Hello community,

here is the log from the commit of package pango for openSUSE:11.2
checked in at Tue Mar 1 16:08:04 CET 2011.



--------
--- old-versions/11.2/UPDATES/all/pango/pango.changes   2009-12-15 
09:42:59.000000000 +0100
+++ 11.2/pango/pango.changes    2011-03-01 08:43:21.000000000 +0100
@@ -1,0 +2,10 @@
+Mon Feb 28 09:29:03 CET 2011 - [email protected]
+
+- Add pango-CVE-2011-0020.patch: fixes heap corruption in font
+  parsing with FreeType2 backend. Fix bnc#666101, CVE-2011-0020.
+  Note that due to the old version of glib in 11.2, we have to
+  locally implement g_malloc0_n().
+- Add pango-CVE-2011-0064.patch: handle realloc failure in the
+  buffer to fix potential crashes. Fix bnc#672502, CVE-2011-0064.
+
+-------------------------------------------------------------------

calling whatdependson for 11.2-i586


New:
----
  pango-CVE-2011-0020.patch
  pango-CVE-2011-0064.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pango.spec ++++++
--- /var/tmp/diff_new_pack.Z0xgeI/_old  2011-03-01 16:06:37.000000000 +0100
+++ /var/tmp/diff_new_pack.Z0xgeI/_new  2011-03-01 16:06:37.000000000 +0100
@@ -1,7 +1,7 @@
 #
-# spec file for package pango (Version 1.26.2)
+# spec file for package pango
 #
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -35,12 +35,16 @@
 %endif
 #
 Version:        1.26.2
-Release:        1.<RELEASE1>
+Release:        1.<RELEASE3>
 Summary:        System for Layout and Rendering of Internationalised Text
 Source:         
ftp://ftp.gnome.org/pub/GNOME/sources/pango/1.18/%{name}-%{version}.tar.bz2
 Source1:        README.SuSE
 # PATCH-FIX-UPSTREAM pango64.patch bgo129534 -- needed for biarch. 
Unfortunately, this is not good enough for usptream.
 Patch0:         pango64.patch
+# PATCH-FIX-UPSTREAM pango-CVE-2011-0020.patch bnc#666101 CVE-2011-0020 
[email protected] -- heap corruption in font parsing with FreeType2 backend
+Patch1:         pango-CVE-2011-0020.patch
+# PATCH-FIX-UPSTREAM pango-CVE-2011-0064.patch bnc#672502 CVE-2011-0064. 
[email protected] -- handle realloc failure in the buffer
+Patch2:         pango-CVE-2011-0064.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 PreReq:         xorg-x11-libXrender xorg-x11-libX11 xorg-x11-libXdmcp
 
@@ -110,6 +114,8 @@
 cp -a %{S:1} .
 %patch0 -p0
 %endif
+%patch1 -p1
+%patch2 -p1
 
 %build
 %configure --disable-static --with-pic

++++++ pango-CVE-2011-0020.patch ++++++
>From 4e6248d76f55c6184f28afe614d7d76b6fa3d455 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <[email protected]>
Date: Thu, 17 Feb 2011 16:19:48 +0000
Subject: Bug 639882 - Heap corruption in font parsing with FreeType2 backend

---
Index: pango-1.26.2/pango/pangoft2-render.c
===================================================================
--- pango-1.26.2.orig/pango/pangoft2-render.c
+++ pango-1.26.2/pango/pangoft2-render.c
@@ -99,6 +99,20 @@ pango_ft2_free_rendered_glyph (PangoFT2R
   g_slice_free (PangoFT2RenderedGlyph, rendered);
 }
 
+#define SIZE_OVERFLOWS(a,b) (G_UNLIKELY ((b) > 0 && (a) > G_MAXSIZE / (b)))
+static gpointer
+pango_g_malloc0_n (gsize n_blocks,
+                   gsize n_block_bytes)
+{
+  if (SIZE_OVERFLOWS (n_blocks, n_block_bytes))
+    {
+      g_error ("%s: overflow allocating %"G_GSIZE_FORMAT"*%"G_GSIZE_FORMAT" 
bytes",
+               G_STRLOC, n_blocks, n_block_bytes);
+    }
+
+  return g_malloc0 (n_blocks * n_block_bytes);
+}
+
 static PangoFT2RenderedGlyph *
 pango_ft2_font_render_box_glyph (int      width,
                                 int      height,
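Review bot: pango_g_malloc0_n() never returns NULL for an allocation failure: g_error() aborts on overflow and g_malloc0() aborts on OOM, so the only NULL it can hand back is for a zero-byte request (g_malloc0 returns NULL when n_bytes is 0), which makes the `!box->bitmap.buffer` check in the next hunk a zero-size guard rather than OOM handling. That deserves a line above the helper so the checks are read correctly: `/* Local stand-in for g_malloc0_n() (glib >= 2.24): aborts via g_error() on overflow and inside g_malloc0() on OOM; NULL only for a zero-byte request. */`. The g_error format string also appears soft-wrapped by the mailer onto two lines here; the patch as printed would need that rejoined before it applies.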
@@ -121,9 +135,14 @@ pango_ft2_font_render_box_glyph (int
 
   box->bitmap.width = width;
   box->bitmap.rows = height;
-  box->bitmap.pitch = height;
+  box->bitmap.pitch = width;
 
-  box->bitmap.buffer = g_malloc0 (box->bitmap.rows * box->bitmap.pitch);
+  box->bitmap.buffer = pango_g_malloc0_n (box->bitmap.rows, box->bitmap.pitch);
+
+  if (G_UNLIKELY (!box->bitmap.buffer)) {
+    g_slice_free (PangoFT2RenderedGlyph, box);
+    return NULL;
+  }
 
   /* draw the box */
   for (j = 0; j < line_width; j++)
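Review bot: width and height are int and reach pango_g_malloc0_n() converted to gsize, so a negative dimension becomes a huge request that trips SIZE_OVERFLOWS and aborts the process through g_error() instead of taking the NULL path that frees box. Whether any caller can pass a negative value is not visible here (the callers are outside the patch, and the function, begun in the previous hunk, continues past this one), but rejecting it before the allocation keeps the failure local: `if (width <= 0 || height <= 0) { g_slice_free (PangoFT2RenderedGlyph, box); return NULL; }`.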
@@ -226,6 +245,11 @@ pango_ft2_font_render_glyph (PangoFont *
       rendered->bitmap_left = face->glyph->bitmap_left;
       rendered->bitmap_top = face->glyph->bitmap_top;
 
+      if (G_UNLIKELY (!rendered->bitmap.buffer)) {
+        g_slice_free (PangoFT2RenderedGlyph, rendered);
+       return NULL;
+      }
+
       return rendered;
     }
   else
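Review bot: the `return NULL;` inside the new NULL-buffer block is indented one column less than its enclosing braces (seven spaces against eight), unlike the matching block in pango_ft2_font_render_box_glyph; align it with the g_slice_free above it. How rendered->bitmap.buffer is produced is outside the hunk, so whether it can be NULL for anything but a zero-size glyph cannot be confirmed here; a short comment on the check naming the case it guards would help the next reader. The function continues past the hunk.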
@@ -276,6 +300,8 @@ pango_ft2_renderer_draw_glyph (PangoRend
   if (rendered_glyph == NULL)
     {
       rendered_glyph = pango_ft2_font_render_glyph (font, glyph);
+      if (rendered_glyph == NULL)
+        return;
       add_glyph_to_cache = TRUE;
     }
 
++++++ pango-CVE-2011-0064.patch ++++++
>From 3104961bc0ffaf847d2a1e116e6de4fdc1cd8ada Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <[email protected]>
Date: Thu, 2 Dec 2010 16:00:46 +1300
Subject: [PATCH] Handle realloc failure in the buffer

Ported from http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2e
by Karl Tomlinson <[email protected]>
---
 pango/opentype/hb-buffer-private.h |    1 +
 pango/opentype/hb-buffer.c         |   70 +++++++++++++++++++++---------------
 pango/opentype/hb-buffer.h         |    2 +-
 3 files changed, 43 insertions(+), 30 deletions(-)

diff --git a/pango/opentype/hb-buffer-private.h 
b/pango/opentype/hb-buffer-private.h
index 45cdc4d..f194786 100644
--- a/pango/opentype/hb-buffer-private.h
+++ b/pango/opentype/hb-buffer-private.h
@@ -72,6 +72,7 @@ struct _hb_buffer_t {
   unsigned int allocated;
 
   hb_bool_t    have_output; /* weather we have an output buffer going on */
+  hb_bool_t    in_error; /* Allocation failed */
   unsigned int in_length;
   unsigned int out_length;
   unsigned int in_pos;
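Review bot: in_error is inserted between have_output and in_length rather than appended, so a positional initializer of hb_buffer_t that reaches past have_output — _hb_buffer_nil in hb-buffer.c, seen only as a hunk header in this patch — would now feed its remaining values to shifted members. Whether that initializer lists fields that far is not visible here; if it does, append the member at the end of the struct or make the initializer designated. The patch resets the field only in hb_buffer_clear(), so any construction path that does not go through clear() (hb_buffer_new() is outside the patch) must zero it too, or the first hb_buffer_ensure() may fail on garbage.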
diff --git a/pango/opentype/hb-buffer.c b/pango/opentype/hb-buffer.c
index 93b51e5..e9788ad 100644
--- a/pango/opentype/hb-buffer.c
+++ b/pango/opentype/hb-buffer.c
@@ -52,23 +52,21 @@ static hb_buffer_t _hb_buffer_nil = {
  * in_string and out_string.
  */
 
-/* XXX err handling */
-
 /* Internal API */
 
-static void
+static hb_bool_t
 hb_buffer_ensure_separate (hb_buffer_t *buffer, unsigned int size)
 {
-  hb_buffer_ensure (buffer, size);
+  if (HB_UNLIKELY (!hb_buffer_ensure (buffer, size))) return FALSE;
   if (buffer->out_string == buffer->in_string)
   {
     assert (buffer->have_output);
-    if (!buffer->positions)
-      buffer->positions = calloc (buffer->allocated, sizeof 
(buffer->positions[0]));
 
     buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
     memcpy (buffer->out_string, buffer->in_string, buffer->out_length * sizeof 
(buffer->out_string[0]));
   }
+
+  return TRUE;
 }
 
 /* Public API */
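Review bot: dropping the lazy calloc of positions means hb_buffer_ensure_separate() now assumes positions is non-NULL whenever `size <= buffer->allocated`, since hb_buffer_ensure() only allocates on growth; if any path can leave in_string allocated while positions is still NULL (hb_buffer_new() and hb_buffer_clear_positions() are outside this patch), the memcpy into out_string dereferences NULL. A guard before the assignment keeps that on the new error path: `if (HB_UNLIKELY (!buffer->positions)) { buffer->in_error = TRUE; return FALSE; }`. Several long lines in this patch (the memcpy here, the realloc calls in the hb_buffer_ensure hunk) appear soft-wrapped by the mailer and would need rejoining before the patch applies.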
@@ -114,6 +112,7 @@ void
 hb_buffer_clear (hb_buffer_t *buffer)
 {
   buffer->have_output = FALSE;
+  buffer->in_error = FALSE;
   buffer->in_length = 0;
   buffer->out_length = 0;
   buffer->in_pos = 0;
@@ -122,32 +121,42 @@ hb_buffer_clear (hb_buffer_t *buffer)
   buffer->max_lig_id = 0;
 }
 
-void
+hb_bool_t
 hb_buffer_ensure (hb_buffer_t *buffer, unsigned int size)
 {
-  unsigned int new_allocated = buffer->allocated;
-
-  if (size > new_allocated)
+  if (HB_UNLIKELY (size > buffer->allocated))
   {
+    unsigned int new_allocated = buffer->allocated;
+    hb_internal_glyph_position_t *new_pos;
+    hb_internal_glyph_info_t *new_info;
+    hb_bool_t separate_out;
+
+    if (HB_UNLIKELY (buffer->in_error))
+      return FALSE;
+
+    separate_out = buffer->out_string != buffer->in_string;
+
     while (size > new_allocated)
       new_allocated += (new_allocated >> 1) + 8;
 
-    if (buffer->positions)
-      buffer->positions = realloc (buffer->positions, new_allocated * sizeof 
(buffer->positions[0]));
+    new_pos = (hb_internal_glyph_position_t *) realloc (buffer->positions, 
new_allocated * sizeof (buffer->positions[0]));
+    new_info = (hb_internal_glyph_info_t *) realloc (buffer->in_string, 
new_allocated * sizeof (buffer->in_string[0]));
 
-    if (buffer->out_string != buffer->in_string)
-    {
-      buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof 
(buffer->in_string[0]));
-      buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
-    }
-    else
-    {
-      buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof 
(buffer->in_string[0]));
-      buffer->out_string = buffer->in_string;
-    }
+    if (HB_UNLIKELY (!new_pos || !new_info))
+      buffer->in_error = TRUE;
+
+    if (HB_LIKELY (new_pos))
+      buffer->positions = new_pos;
 
-    buffer->allocated = new_allocated;
+    if (HB_LIKELY (new_info))
+      buffer->in_string = new_info;
+
+    buffer->out_string = separate_out ? (hb_internal_glyph_info_t *) 
buffer->positions : buffer->in_string;
+    if (HB_LIKELY (!buffer->in_error))
+      buffer->allocated = new_allocated;
   }
+
+  return HB_LIKELY (!buffer->in_error);
 }
 
 void
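Review bot: the realloc sizes `new_allocated * sizeof (buffer->positions[0])` and `new_allocated * sizeof (buffer->in_string[0])` are not checked for overflow, and the growth loop above them can wrap new_allocated (unsigned int) as size approaches UINT_MAX, so for extreme glyph counts the request silently shrinks and a later write could run past the block — the same class of failure this commit is closing. With a 64-bit size_t the multiplication cannot wrap, so in practice this concerns 32-bit builds, and such counts are unlikely from real text. A check ahead of the reallocs routes it through the new error state: `if (HB_UNLIKELY (new_allocated > SIZE_MAX / sizeof (buffer->positions[0]) || new_allocated > SIZE_MAX / sizeof (buffer->in_string[0]))) { buffer->in_error = TRUE; return FALSE; }` (SIZE_MAX needs <stdint.h>, which this file may not already include). The partial-success case (one realloc succeeded, the other failed) is handled correctly: the grown pointer is kept, allocated stays at the old value, and in_error is set.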
@@ -158,7 +167,7 @@ hb_buffer_add_glyph (hb_buffer_t    *buffer,
 {
   hb_internal_glyph_info_t *glyph;
 
-  hb_buffer_ensure (buffer, buffer->in_length + 1);
+  if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->in_length + 1))) return;
 
   glyph = &buffer->in_string[buffer->in_length];
   glyph->codepoint = codepoint;
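Review bot: hb_buffer_add_glyph() is void, so when hb_buffer_ensure() fails the glyph is dropped with no signal to the caller and in_length stays short; the only trace is buffer->in_error, and this patch adds no accessor for it (its diffstat lists only the three files shown). Worth a comment at the early return so the contract is explicit: `/* allocation failed: glyph is dropped; buffer->in_error stays set until hb_buffer_clear() */`, with a getter as a follow-up if callers are meant to detect it. The body of the function continues past the hunk.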
@@ -213,6 +222,8 @@ _hb_buffer_swap (hb_buffer_t *buffer)
 
   assert (buffer->have_output);
 
+  if (HB_UNLIKELY (buffer->in_error)) return;
+
   if (buffer->out_string != buffer->in_string)
   {
     hb_internal_glyph_info_t *tmp_string;
@@ -265,7 +276,8 @@ _hb_buffer_add_output_glyphs (hb_buffer_t *buffer,
   if (buffer->out_string != buffer->in_string ||
       buffer->out_pos + num_out > buffer->in_pos + num_in)
   {
-    hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out);
+    if (HB_UNLIKELY (!hb_buffer_ensure_separate (buffer, buffer->out_pos + 
num_out)))
+        return;
   }
 
   mask = buffer->in_string[buffer->in_pos].mask;
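Review bot: the failure check is written as a two-line `if` with `return;` indented eight spaces, while the sibling hunks in this file (hb_buffer_add_glyph, _hb_buffer_add_output_glyph, _hb_buffer_next_glyph) put the same check on one line; `if (HB_UNLIKELY (!hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out))) return;` keeps the style uniform. The function continues past the hunk.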
@@ -302,7 +314,7 @@ _hb_buffer_add_output_glyph (hb_buffer_t *buffer,
 
   if (buffer->out_string != buffer->in_string)
   {
-    hb_buffer_ensure (buffer, buffer->out_pos + 1);
+    if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
     buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
   }
   else if (buffer->out_pos != buffer->in_pos)
@@ -332,7 +344,7 @@ _hb_buffer_next_glyph (hb_buffer_t *buffer)
 
   if (buffer->out_string != buffer->in_string)
   {
-    hb_buffer_ensure (buffer, buffer->out_pos + 1);
+    if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
     buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
   }
   else if (buffer->out_pos != buffer->in_pos)
diff --git a/pango/opentype/hb-buffer.h b/pango/opentype/hb-buffer.h
index b030ba9..aaf6694 100644
--- a/pango/opentype/hb-buffer.h
+++ b/pango/opentype/hb-buffer.h
@@ -94,7 +94,7 @@ hb_buffer_clear (hb_buffer_t *buffer);
 void
 hb_buffer_clear_positions (hb_buffer_t *buffer);
 
-void
+hb_bool_t
 hb_buffer_ensure (hb_buffer_t  *buffer,
                  unsigned int  size);
 
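Review bot: the prototype now returns hb_bool_t but the header says nothing about what the value means — that FALSE reports a failed reallocation, the buffer's existing contents stay valid, and every later hb_buffer_ensure() keeps returning FALSE until hb_buffer_clear() resets in_error; those are the semantics the hb-buffer.c hunk implements and they belong on the declaration. Something like `/* Returns FALSE if growing the buffer failed; the buffer then stays in error until hb_buffer_clear(). */` above it is enough. Changing a public prototype from void is source-compatible for callers that ignore the result.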
-- 
1.7.2.2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...

-- 
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]
