diff --git a/freetype-2.4.5-CVE-2011-0226.patch b/freetype-2.4.5-CVE-2011-0226.patch
new file mode 100644
index 0000000..f0afa21
--- /dev/null
+++ b/freetype-2.4.5-CVE-2011-0226.patch
@@ -0,0 +1,99 @@
+--- freetype-2.4.5/src/psaux/t1decode.c 2010-11-23 19:28:53.000000000 +0100
++++ freetype-2.4.5/src/psaux/t1decode.c 2011-07-20 15:00:39.000000000 +0200
+@@ -28,6 +28,8 @@
+
+ #include "psauxerr.h"
+
++/* ensure proper sign extension */
++#define Fix2Int( f ) ( (FT_Int)(FT_Short)( (f) >> 16 ) )
+
+ /*************************************************************************/
+ /* */
+@@ -662,7 +664,7 @@
+ if ( large_int )
+ FT_TRACE4(( " %ld", value ));
+ else
+- FT_TRACE4(( " %ld", (FT_Int32)( value >> 16 ) ));
++ FT_TRACE4(( " %ld", Fix2Int( value ) ));
+ #endif
+
+ *top++ = value;
+@@ -684,8 +686,8 @@
+
+ top -= 2;
+
+- subr_no = (FT_Int)( top[1] >> 16 );
+- arg_cnt = (FT_Int)( top[0] >> 16 );
++ subr_no = Fix2Int( top[1] );
++ arg_cnt = Fix2Int( top[0] );
+
+ /***********************************************************/
+ /* */
+@@ -862,7 +864,7 @@
+ if ( arg_cnt != 1 || blend == NULL )
+ goto Unexpected_OtherSubr;
+
+- idx = (FT_Int)( top[0] >> 16 );
++ idx = Fix2Int( top[0] );
+
+ if ( idx < 0 ||
+ idx + blend->num_designs > decoder->len_buildchar )
+@@ -930,7 +932,7 @@
+ if ( arg_cnt != 2 || blend == NULL )
+ goto Unexpected_OtherSubr;
+
+- idx = (FT_Int)( top[1] >> 16 );
++ idx = Fix2Int( top[1] );
+
+ if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar )
+ goto Unexpected_OtherSubr;
+@@ -951,7 +953,7 @@
+ if ( arg_cnt != 1 || blend == NULL )
+ goto Unexpected_OtherSubr;
+
+- idx = (FT_Int)( top[0] >> 16 );
++ idx = Fix2Int( top[0] );
+
+ if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar )
+ goto Unexpected_OtherSubr;
+@@ -1009,11 +1011,15 @@
+ break;
+
+ default:
+- FT_ERROR(( "t1_decoder_parse_charstrings:"
+- " unknown othersubr [%d %d], wish me luck\n",
+- arg_cnt, subr_no ));
+- unknown_othersubr_result_cnt = arg_cnt;
+- break;
++ if ( arg_cnt >= 0 && subr_no >= 0 )
++ {
++ FT_ERROR(( "t1_decoder_parse_charstrings:"
++ " unknown othersubr [%d %d], wish me luck\n",
++ arg_cnt, subr_no ));
++ unknown_othersubr_result_cnt = arg_cnt;
++ break;
++ }
++ /* fall through */
+
+ Unexpected_OtherSubr:
+ FT_ERROR(( "t1_decoder_parse_charstrings:"
+@@ -1139,8 +1145,8 @@
+ top[0],
+ top[1],
+ top[2],
+- (FT_Int)( top[3] >> 16 ),
+- (FT_Int)( top[4] >> 16 ) );
++ Fix2Int( top[3] ),
++ Fix2Int( top[4] ) );
+
+ case op_sbw:
+ FT_TRACE4(( " sbw" ));
+@@ -1324,7 +1330,7 @@
+
+ FT_TRACE4(( " callsubr" ));
+
+- idx = (FT_Int)( top[0] >> 16 );
++ idx = Fix2Int( top[0] );
+ if ( idx < 0 || idx >= (FT_Int)decoder->num_subrs )
+ {
+ FT_ERROR(( "t1_decoder_parse_charstrings:"
diff --git a/freetype.spec b/freetype.spec
index b21b55e..1b24642 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -7,7 +7,7 @@ Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.4.5
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: FTL or GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -26,6 +26,7 @@ Patch47: freetype-2.3.11-more-demos.patch
 Patch88: freetype-multilib.patch
 Patch89: freetype-2.4.2-CVE-2010-3311.patch
+Patch90: freetype-2.4.5-CVE-2011-0226.patch
 Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
@@ -87,6 +88,7 @@ popd
 %patch88 -p1 -b .multilib
 %patch89 -p1 -b .CVE-2010-3311
+%patch90 -p1 -b .CVE-2011-0226
 %build
@@ -219,6 +221,13 @@ rm -rf $RPM_BUILD_ROOT
 %doc docs/tutorial
 %changelog
+* Wed Jul 20 2011 Marek Kasik 2.4.5-2
+- Add freetype-2.4.5-CVE-2011-0226.patch
+ (Add better argument check for `callothersubr'.)
+ - based on patches by Werner Lemberg,
+ Alexei Podtelezhnikov and Matthias Drochner
+- Resolves: #723469
+
 * Tue Jun 28 2011 Marek Kasik 2.4.5-1
 - Update to 2.4.5
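Review bot: In the `default:` branch of the othersubr switch (inner hunk `@@ -1009,11 +1011,15 @@`), the new guard `if ( arg_cnt >= 0 && subr_no >= 0 )` rejects only negative values, so any non-negative `arg_cnt` from an unrecognised othersubr is still copied into `unknown_othersubr_result_cnt`. No upper bound against the decoder's operand stack is visible in this hunk; if the code outside it does not already enforce one, that check belongs next to this guard rather than at the consumer of the count. The rejection path also relies on `/* fall through */` reaching the `Unexpected_OtherSubr:` label directly below, which a later inserted `case` would silently break; an explicit `goto Unexpected_OtherSubr;`, as the other branches use, is sturdier. Separately, `Fix2Int` yields an `FT_Int` (a plain int in FreeType) but the trace call in inner hunk `@@ -662,7 +664,7 @@` still formats it with `%ld`, so `FT_TRACE4(( " %ld", (long)Fix2Int( value ) ));` would keep the debug build's varargs well-defined. The enclosing function (t1_decoder_parse_charstrings, going by the error strings) begins and ends outside these hunks.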