import fontforge-20170731-15.el8
		
							parent
							
								
									127ebc751e
								
							
						
					
					
						commit
						e49dd4c89a
					
				
							
								
								
									
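--- a/SOURCES/fontforge-20170731-cve-2020-5395-followup-fix.patch
+++ b/SOURCES/fontforge-20170731-cve-2020-5395-followup-fix.patch
@@ -0,0 +1,28 @@
+From b96273acc691ac8a36c6a8dd4de8e6edd7eaae59 Mon Sep 17 00:00:00 2001
+From: Fredrick Brennan <copypaste@kittens.ph>
+Date: Tue, 21 Jan 2020 15:16:00 +0800
+Subject: [PATCH] Fix crash on exit introduced in previous commit
+
+When the number of layers is greater than 2, as in Chomsky.sfd and most
+of my other fonts, FontForge will crash on exiting.
+
+This is just a simple mistake @skef made.
+---
+ fontforge/sfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index e8ca39ba83..9517d8cb12 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -7998,9 +7998,9 @@ bool SFD_GetFontMetaData( FILE *sfd,
+ 	int layer_cnt_tmp;
+ 	getint(sfd,&layer_cnt_tmp);
+ 	if ( layer_cnt_tmp>2 ) {
++	    sf->layer_cnt = layer_cnt_tmp;
+ 	    sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+ 	    memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
+-	    sf->layer_cnt = layer_cnt_tmp;
+ 	}
+     }
+     else if ( strmatch(tok,"Layer:")==0 )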
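Review bot: `layer_cnt_tmp` is read straight from the SFD file and only tested with `>2`, so after this reordering an arbitrarily large count reaches `realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo))`, whose result is stored and handed to `memset` without a NULL check. On allocation failure the old array is lost, `sf->layer_cnt` already holds the new size, and the `memset` on `sf->layers+2` writes through an invalid pointer. Growing into a temporary and committing the pointer and the count only on success avoids this, and an upper bound on the count that suits the format would be worth adding. The variable is also declared without an initializer and `getint`'s return value is ignored; if `getint` can fail without storing (not visible here), initializing it to 0 keeps the comparison defined. The body of `SFD_GetFontMetaData` starts and ends outside this hunk.

```c
	int layer_cnt_tmp = 0;
	getint(sfd,&layer_cnt_tmp);
	if ( layer_cnt_tmp>2 ) {
	    LayerInfo *grown = realloc(sf->layers,layer_cnt_tmp*sizeof(LayerInfo));
	    if ( grown!=NULL ) {
		sf->layers = grown;
		memset(sf->layers+2,0,(layer_cnt_tmp-2)*sizeof(LayerInfo));
		sf->layer_cnt = layer_cnt_tmp;
	    }
	    /* else: layers/layer_cnt stay as they were; fail the load the way the rest of this parser does */
	}
```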
							
								
								
									
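--- a/SOURCES/fontforge-20170731-cve-2020-5395.patch
+++ b/SOURCES/fontforge-20170731-cve-2020-5395.patch
@@ -0,0 +1,78 @@
+From 048a91e2682c1a8936ae34dbc7bd70291ec05410 Mon Sep 17 00:00:00 2001
+From: Skef Iterum <unknown>
+Date: Mon, 6 Jan 2020 03:05:06 -0800
+Subject: [PATCH] Fix for #4084 Use-after-free (heap) in the
+ SFD_GetFontMetaData() function Fix for #4086 NULL pointer dereference in the
+ SFDGetSpiros() function Fix for #4088 NULL pointer dereference in the
+ SFD_AssignLookups() function Add empty sf->fontname string if it isn't set,
+ fixing #4089 #4090 and many   other potential issues (many downstream calls
+ to strlen() on the value).
+
+---
+ fontforge/sfd.c  | 19 ++++++++++++++-----
+ fontforge/sfd1.c |  2 +-
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 731be201e0..e8ca39ba83 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -4032,13 +4032,16 @@ static void SFDGetSpiros(FILE *sfd,SplineSet *cur) {
+     while ( fscanf(sfd,"%lg %lg %c", &cp.x, &cp.y, &cp.ty )==3 ) {
+ 	if ( cur!=NULL ) {
+ 	    if ( cur->spiro_cnt>=cur->spiro_max )
+-		cur->spiros = realloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));
++		cur->spiros = realloc(cur->spiros,
++		                      (cur->spiro_max+=10)*sizeof(spiro_cp));
+ 	    cur->spiros[cur->spiro_cnt++] = cp;
+ 	}
+     }
+-    if ( cur!=NULL && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
++    if (    cur!=NULL && cur->spiro_cnt>0
++         && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
+ 	if ( cur->spiro_cnt>=cur->spiro_max )
+-	    cur->spiros = realloc(cur->spiros,(cur->spiro_max+=1)*sizeof(spiro_cp));
++	    cur->spiros = realloc(cur->spiros,
++	                          (cur->spiro_max+=1)*sizeof(spiro_cp));
+ 	memset(&cur->spiros[cur->spiro_cnt],0,sizeof(spiro_cp));
+ 	cur->spiros[cur->spiro_cnt++].ty = SPIRO_END;
+     }
+@@ -7992,10 +7995,12 @@ bool SFD_GetFontMetaData( FILE *sfd,
+     else if ( strmatch(tok,"LayerCount:")==0 )
+     {
+ 	d->had_layer_cnt = true;
+-	getint(sfd,&sf->layer_cnt);
+-	if ( sf->layer_cnt>2 ) {
++	int layer_cnt_tmp;
++	getint(sfd,&layer_cnt_tmp);
++	if ( layer_cnt_tmp>2 ) {
+ 	    sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+ 	    memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
++	    sf->layer_cnt = layer_cnt_tmp;
+ 	}
+     }
+     else if ( strmatch(tok,"Layer:")==0 )
+@@ -8948,6 +8953,10 @@ exit( 1 );
+ 	}
+     }
+  
++    // Many downstream functions assume this isn't NULL (use strlen, etc.)
++    if ( sf->fontname==NULL)
++	sf->fontname = copy("");
++
+     if ( fromdir )
+ 	sf = SFD_FigureDirType(sf,tok,dirname,enc,remap,had_layer_cnt);
+     else if ( sf->subfontcnt!=0 ) {
+diff --git a/fontforge/sfd1.c b/fontforge/sfd1.c
+index cf931059d0..b42f832678 100644
+--- a/fontforge/sfd1.c
++++ b/fontforge/sfd1.c
+@@ -674,7 +674,7 @@ void SFD_AssignLookups(SplineFont1 *sf) {
+  
+     /* Fix up some gunk from really old versions of the sfd format */
+     SFDCleanupAnchorClasses(&sf->sf);
+-    if ( sf->sf.uni_interp==ui_unset )
++    if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )
+ 	sf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);
+  
+     /* Fixup for an old bug */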
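Review bot: In the `SFDGetSpiros` hunk both reflowed `realloc` calls still assign straight into `cur->spiros` and bump `cur->spiro_max` inside the size expression, so the new `cur->spiro_cnt>0` guard covers the empty list but not an allocation failure. If `realloc` returns NULL while parsing an oversized or malformed SFD, the old buffer is lost and the next statement (`cur->spiros[cur->spiro_cnt++] = cp;` or the `memset`) writes through NULL. Growing into a temporary and updating `cur->spiros` and `cur->spiro_max` only on success would close that path. In the `SFD_AssignLookups` hunk a NULL `sf->sf.map` now leaves `uni_interp` at `ui_unset`; a comment such as `/* map may be NULL for malformed files; uni_interp then stays ui_unset */` would record that this is intended. Both function bodies continue outside their hunks.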
| @ -4,7 +4,7 @@ | ||||
| 
 | ||||
| Name:           fontforge | ||||
| Version:        %{gittag0} | ||||
| Release:        13%{?dist} | ||||
| Release:        15%{?dist} | ||||
| Summary:        Outline and bitmap font editor | ||||
| 
 | ||||
| License:        GPLv3+ | ||||
| @ -18,6 +18,10 @@ Patch0:         fontforge-20140813-use-system-uthash.patch | ||||
| Patch1:         Add-python3-support.patch | ||||
| Patch2:         fontforge-20170731-covscan-issue-fix.patch | ||||
| Patch3:         fontforge-20170731-override-upstream-optimization-flags-splinerefigure-c.patch | ||||
| # https://github.com/fontforge/fontforge/issues/4084 | ||||
| Patch4:         fontforge-20170731-cve-2020-5395.patch | ||||
| # https://github.com/fontforge/fontforge/issues/4164 | ||||
| Patch5:         fontforge-20170731-cve-2020-5395-followup-fix.patch | ||||
| 
 | ||||
| Requires:       xdg-utils | ||||
| Requires:       autotrace | ||||
| @ -157,6 +161,12 @@ chmod 644 $RPM_BUILD_ROOT%{_datadir}/fontforge/nodejs/collabwebview/js/contentEd | ||||
| %doc htdocs | ||||
| 
 | ||||
| %changelog | ||||
| * Wed Apr 08 2020 Parag Nemade <pnemade AT redhat DOT com> - 20170731-15 | ||||
| - Resolves:rh#1821664 - CVE-2020-5395:out-of-bounds write in sfd.c | ||||
| 
 | ||||
| * Thu Jan 16 2020 Parag Nemade <pnemade AT redhat DOT com> - 20170731-14 | ||||
| - Resolves:rh#1790974 - CVE-2020-5395:out-of-bounds write in sfd.c | ||||
| 
 | ||||
| * Sun Jun 02 2019 Parag Nemade <pnemade AT redhat DOT com> - 20170731-13 | ||||
| - Resolves:rh#1665940 - harden the missing splinerefigure.c file | ||||
| 
 | ||||
|  | ||||
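Review bot: `Patch4` and `Patch5` are declared here, but no visible hunk touches `%prep`, so whether they are actually applied depends on how the spec applies patches (`%autosetup`/`%autopatch` versus explicit `%patch` lines), which is not shown. It is worth confirming from the build log that both apply, and in this order. Patch4 on its own sizes the `sf->layers` reallocation with the old `sf->layer_cnt`, and Patch5 is what corrects that. A comment above `Patch5` such as `# follow-up to Patch4; must be applied after it` would make the dependency explicit for the next rebase.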