SOURCES (AC-branch): freetype-CVE-2006-0747.patch (NEW), freetype-...
qboosh
qboosh at pld-linux.org
Wed Jul 26 10:38:17 CEST 2006
Author: qboosh Date: Wed Jul 26 08:38:17 2006 GMT
Module: SOURCES Tag: AC-branch
---- Log message:
- backports from 2.2.x, taken from Mandriva, adjusted for 2.1.10
---- Files affected:
SOURCES:
freetype-CVE-2006-0747.patch (NONE -> 1.1.2.1) (NEW), freetype-CVE-2006-1861.patch (NONE -> 1.1.2.1) (NEW), freetype-CVE-2006-2661.patch (NONE -> 1.1.2.1) (NEW)
---- Diffs:
================================================================
Index: SOURCES/freetype-CVE-2006-0747.patch
diff -u /dev/null SOURCES/freetype-CVE-2006-0747.patch:1.1.2.1
--- /dev/null Wed Jul 26 10:38:17 2006
+++ SOURCES/freetype-CVE-2006-0747.patch Wed Jul 26 10:38:12 2006
@@ -0,0 +1,56 @@
+--- freetype-2.1.10/src/cff/cffload.c.cve-2006-0747 2005-05-05 23:49:46.000000000 -0600
++++ freetype-2.1.10/src/cff/cffload.c 2006-06-07 17:14:49.008597503 -0600
+@@ -1235,7 +1235,7 @@
+ }
+
+ /* access element */
+- if ( off1 )
++ if ( off1 && off2 > off1 )
+ {
+ *pbyte_len = off2 - off1;
+
+@@ -2040,6 +2040,9 @@
+ FT_FRAME_EXIT();
+ if ( error )
+ goto Exit;
++
++ /* ensure that 'num_blue_values' is even */
++ priv->num_blue_values &= ~1;
+ }
+
+ /* read the local subrs, if any */
+--- freetype-2.1.10/src/cache/ftccache.c.cve-2006-0747 2006-06-07 17:22:33.455176716 -0600
++++ freetype-2.1.10/src/cache/ftccache.c 2006-06-07 17:23:58.303949385 -0600
+@@ -246,7 +246,8 @@
+
+
+ /* remove a node from the cache manager */
+- FT_EXPORT_DEF( void )
++ /* this function is FT_BASE since it may be called by old rogue clients */
++ FT_BASE_DEF( void )
+ ftc_node_destroy( FTC_Node node,
+ FTC_Manager manager )
+ {
+--- freetype-2.1.10/src/type1/t1load.c.cve-2006-0747 2005-04-14 05:39:28.000000000 -0600
++++ freetype-2.1.10/src/type1/t1load.c 2006-06-07 17:14:49.009597324 -0600
+@@ -1990,6 +1990,9 @@
+ if ( error )
+ goto Exit;
+
++ /* ensure even-ness of 'num_blue_values' */
++ priv->num_blue_values &= ~1;
++
+ #ifndef T1_CONFIG_OPTION_NO_MM_SUPPORT
+
+ /* the following can happen for MM instances; we then treat the */
+--- freetype-2.1.10/src/pshinter/pshglob.c.cve-2006-0747 2004-04-02 00:13:53.000000000 -0700
++++ freetype-2.1.10/src/pshinter/pshglob.c 2006-06-07 17:14:49.009597324 -0600
+@@ -150,7 +150,7 @@
+ FT_UNUSED( target );
+
+
+- for ( ; read_count > 0; read_count -= 2 )
++ for ( ; read_count > 1; read_count -= 2 )
+ {
+ FT_Int reference, delta;
+ FT_UInt count;
================================================================
Index: SOURCES/freetype-CVE-2006-1861.patch
diff -u /dev/null SOURCES/freetype-CVE-2006-1861.patch:1.1.2.1
--- /dev/null Wed Jul 26 10:38:17 2006
+++ SOURCES/freetype-CVE-2006-1861.patch Wed Jul 26 10:38:12 2006
@@ -0,0 +1,138 @@
+--- freetype-2.1.9/src/bdf/bdflib.c.cve-2006-1861 2004-06-22 06:28:17.000000000 -0600
++++ freetype-2.1.9/src/bdf/bdflib.c 2006-06-08 12:50:32.714640440 -0600
+@@ -1098,6 +1098,7 @@
+ #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n"
+ #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n"
+ #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n"
++#define ERRMSG4 "[line %ld] BBX too big.\n"
+
+
+ static FT_Error
+@@ -1570,6 +1571,14 @@
+ goto Exit;
+ p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 );
+
++ /* Check that the encoding is in the range [0,65536] because */
++ /* otherwise p->have (a bitmap with static size) overflows. */
++ if ( p->glyph_enc >= sizeof(p->have)*8 )
++ {
++ error = BDF_Err_Invalid_File_Format;
++ goto Exit;
++ }
++
+ /* Check to see whether this encoding has already been encountered. */
+ /* If it has then change it to unencoded so it gets added if */
+ /* indicated. */
+@@ -1820,6 +1829,8 @@
+ /* And finally, gather up the bitmap. */
+ if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
+ {
++ unsigned long bitmap_size;
++
+ if ( !( p->flags & _BDF_BBX ) )
+ {
+ /* Missing BBX field. */
+@@ -1830,7 +1841,16 @@
+
+ /* Allocate enough space for the bitmap. */
+ glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
+- glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height );
++
++ bitmap_size = glyph->bpr * glyph->bbx.height;
++ if ( bitmap_size > 0xFFFFU )
++ {
++ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
++ error = BDF_Err_Bbx_Too_Big;
++ goto Exit;
++ }
++ else
++ glyph->bytes = (unsigned short)bitmap_size;
+
+ if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) )
+ goto Exit;
+--- freetype-2.1.9/src/cff/cffgload.h.cve-2006-1861 2004-05-13 15:59:17.000000000 -0600
++++ freetype-2.1.9/src/cff/cffgload.h 2006-06-08 12:50:32.714640440 -0600
+@@ -196,7 +196,7 @@ FT_BEGIN_HEADER
+ FT_LOCAL( FT_Error )
+ cff_slot_load( CFF_GlyphSlot glyph,
+ CFF_Size size,
+- FT_Int glyph_index,
++ FT_UInt glyph_index,
+ FT_Int32 load_flags );
+
+
+--- freetype-2.1.10/src/cff/cffload.c.cve-2006-1861 2006-06-08 12:50:32.703642430 -0600
++++ freetype-2.1.10/src/cff/cffload.c 2006-06-08 12:52:52.338376597 -0600
+@@ -1688,6 +1688,8 @@
+
+ for ( i = 0; i < num_glyphs; i++ )
+ charset->cids[charset->sids[i]] = (FT_UShort)i;
++
++ charset->max_cid = max_cid;
+ }
+
+ Exit:
+@@ -2011,7 +2013,7 @@
+
+ if ( error )
+ goto Exit;
+-
++
+ /* if it is a CID font, we stop there */
+ if ( top->cid_registry != 0xFFFFU )
+ goto Exit;
+--- freetype-2.1.9/src/cff/cffgload.c.cve-2006-1861 2004-05-13 15:59:17.000000000 -0600
++++ freetype-2.1.9/src/cff/cffgload.c 2006-06-08 12:50:32.717639897 -0600
+@@ -2284,7 +2284,7 @@
+ FT_LOCAL_DEF( FT_Error )
+ cff_slot_load( CFF_GlyphSlot glyph,
+ CFF_Size size,
+- FT_Int glyph_index,
++ FT_UInt glyph_index,
+ FT_Int32 load_flags )
+ {
+ FT_Error error;
+@@ -2330,7 +2330,7 @@
+
+ error = sfnt->load_sbit_image( face,
+ (FT_ULong)size->strike_index,
+- (FT_UInt)glyph_index,
++ glyph_index,
+ (FT_Int)load_flags,
+ stream,
+ &glyph->root.bitmap,
+@@ -2393,7 +2393,12 @@
+ /* subsetted font, glyph_indices and CIDs are identical, though */
+ if ( cff->top_font.font_dict.cid_registry != 0xFFFFU &&
+ cff->charset.cids )
+- glyph_index = cff->charset.cids[glyph_index];
++ {
++ if ( glyph_index < cff->charset.max_cid )
++ glyph_index = cff->charset.cids[glyph_index];
++ else
++ glyph_index = 0;
++ }
+
+ cff_decoder_init( &decoder, face, size, glyph, hinting,
+ FT_LOAD_TARGET_MODE( load_flags ) );
+--- freetype-2.1.9/src/cff/cfftypes.h.cve-2006-1861 2003-12-20 00:30:05.000000000 -0700
++++ freetype-2.1.9/src/cff/cfftypes.h 2006-06-08 12:50:32.717639897 -0600
+@@ -84,6 +84,7 @@ FT_BEGIN_HEADER
+ FT_UShort* sids;
+ FT_UShort* cids; /* the inverse mapping of `sids'; only needed */
+ /* for CID-keyed fonts */
++ FT_UInt max_cid;
+ } CFF_CharsetRec, *CFF_Charset;
+
+
+--- freetype-2.1.9/include/freetype/fterrdef.h.cve-2006-1861 2004-02-12 01:33:20.000000000 -0700
++++ freetype-2.1.9/include/freetype/fterrdef.h 2006-06-08 12:50:32.718639716 -0600
+@@ -226,6 +226,8 @@
+ "`ENCODING' field missing" )
+ FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \
+ "`BBX' field missing" )
++ FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \
++ "`BBX' too big" )
+
+
+ /* END */
================================================================
Index: SOURCES/freetype-CVE-2006-2661.patch
diff -u /dev/null SOURCES/freetype-CVE-2006-2661.patch:1.1.2.1
--- /dev/null Wed Jul 26 10:38:17 2006
+++ SOURCES/freetype-CVE-2006-2661.patch Wed Jul 26 10:38:12 2006
@@ -0,0 +1,62 @@
+--- freetype-2.1.10/src/base/ftutil.c.cve-2006-2661 2005-03-03 15:59:06.000000000 -0700
++++ freetype-2.1.10/src/base/ftutil.c 2006-06-07 18:09:04.314309308 -0600
+@@ -52,6 +52,8 @@
+ FT_Long size,
+ void* *P )
+ {
++ FT_Error error = FT_Err_Ok;
++
+ FT_ASSERT( P != 0 );
+
+ if ( size > 0 )
+@@ -68,13 +70,17 @@
+ FT_MEM_ZERO( *P, size );
+ }
+ else
++ {
+ *P = NULL;
++ if ( size < 0 )
++ error = FT_Err_Invalid_Argument;
++ }
+
+ FT_TRACE7(( "FT_Alloc:" ));
+ FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n",
+ size, *P, P ));
+
+- return FT_Err_Ok;
++ return error;
+ }
+
+
+@@ -128,11 +134,14 @@
+ return FT_Alloc( memory, size, P );
+
+ /* if the new block if zero-sized, clear the current one */
+- if ( size <= 0 )
++ if ( size == 0 )
+ {
+ FT_Free( memory, P );
+ return FT_Err_Ok;
+ }
++
++ if ( size < 0 || current < 0 )
++ return FT_Err_Invalid_Argument;
+
+ Q = memory->realloc( memory, current, size, *P );
+ if ( !Q )
+@@ -170,11 +179,14 @@
+ return FT_QAlloc( memory, size, P );
+
+ /* if the new block if zero-sized, clear the current one */
+- if ( size <= 0 )
++ if ( size == 0 )
+ {
+ FT_Free( memory, P );
+ return FT_Err_Ok;
+ }
++
++ if ( size < 0 || current < 0 )
++ return FT_Err_Invalid_Argument;
+
+ Q = memory->realloc( memory, current, size, *P );
+ if ( !Q )
================================================================
More information about the pld-cvs-commit
mailing list