[arch-commits] Commit in freetype2/repos (3 files)

Jan de Groot jgc at archlinux.org
Fri May 1 09:00:23 UTC 2009


    Date: Friday, May 1, 2009 @ 05:00:23
  Author: jgc
Revision: 37380

Merged revisions 31443,37379 via svnmerge from 
svn+ssh://svn.archlinux.org/srv/svn-packages/freetype2/trunk

........
  r31443 | vesa | 2009-03-27 06:45:38 +0000 (Fri, 27 Mar 2009) | 2 lines
  
  Remove disable-static FS#11016
........
  r37379 | jgc | 2009-05-01 09:00:05 +0000 (Fri, 01 May 2009) | 2 lines
  
  upgpkg: freetype2 2.3.9-2
      Fix security issue
........

Added:
  freetype2/repos/extra-x86_64/CVE-2009-0946.patch
    (from rev 37379, freetype2/trunk/CVE-2009-0946.patch)
Modified:
  freetype2/repos/extra-x86_64/	(properties)
  freetype2/repos/extra-x86_64/PKGBUILD

---------------------+
 CVE-2009-0946.patch |  144 ++++++++++++++++++++++++++++++++++++++++++++++++++
 PKGBUILD            |   11 ++-
 2 files changed, 151 insertions(+), 4 deletions(-)


Property changes on: freetype2/repos/extra-x86_64
___________________________________________________________________
Modified: svnmerge-integrated
   - /freetype2/trunk:1-30104
   + /freetype2/trunk:1-37379

Copied: freetype2/repos/extra-x86_64/CVE-2009-0946.patch (from rev 37379, freetype2/trunk/CVE-2009-0946.patch)
===================================================================
--- extra-x86_64/CVE-2009-0946.patch	                        (rev 0)
+++ extra-x86_64/CVE-2009-0946.patch	2009-05-01 09:00:23 UTC (rev 37380)
@@ -0,0 +1,144 @@
+
+diff --git a/src/cff/cffload.c b/src/cff/cffload.c
+index 22163fb..24b899d 100644
+--- a/src/cff/cffload.c
++++ b/src/cff/cffload.c
+@@ -842,7 +842,20 @@
+             goto Exit;
+ 
+           for ( j = 1; j < num_glyphs; j++ )
+-            charset->sids[j] = FT_GET_USHORT();
++          {
++            FT_UShort sid = FT_GET_USHORT();
++
++
++            /* this constant is given in the CFF specification */
++            if ( sid < 65000 )
++              charset->sids[j] = sid;
++            else
++            {
++              FT_ERROR(( "cff_charset_load:"
++                         " invalid SID value %d set to zero\n", sid ));
++              charset->sids[j] = 0;
++            }
++          }
+ 
+           FT_FRAME_EXIT();
+         }
+@@ -875,6 +888,20 @@
+                 goto Exit;
+             }
+ 
++            /* check whether the range contains at least one valid glyph; */
++            /* the constant is given in the CFF specification             */
++            if ( glyph_sid >= 65000 ) {
++              FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
++              error = CFF_Err_Invalid_File_Format;
++              goto Exit;
++            }
++
++            /* try to rescue some of the SIDs if `nleft' is too large */
++            if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
++              FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
++              nleft = 65000 - 1 - glyph_sid;
++            }
++
+             /* Fill in the range of sids -- `nleft + 1' glyphs. */
+             for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
+               charset->sids[j] = glyph_sid;
+diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c
+index fc78315..c0483de 100644
+--- a/src/lzw/ftzopen.c
++++ b/src/lzw/ftzopen.c
+@@ -332,6 +332,9 @@
+ 
+           while ( code >= 256U )
+           {
++            if ( !state->prefix )
++              goto Eof;
++
+             FTLZW_STACK_PUSH( state->suffix[code - 256] );
+             code = state->prefix[code - 256];
+           }
+diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
+index 6830391..1bd2ce7 100644
+--- a/src/sfnt/ttcmap.c
++++ b/src/sfnt/ttcmap.c
+@@ -1635,7 +1635,7 @@
+       FT_INVALID_TOO_SHORT;
+ 
+     length = TT_NEXT_ULONG( p );
+-    if ( table + length > valid->limit || length < 8208 )
++    if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
+       FT_INVALID_TOO_SHORT;
+ 
+     is32       = table + 12;
+@@ -1863,7 +1863,8 @@
+     p      = table + 16;
+     count  = TT_NEXT_ULONG( p );
+ 
+-    if ( table + length > valid->limit || length < 20 + count * 2 )
++    if ( length > (FT_ULong)( valid->limit - table ) ||
++         length < 20 + count * 2                     )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check glyph indices */
+@@ -2048,7 +2049,8 @@
+     p          = table + 12;
+     num_groups = TT_NEXT_ULONG( p );
+ 
+-    if ( table + length > valid->limit || length < 16 + 12 * num_groups )
++    if ( length > (FT_ULong)( valid->limit - table ) ||
++         length < 16 + 12 * num_groups               )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check groups, they must be in increasing order */
+@@ -2429,7 +2431,8 @@
+     FT_ULong  num_selectors = TT_NEXT_ULONG( p );
+ 
+ 
+-    if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
++    if ( length > (FT_ULong)( valid->limit - table ) ||
++         length < 10 + 11 * num_selectors            )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check selectors, they must be in increasing order */
+@@ -2491,7 +2494,7 @@
+           FT_ULong  i, lastUni = 0;
+ 
+ 
+-          if ( ndp + numMappings * 4 > valid->limit )
++          if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
+             FT_INVALID_TOO_SHORT;
+ 
+           for ( i = 0; i < numMappings; ++i )
+diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
+index a6db504..cacc490 100644
+--- a/src/smooth/ftsmooth.c
++++ b/src/smooth/ftsmooth.c
+@@ -153,7 +153,7 @@
+       slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
+     }
+ 
+-    /* allocate new one, depends on pixel format */
++    /* allocate new one */
+     pitch = width;
+     if ( hmul )
+     {
+@@ -194,6 +194,13 @@
+ 
+ #endif
+ 
++    if ( pitch > 0xFFFF || height > 0xFFFF )
++    {
++      FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
++                 width, height ));
++      return Smooth_Err_Raster_Overflow;
++    }
++
+     bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
+     bitmap->num_grays  = 256;
+     bitmap->width      = width;
+--
+cgit v0.8.2.1
+
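Review bot: The size guard `if ( pitch > 0xFFFF || height > 0xFFFF )` in the ftsmooth.c hunk rejects on `pitch`, but the FT_ERROR two lines below prints `width, height`, so when the two differ the log shows a value that did not trip the check. `pitch` starts as `width` but is then adjusted inside the `if ( hmul )` block that the patch cuts off, so the mismatch is presumably reachable. Reporting the quantity actually tested keeps the diagnostic trustworthy: `FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n", pitch, height ));`. All of the functions touched here start and end outside the visible context, and the trailing `cgit v0.8.2.1` line suggests the patch was exported verbatim from a cgit view rather than trimmed.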

Modified: extra-x86_64/PKGBUILD
===================================================================
--- extra-x86_64/PKGBUILD	2009-05-01 09:00:05 UTC (rev 37379)
+++ extra-x86_64/PKGBUILD	2009-05-01 09:00:23 UTC (rev 37380)
@@ -2,7 +2,7 @@
 # Maintainer: judd <jvinet at zeroflux.org>
 pkgname=freetype2
 pkgver=2.3.9
-pkgrel=1
+pkgrel=2
 pkgdesc="TrueType font rendering library"
 arch=(i686 x86_64)
 license=('GPL')
@@ -13,12 +13,14 @@
 	bytecode.patch
 	freetype-2.3.0-enable-spr.patch
 	freetype-2.2.1-enable-valid.patch
-	freetype-2.2.1-memcpy-fix.patch)
+	freetype-2.2.1-memcpy-fix.patch
+	CVE-2009-0946.patch)
 md5sums=('d76233108aca9c9606cdbd341562ad9a'
          '9ff19e742968c29e3ba52b08d6bf0a50'
          '816dc8619a6904a7385769433c0a8653'
          '214119610444c9b02766ccee5e220680'
-         '6fb6606d28082ecb8e0c6d986b0b26aa')
+         '6fb6606d28082ecb8e0c6d986b0b26aa'
+	 '3322c8f8266f7f3dcafb7205ad433c05')
 
 build() {
   cd "${srcdir}/freetype-${pkgver}"
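Review bot: The new checksum entry `	 '3322c8f8266f7f3dcafb7205ad433c05')` is indented with a tab plus one space while the sibling entries above use nine spaces, leaving the md5sums array mixed-indent; align it as `         '3322c8f8266f7f3dcafb7205ad433c05')`. The added `CVE-2009-0946.patch)` source entry keeps the tab indentation of its neighbours, so only the checksum line needs the change. Since the patch file is committed alongside the PKGBUILD rather than fetched remotely, this md5sum only guards against a stale or mismatched local copy.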
@@ -26,8 +28,9 @@
   patch -Np1 -i "${srcdir}/freetype-2.3.0-enable-spr.patch" || return 1
   patch -Np1 -i "${srcdir}/freetype-2.2.1-enable-valid.patch" || return 1
   patch -Np1 -i "${srcdir}/freetype-2.2.1-memcpy-fix.patch" || return 1
+  patch -Np1 -i "${srcdir}/CVE-2009-0946.patch" || return 1
 
-  ./configure --prefix=/usr --disable-static || return 1
+  ./configure --prefix=/usr || return 1
   make || return 1
   make DESTDIR="${pkgdir}" install || return 1
 }



