import freetype-2.9.1-4.el8_3.1

2021-03-30 08:20:26 -04:00 · 2021-03-30 08:20:26 -04:00 · dfad8045d7
commit dfad8045d7
parent 2914181c13
3 changed files with 88 additions and 1 deletions
--- a/SOURCES/freetype-2.9.1-png-bitmap-size.patch
+++ b/SOURCES/freetype-2.9.1-png-bitmap-size.patch
@ -0,0 +1,48 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+---
+ ChangeLog          |  8 ++++++++
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 2e64e5846..f55016122 100644
+--- a/src/sfnt/pngshim.c
+++ b/src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+ 
+     if ( populate_map_and_metrics )
+     {
+      /* reject too large bitmaps similarly to the rasterizer */
+      if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
+      {
+        error = FT_THROW( Array_Too_Large );
+        goto DestroyExit;
+      }
+
+       metrics->width  = (FT_UShort)imgWidth;
+       metrics->height = (FT_UShort)imgHeight;
+ 
+@@ -340,13 +347,6 @@
+       map->pixel_mode = FT_PIXEL_MODE_BGRA;
+       map->pitch      = (int)( map->width * 4 );
+       map->num_grays  = 256;
+-
+-      /* reject too large bitmaps similarly to the rasterizer */
+-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+-      {
+-        error = FT_THROW( Array_Too_Large );
+-        goto DestroyExit;
+-      }
+     }
+ 
+     /* convert palette/gray image to rgb */
+-- 
+2.26.2
+
--- a/SOURCES/freetype-2.9.1-png-memory-leak.patch
+++ b/SOURCES/freetype-2.9.1-png-memory-leak.patch
@ -0,0 +1,28 @@
+From 007c109b4594c5e63948bd08b4d5011ad76ffb10 Mon Sep 17 00:00:00 2001
+From: Ben Wagner <bungeman@google.com>
+Date: Fri, 23 Oct 2020 08:29:14 +0200
+Subject: [PATCH] * src/sfnt/pngshim.c (Load_SBit_Png): Fix memory leak
+ (#59322).
+
+The issue is that `rows` is allocated but will not be freed in the
+event that the call to `png_read_image` fails and calls `longjmp`.
+---
+ ChangeLog          | 7 +++++++
+ src/sfnt/pngshim.c | 1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index f55016122..d4e43a9f4 100644
+--- a/src/sfnt/pngshim.c
+++ b/src/sfnt/pngshim.c
+@@ -443,6 +443,7 @@
+     png_read_end( png, info );
+ 
+   DestroyExit:
+    FT_FREE( rows );
+     png_destroy_read_struct( &png, &info, NULL );
+     FT_Stream_Close( &stream );
+ 
+-- 
+2.26.2
+
--- a/SPECS/freetype.spec
+++ b/SPECS/freetype.spec
@ -3,7 +3,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.9.1
-Release: 4%{?dist}
+Release: 4%{?dist}.1
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@ -28,6 +28,10 @@ Patch5:  freetype-2.9-ftsmooth.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1602501
 Patch6:  freetype-2.9.1-covscan.patch

+# https://bugzilla.redhat.com/show_bug.cgi?id=1890210
+Patch7:  freetype-2.9.1-png-bitmap-size.patch
+Patch8:  freetype-2.9.1-png-memory-leak.patch
+
 BuildRequires: libX11-devel
 BuildRequires: libpng-devel
 BuildRequires: zlib-devel
@ -86,6 +90,8 @@ popd
 %patch4 -p1 -b .multilib
 %patch5 -p1 -b .ftsmooth
 %patch6 -p1 -b .covscan
+%patch7 -p1 -b .png-bitmap-size
+%patch8 -p1 -b .png-memory-leak

 %build

@ -198,6 +204,11 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la}
 %{_mandir}/man1/*

 %changelog
+* Fri Oct 30 2020 Marek Kasik <mkasik@redhat.com> - 2.9.1-4.el8_3.1
+- Test bitmap size earlier for PNGs
+- Fix memory leak in pngshim.c
+- Resolves: #1891905
+
 * Fri Dec  7 2018 Marek Kasik <mkasik@redhat.com> - 2.9.1-4
 - Use pkgconf in freetype-config.in directly (RPMDiff)
 - Related: #1651252