From 13ee59152ecf86cf3f216f460b8b71cb6cf997d2 Mon Sep 17 00:00:00 2001
From: Parag Nemade
Date: Thu, 16 Jan 2020 14:27:07 +0530
Subject: [PATCH] Resolves:rh#1790042 - CVE-2020-5395:out-of-bounds write in sfd.c

---
 fontforge-20190801-cve-2020-5395.patch | 78 ++++++++++++++++++++++++++
 fontforge.spec | 7 ++-
 2 files changed, 84 insertions(+), 1 deletion(-)
 create mode 100644 fontforge-20190801-cve-2020-5395.patch

diff --git a/fontforge-20190801-cve-2020-5395.patch b/fontforge-20190801-cve-2020-5395.patch
new file mode 100644
index 0000000..51b5245
--- /dev/null
+++ b/fontforge-20190801-cve-2020-5395.patch
@@ -0,0 +1,78 @@
+From 048a91e2682c1a8936ae34dbc7bd70291ec05410 Mon Sep 17 00:00:00 2001
+From: Skef Iterum
+Date: Mon, 6 Jan 2020 03:05:06 -0800
+Subject: [PATCH] Fix for #4084 Use-after-free (heap) in the
+ SFD_GetFontMetaData() function Fix for #4086 NULL pointer dereference in the
+ SFDGetSpiros() function Fix for #4088 NULL pointer dereference in the
+ SFD_AssignLookups() function Add empty sf->fontname string if it isn't set,
+ fixing #4089 #4090 and many other potential issues (many downstream calls
+ to strlen() on the value).
+
+---
+ fontforge/sfd.c | 19 ++++++++++++++-----
+ fontforge/sfd1.c | 2 +-
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 731be201e0..e8ca39ba83 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -4032,13 +4032,16 @@ static void SFDGetSpiros(FILE *sfd,SplineSet *cur) {
+ while ( fscanf(sfd,"%lg %lg %c", &cp.x, &cp.y, &cp.ty )==3 ) {
+ if ( cur!=NULL ) {
+ if ( cur->spiro_cnt>=cur->spiro_max )
+- cur->spiros = realloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));
++ cur->spiros = realloc(cur->spiros,
++ (cur->spiro_max+=10)*sizeof(spiro_cp));
+ cur->spiros[cur->spiro_cnt++] = cp;
+ }
+ }
+- if ( cur!=NULL && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
++ if ( cur!=NULL && cur->spiro_cnt>0
++ && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
+ if ( cur->spiro_cnt>=cur->spiro_max )
+- cur->spiros = realloc(cur->spiros,(cur->spiro_max+=1)*sizeof(spiro_cp));
++ cur->spiros = realloc(cur->spiros,
++ (cur->spiro_max+=1)*sizeof(spiro_cp));
+ memset(&cur->spiros[cur->spiro_cnt],0,sizeof(spiro_cp));
+ cur->spiros[cur->spiro_cnt++].ty = SPIRO_END;
+ }
+@@ -7992,10 +7995,12 @@ bool SFD_GetFontMetaData( FILE *sfd,
+ else if ( strmatch(tok,"LayerCount:")==0 )
+ {
+ d->had_layer_cnt = true;
+- getint(sfd,&sf->layer_cnt);
+- if ( sf->layer_cnt>2 ) {
++ int layer_cnt_tmp;
++ getint(sfd,&layer_cnt_tmp);
++ if ( layer_cnt_tmp>2 ) {
+ sf->layers = 
realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+ memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
++ sf->layer_cnt = layer_cnt_tmp;
+ }
+ }
+ else if ( strmatch(tok,"Layer:")==0 )
+@@ -8948,6 +8953,10 @@ exit( 1 );
+ }
+ }
+
++ // Many downstream functions assume this isn't NULL (use strlen, etc.)
++ if ( sf->fontname==NULL)
++ sf->fontname = copy("");
++
+ if ( fromdir )
+ sf = SFD_FigureDirType(sf,tok,dirname,enc,remap,had_layer_cnt);
+ else if ( sf->subfontcnt!=0 ) {
+diff --git a/fontforge/sfd1.c b/fontforge/sfd1.c
+index cf931059d0..b42f832678 100644
+--- a/fontforge/sfd1.c
++++ b/fontforge/sfd1.c
+@@ -674,7 +674,7 @@ void SFD_AssignLookups(SplineFont1 *sf) {
+
+ /* Fix up some gunk from really old versions of the sfd format */
+ SFDCleanupAnchorClasses(&sf->sf);
+- if ( sf->sf.uni_interp==ui_unset )
++ if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )
+ sf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);
+
+ /* Fixup for an old bug */
diff --git a/fontforge.spec b/fontforge.spec
index c414401..39281a2 100644
--- a/fontforge.spec
+++ b/fontforge.spec
@@ -3,7 +3,7 @@ Name: fontforge
 Version: 20190801
-Release: 3%{?dist}
+Release: 4%{?dist}
 Summary: Outline and bitmap font editor
 License: GPLv3+
@@ -12,6 +12,7 @@ Source0: https://github.com/fontforge/%{name}/archive/%{gittag0}.tar.gz#/
 Patch0: fontforge-20190413-python-3.8-pkg-config.patch
 # Below are upstream patches
 Patch1: fontforge-20190801-fix-metainfo.xml-file.patch
+Patch2: fontforge-20190801-cve-2020-5395.patch
 Requires: xdg-utils
 Requires: autotrace
@@ -75,6 +76,7 @@ This package contains documentation files for %{name}.
 %patch0 -p1
 %endif
 %patch1 -p1
+%patch2 -p1
 mkdir htdocs
 cp -pr doc/html/* htdocs
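Review bot: In the `LayerCount:` branch of SFD_GetFontMetaData the new code reads the count into `layer_cnt_tmp`, but the unchanged `realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo))` and `memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo))` lines still size the buffer from the old `sf->layer_cnt`, and only afterwards does `sf->layer_cnt = layer_cnt_tmp` store the new value. Whenever the previous count is smaller than the one just parsed (presumably the normal case for a freshly created SplineFont), `sf->layers` is not grown to `layer_cnt_tmp` entries while `sf->layer_cnt` now claims it is, so the later per-layer writes the bump is meant to bound can still run past the allocation. Both lines should use the parsed count, `sf->layers = realloc(sf->layers,layer_cnt_tmp*sizeof(LayerInfo));` and `memset(sf->layers+2,0,(layer_cnt_tmp-2)*sizeof(LayerInfo));`, and the realloc result should be checked before the memset rather than overwriting `sf->layers` unconditionally. `int layer_cnt_tmp;` is also left indeterminate before `getint`, so if getint does not store a value the `>2` comparison is undefined behaviour; `int layer_cnt_tmp = 0;` keeps that path well defined. SFD_GetFontMetaData and SFDGetSpiros both start and end outside the hunk, and the same unchecked-realloc pattern is retained in the two rewritten SFDGetSpiros lines.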
@@ -143,6 +145,9 @@ find $RPM_BUILD_ROOT -name '*.a' -exec rm -f {} ';'
 %doc htdocs
 %changelog
+* Thu Jan 16 2020 Parag Nemade - 20190801-4
+- Resolves:rh#1790042 - CVE-2020-5395:out-of-bounds write in sfd.c
+
 * Tue Aug 27 2019 Kevin Fenzi - 20190801-3
 - Rebuild for new libspiro