From 5e36bb94c73ff1ecf6fb032276cba5da3bfdca40 Mon Sep 17 00:00:00 2001
From: Marek Kasik
Date: Tue, 2 May 2017 17:04:30 +0200
Subject: [PATCH] Add safety guard (CVE-2017-8287)
Resolves: #1446075
---
 freetype-2.7.1-safety-guard.patch | 36 +++++++++++++++++++++++++++++++
 freetype.spec | 10 ++++++++-
 2 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 freetype-2.7.1-safety-guard.patch
diff --git a/freetype-2.7.1-safety-guard.patch b/freetype-2.7.1-safety-guard.patch
new file mode 100644
index 0000000..65ee149
--- /dev/null
+++ b/freetype-2.7.1-safety-guard.patch
@@ -0,0 +1,36 @@
+From 3774fc08b502c3e685afca098b6e8a195aded6a0 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg
+Date: Sun, 26 Mar 2017 08:32:09 +0200
+Subject: [PATCH] * src/psaux/psobjs.c (t1_builder_close_contour): Add safety
+ guard.
+
+Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941
+---
+ ChangeLog | 8 ++++++++
+ src/psaux/psobjs.c | 8 ++++++++
+ 2 files changed, 16 insertions(+)
+
+diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
+index d18e821a..0baf8368 100644
+--- a/src/psaux/psobjs.c
++++ b/src/psaux/psobjs.c
+@@ -1718,6 +1718,14 @@
+ first = outline->n_contours <= 1
+ ? 0 : outline->contours[outline->n_contours - 2] + 1;
+
++ /* in malformed fonts it can happen that a contour was started */
++ /* but no points were added */
++ if ( outline->n_contours && first == outline->n_points )
++ {
++ outline->n_contours--;
++ return;
++ }
++
+ /* We must not include the last point in the path if it */
+ /* is located on the first point. */
+ if ( outline->n_points > 1 )
+--
+2.12.2
+
diff --git a/freetype.spec b/freetype.spec
index b533d3d..ca996f0 100644
--- a/freetype.spec
+++ b/freetype.spec
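Review bot: The header embedded in freetype-2.7.1-safety-guard.patch still shows the upstream diffstat (`ChangeLog | 8 ++++++++`, `2 files changed, 16 insertions(+)`), but the file carries only the `src/psaux/psobjs.c` hunk, so it no longer matches the commit it names. Dropping the ChangeLog hunk is presumably deliberate, yet anyone auditing this CVE-2017-8287 backport against upstream 3774fc08b502 cannot tell that from the file. I would add a line to the patch description, for example `Downstream note: ChangeLog hunk dropped; code change identical to upstream`, or regenerate the diffstat. The body of `t1_builder_close_contour` starts and ends outside the hunk, so whether the early `return` skips work the rest of the function relies on cannot be checked from this page.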
@@ -7,7 +7,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.7.1
-Release: 5%{?dist}
+Release: 6%{?dist}
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -34,6 +34,9 @@ Patch5: freetype-2.6.5-libtool.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1446500
 Patch6: freetype-2.7.1-protect-flex-handling.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1446073
+Patch7: freetype-2.7.1-safety-guard.patch
+
 BuildRequires: libX11-devel
 BuildRequires: libpng-devel
@@ -96,6 +99,7 @@ popd
 %patch4 -p1 -b .freetype-config-prefix
 %patch5 -p1 -b .libtool
 %patch6 -p1 -b .protect-flex-handling
+%patch7 -p1 -b .safety-guard
 %build
@@ -211,6 +215,10 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la}
 %{_mandir}/man1/*
 %changelog
+* Tue May 2 2017 Marek Kasik - 2.7.1-6
+- Add safety guard (CVE-2017-8287)
+- Resolves: #1446075
+
 * Tue May 2 2017 Marek Kasik - 2.7.1-5
 - Better protect `flex' handling (CVE-2017-8105)
 - Resolves: #1446502
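Review bot: The comment added above `Patch7` in the `@@ -34,6 +34,9 @@` hunk is a bare Bugzilla URL (id=1446073), while the changelog entry names CVE-2017-8287 and resolves #1446075, so the Patch line alone ties the file neither to the CVE nor to its upstream commit. Patch6 shows the same two-id offset (1446500 against #1446502), so the differing ids are presumably a CVE bug and a per-release tracker rather than a typo, but nothing here says so. I would write the comment as `# CVE-2017-8287, upstream 3774fc08b502 - https://bugzilla.redhat.com/show_bug.cgi?id=1446073`.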