import fontforge-20170731-15.el8

2020-07-28 05:48:39 -04:00 · 2020-07-28 05:48:39 -04:00 · e49dd4c89a
commit e49dd4c89a
parent 127ebc751e
3 changed files with 117 additions and 1 deletions
--- a/SOURCES/fontforge-20170731-cve-2020-5395-followup-fix.patch
+++ b/SOURCES/fontforge-20170731-cve-2020-5395-followup-fix.patch
@ -0,0 +1,28 @@
+From b96273acc691ac8a36c6a8dd4de8e6edd7eaae59 Mon Sep 17 00:00:00 2001
+From: Fredrick Brennan <copypaste@kittens.ph>
+Date: Tue, 21 Jan 2020 15:16:00 +0800
+Subject: [PATCH] Fix crash on exit introduced in previous commit
+
+When the number of layers is greater than 2, as in Chomsky.sfd and most
+of my other fonts, FontForge will crash on exiting.
+
+This is just a simple mistake @skef made.
+---
+ fontforge/sfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index e8ca39ba83..9517d8cb12 100644
+--- a/fontforge/sfd.c
+++ b/fontforge/sfd.c
+@@ -7998,9 +7998,9 @@ bool SFD_GetFontMetaData( FILE *sfd,
+ 	int layer_cnt_tmp;
+ 	getint(sfd,&layer_cnt_tmp);
+ 	if ( layer_cnt_tmp>2 ) {
+	    sf->layer_cnt = layer_cnt_tmp;
+ 	    sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+ 	    memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
+-	    sf->layer_cnt = layer_cnt_tmp;
+ 	}
+     }
+     else if ( strmatch(tok,"Layer:")==0 )
--- a/SOURCES/fontforge-20170731-cve-2020-5395.patch
+++ b/SOURCES/fontforge-20170731-cve-2020-5395.patch
@ -0,0 +1,78 @@
+From 048a91e2682c1a8936ae34dbc7bd70291ec05410 Mon Sep 17 00:00:00 2001
+From: Skef Iterum <unknown>
+Date: Mon, 6 Jan 2020 03:05:06 -0800
+Subject: [PATCH] Fix for #4084 Use-after-free (heap) in the
+ SFD_GetFontMetaData() function Fix for #4086 NULL pointer dereference in the
+ SFDGetSpiros() function Fix for #4088 NULL pointer dereference in the
+ SFD_AssignLookups() function Add empty sf->fontname string if it isn't set,
+ fixing #4089 #4090 and many   other potential issues (many downstream calls
+ to strlen() on the value).
+
+---
+ fontforge/sfd.c  | 19 ++++++++++++++-----
+ fontforge/sfd1.c |  2 +-
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 731be201e0..e8ca39ba83 100644
+--- a/fontforge/sfd.c
+++ b/fontforge/sfd.c
+@@ -4032,13 +4032,16 @@ static void SFDGetSpiros(FILE *sfd,SplineSet *cur) {
+     while ( fscanf(sfd,"%lg %lg %c", &cp.x, &cp.y, &cp.ty )==3 ) {
+ 	if ( cur!=NULL ) {
+ 	    if ( cur->spiro_cnt>=cur->spiro_max )
+-		cur->spiros = realloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));
+		cur->spiros = realloc(cur->spiros,
+		                      (cur->spiro_max+=10)*sizeof(spiro_cp));
+ 	    cur->spiros[cur->spiro_cnt++] = cp;
+ 	}
+     }
+-    if ( cur!=NULL && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
+    if (    cur!=NULL && cur->spiro_cnt>0
+         && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
+ 	if ( cur->spiro_cnt>=cur->spiro_max )
+-	    cur->spiros = realloc(cur->spiros,(cur->spiro_max+=1)*sizeof(spiro_cp));
+	    cur->spiros = realloc(cur->spiros,
+	                          (cur->spiro_max+=1)*sizeof(spiro_cp));
+ 	memset(&cur->spiros[cur->spiro_cnt],0,sizeof(spiro_cp));
+ 	cur->spiros[cur->spiro_cnt++].ty = SPIRO_END;
+     }
+@@ -7992,10 +7995,12 @@ bool SFD_GetFontMetaData( FILE *sfd,
+     else if ( strmatch(tok,"LayerCount:")==0 )
+     {
+ 	d->had_layer_cnt = true;
+-	getint(sfd,&sf->layer_cnt);
+-	if ( sf->layer_cnt>2 ) {
+	int layer_cnt_tmp;
+	getint(sfd,&layer_cnt_tmp);
+	if ( layer_cnt_tmp>2 ) {
+ 	    sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+ 	    memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
+	    sf->layer_cnt = layer_cnt_tmp;
+ 	}
+     }
+     else if ( strmatch(tok,"Layer:")==0 )
+@@ -8948,6 +8953,10 @@ exit( 1 );
+ 	}
+     }
+ 
+    // Many downstream functions assume this isn't NULL (use strlen, etc.)
+    if ( sf->fontname==NULL)
+	sf->fontname = copy("");
+
+     if ( fromdir )
+ 	sf = SFD_FigureDirType(sf,tok,dirname,enc,remap,had_layer_cnt);
+     else if ( sf->subfontcnt!=0 ) {
+diff --git a/fontforge/sfd1.c b/fontforge/sfd1.c
+index cf931059d0..b42f832678 100644
+--- a/fontforge/sfd1.c
+++ b/fontforge/sfd1.c
+@@ -674,7 +674,7 @@ void SFD_AssignLookups(SplineFont1 *sf) {
+ 
+     /* Fix up some gunk from really old versions of the sfd format */
+     SFDCleanupAnchorClasses(&sf->sf);
+-    if ( sf->sf.uni_interp==ui_unset )
+    if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )
+ 	sf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);
+ 
+     /* Fixup for an old bug */
--- a/SPECS/fontforge.spec
+++ b/SPECS/fontforge.spec
@ -4,7 +4,7 @@

 Name:           fontforge
 Version:        %{gittag0}
-Release:        13%{?dist}
+Release:        15%{?dist}
 Summary:        Outline and bitmap font editor

 License:        GPLv3+
@ -18,6 +18,10 @@ Patch0:         fontforge-20140813-use-system-uthash.patch
 Patch1:         Add-python3-support.patch
 Patch2:         fontforge-20170731-covscan-issue-fix.patch
 Patch3:         fontforge-20170731-override-upstream-optimization-flags-splinerefigure-c.patch
+# https://github.com/fontforge/fontforge/issues/4084
+Patch4:         fontforge-20170731-cve-2020-5395.patch
+# https://github.com/fontforge/fontforge/issues/4164
+Patch5:         fontforge-20170731-cve-2020-5395-followup-fix.patch

 Requires:       xdg-utils
 Requires:       autotrace
@ -157,6 +161,12 @@ chmod 644 $RPM_BUILD_ROOT%{_datadir}/fontforge/nodejs/collabwebview/js/contentEd
 %doc htdocs

 %changelog
+* Wed Apr 08 2020 Parag Nemade <pnemade AT redhat DOT com> - 20170731-15
+- Resolves:rh#1821664 - CVE-2020-5395:out-of-bounds write in sfd.c
+
+* Thu Jan 16 2020 Parag Nemade <pnemade AT redhat DOT com> - 20170731-14
+- Resolves:rh#1790974 - CVE-2020-5395:out-of-bounds write in sfd.c
+
 * Sun Jun 02 2019 Parag Nemade <pnemade AT redhat DOT com> - 20170731-13
 - Resolves:rh#1665940 - harden the missing splinerefigure.c file