Hi! Fixes for:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8287

From upstream via Arch Linux. Patches for -current and 6.1. Ok?

Ciao, David
Index: src/psaux/psobjs.c
===================================================================
RCS file: /cvs/xenocara/lib/freetype/src/psaux/psobjs.c,v
retrieving revision 1.18
diff -u -p -u -p -r1.18 psobjs.c
--- src/psaux/psobjs.c 13 Jan 2017 11:19:59 -0000 1.18
+++ src/psaux/psobjs.c 9 May 2017 07:35:12 -0000
@@ -1718,6 +1718,14 @@
 first = outline->n_contours <= 1 ? 0 : outline->contours[outline->n_contours - 2] + 1;
+ /* in malformed fonts it can happen that a contour was started */
+ /* but no points were added */
+ if ( outline->n_contours && first == outline->n_points )
+ {
+ outline->n_contours--;
+ return;
+ }
+
 /* We must not include the last point in the path if it */
 /* is located on the first point. */
 if ( outline->n_points > 1 )
Index: src/psaux/t1decode.c
===================================================================
RCS file: /cvs/xenocara/lib/freetype/src/psaux/t1decode.c,v
retrieving revision 1.18
diff -u -p -u -p -r1.18 t1decode.c
--- src/psaux/t1decode.c 13 Jan 2017 11:20:00 -0000 1.18
+++ src/psaux/t1decode.c 9 May 2017 07:35:12 -0000
@@ -780,10 +780,19 @@
 /* point without adding any point to the outline */
 idx = decoder->num_flex_vectors++;
 if ( idx > 0 && idx < 7 )
+ {
+ /* in malformed fonts it is possible to have other */
+ /* opcodes in the middle of a flex (which don't */
+ /* increase `num_flex_vectors'); we thus have to */
+ /* check whether we can add a point */
+ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
+ goto Syntax_Error;
+
 t1_builder_add_point( builder, x, y, (FT_Byte)( idx == 3 || idx == 6 ) );
+ }
 }
 break;
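Review bot: In the psobjs.c hunk the new guard tests `first == outline->n_points`, which only catches the exact empty-contour case. If `first` can ever exceed `n_points` (for example through an inconsistent `contours` array, which nothing visible in this hunk rules out), the code below the guard would still run with a start index outside the points array. Writing the test as `if ( outline->n_contours && first >= outline->n_points )` costs nothing and covers both cases. The early return also skips the remainder of the function, which lies outside the hunk, so it is worth confirming that decrementing `n_contours` alone leaves the outline consistent. The identical hunk in the second patch (dated 07:39:38) is affected the same way.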
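Review bot: In the t1decode.c hunk, a failure of `t1_builder_check_points( builder, 1 )` is routed to `Syntax_Error` even though `FT_SET_ERROR` has already stored the callee's result in `error`. If that label returns a fixed syntax-error value (its body is outside the hunk), a failure that is presumably an allocation error while growing the outline would be reported as a malformed font and the real cause lost. Either jump to the function's generic failure exit that returns `error` unchanged, if it has one, or record the intent with a comment such as `/* any failure here is treated as a syntax error */`. As this is a backport, the point is probably best raised upstream rather than carried as a local difference. The 6.1 copy of this hunk is identical.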
Index: src/psaux/psobjs.c
===================================================================
RCS file: /cvs/xenocara/lib/freetype/src/psaux/psobjs.c,v
retrieving revision 1.18
diff -u -p -u -p -r1.18 psobjs.c
--- src/psaux/psobjs.c 13 Jan 2017 11:19:59 -0000 1.18
+++ src/psaux/psobjs.c 9 May 2017 07:39:38 -0000
@@ -1718,6 +1718,14 @@
 first = outline->n_contours <= 1 ? 0 : outline->contours[outline->n_contours - 2] + 1;
+ /* in malformed fonts it can happen that a contour was started */
+ /* but no points were added */
+ if ( outline->n_contours && first == outline->n_points )
+ {
+ outline->n_contours--;
+ return;
+ }
+
 /* We must not include the last point in the path if it */
 /* is located on the first point. */
 if ( outline->n_points > 1 )
Index: src/psaux/t1decode.c
===================================================================
RCS file: /cvs/xenocara/lib/freetype/src/psaux/t1decode.c,v
retrieving revision 1.18
diff -u -p -u -p -r1.18 t1decode.c
--- src/psaux/t1decode.c 13 Jan 2017 11:20:00 -0000 1.18
+++ src/psaux/t1decode.c 9 May 2017 07:39:38 -0000
@@ -780,10 +780,19 @@
 /* point without adding any point to the outline */
 idx = decoder->num_flex_vectors++;
 if ( idx > 0 && idx < 7 )
+ {
+ /* in malformed fonts it is possible to have other */
+ /* opcodes in the middle of a flex (which don't */
+ /* increase `num_flex_vectors'); we thus have to */
+ /* check whether we can add a point */
+ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
+ goto Syntax_Error;
+
 t1_builder_add_point( builder, x, y, (FT_Byte)( idx == 3 || idx == 6 ) );
+ }
 }
 break;