Fix CVE-2025-27363 (rebase to simpler patch)

This commit is contained in:
Jonathan Wright 2025-03-14 10:06:17 -05:00
parent 5967258e12
commit dbe419ab4f
2 changed files with 23 additions and 172 deletions


@ -1,168 +1,18 @@
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
index 1dd319d..9a77bab 100644
--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
@@ -972,7 +972,7 @@
if ( !IS_DEFAULT_INSTANCE( FT_FACE( loader->face ) ) )
{
- if ( FT_NEW_ARRAY( unrounded, n_points ) )
+ if ( FT_QNEW_ARRAY( unrounded, n_points ) )
goto Exit;
/* Deltas apply to the unscaled data. */
@@ -1941,33 +1941,25 @@
if ( FT_IS_NAMED_INSTANCE( FT_FACE( face ) ) ||
FT_IS_VARIATION( FT_FACE( face ) ) )
{
- short i, limit;
+ FT_UShort i, limit;
FT_SubGlyph subglyph;
- FT_Outline outline;
- FT_Vector* points = NULL;
- char* tags = NULL;
- short* contours = NULL;
+ FT_Outline outline = { 0, 0, NULL, NULL, NULL, 0 };
FT_Vector* unrounded = NULL;
- limit = (short)gloader->current.num_subglyphs;
+ limit = (FT_UShort)gloader->current.num_subglyphs;
@@ -1953,6 +1953,13 @@
limit = (short)gloader->current.num_subglyphs;
+ /* make sure this isn't negative as we're going to add 4 later */
+ if ( limit < 0 )
+ {
+ error = FT_THROW( Invalid_Argument );
+ goto Exit;
+ }
+
/* construct an outline structure for */
/* communication with `TT_Vary_Apply_Glyph_Deltas' */
- outline.n_points = (short)( gloader->current.num_subglyphs + 4 );
- outline.n_contours = outline.n_points;
-
- outline.points = NULL;
- outline.tags = NULL;
- outline.contours = NULL;
-
- if ( FT_NEW_ARRAY( points, outline.n_points ) ||
- FT_NEW_ARRAY( tags, outline.n_points ) ||
- FT_NEW_ARRAY( contours, outline.n_points ) ||
- FT_NEW_ARRAY( unrounded, outline.n_points ) )
+ if ( FT_QNEW_ARRAY( outline.points, limit + 4 ) ||
+ FT_QNEW_ARRAY( outline.tags, limit ) ||
+ FT_QNEW_ARRAY( outline.contours, limit ) ||
+ FT_QNEW_ARRAY( unrounded, limit + 4 ) )
goto Exit1;
+ outline.n_contours = outline.n_points = limit;
+
subglyph = gloader->current.subglyphs;
for ( i = 0; i < limit; i++, subglyph++ )
@@ -1975,38 +1967,16 @@
/* applying deltas for anchor points doesn't make sense, */
/* but we don't have to specially check this since */
/* unused delta values are zero anyways */
- points[i].x = subglyph->arg1;
- points[i].y = subglyph->arg2;
- tags[i] = 1;
- contours[i] = i;
+ outline.points[i].x = subglyph->arg1;
+ outline.points[i].y = subglyph->arg2;
+ outline.tags[i] = ON_CURVE_POINT;
+ outline.contours[i] = i;
}
- points[i].x = loader->pp1.x;
- points[i].y = loader->pp1.y;
- tags[i] = 1;
- contours[i] = i;
-
- i++;
- points[i].x = loader->pp2.x;
- points[i].y = loader->pp2.y;
- tags[i] = 1;
- contours[i] = i;
-
- i++;
- points[i].x = loader->pp3.x;
- points[i].y = loader->pp3.y;
- tags[i] = 1;
- contours[i] = i;
-
- i++;
- points[i].x = loader->pp4.x;
- points[i].y = loader->pp4.y;
- tags[i] = 1;
- contours[i] = i;
-
- outline.points = points;
- outline.tags = tags;
- outline.contours = contours;
+ outline.points[i++] = loader->pp1;
+ outline.points[i++] = loader->pp2;
+ outline.points[i++] = loader->pp3;
+ outline.points[i ] = loader->pp4;
/* this call provides additional offsets */
/* for each component's translation */
@@ -2024,20 +1994,20 @@
{
if ( subglyph->flags & ARGS_ARE_XY_VALUES )
{
- subglyph->arg1 = (FT_Int16)points[i].x;
- subglyph->arg2 = (FT_Int16)points[i].y;
+ subglyph->arg1 = (FT_Int16)outline.points[i].x;
+ subglyph->arg2 = (FT_Int16)outline.points[i].y;
}
}
- loader->pp1.x = points[i + 0].x;
- loader->pp1.y = points[i + 0].y;
- loader->pp2.x = points[i + 1].x;
- loader->pp2.y = points[i + 1].y;
-
- loader->pp3.x = points[i + 2].x;
- loader->pp3.y = points[i + 2].y;
- loader->pp4.x = points[i + 3].x;
- loader->pp4.y = points[i + 3].y;
+ loader->pp1.x = outline.points[i + 0].x;
+ loader->pp1.y = outline.points[i + 0].y;
+ loader->pp2.x = outline.points[i + 1].x;
+ loader->pp2.y = outline.points[i + 1].y;
+
+ loader->pp3.x = outline.points[i + 2].x;
+ loader->pp3.y = outline.points[i + 2].y;
+ loader->pp4.x = outline.points[i + 3].x;
+ loader->pp4.y = outline.points[i + 3].y;
/* recalculate linear horizontal and vertical advances */
/* if we don't have HVAR and VVAR, respectively */
--- a/include/freetype/internal/ftmemory.h
+++ b/include/freetype/internal/ftmemory.h
@@ -344,14 +344,13 @@ extern "C++"
#define FT_RENEW_ARRAY( ptr, curcnt, newcnt ) \
FT_MEM_SET_ERROR( FT_MEM_RENEW_ARRAY( ptr, curcnt, newcnt ) )
-#define FT_QNEW( ptr ) \
- FT_MEM_SET_ERROR( FT_MEM_QNEW( ptr ) )
+#define FT_QNEW( ptr ) FT_MEM_SET_ERROR( FT_MEM_QNEW( ptr ) )
-#define FT_QNEW_ARRAY( ptr, count ) \
- FT_MEM_SET_ERROR( FT_MEM_NEW_ARRAY( ptr, count ) )
+#define FT_QNEW_ARRAY( ptr, count ) \
+ FT_MEM_SET_ERROR( FT_MEM_QNEW_ARRAY( ptr, count ) )
-#define FT_QRENEW_ARRAY( ptr, curcnt, newcnt ) \
- FT_MEM_SET_ERROR( FT_MEM_RENEW_ARRAY( ptr, curcnt, newcnt ) )
+#define FT_QRENEW_ARRAY( ptr, curcnt, newcnt ) \
+ FT_MEM_SET_ERROR( FT_MEM_QRENEW_ARRAY( ptr, curcnt, newcnt ) )
FT_BASE( FT_Pointer )
--- a/src/sfnt/ttload.c
+++ b/src/sfnt/ttload.c
@@ -987,6 +987,9 @@
}
}
+ /* mark the string as not yet converted */
+ entry->string = NULL;
+
entry++;
}
outline.n_points = (short)( gloader->current.num_subglyphs + 4 );
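Review bot: The new guard `if ( limit < 0 )` covers only the negative outcome of the `(short)` truncation, while `outline.n_points` on the last line is still computed from `gloader->current.num_subglyphs + 4` through a second, independent cast, so the comment's "we're going to add 4 later" is not enforced on the value that was checked. For `limit` in the top four values of `short` that second cast wraps negative and the code then depends on the array allocator rejecting a negative count (not visible here) rather than on the guard, and if `num_subglyphs` can exceed 65535 a truncated `limit` passes the guard silently. I would size from the checked value and bound it explicitly: `if ( limit < 0 || limit > SHRT_MAX - 4 )` for the guard and `outline.n_points = (short)( limit + 4 );` for the sizing line, with `SHRT_MAX` from `<limits.h>` if ttgload.c does not already have it in scope. The enclosing function starts and ends outside the hunk, and because this section is a diff of a patch file the rendered markers do not show which lines belong to the old versus the new patch; these remarks assume the `limit < 0` block and the `n_points` line form the new patch.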


@ -4,7 +4,7 @@
Summary: A free and portable font rendering engine
Name: freetype
Version: 2.10.4
Release: 9%{?dist}.alma.1
Release: 9%{?dist}.alma.2
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
URL: http://www.freetype.org
Source: http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.tar.xz
@ -42,11 +42,8 @@ Patch10: freetype-2.10.4-properly-guard-face_index.patch
Patch11: freetype-2.10.4-guard-face-size.patch
# CVE-2025-27363
# https://issues.redhat.com/browse/RHEL-83280
# https://gitlab.com/redhat/centos-stream/rpms/freetype/-/merge_requests/8
# backported from
# https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d
# https://gitlab.freedesktop.org/freetype/freetype/-/commit/73720c7c9958e87b3d134a7574d1720ad2d24442
# https://access.redhat.com/security/cve/cve-2025-27363
# Patch by Marc Deslauriers of Canonical
Patch12: freetype-2.10.4-cve-2025-27363.patch
BuildRequires: gcc
@ -258,12 +255,16 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la}
%{_mandir}/man1/*
%changelog
* Wed Mar 12 2025 Jonathan Wright <jonathan@almalinux.org> - 20.10.4-9.alma.1
* Fri Mar 14 2025 Jonathan Wright <jonathan@almalinux.org> - 2.10.4-9.alma.2
- Rebase CVE-2025-27363 to simpler patch by Marc Deslauriers of Canonical
- Resolves: RHEL-83280
- Fix previous changelog version
* Wed Mar 12 2025 Jonathan Wright <jonathan@almalinux.org> - 2.10.4-9.alma.1
- Backport from CentOS Stream 9 PR by Michel Lind <salimma@centosproject.org>
- TrueType clean up and unsigned fixes for CVE-2025-27363
- Resolves: RHEL-83280
* Tue May 31 2022 Marek Kasik <mkasik@redhat.com> - 2.10.4-9
- Guard face->size
- Resolves: #2079280