[t1lib/el4] Add patch to fix CVE-2010-2642, CVE-2011-0433 (afm-fix patch) New version of patch for CVE-2011-0764
Jaroslav Škarvada
jskarvad at fedoraproject.org
Tue Jan 10 16:14:06 UTC 2012
commit 463f1cceb711245d04991ba7083b2ceb44845cd4
Author: Jaroslav Škarvada <jskarvad at redhat.com>
Date: Tue Jan 10 17:13:58 2012 +0100
Add patch to fix CVE-2010-2642, CVE-2011-0433 (afm-fix patch)
New version of patch for CVE-2011-0764, also fixes CVE-2011-1552,
CVE-2011-1553, CVE-2011-1554 (type1-inv-rw-fix patch)
Resolves: rhbz#772899
t1lib-5.0.2-afm-fix.patch | 23 +++++++
t1lib-5.0.2-type1-inv-rw-fix.patch | 124 ++++++++++++++++++++++++++++++++++++
t1lib.spec | 16 ++++-
3 files changed, 162 insertions(+), 1 deletions(-)
---
diff --git a/t1lib-5.0.2-afm-fix.patch b/t1lib-5.0.2-afm-fix.patch
new file mode 100644
index 0000000..66fbf4d
--- /dev/null
+++ b/t1lib-5.0.2-afm-fix.patch
@@ -0,0 +1,23 @@
+diff -up t1lib-5.1.2/lib/t1lib/parseAFM.c.orig t1lib-5.1.2/lib/t1lib/parseAFM.c
+--- t1lib-5.1.2/lib/t1lib/parseAFM.c.orig 2007-12-23 16:49:42.000000000 +0100
++++ t1lib-5.1.2/lib/t1lib/parseAFM.c 2011-05-10 23:59:08.726465425 +0200
+@@ -199,7 +199,8 @@ static char *token(stream)
+ idx = 0;
+
+ while (ch != EOF && ch != ' ' && ch != CR && ch != LF &&
+- ch != CTRL_Z && ch != '\t' && ch != ':' && ch != ';'){
++ ch != CTRL_Z && ch != '\t' && ch != ':' && ch != ';' &&
++ idx < (MAX_NAME - 1)){
+ ident[idx++] = ch;
+ ch = fgetc(stream);
+ } /* while */
+@@ -235,7 +236,8 @@ static char *linetoken(stream)
+ while ((ch = fgetc(stream)) == ' ' || ch == '\t' );
+
+ idx = 0;
+- while (ch != EOF && ch != CR && ch != LF && ch != CTRL_Z)
++ while (ch != EOF && ch != CR && ch != LF && ch != CTRL_Z &&
++ idx < (MAX_NAME - 1))
+ {
+ ident[idx++] = ch;
+ ch = fgetc(stream);
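Review bot: The added `idx < (MAX_NAME - 1)` bound in `token` and `linetoken` stops the copy but leaves the rest of an over-long name in the stream, so the tail will presumably come back from the next call as if it were a separate token. Consider draining the remaining characters up to the delimiter once the limit is hit, or returning a parse error, so that a malformed AFM file is rejected rather than re-tokenised. The bound also assumes `ident` is declared with `MAX_NAME` bytes, which is outside the hunk; a comment such as `/* ident holds MAX_NAME bytes; keep one for the terminator */` next to the condition would make that dependency explicit. Both function bodies continue outside the hunks.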
diff --git a/t1lib-5.0.2-type1-inv-rw-fix.patch b/t1lib-5.0.2-type1-inv-rw-fix.patch
new file mode 100644
index 0000000..1237803
--- /dev/null
+++ b/t1lib-5.0.2-type1-inv-rw-fix.patch
@@ -0,0 +1,124 @@
+diff -up t1lib-5.1.2/lib/type1/lines.c.orig t1lib-5.1.2/lib/type1/lines.c
+--- t1lib-5.1.2/lib/type1/lines.c.orig 2007-12-23 16:49:42.000000000 +0100
++++ t1lib-5.1.2/lib/type1/lines.c 2012-01-10 00:50:01.617614468 +0100
+@@ -67,6 +67,10 @@ This module provides the following entry
+ None.
+ */
+
++#define BITS (sizeof(LONG)*8)
++#define HIGHTEST(p) (((p)>>(BITS-2)) != 0) /* includes sign bit */
++#define TOOBIG(xy) ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy))
++
+ /*
+ :h2.StepLine() - Produces Run Ends for a Line After Checks
+
+@@ -84,6 +88,9 @@ void StepLine(R, x1, y1, x2, y2)
+ IfTrace4((LineDebug > 0), ".....StepLine: (%d,%d) to (%d,%d)\n",
+ x1, y1, x2, y2);
+
++ if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2))
++ abort("Lines this big not supported", 49);
++
+ dy = y2 - y1;
+
+ /*
+diff -up t1lib-5.1.2/lib/type1/objects.c.orig t1lib-5.1.2/lib/type1/objects.c
+--- t1lib-5.1.2/lib/type1/objects.c.orig 2007-12-23 16:49:42.000000000 +0100
++++ t1lib-5.1.2/lib/type1/objects.c 2012-01-10 00:55:18.082937510 +0100
+@@ -1137,12 +1137,13 @@ char *t1_get_abort_message( int number)
+ "Context: out of them", /* 46 */
+ "MatrixInvert: can't", /* 47 */
+ "xiStub called", /* 48 */
+- "Illegal access type1 abort() message" /* 49 */
++ "Lines this big not supported", /* 49 */
++ "Illegal access type1 abort() message" /* 50 */
+ };
+
+- /* no is valid from 1 to 48 */
+- if ( (number<1)||(number>48))
+- number=49;
++ /* no is valid from 1 to 49 */
++ if ( (number<1)||(number>49))
++ number=50;
+ return( err_msgs[number-1]);
+
+ }
+diff -up t1lib-5.1.2/lib/type1/type1.c.orig t1lib-5.1.2/lib/type1/type1.c
+--- t1lib-5.1.2/lib/type1/type1.c.orig 2007-12-23 21:19:42.000000000 +0530
++++ t1lib-5.1.2/lib/type1/type1.c 2012-01-04 13:11:50.324115578 +0530
+@@ -1012,6 +1012,7 @@
+ double nextdtana = 0.0; /* tangent of post-delta against horizontal line */
+ double nextdtanb = 0.0; /* tangent of post-delta against vertical line */
+
++ if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n");
+
+ /* setup default hinted position */
+ ppoints[numppoints-1].ax = ppoints[numppoints-1].x;
+@@ -1289,7 +1290,7 @@
+ static int DoRead(CodeP)
+ int *CodeP;
+ {
+- if (strindex >= CharStringP->len) return(FALSE); /* end of string */
++ if (!CharStringP || strindex >= CharStringP->len) return(FALSE); /* end of string */
+ /* We handle the non-documented Adobe convention to use lenIV=-1 to
+ suppress charstring encryption. */
+ if (blues->lenIV==-1) {
+@@ -1700,6 +1701,7 @@
+ long pindex = 0;
+
+ /* compute hinting for previous segment! */
++ if (ppoints == NULL || numppoints < 2 ) Error0i("RLineTo: No previous point!\n");
+ FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
+
+ /* Allocate a new path point and pre-setup data */
+@@ -1728,6 +1730,7 @@
+ long pindex = 0;
+
+ /* compute hinting for previous point! */
++ if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n");
+ FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
+
+ /* Allocate three new path points and pre-setup data */
+@@ -1786,7 +1789,9 @@
+ long tmpind;
+ double deltax = 0.0;
+ double deltay = 0.0;
+-
++
++ if (ppoints == NULL || numppoints < 1) Error0i("DoClosePath: No previous point!");
++
+ /* If this ClosePath command together with the starting point of this
+ path completes to a segment aligned to a stem, we would miss
+ hinting for this point. --> Check and explicitly care for this! */
+@@ -1801,6 +1806,7 @@
+ deltax = ppoints[i].x - ppoints[numppoints-1].x;
+ deltay = ppoints[i].y - ppoints[numppoints-1].y;
+
++ if (ppoints == NULL || numppoints <= i + 1) Error0i("DoClosePath: No previous point!");
+ /* save nummppoints and reset to move point */
+ tmpind = numppoints;
+ numppoints = i + 1;
+@@ -1903,6 +1909,7 @@
+ FindStems( currx, curry, 0, 0, dx, dy);
+ }
+ else {
++ if (ppoints == NULL || numppoints < 2) Error0i("RMoveTo: No previous point!\n");
+ FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy);
+ }
+
+@@ -2152,6 +2159,7 @@
+ DOUBLE cx, cy;
+ DOUBLE ex, ey;
+
++ if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous point!");
+
+ /* Our PPOINT list now contains 7 moveto commands which
+ are about to be consumed by the Flex mechanism. --> Remove these
+@@ -2321,6 +2329,7 @@
+ struct segment *CurrentPoint;
+ DOUBLE CurrentX, CurrentY;
+
++ if (ppoints == NULL || numppoints < 1) Error0v("FlxProc2: No previous point!");
+ /* Push CurrentPoint on fake PostScript stack */
+ PSFakePush( ppoints[numppoints-1].x);
+ PSFakePush( ppoints[numppoints-1].y);
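Review bot: `TOOBIG(xy)` in lines.c negates its argument to test the magnitude, and `-xy` is signed overflow (undefined behaviour) when the coordinate is the most negative value, which is the kind of input the new StepLine guard is meant to catch. The macro parameter is also used unparenthesised, so an expression argument would be mis-parsed. A form that avoids the negation is `#define TOOBIG(xy) (((xy) < 0) ? HIGHTEST(-((xy) + 1)) : HIGHTEST(xy))`; it accepts one more value at the negative boundary, so confirm that this still keeps `dy = y2 - y1` in range. `BITS` comes from `sizeof(LONG)`, so the test also assumes the coordinates are no wider than `LONG`; their declarations are outside the hunk.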
diff --git a/t1lib.spec b/t1lib.spec
index da6b8af..be2c56a 100644
--- a/t1lib.spec
+++ b/t1lib.spec
@@ -1,6 +1,6 @@
Name: t1lib
Version: 5.0.2
-Release: 1
+Release: 2
Epoch: 0
Summary: PostScript Type 1 font rasterizer
@@ -16,6 +16,12 @@ Patch2: t1lib-5.0.0-xglyph-env.patch
Patch3: t1lib-5.0.0-hintfix.patch
# From Debian's t1lib-5.0.0-4 (slightly tweaked):
Patch5: t1lib-5.0.0-t1libconfig.patch
+# Fixes CVE-2010-2642, CVE-2011-0433
+# http://bugzilla.redhat.com/show_bug.cgi?id=679732
+Patch6: t1lib-5.0.2-afm-fix.patch
+# Fixes CVE-2011-0764, CVE-2011-1552, CVE-2011-1553, CVE-2011-1554
+# http://bugzilla.redhat.com/show_bug.cgi?id=692909
+Patch7: t1lib-5.0.2-type1-inv-rw-fix.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
BuildRequires: XFree86-devel
@@ -46,6 +52,8 @@ This package contains header files and static libraries for %{name}.
%patch1 -p1
%patch2 -p1
%patch5 -p1
+%patch6 -p1 -b .afm-fix
+%patch7 -p1 -b .type1-inv-rw-fix
%build
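Review bot: Patch6 and Patch7 are applied here with `-p1`, but the headers inside both patch files name `t1lib-5.1.2/...` while this spec builds Version 5.0.2, and the type1.c hunks carry no function names in their `@@` lines. If the 5.0.2 sources differ around those locations, patch may apply a guard with an offset or fuzz and land it in the wrong function without failing the build. It would be worth checking the %prep output for offset or fuzz messages and, once confirmed, recording that next to the Patch6/Patch7 declarations, for example `# Taken from the t1lib-5.1.2 patches; verified to apply cleanly to 5.0.2`.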
@@ -106,6 +114,12 @@ fi
%changelog
+* Tue Jan 10 2012 Jaroslav Škarvada <jskarvad at redhat.com> - 0:5.0.2-2
+- Add patch to fix CVE-2010-2642, CVE-2011-0433 (afm-fix patch)
+- New version of patch for CVE-2011-0764, also fixes CVE-2011-1552,
+ CVE-2011-1553, CVE-2011-1554 (type1-inv-rw-fix patch)
+ Resolves: rhbz#772899
+
* Thu Mar 11 2004 Marius L. Jøhndal <mariuslj at ifi.uio.no> - 0:5.0.2-0.fdr.1
- Updated to 5.0.2.