[freetype/f12/master] Security bugfixes
mkasik
mkasik at fedoraproject.org
Mon Oct 4 10:29:06 UTC 2010
commit 97ef5945a6048eca46b68caecbf0560968f9d37c
Author: Marek Kasik <mkasik at redhat.com>
Date: Mon Oct 4 12:27:38 2010 +0200
Security bugfixes
- Add freetype-2.3.11-CVE-2010-2498.patch
(Assure that `end_point' is not larger than `glyph->num_points')
- Add freetype-2.3.11-CVE-2010-2499.patch
(Check the buffer size during gathering PFB fragments)
- Add freetype-2.3.11-CVE-2010-2500.patch
(Use smaller threshold values for `width' and `height')
- Add freetype-2.3.11-CVE-2010-2519.patch
(Check `rlen', the length of the fragment declared in the POST fragment header)
- Add freetype-2.3.11-CVE-2010-2520.patch
(Fix bounds check)
- Add freetype-2.3.11-CVE-2010-2527.patch
(Use precision for `%s' where appropriate to avoid buffer overflows)
- Add freetype-2.3.11-CVE-2010-2541.patch
(Avoid overflow when dealing with names of axes)
- Resolves: #613299
freetype-2.3.11-CVE-2010-2498.patch | 35 ++++++++
freetype-2.3.11-CVE-2010-2499.patch | 39 +++++++++
freetype-2.3.11-CVE-2010-2500.patch | 31 +++++++
freetype-2.3.11-CVE-2010-2519.patch | 23 +++++
freetype-2.3.11-CVE-2010-2520.patch | 13 +++
freetype-2.3.11-CVE-2010-2527.patch | 154 +++++++++++++++++++++++++++++++++++
freetype-2.3.11-CVE-2010-2541.patch | 20 +++++
freetype.spec | 34 ++++++++-
8 files changed, 348 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.3.11-CVE-2010-2498.patch b/freetype-2.3.11-CVE-2010-2498.patch
new file mode 100644
index 0000000..fede842
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2498.patch
@@ -0,0 +1,35 @@
+--- freetype-2.3.11/src/pshinter/pshalgo.c 2009-07-03 15:28:24.000000000 +0200
++++ freetype-2.3.11/src/pshinter/pshalgo.c 2010-07-13 13:14:22.000000000 +0200
+@@ -4,7 +4,8 @@
+ /* */
+ /* PostScript hinting algorithm (body). */
+ /* */
+-/* Copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009 by */
++/* Copyright 2001, 2002, 2003, 2004, 2005, 2006, 2007, 2008, 2009, 2010 */
++/* by */
+ /* David Turner, Robert Wilhelm, and Werner Lemberg. */
+ /* */
+ /* This file is part of the FreeType project, and may only be used */
+@@ -1690,7 +1691,10 @@
+ /* process secondary hints to `selected' points */
+ if ( num_masks > 1 && glyph->num_points > 0 )
+ {
+- first = mask->end_point;
++ /* the `endchar' op can reduce the number of points */
++ first = mask->end_point > glyph->num_points
++ ? glyph->num_points
++ : mask->end_point;
+ mask++;
+ for ( ; num_masks > 1; num_masks--, mask++ )
+ {
+@@ -1698,7 +1702,9 @@
+ FT_Int count;
+
+
+- next = mask->end_point;
++ next = mask->end_point > glyph->num_points
++ ? glyph->num_points
++ : mask->end_point;
+ count = next - first;
+ if ( count > 0 )
+ {
diff --git a/freetype-2.3.11-CVE-2010-2499.patch b/freetype-2.3.11-CVE-2010-2499.patch
new file mode 100644
index 0000000..5455fa0
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2499.patch
@@ -0,0 +1,39 @@
+--- freetype-2.3.11/src/base/ftobjs.c 2009-09-02 08:42:41.000000000 +0200
++++ freetype-2.3.11/src/base/ftobjs.c 2010-07-12 16:39:13.000000000 +0200
+@@ -1531,6 +1531,8 @@
+ len += rlen;
+ else
+ {
++ if ( pfb_lenpos + 3 > pfb_len + 2 )
++ goto Exit2;
+ pfb_data[pfb_lenpos ] = (FT_Byte)( len );
+ pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
+ pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
+@@ -1539,6 +1541,8 @@
+ if ( ( flags >> 8 ) == 5 ) /* End of font mark */
+ break;
+
++ if ( pfb_pos + 6 > pfb_len + 2 )
++ goto Exit2;
+ pfb_data[pfb_pos++] = 0x80;
+
+ type = flags >> 8;
+@@ -1553,12 +1557,18 @@
+ }
+
+ error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
++ if ( error )
++ goto Exit2;
+ pfb_pos += rlen;
+ }
+
++ if ( pfb_pos + 2 > pfb_len + 2 )
++ goto Exit2;
+ pfb_data[pfb_pos++] = 0x80;
+ pfb_data[pfb_pos++] = 3;
+
++ if ( pfb_lenpos + 3 > pfb_len + 2 )
++ goto Exit2;
+ pfb_data[pfb_lenpos ] = (FT_Byte)( len );
+ pfb_data[pfb_lenpos + 1] = (FT_Byte)( len >> 8 );
+ pfb_data[pfb_lenpos + 2] = (FT_Byte)( len >> 16 );
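Review bot: The read at `error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );` writes `rlen` bytes at `pfb_pos`, yet no check in this hunk compares `pfb_pos + rlen` with the buffer size the way the new guards do for the fixed-size header bytes. The lines between the second and third hunks of this patch are not shown, so if none of them bounds the read, add `if ( pfb_pos + rlen > pfb_len + 2 ) goto Exit2;` immediately before it, in the same form as the other checks. The capacity expression `pfb_len + 2` is repeated in five comparisons; a named local such as `pfb_size` would make what each one guards clearer. The enclosing function begins and ends outside this hunk.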
diff --git a/freetype-2.3.11-CVE-2010-2500.patch b/freetype-2.3.11-CVE-2010-2500.patch
new file mode 100644
index 0000000..afc906d
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2500.patch
@@ -0,0 +1,31 @@
+--- freetype-2.3.11/src/smooth/ftgrays.c 2009-07-31 18:45:19.000000000 +0200
++++ freetype-2.3.11/src/smooth/ftgrays.c 2010-07-13 10:26:58.000000000 +0200
+@@ -1189,7 +1189,7 @@
+ /* first of all, compute the scanline offset */
+ p = (unsigned char*)map->buffer - y * map->pitch;
+ if ( map->pitch >= 0 )
+- p += ( map->rows - 1 ) * map->pitch;
++ p += (unsigned)( ( map->rows - 1 ) * map->pitch );
+
+ for ( ; count > 0; count--, spans++ )
+ {
+--- freetype-2.3.11/src/smooth/ftsmooth.c 2009-07-31 18:45:19.000000000 +0200
++++ freetype-2.3.11/src/smooth/ftsmooth.c 2010-07-13 10:26:58.000000000 +0200
+@@ -4,7 +4,7 @@
+ /* */
+ /* Anti-aliasing renderer interface (body). */
+ /* */
+-/* Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2009 by */
++/* Copyright 2000-2001, 2002, 2003, 2004, 2005, 2006, 2009, 2010 by */
+ /* David Turner, Robert Wilhelm, and Werner Lemberg. */
+ /* */
+ /* This file is part of the FreeType project, and may only be used, */
+@@ -200,7 +200,7 @@
+
+ /* Required check is ( pitch * height < FT_ULONG_MAX ), */
+ /* but we care realistic cases only. Always pitch <= width. */
+- if ( width > 0xFFFFU || height > 0xFFFFU )
++ if ( width > 0x7FFFU || height > 0x7FFFU )
+ {
+ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
+ width, height ));
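Review bot: The cast at `p += (unsigned)( ( map->rows - 1 ) * map->pitch );` wraps the product, so the multiplication is still performed in the operands' own type and the cast only changes the type of the offset added to `p`; by itself it does not stop `( map->rows - 1 ) * map->pitch` from overflowing. What actually bounds the product is the new `0x7FFFU` limit on `width` and `height` in ftsmooth.c, a different file, and that dependency is invisible from the ftgrays.c line. A comment such as `/* rows and pitch are limited to 0x7FFF by ftsmooth.c, so the product cannot overflow */` would record it, assuming the smooth renderer is the only path into this function. The enclosing function starts and ends outside the hunk.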
diff --git a/freetype-2.3.11-CVE-2010-2519.patch b/freetype-2.3.11-CVE-2010-2519.patch
new file mode 100644
index 0000000..49a639c
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2519.patch
@@ -0,0 +1,23 @@
+--- freetype-2.3.11/src/base/ftobjs.c 2010-07-12 17:03:47.000000000 +0200
++++ freetype-2.3.11/src/base/ftobjs.c 2010-07-12 17:07:06.000000000 +0200
+@@ -1526,7 +1526,19 @@
+ goto Exit;
+ if ( FT_READ_USHORT( flags ) )
+ goto Exit;
+- rlen -= 2; /* the flags are part of the resource */
++ FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
++ i, offsets[i], rlen, flags ));
++
++ if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */
++ continue;
++
++ /* the flags are part of the resource, so rlen >= 2. */
++ /* but some fonts declare rlen = 0 for empty fragment */
++ if ( rlen > 2 )
++ rlen -= 2;
++ else
++ rlen = 0;
++
+ if ( ( flags >> 8 ) == type )
+ len += rlen;
+ else
diff --git a/freetype-2.3.11-CVE-2010-2520.patch b/freetype-2.3.11-CVE-2010-2520.patch
new file mode 100644
index 0000000..32cd3d8
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2520.patch
@@ -0,0 +1,13 @@
+--- freetype-2.3.11/src/truetype/ttinterp.c 2009-07-31 18:45:19.000000000 +0200
++++ freetype-2.3.11/src/truetype/ttinterp.c 2010-07-15 14:44:23.000000000 +0200
+@@ -6466,8 +6466,8 @@
+ end_point = CUR.pts.contours[contour] - CUR.pts.first_point;
+ first_point = point;
+
+- if ( CUR.pts.n_points <= end_point )
+- end_point = CUR.pts.n_points;
++ if ( BOUNDS ( end_point, CUR.pts.n_points ) )
++ end_point = CUR.pts.n_points - 1;
+
+ while ( point <= end_point && ( CUR.pts.tags[point] & mask ) == 0 )
+ point++;
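Review bot: With the new clamp `end_point = CUR.pts.n_points - 1;`, a zero `CUR.pts.n_points` yields -1, and if `end_point` has an unsigned type (its declaration is outside the hunk) that wraps to the maximum value, so the following `while ( point <= end_point && ( CUR.pts.tags[point] & mask ) == 0 )` would keep indexing `tags` past the array instead of stopping. It is worth confirming that an empty point set cannot reach this code, or guarding it explicitly ahead of the loop, e.g. `if ( CUR.pts.n_points == 0 ) return;` adjusted to the function's return convention. The enclosing function begins and ends outside the hunk.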
diff --git a/freetype-2.3.11-CVE-2010-2527.patch b/freetype-2.3.11-CVE-2010-2527.patch
new file mode 100644
index 0000000..ed7ed1e
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2527.patch
@@ -0,0 +1,154 @@
+--- freetype-2.3.11/ft2demos-2.3.11/src/ftdiff.c 2009-04-30 18:07:48.000000000 +0200
++++ freetype-2.3.11/ft2demos-2.3.11/src/ftdiff.c 2010-07-22 18:18:06.000000000 +0200
+@@ -1054,11 +1054,11 @@
+
+ state->message = state->message0;
+ if ( total > 1 )
+- sprintf( state->message0, "%s %d/%d @ %5.1fpt",
++ sprintf( state->message0, "%.100s %d/%d @ %5.1fpt",
+ state->filename, idx + 1, total,
+ state->char_size );
+ else
+- sprintf( state->message0, "%s @ %5.1fpt",
++ sprintf( state->message0, "%.100s @ %5.1fpt",
+ state->filename,
+ state->char_size );
+ }
+--- freetype-2.3.11/ft2demos-2.3.11/src/ftgrid.c 2009-04-30 18:15:21.000000000 +0200
++++ freetype-2.3.11/ft2demos-2.3.11/src/ftgrid.c 2010-07-22 18:18:06.000000000 +0200
+@@ -2,7 +2,7 @@
+ /* */
+ /* The FreeType project -- a free and portable quality TrueType renderer. */
+ /* */
+-/* Copyright 1996-2000, 2003, 2004, 2005, 2006, 2007, 2009 by */
++/* Copyright 1996-2000, 2003, 2004, 2005, 2006, 2007, 2009, 2010 by */
+ /* D. Turner, R.Wilhelm, and W. Lemberg */
+ /* */
+ /* */
+@@ -787,22 +787,22 @@ grid_status_draw_outline( GridStatus
+ switch ( error_code )
+ {
+ case FT_Err_Ok:
+- sprintf( status.header_buffer, "%s %s (file `%s')",
++ sprintf( status.header_buffer, "%.50s %.50s (file `%.100s')",
+ face->family_name, face->style_name, basename );
+ break;
+
+ case FT_Err_Invalid_Pixel_Size:
+- sprintf( status.header_buffer, "Invalid pixel size (file `%s')",
++ sprintf( status.header_buffer, "Invalid pixel size (file `%.100s')",
+ basename );
+ break;
+
+ case FT_Err_Invalid_PPem:
+- sprintf( status.header_buffer, "Invalid ppem value (file `%s')",
++ sprintf( status.header_buffer, "Invalid ppem value (file `%.100s')",
+ basename );
+ break;
+
+ default:
+- sprintf( status.header_buffer, "File `%s': error 0x%04x",
++ sprintf( status.header_buffer, "File `%.100s': error 0x%04x",
+ basename, (FT_UShort)error_code );
+ break;
+ }
+--- freetype-2.3.11/ft2demos-2.3.11/src/ftmulti.c 2009-03-14 14:58:28.000000000 +0100
++++ freetype-2.3.11/ft2demos-2.3.11/src/ftmulti.c 2010-07-22 18:18:39.000000000 +0200
+@@ -2,7 +2,7 @@
+ /* */
+ /* The FreeType project -- a free and portable quality TrueType renderer. */
+ /* */
+-/* Copyright 1996-2000, 2003, 2004, 2005 by */
++/* Copyright 1996-2000, 2003, 2004, 2005, 2010 by */
+ /* D. Turner, R.Wilhelm, and W. Lemberg */
+ /* */
+ /* */
+@@ -34,7 +34,7 @@
+
+ #define MAXPTSIZE 500 /* dtp */
+
+- char Header[128];
++ char Header[256];
+ char* new_header = 0;
+
+ const unsigned char* Text = (unsigned char*)
+@@ -795,7 +795,7 @@
+ Render_All( Num, ptsize );
+ }
+
+- sprintf( Header, "%s %s (file %s)",
++ sprintf( Header, "%.50s %.50s (file %.100s)",
+ face->family_name,
+ face->style_name,
+ ft_basename( argv[file] ) );
+@@ -830,7 +830,7 @@
+ }
+ else
+ {
+- sprintf( Header, "%s: not an MM font file, or could not be opened",
++ sprintf( Header, "%.100s: not an MM font file, or could not be opened",
+ ft_basename( argv[file] ) );
+ }
+
+--- freetype-2.3.11/ft2demos-2.3.11/src/ftstring.c 2009-03-14 14:58:28.000000000 +0100
++++ freetype-2.3.11/ft2demos-2.3.11/src/ftstring.c 2010-07-22 18:18:06.000000000 +0200
+@@ -2,7 +2,7 @@
+ /* */
+ /* The FreeType project -- a free and portable quality TrueType renderer. */
+ /* */
+-/* Copyright 1996-2002, 2003, 2004, 2005, 2006, 2007, 2009 by */
++/* Copyright 1996-2002, 2003, 2004, 2005, 2006, 2007, 2009, 2010 by */
+ /* D. Turner, R.Wilhelm, and W. Lemberg */
+ /* */
+ /* */
+@@ -413,19 +413,20 @@
+ switch ( error_code )
+ {
+ case FT_Err_Ok:
+- sprintf( status.header_buffer, "%s %s (file `%s')", face->family_name,
++ sprintf( status.header_buffer,
++ "%.50s %.50s (file `%.100s')", face->family_name,
+ face->style_name, basename );
+ break;
+ case FT_Err_Invalid_Pixel_Size:
+- sprintf( status.header_buffer, "Invalid pixel size (file `%s')",
++ sprintf( status.header_buffer, "Invalid pixel size (file `%.100s')",
+ basename );
+ break;
+ case FT_Err_Invalid_PPem:
+- sprintf( status.header_buffer, "Invalid ppem value (file `%s')",
++ sprintf( status.header_buffer, "Invalid ppem value (file `%.100s')",
+ basename );
+ break;
+ default:
+- sprintf( status.header_buffer, "File `%s': error 0x%04x", basename,
++ sprintf( status.header_buffer, "File `%.100s': error 0x%04x", basename,
+ (FT_UShort)error_code );
+ break;
+ }
+--- freetype-2.3.11/ft2demos-2.3.11/src/ftview.c 2009-04-30 20:08:25.000000000 +0200
++++ freetype-2.3.11/ft2demos-2.3.11/src/ftview.c 2010-07-22 18:18:06.000000000 +0200
+@@ -1086,19 +1086,19 @@
+ switch ( error_code )
+ {
+ case FT_Err_Ok:
+- sprintf( status.header_buffer, "%s %s (file `%s')",
++ sprintf( status.header_buffer, "%.50s %.50s (file `%.100s')",
+ face->family_name, face->style_name, basename );
+ break;
+ case FT_Err_Invalid_Pixel_Size:
+- sprintf( status.header_buffer, "Invalid pixel size (file `%s')",
++ sprintf( status.header_buffer, "Invalid pixel size (file `%.100s')",
+ basename );
+ break;
+ case FT_Err_Invalid_PPem:
+- sprintf( status.header_buffer, "Invalid ppem value (file `%s')",
++ sprintf( status.header_buffer, "Invalid ppem value (file `%.100s')",
+ basename );
+ break;
+ default:
+- sprintf( status.header_buffer, "File `%s': error 0x%04x",
++ sprintf( status.header_buffer, "File `%.100s': error 0x%04x",
+ basename, (FT_UShort)error_code );
+ break;
+ }
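Review bot: The `%.50s`/`%.100s` precisions bound each string argument individually but not the formatted output as a whole, so every call still relies on the literal text, the numeric fields and all capped strings together fitting the destination; this applies to the ftdiff.c, ftgrid.c, ftmulti.c, ftstring.c and ftview.c hunks alike. `snprintf` with the destination size bounds the complete result and truncates instead of overrunning, e.g. in ftmulti.c `sprintf( Header, "%.50s %.50s (file %.100s)",` could become `snprintf( Header, sizeof( Header ), "%.50s %.50s (file %.100s)",` since this patch declares `char Header[256]`. For `status.header_buffer` and `state->message0` the declarations are outside the hunks, so the size expression has to be checked against them (an array permits `sizeof`, a pointer needs its allocation size). The precisions remain useful on their own to keep one long font name from crowding out the rest of the line.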
diff --git a/freetype-2.3.11-CVE-2010-2541.patch b/freetype-2.3.11-CVE-2010-2541.patch
new file mode 100644
index 0000000..5f32b8a
--- /dev/null
+++ b/freetype-2.3.11-CVE-2010-2541.patch
@@ -0,0 +1,20 @@
+--- freetype-2.3.11/ft2demos-2.3.11/src/ftmulti.c 2010-07-22 19:11:50.000000000 +0200
++++ freetype-2.3.11/ft2demos-2.3.11/src/ftmulti.c 2010-07-22 19:12:41.000000000 +0200
+@@ -813,13 +813,13 @@
+
+ for ( n = 0; n < (int)multimaster->num_axis; n++ )
+ {
+- char temp[32];
++ char temp[100];
+
+
+- sprintf( temp, " %s:%g",
++ sprintf( temp, " %.50s:%g",
+ multimaster->axis[n].name,
+- design_pos[n]/65536. );
+- strcat( Header, temp );
++ design_pos[n] / 65536.0 );
++ strncat( Header, temp, sizeof( Header ) - strlen( Header ) - 1 );
+ }
+ }
+ grWriteCellString( &bit, 0, 16, Header, fore_color );
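Review bot: The length argument `sizeof( Header ) - strlen( Header ) - 1` in the new `strncat` underflows to a huge size_t if `Header` is ever full or unterminated, which would turn the bounded call back into an unbounded one; here that is prevented only because the `sprintf` into `Header` added by the CVE-2010-2527 patch caps its output well below the 256-byte array, and that reasoning is not recorded at the call site. Suggest a comment such as `/* Header is NUL-terminated and shorter than sizeof( Header ) after the sprintf above, so the remaining space cannot underflow */`. Truncation by strncat is silent, so once the axis list fills `Header` the remaining axes are dropped without notice; acceptable for a demo, but worth a word in the same comment. The enclosing function begins and ends outside the hunk.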
diff --git a/freetype.spec b/freetype.spec
index 016bf0d..eb8e0d5 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -9,7 +9,7 @@
Summary: A free and portable font rendering engine
Name: freetype
Version: 2.3.11
-Release: 3%{?dist}
+Release: 4%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -30,6 +30,14 @@ Patch47: freetype-2.3.11-more-demos.patch
# Fix multilib conflicts
Patch88: freetype-multilib.patch
+Patch89: freetype-2.3.11-CVE-2010-2498.patch
+Patch90: freetype-2.3.11-CVE-2010-2499.patch
+Patch91: freetype-2.3.11-CVE-2010-2500.patch
+Patch92: freetype-2.3.11-CVE-2010-2519.patch
+Patch93: freetype-2.3.11-CVE-2010-2520.patch
+Patch94: freetype-2.3.11-CVE-2010-2527.patch
+Patch95: freetype-2.3.11-CVE-2010-2541.patch
+
Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
BuildRequires: libX11-devel
@@ -97,6 +105,14 @@ popd
%patch88 -p1 -b .multilib
+%patch89 -p1 -b .CVE-2010-2498
+%patch90 -p1 -b .CVE-2010-2499
+%patch91 -p1 -b .CVE-2010-2500
+%patch92 -p1 -b .CVE-2010-2519
+%patch93 -p1 -b .CVE-2010-2520
+%patch94 -p1 -b .CVE-2010-2527
+%patch95 -p1 -b .CVE-2010-2541
+
%build
%configure --disable-static
@@ -225,6 +241,22 @@ rm -rf $RPM_BUILD_ROOT
%doc docs/tutorial
%changelog
+* Fri Oct 1 2010 Marek Kasik <mkasik at redhat.com> 2.3.11-4
+- Add freetype-2.3.11-CVE-2010-2498.patch
+ (Assure that `end_point' is not larger than `glyph->num_points')
+- Add freetype-2.3.11-CVE-2010-2499.patch
+ (Check the buffer size during gathering PFB fragments)
+- Add freetype-2.3.11-CVE-2010-2500.patch
+ (Use smaller threshold values for `width' and `height')
+- Add freetype-2.3.11-CVE-2010-2519.patch
+ (Check `rlen' the length of fragment declared in the POST fragment header)
+- Add freetype-2.3.11-CVE-2010-2520.patch
+ (Fix bounds check)
+- Add freetype-2.3.11-CVE-2010-2527.patch
+ (Use precision for `%s' where appropriate to avoid buffer overflows)
+- Add freetype-2.3.11-CVE-2010-2541.patch
+ (Avoid overflow when dealing with names of axes)
+- Resolves: #613299
* Thu Dec 3 2009 Behdad Esfahbod <behdad at redhat.com> 2.3.11-3
- Add freetype-2.3.11-more-demos.patch