[freetype/f21] Don't append to stem arrays after hintmask is constructed

mkasik mkasik at fedoraproject.org
Wed Dec 10 16:37:51 UTC 2014 

commit 28c294f8c9d8ec28498114eed32cb7db52fb1ea9
Author: Marek Kasik <mkasik at redhat.com>
Date:   Wed Dec 10 17:34:18 2014 +0100

    Don't append to stem arrays after hintmask is constructed
    
    Related: #1172634

 freetype-2.5.3-hintmask.patch |   92 +++++++++++++++++++++++++++++++++++++++++
 freetype.spec                 |   11 ++++-
 2 files changed, 102 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.5.3-hintmask.patch b/freetype-2.5.3-hintmask.patch
new file mode 100644
index 0000000..15954fc
--- /dev/null
+++ b/freetype-2.5.3-hintmask.patch
@@ -0,0 +1,92 @@
+From 2cdc4562f873237f1c77d43540537c7a721d3fd8 Mon Sep 17 00:00:00 2001
+From: Dave Arnold <darnold at adobe.com>
+Date: Thu, 04 Dec 2014 05:10:16 +0000
+Subject: [cff] Fix Savannah bug #43661.
+
+* src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdHSTEM,
+cf2_cmdVSTEM, cf2_cmdHINTMASK>: Don't append to stem arrays after
+hintmask is constructed.
+
+* src/cff/cf2hints.c (cf2_hintmap_build): Add defensive code to
+avoid reading past end of hintmask.
+---
+diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c
+index 81049f4..28a892b 100644
+--- a/src/cff/cf2hints.c
++++ b/src/cff/cf2hints.c
+@@ -794,9 +794,12 @@
+     maskPtr      = cf2_hintmask_getMaskPtr( &tempHintMask );
+ 
+     /* use the hStem hints only, which are first in the mask */
+-    /* TODO: compare this to cffhintmaskGetBitCount */
+     bitCount = cf2_arrstack_size( hStemHintArray );
+ 
++    /* Defense-in-depth.  Should never return here. */
++    if ( bitCount > hintMask->bitCount )
++        return;
++
+     /* synthetic embox hints get highest priority */
+     if ( font->blues.doEmBoxHints )
+     {
+diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c
+index 5610917..a269606 100644
+--- a/src/cff/cf2intrp.c
++++ b/src/cff/cf2intrp.c
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    Adobe's CFF Interpreter (body).                                      */
+ /*                                                                         */
+-/*  Copyright 2007-2013 Adobe Systems Incorporated.                        */
++/*  Copyright 2007-2014 Adobe Systems Incorporated.                        */
+ /*                                                                         */
+ /*  This software, and all works of authorship, whether in source or       */
+ /*  object code form as indicated by the copyright notice(s) included      */
+@@ -593,8 +593,11 @@
+ 
+         /* never add hints after the mask is computed */
+         if ( cf2_hintmask_isValid( &hintMask ) )
++        {
+           FT_TRACE4(( "cf2_interpT2CharString:"
+                       " invalid horizontal hint mask\n" ));
++          break;
++        }
+ 
+         cf2_doStems( font,
+                      opStack,
+@@ -614,8 +617,11 @@
+ 
+         /* never add hints after the mask is computed */
+         if ( cf2_hintmask_isValid( &hintMask ) )
++        {
+           FT_TRACE4(( "cf2_interpT2CharString:"
+                       " invalid vertical hint mask\n" ));
++          break;
++        }
+ 
+         cf2_doStems( font,
+                      opStack,
+@@ -1141,15 +1147,16 @@
+         /* `cf2_hintmask_read' (which also traces the mask bytes) */
+         FT_TRACE4(( op1 == cf2_cmdCNTRMASK ? " cntrmask" : " hintmask" ));
+ 
+-        /* if there are arguments on the stack, there this is an */
+-        /* implied cf2_cmdVSTEMHM                                */
+-        if ( cf2_stack_count( opStack ) != 0 )
++        /* never add hints after the mask is computed */
++        if ( cf2_stack_count( opStack ) > 1    &&
++             cf2_hintmask_isValid( &hintMask ) )
+         {
+-          /* never add hints after the mask is computed */
+-          if ( cf2_hintmask_isValid( &hintMask ) )
+-            FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" ));
++          FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" ));
++          break;
+         }
+ 
++        /* if there are arguments on the stack, there this is an */
++        /* implied cf2_cmdVSTEMHM                                */
+         cf2_doStems( font,
+                      opStack,
+                      &vStemHintArray,
+--
+cgit v0.9.0.2
diff --git a/freetype.spec b/freetype.spec
index ea1cbaa..2b4e752 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -7,7 +7,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.5.3
-Release: 11%{?dist}
+Release: 12%{?dist}
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -35,6 +35,9 @@ Patch91:  freetype-2.5.3-freetype-config-libs.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1161963
 Patch92:  freetype-2.5.3-freetype-config-prefix.patch
 
+# https://bugzilla.gnome.org/show_bug.cgi?id=1172634
+Patch93:  freetype-2.5.3-hintmask.patch
+
 Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
 BuildRequires: libX11-devel
@@ -102,6 +105,8 @@ popd
 
 %patch92 -p1 -b .freetype-config-prefix
 
+%patch93 -p1 -b .hintmask
+
 %build
 
 %configure --disable-static \
@@ -222,6 +227,10 @@ rm -rf $RPM_BUILD_ROOT
 %{_mandir}/man1/*
 
 %changelog
+* Wed Dec 10 2014 Marek Kasik <mkasik at redhat.com> - 2.5.3-12
+- Don't append to stem arrays after hintmask is constructed.
+- Related: #1172634
+
 * Tue Nov 11 2014 Marek Kasik <mkasik at redhat.com> - 2.5.3-11
 - Fix directories returned by freetype-config with modified prefix
 - Resolves: #1161963

More information about the scm-commits mailing list