Resolves:rh#1790042 - CVE-2020-5395:out-of-bounds write in sfd.c
parent
f6215c5a27
commit
13ee59152e
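--- /dev/null
+++ b/fontforge-20190801-cve-2020-5395.patch
@@ -0,0 +1,78 @@
+From 048a91e2682c1a8936ae34dbc7bd70291ec05410 Mon Sep 17 00:00:00 2001
+From: Skef Iterum <unknown>
+Date: Mon, 6 Jan 2020 03:05:06 -0800
+Subject: [PATCH] Fix for #4084 Use-after-free (heap) in the
+SFD_GetFontMetaData() function Fix for #4086 NULL pointer dereference in the
+SFDGetSpiros() function Fix for #4088 NULL pointer dereference in the
+SFD_AssignLookups() function Add empty sf->fontname string if it isn't set,
+fixing #4089 #4090 and many other potential issues (many downstream calls
+to strlen() on the value).
+
+---
+fontforge/sfd.c | 19 ++++++++++++++-----
+fontforge/sfd1.c | 2 +-
+2 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 731be201e0..e8ca39ba83 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -4032,13 +4032,16 @@ static void SFDGetSpiros(FILE *sfd,SplineSet *cur) {
+while ( fscanf(sfd,"%lg %lg %c", &cp.x, &cp.y, &cp.ty )==3 ) {
+if ( cur!=NULL ) {
+if ( cur->spiro_cnt>=cur->spiro_max )
+- cur->spiros = realloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));
++ cur->spiros = realloc(cur->spiros,
++ (cur->spiro_max+=10)*sizeof(spiro_cp));
+cur->spiros[cur->spiro_cnt++] = cp;
+}
+}
+- if ( cur!=NULL && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
++ if ( cur!=NULL && cur->spiro_cnt>0
++ && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
+if ( cur->spiro_cnt>=cur->spiro_max )
+- cur->spiros = realloc(cur->spiros,(cur->spiro_max+=1)*sizeof(spiro_cp));
++ cur->spiros = realloc(cur->spiros,
++ (cur->spiro_max+=1)*sizeof(spiro_cp));
+memset(&cur->spiros[cur->spiro_cnt],0,sizeof(spiro_cp));
+cur->spiros[cur->spiro_cnt++].ty = SPIRO_END;
+}
+@@ -7992,10 +7995,12 @@ bool SFD_GetFontMetaData( FILE *sfd,
+else if ( strmatch(tok,"LayerCount:")==0 )
+{
+d->had_layer_cnt = true;
+- getint(sfd,&sf->layer_cnt);
+- if ( sf->layer_cnt>2 ) {
++ int layer_cnt_tmp;
++ getint(sfd,&layer_cnt_tmp);
++ if ( layer_cnt_tmp>2 ) {
+sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
++ sf->layer_cnt = layer_cnt_tmp;
+}
+}
+else if ( strmatch(tok,"Layer:")==0 )
+@@ -8948,6 +8953,10 @@ exit( 1 );
+}
+}
+
++ // Many downstream functions assume this isn't NULL (use strlen, etc.)
++ if ( sf->fontname==NULL)
++ sf->fontname = copy("");
++
+if ( fromdir )
+sf = SFD_FigureDirType(sf,tok,dirname,enc,remap,had_layer_cnt);
+else if ( sf->subfontcnt!=0 ) {
+diff --git a/fontforge/sfd1.c b/fontforge/sfd1.c
+index cf931059d0..b42f832678 100644
+--- a/fontforge/sfd1.c
++++ b/fontforge/sfd1.c
+@@ -674,7 +674,7 @@ void SFD_AssignLookups(SplineFont1 *sf) {
+
+/* Fix up some gunk from really old versions of the sfd format */
+SFDCleanupAnchorClasses(&sf->sf);
+- if ( sf->sf.uni_interp==ui_unset )
++ if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )
+sf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);
+
+/* Fixup for an old bug */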
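Review bot: In the `LayerCount:` branch of SFD_GetFontMetaData (the sfd.c hunk at -7992), the unchanged `realloc` and `memset` lines still size `sf->layers` from `sf->layer_cnt`, which now holds the previous count because the parsed value is kept in `layer_cnt_tmp` and only stored afterwards. If the previous count is smaller than the parsed one, the array is neither grown nor zeroed to match the count that is then recorded, so later per-layer indexing could run past the allocation. Both lines should use the parsed value: `sf->layers = realloc(sf->layers,layer_cnt_tmp*sizeof(LayerInfo));` and `memset(sf->layers+2,0,(layer_cnt_tmp-2)*sizeof(LayerInfo));`. The result of `getint` is not checked, so `layer_cnt_tmp` may be read uninitialised when parsing fails (inferred; `getint` is not shown), and every `realloc` result in this patch, including the two in SFDGetSpiros, is assigned straight back without a NULL check. The enclosing functions start and end outside the hunks.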
@ -3,7 +3,7 @@
|
|||||||
|
|
||||||
Name: fontforge
|
Name: fontforge
|
||||||
Version: 20190801
|
Version: 20190801
|
||||||
Release: 3%{?dist}
|
Release: 4%{?dist}
|
||||||
Summary: Outline and bitmap font editor
|
Summary: Outline and bitmap font editor
|
||||||
|
|
||||||
License: GPLv3+
|
License: GPLv3+
|
||||||
@ -12,6 +12,7 @@ Source0: https://github.com/fontforge/%{name}/archive/%{gittag0}.tar.gz#/
|
|||||||
Patch0: fontforge-20190413-python-3.8-pkg-config.patch
|
Patch0: fontforge-20190413-python-3.8-pkg-config.patch
|
||||||
# Below are upstream patches
|
# Below are upstream patches
|
||||||
Patch1: fontforge-20190801-fix-metainfo.xml-file.patch
|
Patch1: fontforge-20190801-fix-metainfo.xml-file.patch
|
||||||
|
Patch2: fontforge-20190801-cve-2020-5395.patch
|
||||||
|
|
||||||
Requires: xdg-utils
|
Requires: xdg-utils
|
||||||
Requires: autotrace
|
Requires: autotrace
|
||||||
@ -75,6 +76,7 @@ This package contains documentation files for %{name}.
|
|||||||
%patch0 -p1
|
%patch0 -p1
|
||||||
%endif
|
%endif
|
||||||
%patch1 -p1
|
%patch1 -p1
|
||||||
|
%patch2 -p1
|
||||||
|
|
||||||
mkdir htdocs
|
mkdir htdocs
|
||||||
cp -pr doc/html/* htdocs
|
cp -pr doc/html/* htdocs
|
||||||
@ -143,6 +145,9 @@ find $RPM_BUILD_ROOT -name '*.a' -exec rm -f {} ';'
|
|||||||
%doc htdocs
|
%doc htdocs
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Thu Jan 16 2020 Parag Nemade <pnemade@fedoraproject.org> - 20190801-4
|
||||||
|
- Resolves:rh#1790042 - CVE-2020-5395:out-of-bounds write in sfd.c
|
||||||
|
|
||||||
* Tue Aug 27 2019 Kevin Fenzi <kevin@scrye.com> - 20190801-3
|
* Tue Aug 27 2019 Kevin Fenzi <kevin@scrye.com> - 20190801-3
|
||||||
- Rebuild for new libspiro
|
- Rebuild for new libspiro
|
||||||
|
|
||||||
|