[freetype/f16] Fix CVE-2011-3439
mkasik
mkasik at fedoraproject.org
Tue Nov 15 16:18:34 UTC 2011
commit 698eff9cbd1e9385209575f8ddd67215228581df
Author: Marek Kasik <mkasik at redhat.com>
Date: Tue Nov 15 17:16:52 2011 +0100
Fix CVE-2011-3439
Resolves: #753837
freetype-2.4.6-CVE-2011-3439.patch | 76 ++++++++++++++++++++++++++++++++++++
freetype.spec | 8 +++-
2 files changed, 83 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.4.6-CVE-2011-3439.patch b/freetype-2.4.6-CVE-2011-3439.patch
new file mode 100644
index 0000000..5cd5809
--- /dev/null
+++ b/freetype-2.4.6-CVE-2011-3439.patch
@@ -0,0 +1,76 @@
+--- freetype-2.4.6/src/cid/cidload.c 2009-07-03 15:28:24.000000000 +0200
++++ freetype-2.4.6/src/cid/cidload.c 2011-11-15 17:13:06.000000000 +0100
+@@ -4,7 +4,7 @@
+ /* */
+ /* CID-keyed Type1 font loader (body). */
+ /* */
+-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2009 by */
++/* Copyright 1996-2006, 2009, 2011 by */
+ /* David Turner, Robert Wilhelm, and Werner Lemberg. */
+ /* */
+ /* This file is part of the FreeType project, and may only be used, */
+@@ -110,7 +110,7 @@
+ CID_FaceDict dict;
+
+
+- if ( parser->num_dict < 0 )
++ if ( parser->num_dict < 0 || parser->num_dict >= cid->num_dicts )
+ {
+ FT_ERROR(( "cid_load_keyword: invalid use of `%s'\n",
+ keyword->ident ));
+@@ -158,7 +158,7 @@
+ FT_Fixed temp_scale;
+
+
+- if ( parser->num_dict >= 0 )
++ if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )
+ {
+ dict = face->cid.font_dicts + parser->num_dict;
+ matrix = &dict->font_matrix;
+@@ -249,7 +249,7 @@
+ CID_FaceDict dict;
+
+
+- if ( parser->num_dict >= 0 )
++ if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )
+ {
+ dict = face->cid.font_dicts + parser->num_dict;
+
+@@ -413,12 +413,25 @@
+ FT_Byte* p;
+
+
++ /* Check for possible overflow. */
++ if ( num_subrs == FT_UINT_MAX )
++ {
++ error = CID_Err_Syntax_Error;
++ goto Fail;
++ }
++
+ /* reallocate offsets array if needed */
+ if ( num_subrs + 1 > max_offsets )
+ {
+ FT_UInt new_max = FT_PAD_CEIL( num_subrs + 1, 4 );
+
+
++ if ( new_max <= max_offsets )
++ {
++ error = CID_Err_Syntax_Error;
++ goto Fail;
++ }
++
+ if ( FT_RENEW_ARRAY( offsets, max_offsets, new_max ) )
+ goto Fail;
+
+@@ -436,6 +449,11 @@
+
+ FT_FRAME_EXIT();
+
++ /* offsets must be ordered */
++ for ( count = 1; count <= num_subrs; count++ )
++ if ( offsets[count - 1] > offsets[count] )
++ goto Fail;
++
+ /* now, compute the size of subrs charstrings, */
+ /* allocate, and read them */
+ data_len = offsets[num_subrs] - offsets[0];
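Review bot: The new "offsets must be ordered" loop after FT_FRAME_EXIT() jumps to Fail without assigning `error`, unlike the two checks added earlier in this hunk, which set `error = CID_Err_Syntax_Error` before the jump. If `error` still holds the success value left by the preceding frame read at that point (not visible here, since the enclosing function starts and ends outside the hunk), an unordered offsets table would be rejected silently and the caller would see a successfully loaded font with a partially initialised subrs table. I would make the rejection explicit: `{ error = CID_Err_Syntax_Error; goto Fail; }`. The `num_subrs == FT_UINT_MAX` guard only covers the `num_subrs + 1` addition; the rounding inside `FT_PAD_CEIL( num_subrs + 1, 4 )` can presumably still wrap for values just below FT_UINT_MAX, which is what the `new_max <= max_offsets` check then catches, and a one-line comment such as `/* FT_PAD_CEIL may wrap; a new_max no larger than max_offsets means overflow */` would make that relationship clear to the next reader.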
diff --git a/freetype.spec b/freetype.spec
index 6c9f7a3..d958397 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -7,7 +7,7 @@
Summary: A free and portable font rendering engine
Name: freetype
Version: 2.4.6
-Release: 3%{?dist}
+Release: 4%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -27,6 +27,7 @@ Patch88: freetype-multilib.patch
Patch89: freetype-2.4.2-CVE-2010-3311.patch
Patch90: freetype-2.4.6-CVE-2011-3256.patch
+Patch91: freetype-2.4.6-CVE-2011-3439.patch
Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
@@ -89,6 +90,7 @@ popd
%patch88 -p1 -b .multilib
%patch89 -p1 -b .CVE-2010-3311
%patch90 -p1 -b .CVE-2011-3256
+%patch91 -p1 -b .CVE-2011-3439
%build
@@ -221,6 +223,10 @@ rm -rf $RPM_BUILD_ROOT
%doc docs/tutorial
%changelog
+* Tue Nov 15 2011 Marek Kasik <mkasik at redhat.com> 2.4.6-4
+- Fix CVE-2011-3439
+- Resolves: #753837
+
* Wed Oct 26 2011 Fedora Release Engineering <rel-eng at lists.fedoraproject.org> - 2.4.6-3
- Rebuilt for glibc bug#747377