[freetype/f21] Fix openning of uncompressed PCF fonts
mkasik
mkasik at fedoraproject.org
Tue Feb 24 12:40:18 UTC 2015
commit 5fe4fcf7a4ba9f52bf9f397585d1e735043c6874
Author: Marek Kasik <mkasik at redhat.com>
Date: Tue Feb 24 13:39:09 2015 +0100
Fix opening of uncompressed PCF fonts
Resolves: #1195652
freetype-2.5.3-pcf-read-a.patch | 125 ++++++++++++++++++++++++++++++++++++++++
freetype-2.5.3-pcf-read-b.patch | 37 ++++++++++++
freetype.spec | 13 ++++-
3 files changed, 174 insertions(+), 1 deletion(-)
---
diff --git a/freetype-2.5.3-pcf-read-a.patch b/freetype-2.5.3-pcf-read-a.patch
new file mode 100644
index 0000000..d7f2036
--- /dev/null
+++ b/freetype-2.5.3-pcf-read-a.patch
@@ -0,0 +1,125 @@
+From 74af85c4b62b35e55b0ce9dec55ee10cbc4962a2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl at gnu.org>
+Date: Mon, 8 Dec 2014 16:01:50 +0100
+Subject: [PATCH] [pcf] Fix Savannah bug #43774.
+
+Work around `features' of X11's `pcfWriteFont' and `pcfReadFont'
+functions. Since the PCF format doesn't have an official
+specification, we have to exactly follow these functions' behaviour.
+
+The problem was unveiled with a patch from 2014-11-06, fixing issue #43547.
+
+* src/pcf/pcfread.c (pcf_read_TOC): Don't check table size for last
+element. Instead, assign real size.
+---
+ ChangeLog | 14 ++++++++++++++
+ src/pcf/pcfread.c | 54 +++++++++++++++++++++++++++++++++++++++++++-----------
+ 2 files changed, 57 insertions(+), 11 deletions(-)
+
+diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
+index 998cbed..e3caf82 100644
+--- a/src/pcf/pcfread.c
++++ b/src/pcf/pcfread.c
+@@ -2,7 +2,7 @@
+
+ FreeType font driver for pcf fonts
+
+- Copyright 2000-2010, 2012, 2013 by
++ Copyright 2000-2010, 2012-2014 by
+ Francesco Zappa Nardelli
+
+ Permission is hereby granted, free of charge, to any person obtaining a copy
+@@ -78,7 +78,7 @@ THE SOFTWARE.
+ FT_FRAME_START( 16 ),
+ FT_FRAME_ULONG_LE( type ),
+ FT_FRAME_ULONG_LE( format ),
+- FT_FRAME_ULONG_LE( size ),
++ FT_FRAME_ULONG_LE( size ), /* rounded up to a multiple of 4 */
+ FT_FRAME_ULONG_LE( offset ),
+ FT_FRAME_END
+ };
+@@ -95,9 +95,11 @@ THE SOFTWARE.
+ FT_Memory memory = FT_FACE( face )->memory;
+ FT_UInt n;
+
++ FT_ULong size;
+
+- if ( FT_STREAM_SEEK ( 0 ) ||
+- FT_STREAM_READ_FIELDS ( pcf_toc_header, toc ) )
++
++ if ( FT_STREAM_SEEK( 0 ) ||
++ FT_STREAM_READ_FIELDS( pcf_toc_header, toc ) )
+ return FT_THROW( Cannot_Open_Resource );
+
+ if ( toc->version != PCF_FILE_VERSION ||
+@@ -151,14 +153,35 @@ THE SOFTWARE.
+ break;
+ }
+
+- /* we now check whether the `size' and `offset' values are reasonable: */
+- /* `offset' + `size' must not exceed the stream size */
++ /*
++ * We now check whether the `size' and `offset' values are reasonable:
++ * `offset' + `size' must not exceed the stream size.
++ *
++ * Note, however, that X11's `pcfWriteFont' routine (used by the
++ * `bdftopcf' program to create PDF font files) has two special
++ * features.
++ *
++ * - It always assigns the accelerator table a size of 100 bytes in the
++ * TOC, regardless of its real size, which can vary between 34 and 72
++ * bytes.
++ *
++ * - Due to the way the routine is designed, it ships out the last font
++ * table with its real size, ignoring the TOC's size value. Since
++ * the TOC size values are always rounded up to a multiple of 4, the
++ * difference can be up to three bytes for all tables except the
++ * accelerator table, for which the difference can be as large as 66
++ * bytes.
++ *
++ */
++
+ tables = face->toc.tables;
+- for ( n = 0; n < toc->count; n++ )
++ size = stream->size;
++
++ for ( n = 0; n < toc->count - 1; n++ )
+ {
+ /* we need two checks to avoid overflow */
+- if ( ( tables->size > stream->size ) ||
+- ( tables->offset > stream->size - tables->size ) )
++ if ( ( tables->size > size ) ||
++ ( tables->offset > size - tables->size ) )
+ {
+ error = FT_THROW( Invalid_Table );
+ goto Exit;
+@@ -166,6 +189,15 @@ THE SOFTWARE.
+ tables++;
+ }
+
++ /* no check of `tables->size' for last table element ... */
++ if ( ( tables->offset > size ) )
++ {
++ error = FT_THROW( Invalid_Table );
++ goto Exit;
++ }
++ /* ... instead, we adjust `tables->size' to the real value */
++ tables->size = size - tables->offset;
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+
+ {
+@@ -714,8 +746,8 @@ THE SOFTWARE.
+
+ FT_TRACE4(( " number of bitmaps: %d\n", nbitmaps ));
+
+- /* XXX: PCF_Face->nmetrics is singed FT_Long, see pcf.h */
+- if ( face->nmetrics < 0 || nbitmaps != ( FT_ULong )face->nmetrics )
++ /* XXX: PCF_Face->nmetrics is signed FT_Long, see pcf.h */
++ if ( face->nmetrics < 0 || nbitmaps != (FT_ULong)face->nmetrics )
+ return FT_THROW( Invalid_File_Format );
+
+ if ( FT_NEW_ARRAY( offsets, nbitmaps ) )
+--
+2.1.0
+
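Review bot: The new loop bound `for ( n = 0; n < toc->count - 1; n++ )` in pcf_read_TOC is only safe if `toc->count` is known to be non-zero: `count` is read from the font file (presumably as an unsigned FT_ULong like the other TOC fields), so a zero count wraps the bound and the loop keeps doing `tables++` past the end of `face->toc.tables`. The validation of `toc->count` lives in the condition that begins at `if ( toc->version != PCF_FILE_VERSION ||` and continues outside this hunk, so I cannot confirm from here that it rejects `count == 0`; if it does not, add `toc->count == 0` to that rejection before relying on the subtraction. The post-loop check `if ( ( tables->offset > size ) )` also lets `offset == size` through and then assigns `tables->size = 0`, which is bounds-safe but deserves a one-line comment such as `/* an empty last table (offset == stream size) is accepted */`. Nit: the new comment block says `PDF font files` where `PCF` is meant. pcf_read_TOC starts and ends outside this hunk.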
diff --git a/freetype-2.5.3-pcf-read-b.patch b/freetype-2.5.3-pcf-read-b.patch
new file mode 100644
index 0000000..93a5861
--- /dev/null
+++ b/freetype-2.5.3-pcf-read-b.patch
@@ -0,0 +1,37 @@
+From 06842c7b49c21f13c0ab61201daab6ff5a358fcc Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl at gnu.org>
+Date: Sat, 13 Dec 2014 07:42:51 +0100
+Subject: [PATCH] * src/pcf/pcfread.c (pcf_read_TOC): Improve fix from
+ 2014-12-08.
+
+---
+ ChangeLog | 4 ++++
+ src/pcf/pcfread.c | 7 ++++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
+index e3caf82..a29a9e3 100644
+--- a/src/pcf/pcfread.c
++++ b/src/pcf/pcfread.c
+@@ -189,14 +189,15 @@ THE SOFTWARE.
+ tables++;
+ }
+
+- /* no check of `tables->size' for last table element ... */
++ /* only check `tables->offset' for last table element ... */
+ if ( ( tables->offset > size ) )
+ {
+ error = FT_THROW( Invalid_Table );
+ goto Exit;
+ }
+- /* ... instead, we adjust `tables->size' to the real value */
+- tables->size = size - tables->offset;
++ /* ... and adjust `tables->size' to the real value if necessary */
++ if ( tables->size > size - tables->offset )
++ tables->size = size - tables->offset;
+
+ #ifdef FT_DEBUG_LEVEL_TRACE
+
+--
+2.1.0
+
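Review bot: The clamp `if ( tables->size > size - tables->offset ) tables->size = size - tables->offset;` accepts any overshoot of the last table's TOC size, while the rationale documented in the first patch of this commit is a rounding slack of at most 3 bytes (66 for the accelerator table); a font whose last entry claims an absurd size is now silently truncated rather than rejected with Invalid_Table. If the intent is only to absorb the bdftopcf quirk, consider bounding the slack with a constant derived from that comment, e.g. `if ( tables->size - ( size - tables->offset ) > PCF_MAX_TOC_SLACK ) { error = FT_THROW( Invalid_Table ); goto Exit; }` before the clamp, or at least emit an FT_TRACE line when the clamp fires so malformed input stays visible in debug builds. Whether other PCF writers rely on the looser behaviour is not something this page shows, so treat the bound as something to confirm against real fonts. pcf_read_TOC starts and ends outside this hunk.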
diff --git a/freetype.spec b/freetype.spec
index 85e7410..6d4a745 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -7,7 +7,7 @@
Summary: A free and portable font rendering engine
Name: freetype
Version: 2.5.3
-Release: 15%{?dist}
+Release: 16%{?dist}
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
Group: System Environment/Libraries
URL: http://www.freetype.org
@@ -66,6 +66,10 @@ Patch115: freetype-2.5.3-CVE-2014-9674a.patch
Patch116: freetype-2.5.3-unsigned-long.patch
Patch117: freetype-2.5.3-CVE-2014-9674b.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1195652
+Patch118: freetype-2.5.3-pcf-read-a.patch
+Patch119: freetype-2.5.3-pcf-read-b.patch
+
Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
BuildRequires: libX11-devel
@@ -160,6 +164,9 @@ popd
%patch116 -p1 -b .unsigned-long
%patch117 -p1 -b .CVE-2014-9674b
+%patch118 -p1 -b .pcf-read-a
+%patch119 -p1 -b .pcf-read-b
+
%build
%configure --disable-static \
@@ -280,6 +287,10 @@ rm -rf $RPM_BUILD_ROOT
%{_mandir}/man1/*
%changelog
+* Tue Feb 24 2015 Marek Kasik <mkasik at redhat.com> - 2.5.3-16
+- Work around behaviour of X11's `pcfWriteFont' and `pcfReadFont' functions
+- Resolves: #1195652
+
* Tue Feb 17 2015 Marek Kasik <mkasik at redhat.com> - 2.5.3-15
- Fixes CVE-2014-9656
- Check `p' before `num_glyphs'.