Fix CVE-2011-0226
Add freetype-2.4.5-CVE-2011-0226.patch (Add better argument check for `callothersubr'.) based on patches by Werner Lemberg, Alexei Podtelezhnikov and Matthias Drochner Resolves: #723469
parent
ec4243ebc8
commit
36cb801677
99
freetype-2.4.5-CVE-2011-0226.patch
Normal file
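--- /dev/null
+++ b/freetype-2.4.5-CVE-2011-0226.patch
@@ -0,0 +1,99 @@
+--- freetype-2.4.5/src/psaux/t1decode.c 2010-11-23 19:28:53.000000000 +0100
++++ freetype-2.4.5/src/psaux/t1decode.c 2011-07-20 15:00:39.000000000 +0200
+@@ -28,6 +28,8 @@
+
+#include "psauxerr.h"
+
++/* ensure proper sign extension */
++#define Fix2Int( f ) ( (FT_Int)(FT_Short)( (f) >> 16 ) )
+
+/*************************************************************************/
+/* */
+@@ -662,7 +664,7 @@
+if ( large_int )
+FT_TRACE4(( " %ld", value ));
+else
+- FT_TRACE4(( " %ld", (FT_Int32)( value >> 16 ) ));
++ FT_TRACE4(( " %ld", Fix2Int( value ) ));
+#endif
+
+*top++ = value;
+@@ -684,8 +686,8 @@
+
+top -= 2;
+
+- subr_no = (FT_Int)( top[1] >> 16 );
+- arg_cnt = (FT_Int)( top[0] >> 16 );
++ subr_no = Fix2Int( top[1] );
++ arg_cnt = Fix2Int( top[0] );
+
+/***********************************************************/
+/* */
+@@ -862,7 +864,7 @@
+if ( arg_cnt != 1 || blend == NULL )
+goto Unexpected_OtherSubr;
+
+- idx = (FT_Int)( top[0] >> 16 );
++ idx = Fix2Int( top[0] );
+
+if ( idx < 0 ||
+idx + blend->num_designs > decoder->len_buildchar )
+@@ -930,7 +932,7 @@
+if ( arg_cnt != 2 || blend == NULL )
+goto Unexpected_OtherSubr;
+
+- idx = (FT_Int)( top[1] >> 16 );
++ idx = Fix2Int( top[1] );
+
+if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar )
+goto Unexpected_OtherSubr;
+@@ -951,7 +953,7 @@
+if ( arg_cnt != 1 || blend == NULL )
+goto Unexpected_OtherSubr;
+
+- idx = (FT_Int)( top[0] >> 16 );
++ idx = Fix2Int( top[0] );
+
+if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar )
+goto Unexpected_OtherSubr;
+@@ -1009,11 +1011,15 @@
+break;
+
+default:
+- FT_ERROR(( "t1_decoder_parse_charstrings:"
+- " unknown othersubr [%d %d], wish me luck\n",
+- arg_cnt, subr_no ));
+- unknown_othersubr_result_cnt = arg_cnt;
+- break;
++ if ( arg_cnt >= 0 && subr_no >= 0 )
++ {
++ FT_ERROR(( "t1_decoder_parse_charstrings:"
++ " unknown othersubr [%d %d], wish me luck\n",
++ arg_cnt, subr_no ));
++ unknown_othersubr_result_cnt = arg_cnt;
++ break;
++ }
++ /* fall through */
+
+Unexpected_OtherSubr:
+FT_ERROR(( "t1_decoder_parse_charstrings:"
+@@ -1139,8 +1145,8 @@
+top[0],
+top[1],
+top[2],
+- (FT_Int)( top[3] >> 16 ),
+- (FT_Int)( top[4] >> 16 ) );
++ Fix2Int( top[3] ),
++ Fix2Int( top[4] ) );
+
+case op_sbw:
+FT_TRACE4(( " sbw" ));
+@@ -1324,7 +1330,7 @@
+
+FT_TRACE4(( " callsubr" ));
+
+- idx = (FT_Int)( top[0] >> 16 );
++ idx = Fix2Int( top[0] );
+if ( idx < 0 || idx >= (FT_Int)decoder->num_subrs )
+{
+FT_ERROR(( "t1_decoder_parse_charstrings:"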
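Review bot: The sign check on `arg_cnt` and `subr_no` sits only in the `default:` branch (the `@@ -1009,11 +1011,15 @@` hunk), so a negative count is rejected late and each named othersubr case has to catch it through its own `arg_cnt != N` test. The code between the decode in the `@@ -684,8 +686,8 @@` hunk and the switch is not visible here; if it adjusts `top` by `arg_cnt`, as the truncated comment banner after the decode suggests it might, that adjustment still runs with the negative value before anything rejects it. Validating once, directly after `arg_cnt = Fix2Int( top[0] );`, would make the fix easier to audit and independent of the individual cases: `if ( arg_cnt < 0 || subr_no < 0 ) goto Unexpected_OtherSubr;`. The enclosing function starts and ends outside every hunk, so confirm that a jump to the label is valid from that position.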
@ -7,7 +7,7 @@
|
||||
Summary: A free and portable font rendering engine
|
||||
Name: freetype
|
||||
Version: 2.4.5
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
License: FTL or GPLv2+
|
||||
Group: System Environment/Libraries
|
||||
URL: http://www.freetype.org
|
||||
@ -26,6 +26,7 @@ Patch47: freetype-2.3.11-more-demos.patch
|
||||
Patch88: freetype-multilib.patch
|
||||
|
||||
Patch89: freetype-2.4.2-CVE-2010-3311.patch
|
||||
Patch90: freetype-2.4.5-CVE-2011-0226.patch
|
||||
|
||||
Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
|
||||
|
||||
@ -87,6 +88,7 @@ popd
|
||||
|
||||
%patch88 -p1 -b .multilib
|
||||
%patch89 -p1 -b .CVE-2010-3311
|
||||
%patch90 -p1 -b .CVE-2011-0226
|
||||
|
||||
%build
|
||||
|
||||
@ -219,6 +221,13 @@ rm -rf $RPM_BUILD_ROOT
|
||||
%doc docs/tutorial
|
||||
|
||||
%changelog
|
||||
* Wed Jul 20 2011 Marek Kasik <mkasik@redhat.com> 2.4.5-2
|
||||
- Add freetype-2.4.5-CVE-2011-0226.patch
|
||||
(Add better argument check for `callothersubr'.)
|
||||
- based on patches by Werner Lemberg,
|
||||
Alexei Podtelezhnikov and Matthias Drochner
|
||||
- Resolves: #723469
|
||||
|
||||
* Tue Jun 28 2011 Marek Kasik <mkasik@redhat.com> 2.4.5-1
|
||||
- Update to 2.4.5
|
||||
|
||||
|