From 2e8929eabbadc25de23ddad27514d220d85a6b45 Mon Sep 17 00:00:00 2001
From: Marek Kasik
Date: Tue, 2 May 2017 15:12:57 +0200
Subject: [PATCH] Better protect `flex' handling (CVE-2017-8105)
Resolves: #1446502
---
 freetype-2.7.1-protect-flex-handling.patch | 47 ++++++++++++++++++++++
 freetype.spec | 37 ++++++++++-------
 2 files changed, 69 insertions(+), 15 deletions(-)
 create mode 100644 freetype-2.7.1-protect-flex-handling.patch
diff --git a/freetype-2.7.1-protect-flex-handling.patch b/freetype-2.7.1-protect-flex-handling.patch
new file mode 100644
index 0000000..01ff261
--- /dev/null
+++ b/freetype-2.7.1-protect-flex-handling.patch
@@ -0,0 +1,47 @@
+From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg
+Date: Fri, 24 Mar 2017 09:15:10 +0100
+Subject: [PATCH] [psaux] Better protect `flex' handling.
+
+Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
+
+* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+: Since there is not a single flex operator but a
+series of subroutine calls, malformed fonts can call arbitrary other
+operators after the start of a flex, possibly adding points. For
+this reason we have to check the available number of points before
+inserting a point.
+---
+ ChangeLog | 15 +++++++++++++++
+ src/psaux/t1decode.c | 9 +++++++++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
+index af7b465e..7dd45135 100644
+--- a/src/psaux/t1decode.c
++++ b/src/psaux/t1decode.c
+@@ -780,10 +780,19 @@
+ /* point without adding any point to the outline */
+ idx = decoder->num_flex_vectors++;
+ if ( idx > 0 && idx < 7 )
++ {
++ /* in malformed fonts it is possible to have other */
++ /* opcodes in the middle of a flex (which don't */
++ /* increase `num_flex_vectors'); we thus have to */
++ /* check whether we can add a point */
++ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
++ goto Syntax_Error;
++
+ t1_builder_add_point( builder,
+ x,
+ y,
+ (FT_Byte)( idx == 3 || idx == 6 ) );
++ }
+ }
+ break;
+
+--
+2.12.2
+
diff --git a/freetype.spec b/freetype.spec
index 21d2261..b533d3d 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -7,7 +7,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.7.1
-Release: 4%{?dist}
+Release: 5%{?dist}
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 Group: System Environment/Libraries
 URL: http://www.freetype.org
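Review bot: The embedded patch's diffstat (`ChangeLog | 15 +++++++++++++++`, `2 files changed, 24 insertions(+)`) does not match its body, which carries only the nine-line src/psaux/t1decode.c hunk; the upstream ChangeLog hunk was evidently dropped for this backport. `%patch -p1` ignores the diffstat so the build is unaffected, but anyone comparing the file against upstream f958c48ee431 will stumble on it — either delete those three summary lines or add a line under the Subject such as `(ChangeLog hunk omitted for this backport)`. The t1decode.c change itself is the minimal guard: for flex vectors 1..6 (`idx > 0 && idx < 7`) `t1_builder_check_points( builder, 1 )` is consulted before `t1_builder_add_point`, and a failure goes to `Syntax_Error` through `FT_SET_ERROR`, so a point is inserted only when the builder reports room for it, which is the gap the commit message describes malformed fonts exploiting by interleaving other operators inside a flex. `t1_decoder_parse_charstrings` continues on both sides of the hunk, so whether other point-adding paths in the same switch carry an equivalent check cannot be confirmed from here.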
@@ -16,20 +16,24 @@ Source1: http://download.savannah.gnu.org/releases/freetype/freetype-doc-%{versi
 Source2: http://download.savannah.gnu.org/releases/freetype/ft2demos-%{version}.tar.bz2
 Source3: ftconfig.h
-Patch21: freetype-2.3.0-enable-spr.patch
+Patch0: freetype-2.3.0-enable-spr.patch
 # Enable otvalid and gxvalid modules
-Patch46: freetype-2.2.1-enable-valid.patch
+Patch1: freetype-2.2.1-enable-valid.patch
 # Enable additional demos
-Patch47: freetype-2.5.2-more-demos.patch
+Patch2: freetype-2.5.2-more-demos.patch
 # Fix multilib conflicts
-Patch88: freetype-multilib.patch
+Patch3: freetype-multilib.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1161963
-Patch92: freetype-2.5.3-freetype-config-prefix.patch
+Patch4: freetype-2.5.3-freetype-config-prefix.patch
+
+Patch5: freetype-2.6.5-libtool.patch
+
+# https://bugzilla.redhat.com/show_bug.cgi?id=1446500
+Patch6: freetype-2.7.1-protect-flex-handling.patch
-Patch93: freetype-2.6.5-libtool.patch
 BuildRequires: libX11-devel
 BuildRequires: libpng-devel
@@ -79,20 +83,19 @@ FreeType.
 %setup -q -b 1 -a 2
 %if %{?_with_subpixel_rendering:1}%{!?_with_subpixel_rendering:0}
-%patch21 -p1 -b .enable-spr
+%patch0 -p1 -b .enable-spr
 %endif
-%patch46 -p1 -b .enable-valid
+%patch1 -p1 -b .enable-valid
 pushd ft2demos-%{version}
-%patch47 -p1 -b .more-demos
+%patch2 -p1 -b .more-demos
 popd
-%patch88 -p1 -b .multilib
-
-%patch92 -p1 -b .freetype-config-prefix
-
-%patch93 -p1 -b .libtool
+%patch3 -p1 -b .multilib
+%patch4 -p1 -b .freetype-config-prefix
+%patch5 -p1 -b .libtool
+%patch6 -p1 -b .protect-flex-handling
 %build
@@ -208,6 +211,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la}
 %{_mandir}/man1/*
 %changelog
+* Tue May 2 2017 Marek Kasik - 2.7.1-5
+- Better protect `flex' handling (CVE-2017-8105)
+- Resolves: #1446502
+
 * Mon Apr 10 2017 Marek Kasik - 2.7.1-4
 - Revert previous commit
 - Related: #1437999
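Review bot: The comment added above `Patch6` in the Patch-list hunk cites bugzilla 1446500, while the commit subject, the `Resolves:` line and the new %changelog entry all cite #1446502. If they are meant to be the same bug, one of them is a typo; if 1446500 is deliberately a different entry (a parent or upstream-tracking bug, say), a word in the comment would spare the next maintainer the lookup, e.g. `# CVE-2017-8105, https://bugzilla.redhat.com/show_bug.cgi?id=1446500 (see also #1446502)`. The Patch0–Patch6 renumbering and the matching `%patch0`…`%patch6` lines in the %prep hunk are consistent with each other, and `%patch6 -p1` matches the `a/src/...` path prefix used in the new patch file.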