[arch-commits] Commit in freetype2/repos (3 files)
Jan de Groot
jgc at archlinux.org
Fri May 1 09:00:23 UTC 2009
Date: Friday, May 1, 2009 @ 05:00:23
Author: jgc
Revision: 37380
Merged revisions 31443,37379 via svnmerge from
svn+ssh://svn.archlinux.org/srv/svn-packages/freetype2/trunk
........
r31443 | vesa | 2009-03-27 06:45:38 +0000 (Fri, 27 Mar 2009) | 2 lines
Remove disable-static FS#11016
........
r37379 | jgc | 2009-05-01 09:00:05 +0000 (Fri, 01 May 2009) | 2 lines
upgpkg: freetype2 2.3.9-2
Fix security issue
........
Added:
freetype2/repos/extra-x86_64/CVE-2009-0946.patch
(from rev 37379, freetype2/trunk/CVE-2009-0946.patch)
Modified:
freetype2/repos/extra-x86_64/ (properties)
freetype2/repos/extra-x86_64/PKGBUILD
---------------------+
CVE-2009-0946.patch | 144 ++++++++++++++++++++++++++++++++++++++++++++++++++
PKGBUILD | 11 ++-
2 files changed, 151 insertions(+), 4 deletions(-)
Property changes on: freetype2/repos/extra-x86_64
___________________________________________________________________
Modified: svnmerge-integrated
- /freetype2/trunk:1-30104
+ /freetype2/trunk:1-37379
Copied: freetype2/repos/extra-x86_64/CVE-2009-0946.patch (from rev 37379, freetype2/trunk/CVE-2009-0946.patch)
===================================================================
--- extra-x86_64/CVE-2009-0946.patch (rev 0)
+++ extra-x86_64/CVE-2009-0946.patch 2009-05-01 09:00:23 UTC (rev 37380)
@@ -0,0 +1,144 @@
+
+diff --git a/src/cff/cffload.c b/src/cff/cffload.c
+index 22163fb..24b899d 100644
+--- a/src/cff/cffload.c
++++ b/src/cff/cffload.c
+@@ -842,7 +842,20 @@
+ goto Exit;
+
+ for ( j = 1; j < num_glyphs; j++ )
+- charset->sids[j] = FT_GET_USHORT();
++ {
++ FT_UShort sid = FT_GET_USHORT();
++
++
++ /* this constant is given in the CFF specification */
++ if ( sid < 65000 )
++ charset->sids[j] = sid;
++ else
++ {
++ FT_ERROR(( "cff_charset_load:"
++ " invalid SID value %d set to zero\n", sid ));
++ charset->sids[j] = 0;
++ }
++ }
+
+ FT_FRAME_EXIT();
+ }
+@@ -875,6 +888,20 @@
+ goto Exit;
+ }
+
++ /* check whether the range contains at least one valid glyph; */
++ /* the constant is given in the CFF specification */
++ if ( glyph_sid >= 65000 ) {
++ FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
++ error = CFF_Err_Invalid_File_Format;
++ goto Exit;
++ }
++
++ /* try to rescue some of the SIDs if `nleft' is too large */
++ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
++ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
++ nleft = 65000 - 1 - glyph_sid;
++ }
++
+ /* Fill in the range of sids -- `nleft + 1' glyphs. */
+ for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
+ charset->sids[j] = glyph_sid;
+diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c
+index fc78315..c0483de 100644
+--- a/src/lzw/ftzopen.c
++++ b/src/lzw/ftzopen.c
+@@ -332,6 +332,9 @@
+
+ while ( code >= 256U )
+ {
++ if ( !state->prefix )
++ goto Eof;
++
+ FTLZW_STACK_PUSH( state->suffix[code - 256] );
+ code = state->prefix[code - 256];
+ }
+diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
+index 6830391..1bd2ce7 100644
+--- a/src/sfnt/ttcmap.c
++++ b/src/sfnt/ttcmap.c
+@@ -1635,7 +1635,7 @@
+ FT_INVALID_TOO_SHORT;
+
+ length = TT_NEXT_ULONG( p );
+- if ( table + length > valid->limit || length < 8208 )
++ if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
+ FT_INVALID_TOO_SHORT;
+
+ is32 = table + 12;
+@@ -1863,7 +1863,8 @@
+ p = table + 16;
+ count = TT_NEXT_ULONG( p );
+
+- if ( table + length > valid->limit || length < 20 + count * 2 )
++ if ( length > (FT_ULong)( valid->limit - table ) ||
++ length < 20 + count * 2 )
+ FT_INVALID_TOO_SHORT;
+
+ /* check glyph indices */
+@@ -2048,7 +2049,8 @@
+ p = table + 12;
+ num_groups = TT_NEXT_ULONG( p );
+
+- if ( table + length > valid->limit || length < 16 + 12 * num_groups )
++ if ( length > (FT_ULong)( valid->limit - table ) ||
++ length < 16 + 12 * num_groups )
+ FT_INVALID_TOO_SHORT;
+
+ /* check groups, they must be in increasing order */
+@@ -2429,7 +2431,8 @@
+ FT_ULong num_selectors = TT_NEXT_ULONG( p );
+
+
+- if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
++ if ( length > (FT_ULong)( valid->limit - table ) ||
++ length < 10 + 11 * num_selectors )
+ FT_INVALID_TOO_SHORT;
+
+ /* check selectors, they must be in increasing order */
+@@ -2491,7 +2494,7 @@
+ FT_ULong i, lastUni = 0;
+
+
+- if ( ndp + numMappings * 4 > valid->limit )
++ if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
+ FT_INVALID_TOO_SHORT;
+
+ for ( i = 0; i < numMappings; ++i )
+diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
+index a6db504..cacc490 100644
+--- a/src/smooth/ftsmooth.c
++++ b/src/smooth/ftsmooth.c
+@@ -153,7 +153,7 @@
+ slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
+ }
+
+- /* allocate new one, depends on pixel format */
++ /* allocate new one */
+ pitch = width;
+ if ( hmul )
+ {
+@@ -194,6 +194,13 @@
+
+ #endif
+
++ if ( pitch > 0xFFFF || height > 0xFFFF )
++ {
++ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
++ width, height ));
++ return Smooth_Err_Raster_Overflow;
++ }
++
+ bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
+ bitmap->num_grays = 256;
+ bitmap->width = width;
+--
+cgit v0.8.2.1
+
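Review bot: The rewritten length checks in src/sfnt/ttcmap.c still compute their lower bounds with unchecked multiplication: `20 + count * 2`, `16 + 12 * num_groups`, `10 + 11 * num_selectors` and `numMappings * 4` all use counts read from the font file. Where FT_ULong is 32 bits wide (an i686 build, presumably), a large count can wrap and make the bound small enough to pass. Dividing instead of multiplying avoids this, e.g. `length < 20 || ( length - 20 ) / 2 < count` and `numMappings > (FT_ULong)( valid->limit - ndp ) / 4`. The first ttcmap.c hunk also casts to `FT_UInt32` where the others cast to `FT_ULong`; one type throughout would be easier to audit. The enclosing validators start and end outside the embedded hunks, so the declared types of `count` and `num_groups` are not visible here.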
Modified: extra-x86_64/PKGBUILD
===================================================================
--- extra-x86_64/PKGBUILD 2009-05-01 09:00:05 UTC (rev 37379)
+++ extra-x86_64/PKGBUILD 2009-05-01 09:00:23 UTC (rev 37380)
@@ -2,7 +2,7 @@
# Maintainer: judd <jvinet at zeroflux.org>
pkgname=freetype2
pkgver=2.3.9
-pkgrel=1
+pkgrel=2
pkgdesc="TrueType font rendering library"
arch=(i686 x86_64)
license=('GPL')
@@ -13,12 +13,14 @@
bytecode.patch
freetype-2.3.0-enable-spr.patch
freetype-2.2.1-enable-valid.patch
- freetype-2.2.1-memcpy-fix.patch)
+ freetype-2.2.1-memcpy-fix.patch
+ CVE-2009-0946.patch)
md5sums=('d76233108aca9c9606cdbd341562ad9a'
'9ff19e742968c29e3ba52b08d6bf0a50'
'816dc8619a6904a7385769433c0a8653'
'214119610444c9b02766ccee5e220680'
- '6fb6606d28082ecb8e0c6d986b0b26aa')
+ '6fb6606d28082ecb8e0c6d986b0b26aa'
+ '3322c8f8266f7f3dcafb7205ad433c05')
build() {
cd "${srcdir}/freetype-${pkgver}"
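Review bot: Nothing in the PKGBUILD records where `CVE-2009-0946.patch` comes from; its cgit footer suggests it was exported from a web view of a git repository, but the upstream commits are not named. A comment next to the new `source` entry, such as `# CVE-2009-0946: backported from upstream git, commits <UPSTREAM_COMMIT_IDS>`, would let a later reviewer confirm that the backport matches upstream. The file is also pinned only by an MD5 digest in `md5sums`. MD5 is not collision-resistant, so a `sha256sums` array would be the stronger pin if the makepkg version in use supports it. The opening of the `source` array is outside this hunk.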
@@ -26,8 +28,9 @@
patch -Np1 -i "${srcdir}/freetype-2.3.0-enable-spr.patch" || return 1
patch -Np1 -i "${srcdir}/freetype-2.2.1-enable-valid.patch" || return 1
patch -Np1 -i "${srcdir}/freetype-2.2.1-memcpy-fix.patch" || return 1
+ patch -Np1 -i "${srcdir}/CVE-2009-0946.patch" || return 1
- ./configure --prefix=/usr --disable-static || return 1
+ ./configure --prefix=/usr || return 1
make || return 1
make DESTDIR="${pkgdir}" install || return 1
}
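Review bot: Removing `--disable-static` on the `./configure` line rides along with the CVE fix and presumably means the static archive is built and shipped again. Anything that links it statically keeps its own copy of the FreeType code, so it will not pick up fixes like this one from a package upgrade and has to be rebuilt. A comment on that line, e.g. `# static lib re-enabled (FS#11016); static consumers need a rebuild after security updates`, would make the trade-off visible. `build()` begins outside this hunk.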