Hi,
Attached is a patch for an NMU fixing the issues above.

Cheers
Nico

-- 
Nico Golde - http://www.ngolde.de - n...@jabber.ccc.de - GPG: 0x73647CFF
For security reasons, all text in this mail is double-rot13 encrypted.
diff -u freetype-2.3.9/debian/changelog freetype-2.3.9/debian/changelog
--- freetype-2.3.9/debian/changelog
+++ freetype-2.3.9/debian/changelog
@@ -1,3 +1,11 @@
+freetype (2.3.9-4.1) unstable; urgency=high
+
+  * Non-maintainer upload by the Security Team.
+  * Fix multiple integer overflows leading to arbitrary code execution
+    or DoS (CVE-2009-0946; Closes: #524925).
+
+ -- Nico Golde <n...@debian.org>  Thu, 23 Apr 2009 21:13:11 +0200
+
 freetype (2.3.9-4) unstable; urgency=low
 
   * debian/patches-ft2demos/compiler-hardening-fixes.patch: always check the
diff -u freetype-2.3.9/debian/patches-freetype/series freetype-2.3.9/debian/patches-freetype/series
--- freetype-2.3.9/debian/patches-freetype/series
+++ freetype-2.3.9/debian/patches-freetype/series
@@ -7,0 +8 @@
+CVE-2009-0946.patch
only in patch2:
unchanged:
--- freetype-2.3.9.orig/debian/patches-freetype/CVE-2009-0946.patch
+++ freetype-2.3.9/debian/patches-freetype/CVE-2009-0946.patch
@@ -0,0 +1,142 @@
+diff --git a/src/cff/cffload.c b/src/cff/cffload.c
+index 22163fb..24b899d 100644
+--- a/src/cff/cffload.c
++++ b/src/cff/cffload.c
+@@ -842,7 +842,20 @@
+             goto Exit;
+ 
+           for ( j = 1; j < num_glyphs; j++ )
+-            charset->sids[j] = FT_GET_USHORT();
++          {
++            FT_UShort sid = FT_GET_USHORT();
++
++
++            /* this constant is given in the CFF specification */
++            if ( sid < 65000 )
++              charset->sids[j] = sid;
++            else
++            {
++              FT_ERROR(( "cff_charset_load:"
++                         " invalid SID value %d set to zero\n", sid ));
++              charset->sids[j] = 0;
++            }
++          }
+ 
+           FT_FRAME_EXIT();
+         }
+@@ -875,6 +888,20 @@
+                 goto Exit;
+             }
+ 
++            /* check whether the range contains at least one valid glyph; */
++            /* the constant is given in the CFF specification             */
++            if ( glyph_sid >= 65000 ) {
++              FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
++              error = CFF_Err_Invalid_File_Format;
++              goto Exit;
++            }
++
++            /* try to rescue some of the SIDs if `nleft' is too large */
++            if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
++              FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
++              nleft = 65000 - 1 - glyph_sid;
++            }
++
+             /* Fill in the range of sids -- `nleft + 1' glyphs. */
+             for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
+               charset->sids[j] = glyph_sid;
+diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c
+index fc78315..c0483de 100644
+--- a/src/lzw/ftzopen.c
++++ b/src/lzw/ftzopen.c
+@@ -332,6 +332,9 @@
+ 
+           while ( code >= 256U )
+           {
++            if ( !state->prefix )
++              goto Eof;
++
+             FTLZW_STACK_PUSH( state->suffix[code - 256] );
+             code = state->prefix[code - 256];
+           }
+diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
+index 6830391..1bd2ce7 100644
+--- a/src/sfnt/ttcmap.c
++++ b/src/sfnt/ttcmap.c
+@@ -1635,7 +1635,7 @@
+       FT_INVALID_TOO_SHORT;
+ 
+     length = TT_NEXT_ULONG( p );
+-    if ( table + length > valid->limit || length < 8208 )
++    if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
+       FT_INVALID_TOO_SHORT;
+ 
+     is32       = table + 12;
+@@ -1863,7 +1863,8 @@
+     p      = table + 16;
+     count  = TT_NEXT_ULONG( p );
+ 
+-    if ( table + length > valid->limit || length < 20 + count * 2 )
++    if ( length > (FT_ULong)( valid->limit - table ) ||
++         length < 20 + count * 2                     )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check glyph indices */
+@@ -2048,7 +2049,8 @@
+     p          = table + 12;
+     num_groups = TT_NEXT_ULONG( p );
+ 
+-    if ( table + length > valid->limit || length < 16 + 12 * num_groups )
++    if ( length > (FT_ULong)( valid->limit - table ) ||
++         length < 16 + 12 * num_groups               )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check groups, they must be in increasing order */
+@@ -2429,7 +2431,8 @@
+     FT_ULong  num_selectors = TT_NEXT_ULONG( p );
+ 
+ 
+-    if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
++    if ( length > (FT_ULong)( valid->limit - table ) ||
++         length < 10 + 11 * num_selectors            )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check selectors, they must be in increasing order */
+@@ -2491,7 +2494,7 @@
+           FT_ULong  i, lastUni = 0;
+ 
+ 
+-          if ( ndp + numMappings * 4 > valid->limit )
++          if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
+             FT_INVALID_TOO_SHORT;
+ 
+           for ( i = 0; i < numMappings; ++i )
+diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
+index a6db504..cacc490 100644
+--- a/src/smooth/ftsmooth.c
++++ b/src/smooth/ftsmooth.c
+@@ -153,7 +153,7 @@
+       slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
+     }
+ 
+-    /* allocate new one, depends on pixel format */
++    /* allocate new one */
+     pitch = width;
+     if ( hmul )
+     {
+@@ -194,6 +194,13 @@
+ 
+ #endif
+ 
++    if ( pitch > 0xFFFF || height > 0xFFFF )
++    {
++      FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
++                 width, height ));
++      return Smooth_Err_Raster_Overflow;
++    }
++
+     bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
+     bitmap->num_grays  = 256;
+     bitmap->width      = width;
+--
+cgit v0.8.2.1
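Review bot: The ttcmap.c length checks still evaluate `20 + count * 2`, `16 + 12 * num_groups`, `10 + 11 * num_selectors` and `numMappings * 4` on the new side, and each of those products can wrap on targets where FT_ULong is 32 bits because the counts come straight from 32-bit table fields; a wrapped product lets a too-short table pass the size check even though the pointer-difference half of the condition is now correct. The group check, for example, can be written without a multiplication as `length < 16 || ( length - 16 ) / 12 < num_groups`, and the other three sites can be rewritten the same way. The casts `(FT_ULong)( valid->limit - table )` also presume `table <= valid->limit`; that appears to be established by the earlier checks only partly visible in the hunk, and if it is not, a negative difference becomes a huge unsigned bound. The enclosing validation functions start and end outside the hunk.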

Attachment: pgpPKD9i7o7Qe.pgp
Description: PGP signature
