From 7f6f786c736c5947d5d73af33e61c81f6552c332 Mon Sep 17 00:00:00 2001
From: Parag Nemade
Date: Tue, 18 Feb 2020 13:48:19 +0530
Subject: [PATCH] another fix for rh#1790042 - CVE-2020-5395:out-of-bounds write in sfd.c
---
 ...-20190801-cve-2020-5395-followup-fix.patch | 28 +++++++++++++++++++
 fontforge.spec | 11 ++++++--
 tests/scripts/generate.pe | 3 ++
 3 files changed, 40 insertions(+), 2 deletions(-)
 create mode 100644 fontforge-20190801-cve-2020-5395-followup-fix.patch
diff --git a/fontforge-20190801-cve-2020-5395-followup-fix.patch b/fontforge-20190801-cve-2020-5395-followup-fix.patch
new file mode 100644
index 0000000..c69bb48
--- /dev/null
+++ b/fontforge-20190801-cve-2020-5395-followup-fix.patch
@@ -0,0 +1,28 @@
+From b96273acc691ac8a36c6a8dd4de8e6edd7eaae59 Mon Sep 17 00:00:00 2001
+From: Fredrick Brennan
+Date: Tue, 21 Jan 2020 15:16:00 +0800
+Subject: [PATCH] Fix crash on exit introduced in previous commit
+
+When the number of layers is greater than 2, as in Chomsky.sfd and most
+of my other fonts, FontForge will crash on exiting.
+
+This is just a simple mistake @skef made.
+---
+ fontforge/sfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index e8ca39ba83..9517d8cb12 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -7998,9 +7998,9 @@ bool SFD_GetFontMetaData( FILE *sfd,
+ int layer_cnt_tmp;
+ getint(sfd,&layer_cnt_tmp);
+ if ( layer_cnt_tmp>2 ) {
++ sf->layer_cnt = layer_cnt_tmp;
+ sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+ memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
+- sf->layer_cnt = layer_cnt_tmp;
+ }
+ }
+ else if ( strmatch(tok,"Layer:")==0 )
diff --git a/fontforge.spec b/fontforge.spec
index 24efea7..ae7a262 100644
--- a/fontforge.spec
+++ b/fontforge.spec
@@ -3,7 +3,7 @@
 Name: fontforge
 Version: 20190801
-Release: 5%{?dist}
+Release: 6%{?dist}
 Summary: Outline and bitmap font editor
 License: GPLv3+
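Review bot: In the sfd.c hunk carried by the added follow-up patch, the `realloc` result is still stored straight into `sf->layers` with no NULL check, and with the new ordering `sf->layer_cnt` has already been raised when the allocation fails, so the count and the array can disagree again and `memset(sf->layers+2,...)` would write through a null-based pointer. `layer_cnt_tmp` is read from the SFD file by `getint` (its return value is not used in the visible lines) and is only tested for `>2`, so the allocation size is controlled by file content; an upper bound, and on 32-bit builds an overflow check on the multiplication, belongs before the allocation. I would size the allocation from `layer_cnt_tmp`, hold the result in a temporary, and commit `sf->layers` and `sf->layer_cnt` together only on success, as sketched below. SFD_GetFontMetaData starts and ends outside the hunk, so how it reports errors to its caller is not visible here.

```c
if ( layer_cnt_tmp>2 ) {
    /* size from the parsed value; sf is only touched once realloc succeeded */
    LayerInfo *grown = realloc(sf->layers,layer_cnt_tmp*sizeof(LayerInfo));
    if ( grown==NULL ) {
        /* report the failure the way this function reports other parse errors;
           sf->layers and sf->layer_cnt are left unchanged and still consistent */
    } else {
        memset(grown+2,0,(layer_cnt_tmp-2)*sizeof(LayerInfo));
        sf->layers = grown;
        sf->layer_cnt = layer_cnt_tmp;
    }
}
/* … unchanged: else if ( strmatch(tok,"Layer:")==0 ) … */
```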
@@ -12,7 +12,10 @@ Source0: https://github.com/fontforge/%{name}/archive/%{gittag0}.tar.gz#/
 Patch0: fontforge-20190413-python-3.8-pkg-config.patch
 # Below are upstream patches
 Patch1: fontforge-20190801-fix-metainfo.xml-file.patch
+# https://github.com/fontforge/fontforge/issues/4084
 Patch2: fontforge-20190801-cve-2020-5395.patch
+# https://github.com/fontforge/fontforge/issues/4164
+Patch3: fontforge-20190801-cve-2020-5395-followup-fix.patch
 Requires: xdg-utils
 Requires: autotrace
@@ -77,6 +80,7 @@ This package contains documentation files for %{name}.
 %endif
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
 mkdir htdocs
 cp -pr doc/html/* htdocs
@@ -145,10 +149,13 @@ find $RPM_BUILD_ROOT -name '*.a' -exec rm -f {} ';'
 %doc htdocs
 %changelog
+* Sun Feb 16 2020 Parag Nemade - 20190801-6
+- another fix for rh#1790042 - CVE-2020-5395:out-of-bounds write in sfd.c
+
 * Tue Jan 28 2020 Fedora Release Engineering - 20190801-5
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_32_Mass_Rebuild
-* Thu Jan 16 2020 Parag Nemade - 20190801-4
+* Thu Jan 16 2020 Parag Nemade - 20190801-4
 - Resolves:rh#1790042 - CVE-2020-5395:out-of-bounds write in sfd.c
 * Tue Aug 27 2019 Kevin Fenzi - 20190801-3
diff --git a/tests/scripts/generate.pe b/tests/scripts/generate.pe
index d023cea..6ed2dda 100755
--- a/tests/scripts/generate.pe
+++ b/tests/scripts/generate.pe
@@ -4,4 +4,7 @@ Open($argv[i], 1)
 #Use gen_flags=Defualt fmflags value as -1
 gen_flags = -1
 Generate("" + $fontname + ".ttf", "", gen_flags)
+Generate("" + $fontname + ".otf", "", gen_flags)
+PrintSetup (5)
+PrintFont (0, 0, "", $fontname + "-sample.pdf")
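Review bot: `PrintSetup (5)` in the lines added to tests/scripts/generate.pe is an unexplained magic number; a comment above it such as `# 5 = send print output to a PDF file`, in the style of the existing `#Use gen_flags=...` line, would say what the test is exercising. The two Print calls also put a space before the parenthesis while `Open(` and `Generate(` do not. Nothing in the added calls is visibly tied to the layer-count fix this commit packages, so if they are meant as a regression check for it, an SFD with more than two layers would have to be among the `$argv` inputs; that cannot be confirmed from this hunk.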