[freetype/f13/master] Fix CVE-2010-3855

mkasik mkasik at fedoraproject.org
Mon Nov 15 10:16:13 UTC 2010


commit 6cd5de2091b6ea5277f43547ce404f9c54e269aa
Author: Marek Kasik <mkasik at redhat.com>
Date:   Mon Nov 15 10:31:26 2010 +0100

    Fix CVE-2010-3855
    
    Add freetype-2.3.11-CVE-2010-3855.patch
      (Protect against invalid `runcnt' values.)
    Resolves: #651764

 freetype-2.3.11-CVE-2010-3855.patch |   20 ++++++++++++++++++++
 freetype.spec                       |    9 ++++++++-
 2 files changed, 28 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.3.11-CVE-2010-3855.patch b/freetype-2.3.11-CVE-2010-3855.patch
new file mode 100644
index 0000000..a215546
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-3855.patch
@@ -0,0 +1,20 @@
+--- freetype-2.3.11/src/truetype/ttgxvar.c	2009-07-31 18:45:19.000000000 +0200
++++ freetype-2.3.11/src/truetype/ttgxvar.c	2010-11-15 10:26:22.517444003 +0100
+@@ -157,7 +157,7 @@
+         runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
+         first  = points[i++] = FT_GET_USHORT();
+ 
+-        if ( runcnt < 1 )
++        if ( runcnt < 1 || i + runcnt >= n )
+           goto Exit;
+ 
+         /* first point not included in runcount */
+@@ -168,7 +168,7 @@
+       {
+         first = points[i++] = FT_GET_BYTE();
+ 
+-        if ( runcnt < 1 )
++        if ( runcnt < 1 || i + runcnt >= n )
+           goto Exit;
+ 
+         for ( j = 0; j < runcnt; ++j )
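Review bot: The new bound on both branches, `i + runcnt >= n`, appears one stricter than the write it guards: the first point has already been stored by `points[i++]` on the line above each check, and the comment "first point not included in runcount" together with the `for ( j = 0; j < runcnt; ++j )` at the end of the hunk suggests the run then fills indices `i` through `i + runcnt - 1`, so a run that ends exactly at `n` is in bounds yet is rejected. If that loop body (not visible here) stores exactly one entry per iteration with no other index advance, `if ( runcnt < 1 || i + runcnt > n )` is the precise check and still stops the overflow; otherwise the `>=` should get a comment explaining the extra slot it reserves, e.g. `/* reject runs that would write past points[n-1] */`. The enclosing function, its outer loop condition and the `Exit` label all lie outside the hunk, so whether `goto Exit` discards or truncates the partially filled array cannot be confirmed from this patch.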
diff --git a/freetype.spec b/freetype.spec
index e128f67..dce5aa5 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -9,7 +9,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.3.11
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: FTL or GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -42,6 +42,7 @@ Patch97:  freetype-2.3.11-CVE-2010-2805.patch
 Patch98:  freetype-2.3.11-CVE-2010-2806.patch
 Patch99:  freetype-2.3.11-CVE-2010-2808.patch
 Patch100:  freetype-2.3.11-CVE-2010-3311.patch
+Patch101:  freetype-2.3.11-CVE-2010-3855.patch
 
 Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
@@ -122,6 +123,7 @@ popd
 %patch98 -p1 -b .CVE-2010-2806
 %patch99 -p1 -b .CVE-2010-2808
 %patch100 -p1 -b .CVE-2010-3311
+%patch101 -p1 -b .CVE-2010-3855
 
 %build
 
@@ -254,6 +256,11 @@ rm -rf $RPM_BUILD_ROOT
 %doc docs/tutorial
 
 %changelog
+* Mon Nov 15 2010 Marek Kasik <mkasik at redhat.com> 2.3.11-7
+- Add freetype-2.3.11-CVE-2010-3855.patch
+    (Protect against invalid `runcnt' values.)
+- Resolves: #651764
+
 * Mon Oct  4 2010 Marek Kasik <mkasik at redhat.com> 2.3.11-6
 - Add freetype-2.3.11-CVE-2010-2805.patch
     (Fix comparison.)

