Better protect `flex' handling (CVE-2017-8105)

Resolves: #1446502
Marek Kasik 2017-05-02 15:12:57 +02:00
parent f9a8cd6a74
commit 2e8929eabb
2 changed files with 69 additions and 15 deletions

@ -0,0 +1,47 @@
From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 24 Mar 2017 09:15:10 +0100
Subject: [PATCH] [psaux] Better protect `flex' handling.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
<callothersubr>: Since there is not a single flex operator but a
series of subroutine calls, malformed fonts can call arbitrary other
operators after the start of a flex, possibly adding points. For
this reason we have to check the available number of points before
inserting a point.
---
ChangeLog | 15 +++++++++++++++
src/psaux/t1decode.c | 9 +++++++++
2 files changed, 24 insertions(+)
diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
index af7b465e..7dd45135 100644
--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
@@ -780,10 +780,19 @@
/* point without adding any point to the outline */
idx = decoder->num_flex_vectors++;
if ( idx > 0 && idx < 7 )
+ {
+ /* in malformed fonts it is possible to have other */
+ /* opcodes in the middle of a flex (which don't */
+ /* increase `num_flex_vectors'); we thus have to */
+ /* check whether we can add a point */
+ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
+ goto Syntax_Error;
+
t1_builder_add_point( builder,
x,
y,
(FT_Byte)( idx == 3 || idx == 6 ) );
+ }
}
break;
--
2.12.2
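Review bot: the diffstat at the top of this patch file (`ChangeLog | 15 +++++++++++++++`, `2 files changed, 24 insertions(+)`) no longer matches its body, which carries only the 9-line `src/psaux/t1decode.c` hunk; `git am` and `%patch` ignore the stat, but anyone verifying that the upstream fix was carried over whole will be misled, so either trim the `ChangeLog` line from the stat or add a line above the `---` saying the ChangeLog hunk was dropped on purpose. The code change itself reads correctly: `t1_builder_check_points( builder, 1 )` sits inside the `idx > 0 && idx < 7` branch directly before `t1_builder_add_point`, so the only path that writes a point is the one that just verified there is room for it, and `FT_SET_ERROR(...)` followed by `goto Syntax_Error` rejects the glyph instead of silently skipping the point. One subtlety worth noting in the comment block: `decoder->num_flex_vectors++` has already run when the check fails, which is harmless only as long as `Syntax_Error` abandons the whole charstring; if that path ever becomes recoverable the flex counter will be one ahead of the points actually added.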

@ -7,7 +7,7 @@
Summary: A free and portable font rendering engine
Name: freetype
Version: 2.7.1
Release: 4%{?dist}
Release: 5%{?dist}
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
Group: System Environment/Libraries
URL: http://www.freetype.org
@ -16,20 +16,24 @@ Source1: http://download.savannah.gnu.org/releases/freetype/freetype-doc-%{versi
Source2: http://download.savannah.gnu.org/releases/freetype/ft2demos-%{version}.tar.bz2
Source3: ftconfig.h
Patch21: freetype-2.3.0-enable-spr.patch
Patch0: freetype-2.3.0-enable-spr.patch
# Enable otvalid and gxvalid modules
Patch46: freetype-2.2.1-enable-valid.patch
Patch1: freetype-2.2.1-enable-valid.patch
# Enable additional demos
Patch47: freetype-2.5.2-more-demos.patch
Patch2: freetype-2.5.2-more-demos.patch
# Fix multilib conflicts
Patch88: freetype-multilib.patch
Patch3: freetype-multilib.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1161963
Patch92: freetype-2.5.3-freetype-config-prefix.patch
Patch4: freetype-2.5.3-freetype-config-prefix.patch
Patch5: freetype-2.6.5-libtool.patch
# https://bugzilla.redhat.com/show_bug.cgi?id=1446500
Patch6: freetype-2.7.1-protect-flex-handling.patch
Patch93: freetype-2.6.5-libtool.patch
BuildRequires: libX11-devel
BuildRequires: libpng-devel
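Review bot: the comment added above the new `Patch6` line cites https://bugzilla.redhat.com/show_bug.cgi?id=1446500, while the commit message and the `%changelog` entry in this same commit say `Resolves: #1446502`; one of the two numbers is wrong, so please confirm which bug tracks CVE-2017-8105 for this package and use the same number in both places, since the spec comment is what the next maintainer will follow when checking why `freetype-2.7.1-protect-flex-handling.patch` is carried.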
@ -79,20 +83,19 @@ FreeType.
%setup -q -b 1 -a 2
%if %{?_with_subpixel_rendering:1}%{!?_with_subpixel_rendering:0}
%patch21 -p1 -b .enable-spr
%patch0 -p1 -b .enable-spr
%endif
%patch46 -p1 -b .enable-valid
%patch1 -p1 -b .enable-valid
pushd ft2demos-%{version}
%patch47 -p1 -b .more-demos
%patch2 -p1 -b .more-demos
popd
%patch88 -p1 -b .multilib
%patch92 -p1 -b .freetype-config-prefix
%patch93 -p1 -b .libtool
%patch3 -p1 -b .multilib
%patch4 -p1 -b .freetype-config-prefix
%patch5 -p1 -b .libtool
%patch6 -p1 -b .protect-flex-handling
%build
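Review bot: renumbering `%patch21/46/47/88/92/93` to `%patch0..5` (and the matching `PatchN:` tags above) in the same commit as the CVE fix buries the one security-relevant line, `%patch6 -p1 -b .protect-flex-handling`, in cosmetic churn and makes the change harder to review and to cherry-pick onto other branches; consider landing the renumbering as its own commit and keeping this one to the `Patch6` addition. The new line itself is placed correctly: it is outside the `%if %{?_with_subpixel_rendering:1}%{!?_with_subpixel_rendering:0}` block and after the `popd` out of `ft2demos-%{version}`, so it is applied unconditionally to the main FreeType tree, and `-p1` matches the `a/src/psaux/t1decode.c` prefix used in the patch file.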
@ -208,6 +211,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la}
%{_mandir}/man1/*
%changelog
* Tue May 2 2017 Marek Kasik <mkasik@redhat.com> - 2.7.1-5
- Better protect `flex' handling (CVE-2017-8105)
- Resolves: #1446502
* Mon Apr 10 2017 Marek Kasik <mkasik@redhat.com> - 2.7.1-4
- Revert previous commit
- Related: #1437999