SOURCES (AC-branch): freetype-CVE-2006-0747.patch (NEW), freetype-...

qboosh qboosh at pld-linux.org
Wed Jul 26 10:38:17 CEST 2006


Author: qboosh                       Date: Wed Jul 26 08:38:17 2006 GMT
Module: SOURCES                       Tag: AC-branch
---- Log message:
- backports from 2.2.x, taken from Mandriva, adjusted for 2.1.10

---- Files affected:
SOURCES:
   freetype-CVE-2006-0747.patch (NONE -> 1.1.2.1)  (NEW), freetype-CVE-2006-1861.patch (NONE -> 1.1.2.1)  (NEW), freetype-CVE-2006-2661.patch (NONE -> 1.1.2.1)  (NEW)

---- Diffs:

================================================================
Index: SOURCES/freetype-CVE-2006-0747.patch
diff -u /dev/null SOURCES/freetype-CVE-2006-0747.patch:1.1.2.1
--- /dev/null	Wed Jul 26 10:38:17 2006
+++ SOURCES/freetype-CVE-2006-0747.patch	Wed Jul 26 10:38:12 2006
@@ -0,0 +1,56 @@
+--- freetype-2.1.10/src/cff/cffload.c.cve-2006-0747	2005-05-05 23:49:46.000000000 -0600
++++ freetype-2.1.10/src/cff/cffload.c	2006-06-07 17:14:49.008597503 -0600
+@@ -1235,7 +1235,7 @@
+       }
+ 
+       /* access element */
+-      if ( off1 )
++      if ( off1 && off2 > off1 )
+       {
+         *pbyte_len = off2 - off1;
+ 
+@@ -2040,6 +2040,9 @@
+       FT_FRAME_EXIT();
+       if ( error )
+         goto Exit;
++
++      /* ensure that 'num_blue_values' is even */
++      priv->num_blue_values &= ~1;
+     }
+ 
+     /* read the local subrs, if any */
+--- freetype-2.1.10/src/cache/ftccache.c.cve-2006-0747	2006-06-07 17:22:33.455176716 -0600
++++ freetype-2.1.10/src/cache/ftccache.c	2006-06-07 17:23:58.303949385 -0600
+@@ -246,7 +246,8 @@
+ 
+ 
+   /* remove a node from the cache manager */
+-  FT_EXPORT_DEF( void )
++  /* this function is FT_BASE since it may be called by old rogue clients */
++  FT_BASE_DEF( void )
+   ftc_node_destroy( FTC_Node     node,
+                     FTC_Manager  manager )
+   {
+--- freetype-2.1.10/src/type1/t1load.c.cve-2006-0747	2005-04-14 05:39:28.000000000 -0600
++++ freetype-2.1.10/src/type1/t1load.c	2006-06-07 17:14:49.009597324 -0600
+@@ -1990,6 +1990,9 @@
+     if ( error )
+       goto Exit;
+ 
++    /* ensure even-ness of 'num_blue_values' */
++    priv->num_blue_values &= ~1;
++
+ #ifndef T1_CONFIG_OPTION_NO_MM_SUPPORT
+ 
+     /* the following can happen for MM instances; we then treat the */
+--- freetype-2.1.10/src/pshinter/pshglob.c.cve-2006-0747	2004-04-02 00:13:53.000000000 -0700
++++ freetype-2.1.10/src/pshinter/pshglob.c	2006-06-07 17:14:49.009597324 -0600
+@@ -150,7 +150,7 @@
+     FT_UNUSED( target );
+ 
+ 
+-    for ( ; read_count > 0; read_count -= 2 )
++    for ( ; read_count > 1; read_count -= 2 )
+     {
+       FT_Int         reference, delta;
+       FT_UInt        count;
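Review bot: The new guard `if ( off1 && off2 > off1 )` in cffload.c wraps only the `*pbyte_len = off2 - off1` assignment, so what the caller sees when `off2 <= off1` depends on the branch that follows outside the hunk; it is worth confirming that `*pbyte_len` is still written (zero, or an error return) on that fall-through, since an unset length is the same class of problem the check is meant to close. The two `priv->num_blue_values &= ~1;` masks (cffload.c, t1load.c) and the `read_count > 1` loop bound in pshglob.c are complementary halves of one fix: the pshglob loop declares a `reference, delta` pair and steps `read_count -= 2`, so with an odd count the old `> 0` bound presumably read one entry past the last pair, and the masks keep the stored count consistent with what that loop consumes. A comment at each mask, e.g. `/* blue values are consumed in (reference, delta) pairs by pshglob.c; drop a dangling odd entry */`, would keep a later backport from carrying only part of the fix. The ftccache.c hunk changes `ftc_node_destroy` from `FT_EXPORT_DEF` to `FT_BASE_DEF`, which may alter whether the symbol is exported; in a security backport into 2.1.10 that linkage change deserves a line in the commit message so packagers can check downstream callers.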

================================================================
Index: SOURCES/freetype-CVE-2006-1861.patch
diff -u /dev/null SOURCES/freetype-CVE-2006-1861.patch:1.1.2.1
--- /dev/null	Wed Jul 26 10:38:17 2006
+++ SOURCES/freetype-CVE-2006-1861.patch	Wed Jul 26 10:38:12 2006
@@ -0,0 +1,138 @@
+--- freetype-2.1.9/src/bdf/bdflib.c.cve-2006-1861	2004-06-22 06:28:17.000000000 -0600
++++ freetype-2.1.9/src/bdf/bdflib.c	2006-06-08 12:50:32.714640440 -0600
+@@ -1098,6 +1098,7 @@
+ #define ERRMSG1  "[line %ld] Missing \"%s\" line.\n"
+ #define ERRMSG2  "[line %ld] Font header corrupted or missing fields.\n"
+ #define ERRMSG3  "[line %ld] Font glyphs corrupted or missing fields.\n"
++#define ERRMSG4  "[line %ld] BBX too big.\n"
+ 
+ 
+   static FT_Error
+@@ -1570,6 +1571,14 @@
+         goto Exit;
+       p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 );
+ 
++      /* Check that the encoding is in the range [0,65536] because        */
++      /* otherwise p->have (a bitmap with static size) overflows.         */
++      if ( p->glyph_enc >= sizeof(p->have)*8 )
++      {
++        error = BDF_Err_Invalid_File_Format;
++        goto Exit;
++      }
++
+       /* Check to see whether this encoding has already been encountered. */
+       /* If it has then change it to unencoded so it gets added if        */
+       /* indicated.                                                       */
+@@ -1820,6 +1829,8 @@
+     /* And finally, gather up the bitmap. */
+     if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
+     {
++      unsigned long  bitmap_size;
++
+       if ( !( p->flags & _BDF_BBX ) )
+       {
+         /* Missing BBX field. */
+@@ -1830,7 +1841,16 @@
+ 
+       /* Allocate enough space for the bitmap. */
+       glyph->bpr   = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
+-      glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height );
++
++      bitmap_size = glyph->bpr * glyph->bbx.height;
++      if ( bitmap_size > 0xFFFFU )
++      {
++        FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
++        error = BDF_Err_Bbx_Too_Big;
++        goto Exit;
++      }
++      else
++        glyph->bytes = (unsigned short)bitmap_size;
+ 
+       if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) )
+         goto Exit;
+--- freetype-2.1.9/src/cff/cffgload.h.cve-2006-1861	2004-05-13 15:59:17.000000000 -0600
++++ freetype-2.1.9/src/cff/cffgload.h	2006-06-08 12:50:32.714640440 -0600
+@@ -196,7 +196,7 @@ FT_BEGIN_HEADER
+   FT_LOCAL( FT_Error )
+   cff_slot_load( CFF_GlyphSlot  glyph,
+                  CFF_Size       size,
+-                 FT_Int         glyph_index,
++                 FT_UInt        glyph_index,
+                  FT_Int32       load_flags );
+ 
+ 
+--- freetype-2.1.10/src/cff/cffload.c.cve-2006-1861	2006-06-08 12:50:32.703642430 -0600
++++ freetype-2.1.10/src/cff/cffload.c	2006-06-08 12:52:52.338376597 -0600
+@@ -1688,6 +1688,8 @@
+ 
+       for ( i = 0; i < num_glyphs; i++ )
+         charset->cids[charset->sids[i]] = (FT_UShort)i;
++
++      charset->max_cid = max_cid;
+     }
+ 
+   Exit:
+@@ -2011,7 +2013,7 @@
+ 
+     if ( error )
+       goto Exit;
+-
++ 
+     /* if it is a CID font, we stop there */
+     if ( top->cid_registry != 0xFFFFU )
+       goto Exit;
+--- freetype-2.1.9/src/cff/cffgload.c.cve-2006-1861	2004-05-13 15:59:17.000000000 -0600
++++ freetype-2.1.9/src/cff/cffgload.c	2006-06-08 12:50:32.717639897 -0600
+@@ -2284,7 +2284,7 @@
+   FT_LOCAL_DEF( FT_Error )
+   cff_slot_load( CFF_GlyphSlot  glyph,
+                  CFF_Size       size,
+-                 FT_Int         glyph_index,
++                 FT_UInt        glyph_index,
+                  FT_Int32       load_flags )
+   {
+     FT_Error      error;
+@@ -2330,7 +2330,7 @@
+ 
+         error = sfnt->load_sbit_image( face,
+                                        (FT_ULong)size->strike_index,
+-                                       (FT_UInt)glyph_index,
++                                       glyph_index,
+                                        (FT_Int)load_flags,
+                                        stream,
+                                        &glyph->root.bitmap,
+@@ -2393,7 +2393,12 @@
+       /* subsetted font, glyph_indices and CIDs are identical, though */
+       if ( cff->top_font.font_dict.cid_registry != 0xFFFFU &&
+            cff->charset.cids )
+-        glyph_index = cff->charset.cids[glyph_index];
++      {
++        if ( glyph_index < cff->charset.max_cid )
++          glyph_index = cff->charset.cids[glyph_index];
++        else
++          glyph_index = 0;
++      }
+ 
+       cff_decoder_init( &decoder, face, size, glyph, hinting,
+                         FT_LOAD_TARGET_MODE( load_flags ) );
+--- freetype-2.1.9/src/cff/cfftypes.h.cve-2006-1861	2003-12-20 00:30:05.000000000 -0700
++++ freetype-2.1.9/src/cff/cfftypes.h	2006-06-08 12:50:32.717639897 -0600
+@@ -84,6 +84,7 @@ FT_BEGIN_HEADER
+     FT_UShort*  sids;
+     FT_UShort*  cids;       /* the inverse mapping of `sids'; only needed */
+                             /* for CID-keyed fonts                        */
++    FT_UInt     max_cid;
+   } CFF_CharsetRec, *CFF_Charset;
+ 
+ 
+--- freetype-2.1.9/include/freetype/fterrdef.h.cve-2006-1861	2004-02-12 01:33:20.000000000 -0700
++++ freetype-2.1.9/include/freetype/fterrdef.h	2006-06-08 12:50:32.718639716 -0600
+@@ -226,6 +226,8 @@
+                 "`ENCODING' field missing" )
+   FT_ERRORDEF_( Missing_Bbx_Field,                           0xB6, \
+                 "`BBX' field missing" )
++  FT_ERRORDEF_( Bbx_Too_Big,                                 0xB7, \
++                "`BBX' too big" )
+ 
+ 
+ /* END */
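Review bot: In the `BITMAP` branch of bdflib.c, `bitmap_size = glyph->bpr * glyph->bbx.height;` multiplies before the result is widened to `unsigned long`; if `bpr` and `bbx.height` are narrower types (their declarations are not in the hunk, and both values come from the font file), the product is formed at `int` width and can wrap before the `> 0xFFFFU` test sees it, so `bitmap_size = (unsigned long)glyph->bpr * glyph->bbx.height;` makes the check cover the full range. The earlier check `if ( p->glyph_enc >= sizeof(p->have)*8 )` compares the parsed encoding with a `size_t`, so a negative `glyph_enc` (BDF uses `ENCODING -1` for unencoded glyphs) is converted to a large unsigned value and rejected, and the comment's `[0,65536]` does not match the `>=` bound (65535 is the last accepted value); whichever treatment of negatives is intended, spelling it out, e.g. `if ( p->glyph_enc < 0 || p->glyph_enc >= (long)( sizeof ( p->have ) * 8 ) )`, avoids relying on a silent sign-compare conversion. In cffgload.c the new bound `glyph_index < cff->charset.max_cid` is only right if `cids` holds exactly `max_cid` entries; the allocation of `cids` and the computation of `max_cid` in cffload.c are outside the hunk, so confirm whether the array is sized `max_cid` or `max_cid + 1` before trusting the strict `<`. The second cffload.c hunk adds only a trailing space and could be dropped from the backport.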

================================================================
Index: SOURCES/freetype-CVE-2006-2661.patch
diff -u /dev/null SOURCES/freetype-CVE-2006-2661.patch:1.1.2.1
--- /dev/null	Wed Jul 26 10:38:17 2006
+++ SOURCES/freetype-CVE-2006-2661.patch	Wed Jul 26 10:38:12 2006
@@ -0,0 +1,62 @@
+--- freetype-2.1.10/src/base/ftutil.c.cve-2006-2661	2005-03-03 15:59:06.000000000 -0700
++++ freetype-2.1.10/src/base/ftutil.c	2006-06-07 18:09:04.314309308 -0600
+@@ -52,6 +52,8 @@
+             FT_Long    size,
+             void*     *P )
+   {
++    FT_Error  error = FT_Err_Ok;
++
+     FT_ASSERT( P != 0 );
+ 
+     if ( size > 0 )
+@@ -68,13 +70,17 @@
+       FT_MEM_ZERO( *P, size );
+     }
+     else
++    {
+       *P = NULL;
++      if ( size < 0 )
++        error = FT_Err_Invalid_Argument;
++    }
+ 
+     FT_TRACE7(( "FT_Alloc:" ));
+     FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n",
+                 size, *P, P ));
+ 
+-    return FT_Err_Ok;
++    return error;
+   }
+ 
+ 
+@@ -128,11 +134,14 @@
+       return FT_Alloc( memory, size, P );
+ 
+     /* if the new block if zero-sized, clear the current one */
+-    if ( size <= 0 )
++    if ( size == 0 )
+     {
+       FT_Free( memory, P );
+       return FT_Err_Ok;
+     }
++    
++    if ( size < 0 || current < 0 )
++      return FT_Err_Invalid_Argument;
+ 
+     Q = memory->realloc( memory, current, size, *P );
+     if ( !Q )
+@@ -170,11 +179,14 @@
+       return FT_QAlloc( memory, size, P );
+ 
+     /* if the new block if zero-sized, clear the current one */
+-    if ( size <= 0 )
++    if ( size == 0 )
+     {
+       FT_Free( memory, P );
+       return FT_Err_Ok;
+     }
++    
++    if ( size < 0 || current < 0 )
++      return FT_Err_Invalid_Argument;
+ 
+     Q = memory->realloc( memory, current, size, *P );
+     if ( !Q )
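Review bot: The new argument checks in `FT_Realloc` and `FT_QRealloc` (`if ( size < 0 || current < 0 ) return FT_Err_Invalid_Argument;`) sit after the `size == 0` free path, so a negative `current` combined with `size == 0` still frees the block instead of being rejected; that is harmless for `FT_Free`, but a short comment such as `/* negative sizes are caller bugs; refuse them before memory->realloc sees them */` would record that the ordering is deliberate. The two checks are byte-identical in both functions and the `FT_Alloc` hunk handles the same case a third way (setting `error`, still tracing, then returning it), so matching comments in all three would help keep them in step when the next backport lands. The two lines added just before those checks (`+    `) consist only of trailing spaces, which patch tools warn about; a plain blank line is enough. Both functions' signatures and the `memory->realloc` calls continue outside the hunk.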
================================================================

