rpms/freetype1/F-8 freetype-1.4pre-CVE-2008-1808.patch, NONE, 1.1 freetype1.spec, 1.3, 1.4
Hans de Goede (jwrdegoede)
fedora-extras-commits at redhat.com
Sat Jun 14 08:51:34 UTC 2008
Author: jwrdegoede
Update of /cvs/extras/rpms/freetype1/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5823
Modified Files:
freetype1.spec
Added Files:
freetype-1.4pre-CVE-2008-1808.patch
Log Message:
* Sat Jun 14 2008 Hans de Goede <j.w.r.degoede at hhs.nl> 1.4-0.6.pre
- Backport fixes for CVE-2008-1806, CVE-2008-1807 and CVE-2008-1808 to
freetype 1 (where applicable, bz 450773, 450774)
freetype-1.4pre-CVE-2008-1808.patch:
--- NEW FILE freetype-1.4pre-CVE-2008-1808.patch ---
diff -up freetype-1.3.1/lib/ttfile.c~ freetype-1.3.1/lib/ttfile.c
--- freetype-1.3.1/lib/ttfile.c~ 2008-06-14 09:51:56.000000000 +0200
+++ freetype-1.3.1/lib/ttfile.c 2008-06-14 09:51:56.000000000 +0200
@@ -931,6 +931,9 @@
EXPORT_FUNC
TT_Error TT_Skip_File( STREAM_ARGS Long distance )
{
+ if ( distance < 0 )
+ return TT_Err_Invalid_File_Offset;
+
return TT_Seek_File( STREAM_VARS ftell( CUR_Stream->file ) -
CUR_Stream->base + distance );
}
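Review bot: The new guard in TT_Skip_File rejects a negative `distance`, but the seek target is still computed as `ftell( CUR_Stream->file ) - CUR_Stream->base + distance` with none of its parts checked. ftell() returns -1 on failure, and a very large positive distance read from a font file could overflow the signed addition before TT_Seek_File sees the offset. Consider reading the position into a local first, `Long pos = ftell( CUR_Stream->file );`, and rejecting both cases with `if ( pos < 0 || distance > LONG_MAX - pos ) return TT_Err_Invalid_File_Offset;`. Whether TT_Seek_File itself bounds the result against the stream size is not visible in this hunk.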
diff -up freetype-1.3.1/lib/ttinterp.c~ freetype-1.3.1/lib/ttinterp.c
--- freetype-1.3.1/lib/ttinterp.c~ 2008-06-14 09:56:48.000000000 +0200
+++ freetype-1.3.1/lib/ttinterp.c 2008-06-14 09:56:48.000000000 +0200
@@ -4144,7 +4144,7 @@
/* XXX: this is probably wrong... at least it prevents memory */
/* corruption when zp2 is the twilight zone */
- if ( last_point > CUR.zp2.n_points )
+ if ( BOUNDS ( last_point , CUR.zp2.n_points ) )
{
if ( CUR.zp2.n_points > 0 )
last_point = CUR.zp2.n_points - 1;
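Review bot: The comment above the changed test still reads "this is probably wrong", although the test now treats `last_point == CUR.zp2.n_points` as out of range, which the old `>` comparison let through. The comment should state what the clamp guarantees, for example `/* clamp last_point to a valid zp2 index; an index equal to n_points is one past the end */`. BOUNDS is defined outside this hunk, so whether a negative last_point is also caught depends on how the macro compares its arguments. The block continues past the hunk, so the branch taken when n_points is 0 is not visible here.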
diff -up freetype-1.3.1/lib/ttload.c~ freetype-1.3.1/lib/ttload.c
--- freetype-1.3.1/lib/ttload.c~ 2008-06-14 09:37:02.000000000 +0200
+++ freetype-1.3.1/lib/ttload.c 2008-06-14 09:46:33.000000000 +0200
@@ -284,6 +284,12 @@
/* read frame data into face table */
maxProfile->version = GET_ULong();
+
+ if (maxProfile->version < 0x10000L)
+ {
+ PERROR(( "!! invalid file format" ));
+ return TT_Err_Invalid_File_Format;
+ }
maxProfile->numGlyphs = GET_UShort();
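Review bot: The early `return TT_Err_Invalid_File_Format;` sits in the middle of the frame reads (the `GET_ULong()`/`GET_UShort()` sequence under "read frame data into face table"), so it appears to leave the function with the frame still open. If the frame was opened with ACCESS_Frame earlier in the function, which is outside this hunk, this path should release it too by calling `FORGET_Frame();` before the return. Depending on the stream implementation, an unreleased frame on a rejected font can make later frame accesses on the same stream fail or leak the frame buffer.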
@@ -294,6 +300,14 @@
maxProfile->maxZones = GET_UShort();
maxProfile->maxTwilightPoints = GET_UShort();
+ /* we add 4 phantom points later */
+ if ( maxProfile->maxTwilightPoints > ( 0xFFFFU - 4 ) )
+ {
+ PERROR(( "Too much twilight points in `maxp' table;\n" ));
+ PERROR(( " some glyphs might be rendered incorrectly.\n" ));
+
+ maxProfile->maxTwilightPoints = 0xFFFFU - 4;
+ }
maxProfile->maxStorage = GET_UShort();
maxProfile->maxFunctionDefs = GET_UShort();
@@ -330,8 +344,10 @@
/* We also increase maxPoints and maxContours in order to support */
/* some broken fonts. */
- face->maxPoints += 8;
- face->maxContours += 4;
+ if ( face->maxPoints < ( 0xFFFFU - 8 ) )
+ face->maxPoints += 8;
+ if ( face->maxContours < ( 0xFFFFU - 4 ) )
+ face->maxContours += 4;
PTRACE2(( "GASP loaded.\n" ));
return TT_Err_Ok;
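Review bot: When `face->maxPoints` or `face->maxContours` is already close to 0xFFFF, the padding is now skipped silently, so the headroom the comment describes for broken fonts is missing for the fonts with the most extreme maxp values. Any later code that assumes the extra 8 points and 4 contours exist could then index past the allocation; that code is outside this hunk and needs checking. The strict `<` also skips the values 0xFFFF - 8 and 0xFFFF - 4, where the addition would still fit; `<=` would mirror the `>` test used for maxTwilightPoints. A short comment such as `/* skip the padding when the sum would exceed 0xFFFF */` would make the intent explicit.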
Index: freetype1.spec
===================================================================
RCS file: /cvs/extras/rpms/freetype1/F-8/freetype1.spec,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- freetype1.spec 5 Sep 2007 18:37:14 -0000 1.3
+++ freetype1.spec 14 Jun 2008 08:50:42 -0000 1.4
@@ -4,7 +4,7 @@
Name: freetype1
Version: 1.4
-Release: 0.4.pre%{?dist}
+Release: 0.6.pre%{?dist}
Summary: Free TrueType font rendering engine, compatibility version
Group: System Environment/Libraries
License: FTL
@@ -14,6 +14,7 @@
Source: http://downloads.sourceforge.net/freetype/freetype-1.3.1.tar.gz
Patch0: freetype-1.3.1-1.4pre.patch
Patch1: freetype-1.4-disable-ft1-bci.patch
+Patch2: freetype-1.4pre-CVE-2008-1808.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: zlib-devel libXt-devel gettext
@@ -59,6 +60,12 @@
%patch1 -p1 -b .disable-ft1-bci
%endif
+%patch2 -p1
+
+iconv -f ISO-8859-1 -t UTF-8 docs/i18n.txt > docs/i18n.txt.tmp
+touch -r docs/i18n.txt docs/i18n.txt.tmp
+mv docs/i18n.txt.tmp docs/i18n.txt
+
%build
# Work around code generation problem with strict-aliasing
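Review bot: The `iconv` conversion of docs/i18n.txt added after `%patch2 -p1` is unrelated to the CVE backport and is not mentioned in the changelog entry, which makes this security update harder to audit. It would be clearer as its own commit, or at least with its own changelog line such as `- Convert docs/i18n.txt to UTF-8`. `%patch2` is also applied without a `-b` suffix, unlike `%patch1 -p1 -b .disable-ft1-bci`; `%patch2 -p1 -b .CVE-2008-1808` would keep the pre-patch files for comparison.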
@@ -118,6 +125,13 @@
%changelog
+* Sat Jun 14 2008 Hans de Goede <j.w.r.degoede at hhs.nl> 1.4-0.6.pre
+- Backport fixes for CVE-2008-1806, CVE-2008-1807 and CVE-2008-1808 to
+ freetype 1 (where applicable, bz 450773, 450774)
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng at fedoraproject.org> - 1.4-0.5.pre
+- Autorebuild for GCC 4.3
+
* Wed Sep 5 2007 Hans de Goede <j.w.r.degoede at hhs.nl> 1.4-0.4.pre
- Update license tag