[freetype/f15] Fix CVE-2011-0226
mkasik
mkasik at fedoraproject.org
Wed Jul 20 16:33:51 UTC 2011
commit cc16bca8832e404b35d3a5eafb4d6490cc8c3c2f
Author: Marek Kasik <mkasik at redhat.com>
Date: Wed Jul 20 18:30:13 2011 +0200
Fix CVE-2011-0226
Add freetype-2.4.4-CVE-2011-0226.patch
(Add better argument check for `callothersubr'.)
based on patches by Werner Lemberg,
Alexei Podtelezhnikov and Matthias Drochner
Resolves: #723469
freetype-2.4.4-CVE-2011-0226.patch | 99 ++++++++++++++++++++++++++++++++++++
freetype.spec | 12 ++++-
2 files changed, 109 insertions(+), 2 deletions(-)
---
diff --git a/freetype-2.4.4-CVE-2011-0226.patch b/freetype-2.4.4-CVE-2011-0226.patch
new file mode 100644
index 0000000..cebc0a8
--- /dev/null
+++ b/freetype-2.4.4-CVE-2011-0226.patch
@@ -0,0 +1,99 @@
+--- freetype-2.4.4/src/psaux/t1decode.c 2010-11-23 19:28:53.000000000 +0100
++++ freetype-2.4.4/src/psaux/t1decode.c 2011-07-20 14:58:03.000000000 +0200
+@@ -28,6 +28,8 @@
+
+ #include "psauxerr.h"
+
++/* ensure proper sign extension */
++#define Fix2Int( f ) ( (FT_Int)(FT_Short)( (f) >> 16 ) )
+
+ /*************************************************************************/
+ /* */
+@@ -662,7 +664,7 @@
+ if ( large_int )
+ FT_TRACE4(( " %ld", value ));
+ else
+- FT_TRACE4(( " %ld", (FT_Int32)( value >> 16 ) ));
++ FT_TRACE4(( " %ld", Fix2Int( value ) ));
+ #endif
+
+ *top++ = value;
+@@ -684,8 +686,8 @@
+
+ top -= 2;
+
+- subr_no = (FT_Int)( top[1] >> 16 );
+- arg_cnt = (FT_Int)( top[0] >> 16 );
++ subr_no = Fix2Int( top[1] );
++ arg_cnt = Fix2Int( top[0] );
+
+ /***********************************************************/
+ /* */
+@@ -862,7 +864,7 @@
+ if ( arg_cnt != 1 || blend == NULL )
+ goto Unexpected_OtherSubr;
+
+- idx = (FT_Int)( top[0] >> 16 );
++ idx = Fix2Int( top[0] );
+
+ if ( idx < 0 ||
+ idx + blend->num_designs > decoder->len_buildchar )
+@@ -930,7 +932,7 @@
+ if ( arg_cnt != 2 || blend == NULL )
+ goto Unexpected_OtherSubr;
+
+- idx = (FT_Int)( top[1] >> 16 );
++ idx = Fix2Int( top[1] );
+
+ if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar )
+ goto Unexpected_OtherSubr;
+@@ -951,7 +953,7 @@
+ if ( arg_cnt != 1 || blend == NULL )
+ goto Unexpected_OtherSubr;
+
+- idx = (FT_Int)( top[0] >> 16 );
++ idx = Fix2Int( top[0] );
+
+ if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar )
+ goto Unexpected_OtherSubr;
+@@ -1009,11 +1011,15 @@
+ break;
+
+ default:
+- FT_ERROR(( "t1_decoder_parse_charstrings:"
+- " unknown othersubr [%d %d], wish me luck\n",
+- arg_cnt, subr_no ));
+- unknown_othersubr_result_cnt = arg_cnt;
+- break;
++ if ( arg_cnt >= 0 && subr_no >= 0 )
++ {
++ FT_ERROR(( "t1_decoder_parse_charstrings:"
++ " unknown othersubr [%d %d], wish me luck\n",
++ arg_cnt, subr_no ));
++ unknown_othersubr_result_cnt = arg_cnt;
++ break;
++ }
++ /* fall through */
+
+ Unexpected_OtherSubr:
+ FT_ERROR(( "t1_decoder_parse_charstrings:"
+@@ -1139,8 +1145,8 @@
+ top[0],
+ top[1],
+ top[2],
+- (FT_Int)( top[3] >> 16 ),
+- (FT_Int)( top[4] >> 16 ) );
++ Fix2Int( top[3] ),
++ Fix2Int( top[4] ) );
+
+ case op_sbw:
+ FT_TRACE4(( " sbw" ));
+@@ -1324,7 +1330,7 @@
+
+ FT_TRACE4(( " callsubr" ));
+
+- idx = (FT_Int)( top[0] >> 16 );
++ idx = Fix2Int( top[0] );
+ if ( idx < 0 || idx >= (FT_Int)decoder->num_subrs )
+ {
+ FT_ERROR(( "t1_decoder_parse_charstrings:"
diff --git a/freetype.spec b/freetype.spec
index bd869a6..c7a4e74 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -7,7 +7,7 @@
Summary: A free and portable font rendering engine
Name: freetype
Version: 2.4.4
-Release: 4%{?dist}
+Release: 5%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -26,9 +26,9 @@ Patch47: freetype-2.3.11-more-demos.patch
Patch88: freetype-multilib.patch
Patch89: freetype-2.4.2-CVE-2010-3311.patch
-
Patch90: 0001-Fall-back-to-autohinting-if-a-TTF-OTF-doesn-t-contai.patch
Patch91: 0002-Fix-autohinting-fallback.patch
+Patch92: freetype-2.4.4-CVE-2011-0226.patch
Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
@@ -92,6 +92,7 @@ popd
%patch89 -p1 -b .CVE-2010-3311
%patch90 -p1 -b .auto-autohint
%patch91 -p1 -b .fix-autohint
+%patch92 -p1 -b .CVE-2011-0226
%build
@@ -224,6 +225,13 @@ rm -rf $RPM_BUILD_ROOT
%doc docs/tutorial
%changelog
+* Wed Jul 20 2011 Marek Kasik <mkasik at redhat.com> 2.4.4-5
+- Add freetype-2.4.4-CVE-2011-0226.patch
+ (Add better argument check for `callothersubr'.)
+ - based on patches by Werner Lemberg,
+ Alexei Podtelezhnikov and Matthias Drochner
+- Resolves: #723469
+
* Tue Mar 8 2011 Marek Kasik <mkasik at redhat.com> 2.4.4-4
- Fix autohinting fallback (#547532).
- Ignore CFF-based OTFs.
More information about the scm-commits
mailing list