASSERT( decoder );
+ 
+     FT_ZERO( buf );
+ 
+@@ -602,6 +604,8 @@
+     if ( idx >= decoder->num_locals )
+       return TRUE;     /* error */
+ 
++    FT_ASSERT( decoder->locals );
++
+     buf->start =
+     buf->ptr   = decoder->locals[idx];
+     buf->end   = decoder->locals[idx + 1];
+--
+cgit v0.9.0.2
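Review bot: The relocated `FT_ASSERT( decoder->globals )` gives no protection in non-debug builds, where FreeType's FT_ASSERT expands to nothing, so the only runtime guard before `decoder->globals[idx]` is the `idx >= decoder->num_globals` check above it. That guard rejects a NULL `globals` only if `num_globals` is guaranteed to be 0 whenever no global subroutines exist, which the hunk cannot show; a one-line comment next to the bounds check would make the invariant the fix relies on explicit, e.g. `/* num_globals is 0 when there are no subrs, so this also rejects NULL globals */`. The same point applies to the `decoder->locals` hunk further down in this file. Both enclosing functions start and end outside their hunks.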
diff --git a/freetype.spec b/freetype.spec
index 74cee3c..93a8113 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -7,7 +7,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.5.0
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -35,6 +35,10 @@ Patch91:  freetype-2.5.0.1.patch
 # https://bugzilla.gnome.org/show_bug.cgi?id=686709
 Patch92:  0001-Fix-vertical-size-of-emboldened-glyphs.patch
 
+# https://bugzilla.gnome.org/show_bug.cgi?id=1074647
+Patch93:  freetype-2.5.0-CVE-2014-2240.patch
+Patch94:  freetype-2.5.0-CVE-2014-2241.patch
+
 Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
 BuildRequires: libX11-devel
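Review bot: The comment added above `Patch93` points at `https://bugzilla.gnome.org/show_bug.cgi?id=1074647`, but `#1074647` is the bug cited by `Resolves:` in this Fedora commit, which suggests a Red Hat Bugzilla id rather than a GNOME one; the line looks copied from the `Patch92` comment with only the number changed. Please verify the tracker and, if it is the Red Hat bug, change the line to `# https://bugzilla.redhat.com/show_bug.cgi?id=1074647`. Listing the advisories the patches address next to it, e.g. `# CVE-2014-2240, CVE-2014-2241`, would also let a reader map the patch lines to the fixes without opening the files.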
@@ -102,6 +106,9 @@ popd
 
 %patch92 -p1 -b .emboldened-glyphs
 
+%patch93 -p1 -b .CVE-2014-2240
+%patch94 -p1 -b .CVE-2014-2241
+
 %build
 
 %configure --disable-static
@@ -222,6 +229,13 @@ rm -rf $RPM_BUILD_ROOT
 %doc docs/tutorial
 
 %changelog
+* Tue Mar 11 2014 Marek Kasik <mkasik at redhat.com> - 2.5.0-5
+- Add freetype-2.5.0-CVE-2014-2240.patch
+    (Return when `hintMask' is invalid.)
+- Add freetype-2.5.0-CVE-2014-2241.patch
+    (Don't call non-existing subroutines.)
+- Resolves: #1074647
+
 * Fri Sep 20 2013 Marek Kasik <mkasik at redhat.com> - 2.5.0-4
 - Fix vertical size of emboldened glyphs
 

