Update to 2.4.9

Fixes various CVEs
Resolves: #806270, #802933
Marek Kasik 2012-03-30 16:29:22 +02:00
parent 1a9ea0607b
commit e50e9306ff
7 changed files with 151 additions and 5 deletions

3
.gitignore vendored

@ -22,3 +22,6 @@ ft2demos-2.4.2.tar.bz2
/freetype-2.4.8.tar.bz2
/freetype-doc-2.4.8.tar.bz2
/ft2demos-2.4.8.tar.bz2
/freetype-2.4.9.tar.bz2
/freetype-doc-2.4.9.tar.bz2
/ft2demos-2.4.9.tar.bz2


@ -0,0 +1,11 @@
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -842,7 +842,7 @@
};
-#define isdigok( m, d ) (m[(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
+#define isdigok( m, d ) (m[(unsigned char)(d) >> 3] & ( 1 << ( (d) & 7 ) ) )
/* Routine to convert an ASCII string into an unsigned long integer. */
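Review bot: The new cast in `isdigok` stops a byte of 0x80 or above from producing a negative index into `m` where plain `char` is signed, but the macro does not say so, and the bit-select half still uses the uncast `(d) & 7`. A short comment such as `/* cast: plain char may be signed; bytes >= 0x80 must not give a negative index */` would record the reason. Writing the macro as `( (m)[(unsigned char)(d) >> 3] & ( 1 << ( (unsigned char)(d) & 7 ) ) )` treats both halves alike and parenthesizes `m`. The lookup tables are outside the hunk, so it is worth confirming that each holds at least 32 bytes, since the cast bounds the index to 0..31 and no tighter.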


@ -0,0 +1,10 @@
--- a/src/bdf/bdflib.c
+++ b/src/bdf/bdflib.c
@@ -569,6 +569,7 @@
list->field[1] = (char*)empty;
list->field[2] = (char*)empty;
list->field[3] = (char*)empty;
+ list->field[4] = (char*)empty;
}
/* If the line is empty, then simply return. */
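Review bot: The added store to `list->field[4]` is safe only if `field` is guaranteed to hold at least five entries whenever this block runs, and neither the guard nor the allocation is visible in the hunk. Please confirm that the code which grows the list never leaves it with fewer than five slots; otherwise this line trades an uninitialized read for an out-of-bounds write. Filling the slots in a loop bounded by the list's allocated count, rather than with five hand-written stores, would keep the initialization from drifting away from the allocation again. The enclosing function starts and ends outside the hunk.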


@ -0,0 +1,88 @@
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -71,6 +71,13 @@
#include "t1errors.h"
+#ifdef FT_CONFIG_OPTION_INCREMENTAL
+#define IS_INCREMENTAL ( face->root.internal->incremental_interface != 0 )
+#else
+#define IS_INCREMENTAL 0
+#endif
+
+
/*************************************************************************/
/* */
/* The macro FT_COMPONENT is used in trace mode. It is an implicit */
@@ -1030,7 +1037,8 @@
static int
read_binary_data( T1_Parser parser,
FT_Long* size,
- FT_Byte** base )
+ FT_Byte** base,
+ FT_Bool incremental )
{
FT_Byte* cur;
FT_Byte* limit = parser->root.limit;
@@ -1065,8 +1073,12 @@
}
}
- FT_ERROR(( "read_binary_data: invalid size field\n" ));
- parser->root.error = T1_Err_Invalid_File_Format;
+ if( !incremental )
+ {
+ FT_ERROR(( "read_binary_data: invalid size field\n" ));
+ parser->root.error = T1_Err_Invalid_File_Format;
+ }
+
return 0;
}
@@ -1396,7 +1408,7 @@
idx = T1_ToInt( parser );
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* The binary string is followed by one token, e.g. `NP' */
@@ -1582,7 +1594,7 @@
cur++; /* skip `/' */
len = parser->root.cursor - cur;
- if ( !read_binary_data( parser, &size, &base ) )
+ if ( !read_binary_data( parser, &size, &base, IS_INCREMENTAL ) )
return;
/* for some non-standard fonts like `Optima' which provides */
@@ -1871,7 +1883,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -1884,7 +1896,7 @@
parser->root.cursor = start_binary;
- if ( !read_binary_data( parser, &s, &b ) )
+ if ( !read_binary_data( parser, &s, &b, IS_INCREMENTAL ) )
return T1_Err_Invalid_File_Format;
have_integer = 0;
}
@@ -2160,9 +2172,7 @@
type1->subrs_len = loader.subrs.lengths;
}
-#ifdef FT_CONFIG_OPTION_INCREMENTAL
- if ( !face->root.internal->incremental_interface )
-#endif
+ if ( !IS_INCREMENTAL )
if ( !loader.charstrings.init )
{
FT_ERROR(( "T1_Open_Face: no `/CharStrings' array in face\n" ));
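Review bot: In `read_binary_data` the invalid-size path now returns 0 without logging or setting `parser->root.error` when `incremental` is true, and the callers in the `@@ -1396` and `@@ -1582` hunks respond with a bare `return;`, so in incremental mode a malformed size field is dropped with no trace. If that is intended, it should be stated next to `if( !incremental )`, for example `/* with an incremental interface the client supplies glyph data, so a missing size field is not fatal */`; that rationale is inferred from the change and should be confirmed. Separately, `IS_INCREMENTAL` expands to an expression on `face`, so it only compiles inside functions that have a variable of that name in scope. A comment on the macro saying so, or a parameterized form `IS_INCREMENTAL( face )`, would make the dependency visible. The functions around the later hunks continue outside what is shown.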


@ -0,0 +1,16 @@
--- a/src/type1/t1load.c
+++ b/src/type1/t1load.c
@@ -1399,9 +1399,10 @@
FT_Byte* base;
- /* If the next token isn't `dup' we are done. */
- if ( parser->root.cursor + 4 < parser->root.limit &&
- ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
+ /* If we are out of data, or if the next token isn't `dup', */
+ /* we are done. */
+ if ( parser->root.cursor + 4 >= parser->root.limit ||
+ ft_strncmp( (char*)parser->root.cursor, "dup", 3 ) != 0 )
break;
T1_Skip_PS_Token( parser ); /* `dup' */
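Review bot: The bounds test `parser->root.cursor + 4 >= parser->root.limit` forms a pointer four bytes ahead of the cursor before comparing, which is undefined behavior in C once the cursor is within three bytes of the end of the buffer (assuming `limit` marks one past the end, which the hunk does not show). Comparing the remaining length gives the same result without forming that pointer: `if ( parser->root.limit - parser->root.cursor <= 4 ||`. The enclosing loop starts and ends outside the hunk.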


@ -6,8 +6,8 @@
Summary: A free and portable font rendering engine
Name: freetype
Version: 2.4.8
Release: 2%{?dist}
Version: 2.4.9
Release: 1%{?dist}
License: FTL or GPLv2+
Group: System Environment/Libraries
URL: http://www.freetype.org
@ -25,6 +25,15 @@ Patch47: freetype-2.3.11-more-demos.patch
# Fix multilib conflicts
Patch88: freetype-multilib.patch
Patch89: freetype-2.4.9-CVE-2012-1139.patch
Patch90: freetype-2.4.9-CVE-2012-1141.patch
# https://savannah.nongnu.org/bugs/?35833
Patch91: freetype-2.4.9-loop-exit-condition.patch
#https://savannah.nongnu.org/bugs/?35847
Patch92: freetype-2.4.9-incremental-interface.patch
Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
BuildRequires: libX11-devel
@ -84,6 +93,10 @@ pushd ft2demos-%{version}
popd
%patch88 -p1 -b .multilib
%patch89 -p1 -b .CVE-2012-1139
%patch90 -p1 -b .CVE-2012-1141
%patch91 -p1 -b .loop-exit-condition
%patch92 -p1 -b .incremental-interface
%build
@ -216,6 +229,11 @@ rm -rf $RPM_BUILD_ROOT
%doc docs/tutorial
%changelog
* Fri Mar 30 2012 Marek Kasik <mkasik@redhat.com> 2.4.9-1
- Update to 2.4.9
- Fixes various CVEs
- Resolves: #806270
* Fri Jan 13 2012 Fedora Release Engineering <rel-eng@lists.fedoraproject.org> - 2.4.8-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_17_Mass_Rebuild


@ -1,3 +1,3 @@
dbf2caca1d3afd410a29217a9809d397 freetype-2.4.8.tar.bz2
538c925059e90be23928b454c14df728 freetype-doc-2.4.8.tar.bz2
f44562cf0b434b6dc3488751f82d99ec ft2demos-2.4.8.tar.bz2
77a893dae81fd5b896632715ca041179 freetype-2.4.9.tar.bz2
39c0881d426db837aa6ff1856e44af86 freetype-doc-2.4.9.tar.bz2
52e6a7e7ba4fecd39562199baac6a7d2 ft2demos-2.4.9.tar.bz2