diff --git a/SOURCES/freetype-2.10.4-cve-2025-27363.patch b/SOURCES/freetype-2.10.4-cve-2025-27363.patch index 616da23..a44bda2 100644 --- a/SOURCES/freetype-2.10.4-cve-2025-27363.patch +++ b/SOURCES/freetype-2.10.4-cve-2025-27363.patch @@ -1,168 +1,18 @@ +diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c +index 1dd319d..9a77bab 100644 --- a/src/truetype/ttgload.c 
+++ b/src/truetype/ttgload.c -@@ -972,7 +972,7 @@ - - if ( !IS_DEFAULT_INSTANCE( FT_FACE( loader->face ) ) ) - { -- if ( FT_NEW_ARRAY( unrounded, n_points ) ) -+ if ( FT_QNEW_ARRAY( unrounded, n_points ) ) - goto Exit; - - /* Deltas apply to the unscaled data. */ -@@ -1941,33 +1941,25 @@ - if ( FT_IS_NAMED_INSTANCE( FT_FACE( face ) ) || - FT_IS_VARIATION( FT_FACE( face ) ) ) - { -- short i, limit; -+ FT_UShort i, limit; - FT_SubGlyph subglyph; - -- FT_Outline outline; -- FT_Vector* points = NULL; -- char* tags = NULL; -- short* contours = NULL; -+ FT_Outline outline = { 0, 0, NULL, NULL, NULL, 0 }; - FT_Vector* unrounded = NULL; - - -- limit = (short)gloader->current.num_subglyphs; -+ limit = (FT_UShort)gloader->current.num_subglyphs; - +@@ -1953,6 +1953,13 @@ + + limit = (short)gloader->current.num_subglyphs; + ++ /* make sure this isn't negative as we're going to add 4 later */ ++ if ( limit < 0 ) ++ { ++ error = FT_THROW( Invalid_Argument ); ++ goto Exit; ++ } ++ /* construct an outline structure for */ /* communication with `TT_Vary_Apply_Glyph_Deltas' */ -- outline.n_points = (short)( gloader->current.num_subglyphs + 4 ); -- outline.n_contours = outline.n_points; -- -- outline.points = NULL; -- outline.tags = NULL; -- outline.contours = NULL; -- -- if ( FT_NEW_ARRAY( points, outline.n_points ) || -- FT_NEW_ARRAY( tags, outline.n_points ) || -- FT_NEW_ARRAY( contours, outline.n_points ) || -- FT_NEW_ARRAY( unrounded, outline.n_points ) ) -+ if ( FT_QNEW_ARRAY( outline.points, limit + 4 ) || -+ FT_QNEW_ARRAY( outline.tags, limit ) || -+ FT_QNEW_ARRAY( outline.contours, limit ) || -+ FT_QNEW_ARRAY( unrounded, limit + 4 ) ) - goto Exit1; - -+ outline.n_contours = outline.n_points = limit; -+ - subglyph = gloader->current.subglyphs; - - for ( i = 0; i < limit; i++, subglyph++ ) -@@ -1975,38 +1967,16 @@ - /* applying deltas for anchor points doesn't make sense, */ - /* but we don't have to specially check this since */ - /* unused delta values are zero anyways */ -- 
points[i].x = subglyph->arg1; -- points[i].y = subglyph->arg2; -- tags[i] = 1; -- contours[i] = i; -+ outline.points[i].x = subglyph->arg1; -+ outline.points[i].y = subglyph->arg2; -+ outline.tags[i] = ON_CURVE_POINT; -+ outline.contours[i] = i; - } - -- points[i].x = loader->pp1.x; -- points[i].y = loader->pp1.y; -- tags[i] = 1; -- contours[i] = i; -- -- i++; -- points[i].x = loader->pp2.x; -- points[i].y = loader->pp2.y; -- tags[i] = 1; -- contours[i] = i; -- -- i++; -- points[i].x = loader->pp3.x; -- points[i].y = loader->pp3.y; -- tags[i] = 1; -- contours[i] = i; -- -- i++; -- points[i].x = loader->pp4.x; -- points[i].y = loader->pp4.y; -- tags[i] = 1; -- contours[i] = i; -- -- outline.points = points; -- outline.tags = tags; -- outline.contours = contours; -+ outline.points[i++] = loader->pp1; -+ outline.points[i++] = loader->pp2; -+ outline.points[i++] = loader->pp3; -+ outline.points[i ] = loader->pp4; - - /* this call provides additional offsets */ - /* for each component's translation */ -@@ -2024,20 +1994,20 @@ - { - if ( subglyph->flags & ARGS_ARE_XY_VALUES ) - { -- subglyph->arg1 = (FT_Int16)points[i].x; -- subglyph->arg2 = (FT_Int16)points[i].y; -+ subglyph->arg1 = (FT_Int16)outline.points[i].x; -+ subglyph->arg2 = (FT_Int16)outline.points[i].y; - } - } - -- loader->pp1.x = points[i + 0].x; -- loader->pp1.y = points[i + 0].y; -- loader->pp2.x = points[i + 1].x; -- loader->pp2.y = points[i + 1].y; -- -- loader->pp3.x = points[i + 2].x; -- loader->pp3.y = points[i + 2].y; -- loader->pp4.x = points[i + 3].x; -- loader->pp4.y = points[i + 3].y; -+ loader->pp1.x = outline.points[i + 0].x; -+ loader->pp1.y = outline.points[i + 0].y; -+ loader->pp2.x = outline.points[i + 1].x; -+ loader->pp2.y = outline.points[i + 1].y; -+ -+ loader->pp3.x = outline.points[i + 2].x; -+ loader->pp3.y = outline.points[i + 2].y; -+ loader->pp4.x = outline.points[i + 3].x; -+ loader->pp4.y = outline.points[i + 3].y; - - /* recalculate linear horizontal and vertical advances */ - 
/* if we don't have HVAR and VVAR, respectively */ ---- a/include/freetype/internal/ftmemory.h -+++ b/include/freetype/internal/ftmemory.h -@@ -344,14 +344,13 @@ extern "C++" - #define FT_RENEW_ARRAY( ptr, curcnt, newcnt ) \ - FT_MEM_SET_ERROR( FT_MEM_RENEW_ARRAY( ptr, curcnt, newcnt ) ) - --#define FT_QNEW( ptr ) \ -- FT_MEM_SET_ERROR( FT_MEM_QNEW( ptr ) ) -+#define FT_QNEW( ptr ) FT_MEM_SET_ERROR( FT_MEM_QNEW( ptr ) ) - --#define FT_QNEW_ARRAY( ptr, count ) \ -- FT_MEM_SET_ERROR( FT_MEM_NEW_ARRAY( ptr, count ) ) -+#define FT_QNEW_ARRAY( ptr, count ) \ -+ FT_MEM_SET_ERROR( FT_MEM_QNEW_ARRAY( ptr, count ) ) - --#define FT_QRENEW_ARRAY( ptr, curcnt, newcnt ) \ -- FT_MEM_SET_ERROR( FT_MEM_RENEW_ARRAY( ptr, curcnt, newcnt ) ) -+#define FT_QRENEW_ARRAY( ptr, curcnt, newcnt ) \ -+ FT_MEM_SET_ERROR( FT_MEM_QRENEW_ARRAY( ptr, curcnt, newcnt ) ) - - - FT_BASE( FT_Pointer ) ---- a/src/sfnt/ttload.c -+++ b/src/sfnt/ttload.c -@@ -987,6 +987,9 @@ - } - } - -+ /* mark the string as not yet converted */ -+ entry->string = NULL; -+ - entry++; - } - - + outline.n_points = (short)( gloader->current.num_subglyphs + 4 ); diff --git a/SPECS/freetype.spec b/SPECS/freetype.spec index a9a96fe..7ce77c5 100644 --- a/SPECS/freetype.spec +++ b/SPECS/freetype.spec @@ -4,7 +4,7 @@ Summary: A free and portable font rendering engine Name: freetype Version: 2.10.4 -Release: 9%{?dist}.alma.1 +Release: 9%{?dist}.alma.2 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement URL: http://www.freetype.org Source: http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.tar.xz 
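Review bot: The added `if ( limit < 0 )` guard in ttgload.c runs only after `limit = (short)gloader->current.num_subglyphs` has already narrowed the count, and the context line `outline.n_points = (short)( gloader->current.num_subglyphs + 4 )` still narrows the sum to a short. A count within four of the short maximum therefore passes the new check and leaves `n_points` negative. Whether that is rejected afterwards depends on how the array-allocation macros treat a negative count, which this hunk does not show. I would bound the count before either cast, e.g. `if ( gloader->current.num_subglyphs > 0x7FFF - 4 )` with the same `error = FT_THROW( Invalid_Argument ); goto Exit;` body, and reword the comment to `/* reject counts that no longer fit in a short once 4 is added */`. The rebase drops the earlier backport's unsigned-type cleanup, so this guard appears to be the only bound on that path; the enclosing function starts and ends outside the hunk.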
@@ -42,11 +42,8 @@ Patch10: freetype-2.10.4-properly-guard-face_index.patch Patch11: freetype-2.10.4-guard-face-size.patch # CVE-2025-27363 -# https://issues.redhat.com/browse/RHEL-83280 -# https://gitlab.com/redhat/centos-stream/rpms/freetype/-/merge_requests/8 -# backported from -# https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d -# https://gitlab.freedesktop.org/freetype/freetype/-/commit/73720c7c9958e87b3d134a7574d1720ad2d24442 +# https://access.redhat.com/security/cve/cve-2025-27363 +# Patch by Marc Deslauriers of Canonical Patch12: freetype-2.10.4-cve-2025-27363.patch BuildRequires: gcc @@ -258,12 +255,16 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la} %{_mandir}/man1/* %changelog -* Wed Mar 12 2025 Jonathan Wright - 20.10.4-9.alma.1 +* Fri Mar 14 2025 Jonathan Wright - 2.10.4-9.alma.2 +- Rebase CVE-2025-27363 to simpler patch by Marc Deslauriers of Canonical +- Resolves: RHEL-83280 +- Fix previous changelog version + +* Wed Mar 12 2025 Jonathan Wright - 2.10.4-9.alma.1 - Backport from CentOS Stream 9 PR by Michel Lind - TrueType clean up and unsigned fixes for CVE-2025-27363 - Resolves: RHEL-83280 - * Tue May 31 2022 Marek Kasik - 2.10.4-9 - Guard face->size - Resolves: #2079280
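Review bot: The new Patch12 comment names the author of the replacement patch but gives no location for it, whereas the removed lines linked the issue tracker entry, the CentOS Stream merge request and both upstream commits. For a security fix carried as a downstream patch, an auditor needs to be able to compare the shipped file with its origin. I would add a line such as `# Source: <URL or package version the Canonical patch was taken from>` (placeholder, to be filled in by the packager) and keep `# https://issues.redhat.com/browse/RHEL-83280`, which the new changelog entry still cites as resolved.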