Hello community, here is the log from the commit of package freetype2 for openSUSE:11.3 checked in at Fri Dec 16 17:07:08 CET 2011.
-------- --- old-versions/11.3/UPDATES/all/freetype2/freetype2.changes 2011-07-21 19:58:10.000000000 +0200 +++ 11.3/freetype2/freetype2.changes 2011-12-16 15:23:01.000000000 +0100 @@ -1,0 +2,13 @@ +Fri Dec 16 15:20:29 CET 2011 - [email protected] + +(from evergreen) +- bnc730124_CVE-2011-3256.patch: + FreeType 2 before 2.4.7 allows remote attackers to execute arbitrary + code or cause a denial of service (memory corruption) via a crafted + font. (CVE-2011-3256, bnc#730124) +- bnc730124_CVE-2011-3439.patch: + FreeType allows remote attackers to execute arbitrary code or cause a + denial of service (memory corruption) via a crafted font. + (CVE-2011-3439, bnc#730124) + +------------------------------------------------------------------- calling whatdependson for 11.3-i586 New: ---- bnc730124_CVE-2011-3256.patch bnc730124_CVE-2011-3439.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ freetype2.spec ++++++ --- /var/tmp/diff_new_pack.uIE0Qg/_old 2011-12-16 17:03:32.000000000 +0100 +++ /var/tmp/diff_new_pack.uIE0Qg/_new 2011-12-16 17:03:32.000000000 +0100 @@ -29,7 +29,7 @@ %endif # Version: 2.3.12 -Release: 7.<RELEASE5> +Release: 7.<RELEASE8> Url: http://www.freetype.org Summary: A TrueType Font Library # CVS repository: @@ -69,6 +69,9 @@ Patch1017: bnc647375_CVE-2010-3855.diff Patch1018: bnc704612_othersubr.diff +Patch1019: bnc730124_CVE-2011-3256.patch +Patch1020: bnc730124_CVE-2011-3439.patch + BuildRoot: %{_tmppath}/%{name}-%{version}-build %description @@ -152,6 +155,10 @@ # bnc647375_CVE-2010-3855.diff %patch1017 -p1 %patch1018 -p1 +# bnc730124_CVE-2011-3256.patch +%patch1019 -p1 +# bnc730124_CVE-2011-3439.patch +%patch1020 -p1 pushd docs tar xf $RPM_SOURCE_DIR/freetype-doc-reference.tar.bz2 ++++++ ft2demos.spec ++++++ --- /var/tmp/diff_new_pack.uIE0Qg/_old 2011-12-16 17:03:32.000000000 +0100 +++ /var/tmp/diff_new_pack.uIE0Qg/_new 2011-12-16 17:03:32.000000000 +0100 
@@ -25,7 +25,7 @@ AutoReqProv: on Supplements: fonts-config Version: 2.3.12 -Release: 7.<RELEASE5> +Release: 7.<RELEASE6> %define freetype_version %{version} Url: http://www.freetype.org Summary: Freetype2 Utilities and Demo Programs ++++++ bnc730124_CVE-2011-3256.patch ++++++ Index: freetype-2.3.12/src/base/ftbitmap.c =================================================================== --- freetype-2.3.12.orig/src/base/ftbitmap.c +++ freetype-2.3.12/src/base/ftbitmap.c @@ -417,6 +417,10 @@ target->pitch = source->width + pad; + if ( target->pitch > 0 && + target->rows > FT_ULONG_MAX / target->pitch ) + return FT_Err_Invalid_Argument; + if ( target->rows * target->pitch > old_size && FT_QREALLOC( target->buffer, old_size, target->rows * target->pitch ) ) Index: freetype-2.3.12/src/psaux/t1decode.c =================================================================== --- freetype-2.3.12.orig/src/psaux/t1decode.c +++ freetype-2.3.12/src/psaux/t1decode.c @@ -754,6 +754,13 @@ if ( arg_cnt != 0 ) goto Unexpected_OtherSubr; + if ( decoder->flex_state == 0 ) + { + FT_ERROR(( "t1_decoder_parse_charstrings:" + " missing flex start\n" )); + goto Syntax_Error; + } + /* note that we should not add a point for index 0; */ /* this will move our current position to the flex */ /* point without adding any point to the outline */ Index: freetype-2.3.12/src/raster/ftrend1.c =================================================================== --- freetype-2.3.12.orig/src/raster/ftrend1.c +++ freetype-2.3.12/src/raster/ftrend1.c 
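Review bot: In the src/base/ftbitmap.c hunk, the new guard divides `FT_ULONG_MAX`, but the product it protects, `target->rows * target->pitch`, is evaluated in the type of those two fields. If they are plain `int` (their declaration is not in the hunk), then on a platform where `unsigned long` is wider than `int` the multiplication can still overflow for values the guard accepts. Bounding against the limit of the type actually multiplied, e.g. `target->rows > FT_INT_MAX / target->pitch`, would close that gap. An alternative is to compute the size once as `FT_ULong` and reuse it in both the comparison and the `FT_QREALLOC` call. The enclosing function starts and ends outside the hunk.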
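Review bot: In the src/psaux/t1decode.c hunk, the added `decoder->flex_state == 0` test has no comment saying which charstring sequence it rejects, and the error text names only the function. I would add a comment above it such as `/* a flex point is only valid after a flex start; reject it otherwise */`. The enclosing case and function lie outside the hunk, so it is not visible whether the other flex-related branches have an equivalent state check; that is worth confirming.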
@@ -168,6 +168,13 @@ width = (FT_UInt)( ( cbox.xMax - cbox.xMin ) >> 6 ); height = (FT_UInt)( ( cbox.yMax - cbox.yMin ) >> 6 ); + + if ( width > FT_USHORT_MAX || height > FT_USHORT_MAX ) + { + error = Raster_Err_Invalid_Argument; + goto Exit; + } + bitmap = &slot->bitmap; memory = render->root.memory; Index: freetype-2.3.12/src/truetype/ttgxvar.c =================================================================== --- freetype-2.3.12.orig/src/truetype/ttgxvar.c +++ freetype-2.3.12/src/truetype/ttgxvar.c @@ -1470,6 +1470,9 @@ { for ( j = 0; j < point_count; ++j ) { + if ( localpoints[j] >= n_points ) + continue; + delta_xy[localpoints[j]].x += FT_MulFix( deltas_x[j], apply ); delta_xy[localpoints[j]].y += FT_MulFix( deltas_y[j], apply ); } Index: freetype-2.3.12/include/freetype/config/ftstdlib.h =================================================================== --- freetype-2.3.12.orig/include/freetype/config/ftstdlib.h +++ freetype-2.3.12/include/freetype/config/ftstdlib.h @@ -63,6 +63,7 @@ #define FT_INT_MAX INT_MAX #define FT_INT_MIN INT_MIN #define FT_UINT_MAX UINT_MAX +#define FT_USHORT_MAX USHRT_MAX #define FT_ULONG_MAX ULONG_MAX ++++++ bnc730124_CVE-2011-3439.patch ++++++ Index: freetype-2.3.12/src/cid/cidload.c =================================================================== --- freetype-2.3.12.orig/src/cid/cidload.c +++ freetype-2.3.12/src/cid/cidload.c @@ -110,7 +110,7 @@ CID_FaceDict dict; - if ( parser->num_dict < 0 ) + if ( parser->num_dict < 0 || parser->num_dict >= cid->num_dicts ) { FT_ERROR(( "cid_load_keyword: invalid use of `%s'\n", keyword->ident )); @@ -158,7 +158,7 @@ FT_Fixed temp_scale; - if ( parser->num_dict >= 0 ) + if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts ) { dict = face->cid.font_dicts + parser->num_dict; matrix = &dict->font_matrix; 
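Review bot: In the src/raster/ftrend1.c hunk, the new limit is applied to `width` and `height` after they have been cast to `FT_UInt`, so it tests the converted value rather than the original bounding-box difference. If the `cbox` fields are wider than `FT_UInt` on some platforms (their type is not in the hunk), a very large difference could truncate to a small number and pass. Doing the range test on the uncast `( cbox.xMax - cbox.xMin ) >> 6` and `( cbox.yMax - cbox.yMin ) >> 6` before the assignments would avoid that. The guard also needs a one-line comment saying why the dimensions are capped at 16 bits, since nothing in the hunk explains the choice of `FT_USHORT_MAX`.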
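Review bot: In the src/truetype/ttgxvar.c hunk, an out-of-range entry in `localpoints` is skipped with a bare `continue`, so a malformed font gets its deltas partially applied and nothing records that input was rejected. A comment such as `/* ignore point indices beyond the glyph's point count */` plus a trace message at that spot would make the rejection visible when debugging a bad font. The enclosing branch and function start outside the hunk, so the sibling code path is not visible here.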
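Review bot: The range test on `parser->num_dict` is written out three times in src/cid/cidload.c (the hunks at -110, -158 and -249), against `cid->num_dicts` in the first and `face->cid.num_dicts` in the other two. A single helper or macro taking the parser and the dictionary count would keep the three sites from drifting apart. The first site reports the bad index through `FT_ERROR`, while the other two only skip the `if` body. What those two functions return in that case is outside the hunks, so confirm that an out-of-range index there is not silently treated as success.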
@@ -249,7 +249,7 @@ CID_FaceDict dict; - if ( parser->num_dict >= 0 ) + if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts ) { dict = face->cid.font_dicts + parser->num_dict; @@ -413,12 +413,25 @@ FT_Byte* p; + /* Check for possible overflow. */ + if ( num_subrs == FT_UINT_MAX ) + { + error = CID_Err_Syntax_Error; + goto Fail; + } + /* reallocate offsets array if needed */ if ( num_subrs + 1 > max_offsets ) { FT_UInt new_max = FT_PAD_CEIL( num_subrs + 1, 4 ); + if ( new_max <= max_offsets ) + { + error = CID_Err_Syntax_Error; + goto Fail; + } + if ( FT_RENEW_ARRAY( offsets, max_offsets, new_max ) ) goto Fail; @@ -436,6 +449,11 @@ FT_FRAME_EXIT(); + /* offsets must be ordered */ + for ( count = 1; count <= num_subrs; count++ ) + if ( offsets[count - 1] > offsets[count] ) + goto Fail; + /* now, compute the size of subrs charstrings, */ /* allocate, and read them */ data_len = offsets[num_subrs] - offsets[0]; continue with "q"... Remember to have fun... -- To unsubscribe, e-mail: [email protected] For additional commands, e-mail: [email protected]
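Review bot: The ordering check added in the src/cid/cidload.c hunk at -436 jumps to `Fail` without assigning `error`, unlike the two checks added in the -413 hunk, which set `error = CID_Err_Syntax_Error` first. If `error` is still zero at that point (the preceding reads are outside the hunk), the function would take the failure path yet report success to its caller. The loop body should be `{ error = CID_Err_Syntax_Error; goto Fail; }`, ideally with an `FT_ERROR` message saying that the subr offsets are not ordered. The function's start and its `Fail` label are outside the hunk.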
