Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock

Please unblock package freetype. It fixes multiple security issues.

unblock freetype/2.5.2-3

Debdiff:

diff -u freetype-2.5.2/debian/changelog freetype-2.5.2/debian/changelog --- freetype-2.5.2/debian/changelog +++ freetype-2.5.2/debian/changelog 
@@ -1,3 +1,40 @@ +freetype (2.5.2-3) unstable; urgency=medium + + * Fix Savannah bug #43535. CVE-2014-9675 + * [bdf] Fix Savannah bug #41692. CVE-2014-9675-fixup-1 + * src/base/ftobj.c (Mac_Read_POST_Resource): Additional overflow check + in the summation of POST fragment lengths. CVE-2014-0674-part-2 + * src/base/ftobjs.c (Mac_Read_POST_Resource): Insert comments and fold + too long tracing messages. CVS-2014-9674-fixup-2 + * src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long variables to read the lengths in POST fragments. CVE-2014-9674-fixup-1 + * Fix Savannah bug #43538. CVE-2014-9674-part-1 + * Fix Savannah bug #43539. CVE-2014-9673 + * src/base/ftobjs.c (Mac_Read_POST_Resource): Avoid memory leak by + a broken POST table in resource-fork. CVE-2014-9673-fixup + * Fix Savannah bug #43540. CVE-2014-9672 + * Fix Savannah bug #43547. CVE-2014-9671 + * Fix Savannah bug #43548. CVE-2014-9670 + * [sfnt] Fix Savannah bug #43588. CVE-2014-9669 + * [sfnt] Fix Savannah bug #43589. CVE-2014-9668 + * [sfnt] Fix Savannah bug #43590. CVE-2014-9667 + * [sfnt] Fix Savannah bug #43591. CVE-2014-9666 + * Change some fields in `FT_Bitmap' to unsigned type. CVE-2014-9665 + * Fix uninitialized variable warning. CVE-2014-9665-fixup-2 + * Make `FT_Bitmap_Convert' correctly handle negative `pitch' values. + CVE-2014-9665-fixup + * [type1, type42] Fix Savannah bug #43655. CVE-2014-9664 + * [sfnt] Fix Savannah bug #43656. CVE-2014-9663 + * [cff] Fix Savannah bug #43658. CVE-2014-9662 + * [type42] Allow only embedded TrueType fonts. CVE-2014-9661 + * [bdf] Fix Savannah bug #43660. CVE-2014-9660 + * [cff] Fix Savannah bug #43661. CVE-2014-9659 + * [sfnt] Fix Savannah bug #43672. CVE-2014-9658 + * [truetype] Fix Savannah bug #43679. CVE-2014-9657 + * [sfnt] Fix Savannah bug #43680. CVE-2014-9656 + * All CVEs patched. Closes: #777656. 
+ + -- Keith Packard <[email protected]> Mon, 23 Feb 2015 22:04:36 -0800 + freetype (2.5.2-2) unstable; urgency=medium * Acknowledge security NMU; thanks to Michael Gilbert. diff -u freetype-2.5.2/debian/patches-freetype/series freetype-2.5.2/debian/patches-freetype/series --- freetype-2.5.2/debian/patches-freetype/series +++ freetype-2.5.2/debian/patches-freetype/series 
@@ -10,0 +11,27 @@ +0003-sfnt-Fix-Savannah-bug-43680.-CVE-2014-9656.patch +0004-truetype-Fix-Savannah-bug-43679.-CVE-2014-9657.patch +0005-sfnt-Fix-Savannah-bug-43672.-CVE-2014-9658.patch +0006-cff-Fix-Savannah-bug-43661.-CVE-2014-9659.patch +0007-bdf-Fix-Savannah-bug-43660.-CVE-2014-9660.patch +0008-type42-Allow-only-embedded-TrueType-fonts.-CVE-2014-.patch +0009-cff-Fix-Savannah-bug-43658.-CVE-2014-9662.patch +0010-sfnt-Fix-Savannah-bug-43656.-CVE-2014-9663.patch +0011-type1-type42-Fix-Savannah-bug-43655.-CVE-2014-9664.patch +0012-Make-FT_Bitmap_Convert-correctly-handle-negative-pit.patch +0013-Fix-uninitialized-variable-warning.-CVE-2014-9665-fi.patch +0014-Change-some-fields-in-FT_Bitmap-to-unsigned-type.-CV.patch +0015-sfnt-Fix-Savannah-bug-43591.-CVE-2014-9666.patch +0016-sfnt-Fix-Savannah-bug-43590.-CVE-2014-9667.patch +0017-sfnt-Fix-Savannah-bug-43589.-CVE-2014-9668.patch +0018-sfnt-Fix-Savannah-bug-43588.-CVE-2014-9669.patch +0019-Fix-Savannah-bug-43548.-CVE-2014-9670.patch +0020-Fix-Savannah-bug-43547.-CVE-2014-9671.patch +0021-Fix-Savannah-bug-43540.-CVE-2014-9672.patch +0022-src-base-ftobjs.c-Mac_Read_POST_Resource-Avoid-memor.patch +0023-Fix-Savannah-bug-43539.-CVE-2014-9673.patch +0024-Fix-Savannah-bug-43538.-CVE-2014-9674-part-1.patch +0025-src-base-ftobjs.c-Mac_Read_POST_Resource-Use-unsigne.patch +0026-src-base-ftobjs.c-Mac_Read_POST_Resource-Insert-comm.patch +0027-src-base-ftobj.c-Mac_Read_POST_Resource-Additional-C.patch +0028-bdf-Fix-Savannah-bug-41692.-CVE-2014-9675-fixup-1.patch +0029-Fix-Savannah-bug-43535.-CVE-2014-9675.patch only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0003-sfnt-Fix-Savannah-bug-43680.-CVE-2014-9656.patch +++ freetype-2.5.2/debian/patches-freetype/0003-sfnt-Fix-Savannah-bug-43680.-CVE-2014-9656.patch 
@@ -0,0 +1,33 @@ +From 6de5eb9ffbbad7065ce34b3c267f2f95e4f45ea1 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Mon, 24 Nov 2014 10:51:21 +0100 +Subject: [sfnt] Fix Savannah bug #43680. CVE-2014-9656 + +This adds an additional constraint to make the fix from 2013-01-25 +really work. + +* src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) <index_format==4>: +Check `p' before `num_glyphs'. + +(cherry picked from commit f0292bb9920aa1dbfed5f53861e7c7a89b35833a) +--- + freetype-2.5.2/src/sfnt/ttsbit.c | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git freetype-2.5.2/src/sfnt/ttsbit.c freetype-2.5.2/src/sfnt/ttsbit.c +index 7469ff1..38c680e 100644 +--- freetype-2.5.2/src/sfnt/ttsbit.c ++++ freetype-2.5.2/src/sfnt/ttsbit.c +@@ -1143,7 +1143,8 @@ + num_glyphs = FT_NEXT_ULONG( p ); + + /* overflow check for p + ( num_glyphs + 1 ) * 4 */ +- if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) ) ++ if ( p + 4 > p_limit || ++ num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) ) + goto NoBitmap; + + for ( mm = 0; mm < num_glyphs; mm++ ) +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0004-truetype-Fix-Savannah-bug-43679.-CVE-2014-9657.patch +++ freetype-2.5.2/debian/patches-freetype/0004-truetype-Fix-Savannah-bug-43679.-CVE-2014-9657.patch 
@@ -0,0 +1,46 @@ +From aa9ce85c823ad7e26db3106df0a1bfa4cfd03b01 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Mon, 24 Nov 2014 10:22:08 +0100 +Subject: [truetype] Fix Savannah bug #43679. CVE-2014-9657 + +* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of +`record_size'. + +(cherry picked from commit eca0f067068020870a429fe91f6329e499390d55) +--- + freetype-2.5.2/src/truetype/ttpload.c | 12 +++++++----- + 1 file changed, 7 insertions(+), 5 deletions(-) + +diff --git freetype-2.5.2/src/truetype/ttpload.c freetype-2.5.2/src/truetype/ttpload.c +index 9723a51..9991925 100644 +--- freetype-2.5.2/src/truetype/ttpload.c ++++ freetype-2.5.2/src/truetype/ttpload.c +@@ -508,9 +508,9 @@ + record_size = FT_NEXT_ULONG( p ); + + /* The maximum number of bytes in an hdmx device record is the */ +- /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is */ +- /* the reason why `record_size' is a long (which we read as */ +- /* unsigned long for convenience). In practice, two bytes */ ++ /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus */ ++ /* explaining why `record_size' is a long (which we read as */ ++ /* unsigned long for convenience). In practice, two bytes are */ + /* sufficient to hold the size value. */ + /* */ + /* There are at least two fonts, HANNOM-A and HANNOM-B version */ +@@ -522,8 +522,10 @@ + record_size &= 0xFFFFU; + + /* The limit for `num_records' is a heuristic value. */ +- +- if ( version != 0 || num_records > 255 || record_size > 0x10001L ) ++ if ( version != 0 || ++ num_records > 255 || ++ record_size > 0x10001L || ++ record_size < 4 ) + { + error = FT_THROW( Invalid_File_Format ); + goto Fail; +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0005-sfnt-Fix-Savannah-bug-43672.-CVE-2014-9658.patch +++ freetype-2.5.2/debian/patches-freetype/0005-sfnt-Fix-Savannah-bug-43672.-CVE-2014-9658.patch 
@@ -0,0 +1,29 @@ +From 19389867e134b069bb4462c0a930461a3dc6c2b9 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Mon, 24 Nov 2014 09:31:32 +0100 +Subject: [sfnt] Fix Savannah bug #43672. CVE-2014-9658 + +* src/sfnt/ttkern.c (tt_face_load_kern): Use correct value for +minimum table length test. + +(cherry picked from commit f70d9342e65cd2cb44e9f26b6d7edeedf191fc6c) +--- + freetype-2.5.2/src/sfnt/ttkern.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git freetype-2.5.2/src/sfnt/ttkern.c freetype-2.5.2/src/sfnt/ttkern.c +index 32c4008..455e7b5 100644 +--- freetype-2.5.2/src/sfnt/ttkern.c ++++ freetype-2.5.2/src/sfnt/ttkern.c +@@ -99,7 +99,7 @@ + length = FT_NEXT_USHORT( p ); + coverage = FT_NEXT_USHORT( p ); + +- if ( length <= 6 ) ++ if ( length <= 6 + 8 ) + break; + + p_next += length; +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0006-cff-Fix-Savannah-bug-43661.-CVE-2014-9659.patch +++ freetype-2.5.2/debian/patches-freetype/0006-cff-Fix-Savannah-bug-43661.-CVE-2014-9659.patch 
@@ -0,0 +1,99 @@ +From 2c67877c034f28520d4daabf2d24ac94b2d47df0 Mon Sep 17 00:00:00 2001 +From: Dave Arnold <[email protected]> +Date: Thu, 4 Dec 2014 06:10:16 +0100 +Subject: [cff] Fix Savannah bug #43661. CVE-2014-9659 + +* src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdHSTEM, +cf2_cmdVSTEM, cf2_cmdHINTMASK>: Don't append to stem arrays after +hintmask is constructed. + +* src/cff/cf2hints.c (cf2_hintmap_build): Add defensive code to +avoid reading past end of hintmask. + +(cherry picked from commit 2cdc4562f873237f1c77d43540537c7a721d3fd8) +--- + freetype-2.5.2/src/cff/cf2hints.c | 5 ++++- + freetype-2.5.2/src/cff/cf2intrp.c | 21 ++++++++++++++------- + 2 files changed, 18 insertions(+), 8 deletions(-) + +diff --git freetype-2.5.2/src/cff/cf2hints.c freetype-2.5.2/src/cff/cf2hints.c +index 5f44161..ba28e0c 100644 +--- freetype-2.5.2/src/cff/cf2hints.c ++++ freetype-2.5.2/src/cff/cf2hints.c +@@ -792,9 +792,12 @@ + maskPtr = cf2_hintmask_getMaskPtr( &tempHintMask ); + + /* use the hStem hints only, which are first in the mask */ +- /* TODO: compare this to cffhintmaskGetBitCount */ + bitCount = cf2_arrstack_size( hStemHintArray ); + ++ /* Defense-in-depth. Should never return here. */ ++ if ( bitCount > hintMask->bitCount ) ++ return; ++ + /* synthetic embox hints get highest priority */ + if ( font->blues.doEmBoxHints ) + { +diff --git freetype-2.5.2/src/cff/cf2intrp.c freetype-2.5.2/src/cff/cf2intrp.c +index 5610917..a269606 100644 +--- freetype-2.5.2/src/cff/cf2intrp.c ++++ freetype-2.5.2/src/cff/cf2intrp.c +@@ -4,7 +4,7 @@ + /* */ + /* Adobe's CFF Interpreter (body). */ + /* */ +-/* Copyright 2007-2013 Adobe Systems Incorporated. */ ++/* Copyright 2007-2014 Adobe Systems Incorporated. 
*/ + /* */ + /* This software, and all works of authorship, whether in source or */ + /* object code form as indicated by the copyright notice(s) included */ +@@ -593,8 +593,11 @@ + + /* never add hints after the mask is computed */ + if ( cf2_hintmask_isValid( &hintMask ) ) ++ { + FT_TRACE4(( "cf2_interpT2CharString:" + " invalid horizontal hint mask\n" )); ++ break; ++ } + + cf2_doStems( font, + opStack, +@@ -614,8 +617,11 @@ + + /* never add hints after the mask is computed */ + if ( cf2_hintmask_isValid( &hintMask ) ) ++ { + FT_TRACE4(( "cf2_interpT2CharString:" + " invalid vertical hint mask\n" )); ++ break; ++ } + + cf2_doStems( font, + opStack, +@@ -1141,15 +1147,16 @@ + /* `cf2_hintmask_read' (which also traces the mask bytes) */ + FT_TRACE4(( op1 == cf2_cmdCNTRMASK ? " cntrmask" : " hintmask" )); + +- /* if there are arguments on the stack, there this is an */ +- /* implied cf2_cmdVSTEMHM */ +- if ( cf2_stack_count( opStack ) != 0 ) ++ /* never add hints after the mask is computed */ ++ if ( cf2_stack_count( opStack ) > 1 && ++ cf2_hintmask_isValid( &hintMask ) ) + { +- /* never add hints after the mask is computed */ +- if ( cf2_hintmask_isValid( &hintMask ) ) +- FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" )); ++ FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" )); ++ break; + } + ++ /* if there are arguments on the stack, there this is an */ ++ /* implied cf2_cmdVSTEMHM */ + cf2_doStems( font, + opStack, + &vStemHintArray, +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0007-bdf-Fix-Savannah-bug-43660.-CVE-2014-9660.patch +++ freetype-2.5.2/debian/patches-freetype/0007-bdf-Fix-Savannah-bug-43660.-CVE-2014-9660.patch 
@@ -0,0 +1,35 @@ +From beec79fa289f8cd246b985d9925dd60964ae5491 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Sat, 22 Nov 2014 13:29:10 +0100 +Subject: [bdf] Fix Savannah bug #43660. CVE-2014-9660 + +* src/bdf/bdflib.c (_bdf_parse_glyphs) <"ENDFONT">: Check +`_BDF_GLYPH_BITS'. + +(cherry picked from commit af8346172a7b573715134f7a51e6c5c60fa7f2ab) +--- + freetype-2.5.2/src/bdf/bdflib.c | 8 ++++++++ + 1 file changed, 8 insertions(+) + +diff --git freetype-2.5.2/src/bdf/bdflib.c freetype-2.5.2/src/bdf/bdflib.c +index 0b8412d..d613159 100644 +--- freetype-2.5.2/src/bdf/bdflib.c ++++ freetype-2.5.2/src/bdf/bdflib.c +@@ -1544,6 +1544,14 @@ + /* Check for the ENDFONT field. */ + if ( ft_memcmp( line, "ENDFONT", 7 ) == 0 ) + { ++ if ( p->flags & _BDF_GLYPH_BITS ) ++ { ++ /* Missing ENDCHAR field. */ ++ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENDCHAR" )); ++ error = FT_THROW( Corrupted_Font_Glyphs ); ++ goto Exit; ++ } ++ + /* Sort the glyphs by encoding. */ + ft_qsort( (char *)font->glyphs, + font->glyphs_used, +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0008-type42-Allow-only-embedded-TrueType-fonts.-CVE-2014-.patch +++ freetype-2.5.2/debian/patches-freetype/0008-type42-Allow-only-embedded-TrueType-fonts.-CVE-2014-.patch 
@@ -0,0 +1,34 @@ +From f81e0823c5bbf7692b20819328a2dd78bfa196b8 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Sat, 22 Nov 2014 12:44:33 +0100 +Subject: [type42] Allow only embedded TrueType fonts. CVE-2014-9661 + +This is a follow-up to Savannah bug #43659. + +* src/type42/t42objs.c (T42_Face_Init): Exclusively use the +`truetype' font driver for loading the font contained in the `sfnts' +array. + +(cherry picked from commit 42fcd6693ec7bd6ffc65ddc63e74287a65dda669) +--- + freetype-2.5.2/src/type42/t42objs.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git freetype-2.5.2/src/type42/t42objs.c freetype-2.5.2/src/type42/t42objs.c +index f5aa2ca..af64bf7 100644 +--- freetype-2.5.2/src/type42/t42objs.c ++++ freetype-2.5.2/src/type42/t42objs.c +@@ -286,7 +286,9 @@ + FT_Open_Args args; + + +- args.flags = FT_OPEN_MEMORY; ++ args.flags = FT_OPEN_MEMORY | FT_OPEN_DRIVER; ++ args.driver = FT_Get_Module( FT_FACE_LIBRARY( face ), ++ "truetype" ); + args.memory_base = face->ttf_data; + args.memory_size = face->ttf_size; + +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0009-cff-Fix-Savannah-bug-43658.-CVE-2014-9662.patch +++ freetype-2.5.2/debian/patches-freetype/0009-cff-Fix-Savannah-bug-43658.-CVE-2014-9662.patch 
@@ -0,0 +1,102 @@ +From 5b1379de7cd336cde51a3fc45cfe5da8f70ebe89 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Sat, 22 Nov 2014 09:16:39 +0100 +Subject: [cff] Fix Savannah bug #43658. CVE-2014-9662 + +* src/cff/cf2ft.c (cf2_builder_lineTo, cf2_builder_cubeTo): Handle +return values of point allocation routines. + +(cherry picked from commit 5f201ab5c24cb69bc96b724fd66e739928d6c5e2) +--- + freetype-2.5.2/src/cff/cf2ft.c | 48 +++++++++++++++++++++++++++++++++--------- + 1 file changed, 38 insertions(+), 10 deletions(-) + +diff --git freetype-2.5.2/src/cff/cf2ft.c freetype-2.5.2/src/cff/cf2ft.c +index 4abbc9d..f8bf1b4 100644 +--- freetype-2.5.2/src/cff/cf2ft.c ++++ freetype-2.5.2/src/cff/cf2ft.c +@@ -140,6 +140,8 @@ + cf2_builder_lineTo( CF2_OutlineCallbacks callbacks, + const CF2_CallbackParams params ) + { ++ FT_Error error; ++ + /* downcast the object pointer */ + CF2_Outline outline = (CF2_Outline)callbacks; + CFF_Builder* builder; +@@ -154,15 +156,27 @@ + { + /* record the move before the line; also check points and set */ + /* `path_begun' */ +- cff_builder_start_point( builder, +- params->pt0.x, +- params->pt0.y ); ++ error = cff_builder_start_point( builder, ++ params->pt0.x, ++ params->pt0.y ); ++ if ( error ) ++ { ++ if ( !*callbacks->error ) ++ *callbacks->error = error; ++ return; ++ } + } + + /* `cff_builder_add_point1' includes a check_points call for one point */ +- cff_builder_add_point1( builder, +- params->pt1.x, +- params->pt1.y ); ++ error = cff_builder_add_point1( builder, ++ params->pt1.x, ++ params->pt1.y ); ++ if ( error ) ++ { ++ if ( !*callbacks->error ) ++ *callbacks->error = error; ++ return; ++ } + } + + +@@ -170,6 +184,8 @@ + cf2_builder_cubeTo( CF2_OutlineCallbacks callbacks, + const CF2_CallbackParams params ) + { ++ FT_Error error; ++ + /* downcast the object pointer */ + CF2_Outline outline = (CF2_Outline)callbacks; + CFF_Builder* builder; +@@ -184,13 +200,25 @@ + { + /* record the move before the line; 
also check points and set */ + /* `path_begun' */ +- cff_builder_start_point( builder, +- params->pt0.x, +- params->pt0.y ); ++ error = cff_builder_start_point( builder, ++ params->pt0.x, ++ params->pt0.y ); ++ if ( error ) ++ { ++ if ( !*callbacks->error ) ++ *callbacks->error = error; ++ return; ++ } + } + + /* prepare room for 3 points: 2 off-curve, 1 on-curve */ +- cff_check_points( builder, 3 ); ++ error = cff_check_points( builder, 3 ); ++ if ( error ) ++ { ++ if ( !*callbacks->error ) ++ *callbacks->error = error; ++ return; ++ } + + cff_builder_add_point( builder, + params->pt1.x, +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0010-sfnt-Fix-Savannah-bug-43656.-CVE-2014-9663.patch +++ freetype-2.5.2/debian/patches-freetype/0010-sfnt-Fix-Savannah-bug-43656.-CVE-2014-9663.patch 
@@ -0,0 +1,40 @@ +From 82c605d68a03166c21a974b58155f78bce031cd1 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Sat, 22 Nov 2014 06:24:45 +0100 +Subject: [sfnt] Fix Savannah bug #43656. CVE-2014-9663 + +* src/sfnt/ttcmap.c (tt_cmap4_validate): Fix order of validity +tests. + +(cherry picked from commit 9bd20b7304aae61de5d50ac359cf27132bafd4c1) +--- + freetype-2.5.2/src/sfnt/ttcmap.c | 6 +++--- + 1 file changed, 3 insertions(+), 3 deletions(-) + +diff --git freetype-2.5.2/src/sfnt/ttcmap.c freetype-2.5.2/src/sfnt/ttcmap.c +index 9b7856b..c6ed872 100644 +--- freetype-2.5.2/src/sfnt/ttcmap.c ++++ freetype-2.5.2/src/sfnt/ttcmap.c +@@ -825,9 +825,6 @@ + FT_Error error = FT_Err_Ok; + + +- if ( length < 16 ) +- FT_INVALID_TOO_SHORT; +- + /* in certain fonts, the `length' field is invalid and goes */ + /* out of bound. We try to correct this here... */ + if ( table + length > valid->limit ) +@@ -838,6 +835,9 @@ + length = (FT_UInt)( valid->limit - table ); + } + ++ if ( length < 16 ) ++ FT_INVALID_TOO_SHORT; ++ + p = table + 6; + num_segs = TT_NEXT_USHORT( p ); /* read segCountX2 */ + +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0011-type1-type42-Fix-Savannah-bug-43655.-CVE-2014-9664.patch +++ freetype-2.5.2/debian/patches-freetype/0011-type1-type42-Fix-Savannah-bug-43655.-CVE-2014-9664.patch 
@@ -0,0 +1,43 @@ +From 31fddea8aa48f4c3fed12ff985da0a24b5561f46 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Fri, 21 Nov 2014 22:19:28 +0100 +Subject: [type1, type42] Fix Savannah bug #43655. CVE-2014-9664 + +* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c +(t42_parse_charstrings): Fix boundary testing. + +(cherry picked from commit dd89710f0f643eb0f99a3830e0712d26c7642acd) +--- + freetype-2.5.2/src/type1/t1load.c | 2 +- + freetype-2.5.2/src/type42/t42parse.c | 2 +- + 2 files changed, 2 insertions(+), 2 deletions(-) + +diff --git freetype-2.5.2/src/type1/t1load.c freetype-2.5.2/src/type1/t1load.c +index 4b5026b..fca3279 100644 +--- freetype-2.5.2/src/type1/t1load.c ++++ freetype-2.5.2/src/type1/t1load.c +@@ -1599,7 +1599,7 @@ + FT_PtrDist len; + + +- if ( cur + 1 >= limit ) ++ if ( cur + 2 >= limit ) + { + error = FT_THROW( Invalid_File_Format ); + goto Fail; +diff --git freetype-2.5.2/src/type42/t42parse.c freetype-2.5.2/src/type42/t42parse.c +index 3cdd8a1..0b3e0c6 100644 +--- freetype-2.5.2/src/type42/t42parse.c ++++ freetype-2.5.2/src/type42/t42parse.c +@@ -832,7 +832,7 @@ + FT_PtrDist len; + + +- if ( cur + 1 >= limit ) ++ if ( cur + 2 >= limit ) + { + FT_ERROR(( "t42_parse_charstrings: out of bounds\n" )); + error = FT_THROW( Invalid_File_Format ); +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0012-Make-FT_Bitmap_Convert-correctly-handle-negative-pit.patch +++ freetype-2.5.2/debian/patches-freetype/0012-Make-FT_Bitmap_Convert-correctly-handle-negative-pit.patch 
@@ -0,0 +1,169 @@ +From 91c554119a126f4476b2675a3729e8890a2b2e4a Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Wed, 19 Nov 2014 21:21:23 +0100 +Subject: Make `FT_Bitmap_Convert' correctly handle negative `pitch' values. + CVE-2014-9665-fixup + +* src/base/ftbitmap.c (FT_Bitmap_Convert): Always use positive value +for the pitch while copying data. +Correctly set pitch sign in target bitmap. + +(cherry picked from commit df485774fbbc7fd7dc9d3b278846f454654ad5df) +--- + freetype-2.5.2/src/base/ftbitmap.c | 63 +++++++++++++++++++++----------------- + 1 file changed, 35 insertions(+), 28 deletions(-) + +diff --git freetype-2.5.2/src/base/ftbitmap.c freetype-2.5.2/src/base/ftbitmap.c +index 182b1cc..9223007 100644 +--- freetype-2.5.2/src/base/ftbitmap.c ++++ freetype-2.5.2/src/base/ftbitmap.c +@@ -443,6 +443,8 @@ + FT_Error error = FT_Err_Ok; + FT_Memory memory; + ++ FT_Int source_pitch, target_pitch; ++ + + if ( !library ) + return FT_THROW( Invalid_Library_Handle ); +@@ -459,13 +461,15 @@ + case FT_PIXEL_MODE_LCD_V: + case FT_PIXEL_MODE_BGRA: + { +- FT_Int pad; ++ FT_Int pad, old_target_pitch; + FT_Long old_size; + + +- old_size = target->rows * target->pitch; +- if ( old_size < 0 ) +- old_size = -old_size; ++ old_target_pitch = target->pitch; ++ if ( old_target_pitch < 0 ) ++ old_target_pitch = -old_target_pitch; ++ ++ old_size = target->rows * old_target_pitch; + + target->pixel_mode = FT_PIXEL_MODE_GRAY; + target->rows = source->rows; +@@ -479,16 +483,18 @@ + pad = alignment - pad; + } + +- target->pitch = source->width + pad; ++ target_pitch = source->width + pad; + +- if ( target->pitch > 0 && +- (FT_ULong)target->rows > FT_ULONG_MAX / target->pitch ) ++ if ( target_pitch > 0 && ++ (FT_ULong)target->rows > FT_ULONG_MAX / target_pitch ) + return FT_THROW( Invalid_Argument ); + +- if ( target->rows * target->pitch > old_size && ++ if ( target->rows * target_pitch > old_size && + FT_QREALLOC( target->buffer, +- old_size, target->rows * 
target->pitch ) ) ++ old_size, target->rows * target_pitch ) ) + return error; ++ ++ target->pitch = target->pitch < 0 ? -target_pitch : target_pitch; + } + break; + +@@ -496,6 +502,10 @@ + error = FT_THROW( Invalid_Argument ); + } + ++ source_pitch = source->pitch; ++ if ( source_pitch < 0 ) ++ source_pitch = -source_pitch; ++ + switch ( source->pixel_mode ) + { + case FT_PIXEL_MODE_MONO: +@@ -548,8 +558,8 @@ + } + } + +- s += source->pitch; +- t += target->pitch; ++ s += source_pitch; ++ t += target_pitch; + } + } + break; +@@ -559,11 +569,9 @@ + case FT_PIXEL_MODE_LCD: + case FT_PIXEL_MODE_LCD_V: + { +- FT_Int width = source->width; +- FT_Byte* s = source->buffer; +- FT_Byte* t = target->buffer; +- FT_Int s_pitch = source->pitch; +- FT_Int t_pitch = target->pitch; ++ FT_Int width = source->width; ++ FT_Byte* s = source->buffer; ++ FT_Byte* t = target->buffer; + FT_Int i; + + +@@ -573,8 +581,8 @@ + { + FT_ARRAY_COPY( t, s, width ); + +- s += s_pitch; +- t += t_pitch; ++ s += source_pitch; ++ t += target_pitch; + } + } + break; +@@ -625,8 +633,8 @@ + } + } + +- s += source->pitch; +- t += target->pitch; ++ s += source_pitch; ++ t += target_pitch; + } + } + break; +@@ -664,18 +672,17 @@ + if ( source->width & 1 ) + tt[0] = (FT_Byte)( ( ss[0] & 0xF0 ) >> 4 ); + +- s += source->pitch; +- t += target->pitch; ++ s += source_pitch; ++ t += target_pitch; + } + } + break; + ++ + case FT_PIXEL_MODE_BGRA: + { +- FT_Byte* s = source->buffer; +- FT_Byte* t = target->buffer; +- FT_Int s_pitch = source->pitch; +- FT_Int t_pitch = target->pitch; ++ FT_Byte* s = source->buffer; ++ FT_Byte* t = target->buffer; + FT_Int i; + + +@@ -696,8 +703,8 @@ + tt += 1; + } + +- s += s_pitch; +- t += t_pitch; ++ s += source_pitch; ++ t += target_pitch; + } + } + break; +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0013-Fix-uninitialized-variable-warning.-CVE-2014-9665-fi.patch +++ 
freetype-2.5.2/debian/patches-freetype/0013-Fix-uninitialized-variable-warning.-CVE-2014-9665-fi.patch @@ -0,0 +1,31 @@ +From 3c8cb26b672f02272604a66fd5af0f53cab1c872 Mon Sep 17 00:00:00 2001 +From: Keith Packard <[email protected]> +Date: Mon, 23 Feb 2015 20:47:24 -0800 +Subject: Fix uninitialized variable warning. CVE-2014-9665-fixup-2 + +The 'target_pitch' value is computed in one switch and used in +another; every use case is covered by the computation above, but the +compiler can't figure that out, leaving a warning which we turn into +an error. + +Signed-off-by: Keith Packard <[email protected]> +--- + freetype-2.5.2/src/base/ftbitmap.c | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git freetype-2.5.2/src/base/ftbitmap.c freetype-2.5.2/src/base/ftbitmap.c +index 9223007..b9c2ef4 100644 +--- freetype-2.5.2/src/base/ftbitmap.c ++++ freetype-2.5.2/src/base/ftbitmap.c +@@ -443,7 +443,7 @@ + FT_Error error = FT_Err_Ok; + FT_Memory memory; + +- FT_Int source_pitch, target_pitch; ++ FT_Int source_pitch, target_pitch = 0; + + + if ( !library ) +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0014-Change-some-fields-in-FT_Bitmap-to-unsigned-type.-CV.patch +++ freetype-2.5.2/debian/patches-freetype/0014-Change-some-fields-in-FT_Bitmap-to-unsigned-type.-CV.patch 
@@ -0,0 +1,237 @@ +From 6dfb8afb2f8e7018ab20ad4ec001633edda3a96c Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Wed, 19 Nov 2014 21:28:21 +0100 +Subject: Change some fields in `FT_Bitmap' to unsigned type. CVE-2014-9665 + +This doesn't break ABI. + +* include/ftimage.h (FT_Bitmap): Make `rows', `width', `num_grays', +`pixel_mode', and `palette_mode' unsigned types. + +* src/base/ftbitmap.c: Updated. +(FT_Bitmap_Copy): Fix casts. + +* src/cache/ftcsbits.c, src/raster/ftraster.c, src/sfnt/pngshim.c: +Updated. + +(cherry picked from commit b3500af717010137046ec4076d1e1c0641e33727) +--- + freetype-2.5.2/include/ftimage.h | 10 +++++----- + freetype-2.5.2/src/base/ftbitmap.c | 25 +++++++++++++------------ + freetype-2.5.2/src/cache/ftcsbits.c | 8 ++++---- + freetype-2.5.2/src/raster/ftraster.c | 12 ++++++------ + freetype-2.5.2/src/sfnt/pngshim.c | 10 +++++----- + 5 files changed, 33 insertions(+), 32 deletions(-) + +diff --git freetype-2.5.2/include/ftimage.h freetype-2.5.2/include/ftimage.h +index ea71a78..b66f036 100644 +--- freetype-2.5.2/include/ftimage.h ++++ freetype-2.5.2/include/ftimage.h +@@ -318,13 +318,13 @@ FT_BEGIN_HEADER + /* */ + typedef struct FT_Bitmap_ + { +- int rows; +- int width; ++ unsigned int rows; ++ unsigned int width; + int pitch; + unsigned char* buffer; +- short num_grays; +- char pixel_mode; +- char palette_mode; ++ unsigned short num_grays; ++ unsigned char pixel_mode; ++ unsigned char palette_mode; + void* palette; + + } FT_Bitmap; +diff --git freetype-2.5.2/src/base/ftbitmap.c freetype-2.5.2/src/base/ftbitmap.c +index b9c2ef4..127bfc5 100644 +--- freetype-2.5.2/src/base/ftbitmap.c ++++ freetype-2.5.2/src/base/ftbitmap.c +@@ -62,7 +62,7 @@ + + if ( pitch < 0 ) + pitch = -pitch; +- size = (FT_ULong)( pitch * source->rows ); ++ size = (FT_ULong)pitch * source->rows; + + if ( target->buffer ) + { +@@ -72,7 +72,7 @@ + + if ( target_pitch < 0 ) + target_pitch = -target_pitch; +- target_size = (FT_ULong)( target_pitch 
* target->rows ); ++ target_size = (FT_ULong)target_pitch * target->rows; + + if ( target_size != size ) + (void)FT_QREALLOC( target->buffer, target_size, size ); +@@ -106,7 +106,7 @@ + int pitch; + int new_pitch; + FT_UInt bpp; +- FT_Int i, width, height; ++ FT_UInt i, width, height; + unsigned char* buffer = NULL; + + +@@ -144,17 +144,17 @@ + if ( ypixels == 0 && new_pitch <= pitch ) + { + /* zero the padding */ +- FT_Int bit_width = pitch * 8; +- FT_Int bit_last = ( width + xpixels ) * bpp; ++ FT_UInt bit_width = pitch * 8; ++ FT_UInt bit_last = ( width + xpixels ) * bpp; + + + if ( bit_last < bit_width ) + { + FT_Byte* line = bitmap->buffer + ( bit_last >> 3 ); + FT_Byte* end = bitmap->buffer + pitch; +- FT_Int shift = bit_last & 7; ++ FT_UInt shift = bit_last & 7; + FT_UInt mask = 0xFF00U >> shift; +- FT_Int count = height; ++ FT_UInt count = height; + + + for ( ; count > 0; count--, line += pitch, end += pitch ) +@@ -180,7 +180,7 @@ + + if ( bitmap->pitch > 0 ) + { +- FT_Int len = ( width * bpp + 7 ) >> 3; ++ FT_UInt len = ( width * bpp + 7 ) >> 3; + + + for ( i = 0; i < bitmap->rows; i++ ) +@@ -189,7 +189,7 @@ + } + else + { +- FT_Int len = ( width * bpp + 7 ) >> 3; ++ FT_UInt len = ( width * bpp + 7 ) >> 3; + + + for ( i = 0; i < bitmap->rows; i++ ) +@@ -220,7 +220,8 @@ + { + FT_Error error; + unsigned char* p; +- FT_Int i, x, y, pitch; ++ FT_Int i, x, pitch; ++ FT_UInt y; + FT_Int xstr, ystr; + + +@@ -461,8 +462,8 @@ + case FT_PIXEL_MODE_LCD_V: + case FT_PIXEL_MODE_BGRA: + { +- FT_Int pad, old_target_pitch; +- FT_Long old_size; ++ FT_Int pad, old_target_pitch; ++ FT_ULong old_size; + + + old_target_pitch = target->pitch; +diff --git freetype-2.5.2/src/cache/ftcsbits.c freetype-2.5.2/src/cache/ftcsbits.c +index 6df1c19..59727d1 100644 +--- freetype-2.5.2/src/cache/ftcsbits.c ++++ freetype-2.5.2/src/cache/ftcsbits.c +@@ -4,7 +4,7 @@ + /* */ + /* FreeType sbits manager (body). 
*/ + /* */ +-/* Copyright 2000-2006, 2009-2011, 2013 by */ ++/* Copyright 2000-2006, 2009-2011, 2013, 2014 by */ + /* David Turner, Robert Wilhelm, and Werner Lemberg. */ + /* */ + /* This file is part of the FreeType project, and may only be used, */ +@@ -142,12 +142,12 @@ + goto BadGlyph; + } + +- /* Check that our values fit into 8-bit containers! */ ++ /* Check whether our values fit into 8-bit containers! */ + /* If this is not the case, our bitmap is too large */ + /* and we will leave it as `missing' with sbit.buffer = 0 */ + +-#define CHECK_CHAR( d ) ( temp = (FT_Char)d, temp == d ) +-#define CHECK_BYTE( d ) ( temp = (FT_Byte)d, temp == d ) ++#define CHECK_CHAR( d ) ( temp = (FT_Char)d, (FT_Int) temp == (FT_Int) d ) ++#define CHECK_BYTE( d ) ( temp = (FT_Byte)d, (FT_UInt)temp == (FT_UInt)d ) + + /* horizontal advance in pixels */ + xadvance = ( slot->advance.x + 32 ) >> 6; +diff --git freetype-2.5.2/src/raster/ftraster.c freetype-2.5.2/src/raster/ftraster.c +index 8aa1113..6415d66 100644 +--- freetype-2.5.2/src/raster/ftraster.c ++++ freetype-2.5.2/src/raster/ftraster.c +@@ -2550,7 +2550,7 @@ + + e1 = TRUNC( e1 ); + +- if ( e1 >= 0 && e1 < ras.target.rows ) ++ if ( e1 >= 0 && (ULong)e1 < ras.target.rows ) + { + PByte p; + +@@ -2644,7 +2644,7 @@ + /* bounding box instead */ + if ( pxl < 0 ) + pxl = e1; +- else if ( TRUNC( pxl ) >= ras.target.rows ) ++ else if ( (ULong)( TRUNC( pxl ) ) >= ras.target.rows ) + pxl = e2; + + /* check that the other pixel isn't set */ +@@ -2659,9 +2659,9 @@ + if ( ras.target.pitch > 0 ) + bits += ( ras.target.rows - 1 ) * ras.target.pitch; + +- if ( e1 >= 0 && +- e1 < ras.target.rows && +- *bits & f1 ) ++ if ( e1 >= 0 && ++ (ULong)e1 < ras.target.rows && ++ *bits & f1 ) + return; + } + else +@@ -2673,7 +2673,7 @@ + + e1 = TRUNC( pxl ); + +- if ( e1 >= 0 && e1 < ras.target.rows ) ++ if ( e1 >= 0 && (ULong)e1 < ras.target.rows ) + { + bits -= e1 * ras.target.pitch; + if ( ras.target.pitch > 0 ) +diff --git 
freetype-2.5.2/src/sfnt/pngshim.c freetype-2.5.2/src/sfnt/pngshim.c +index 878de1f..79374b7 100644 +--- freetype-2.5.2/src/sfnt/pngshim.c ++++ freetype-2.5.2/src/sfnt/pngshim.c +@@ -205,11 +205,11 @@ + goto Exit; + } + +- if ( !populate_map_and_metrics && +- ( x_offset + metrics->width > map->width || +- y_offset + metrics->height > map->rows || +- pix_bits != 32 || +- map->pixel_mode != FT_PIXEL_MODE_BGRA ) ) ++ if ( !populate_map_and_metrics && ++ ( (FT_UInt)x_offset + metrics->width > map->width || ++ (FT_UInt)y_offset + metrics->height > map->rows || ++ pix_bits != 32 || ++ map->pixel_mode != FT_PIXEL_MODE_BGRA ) ) + { + error = FT_THROW( Invalid_Argument ); + goto Exit; +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0015-sfnt-Fix-Savannah-bug-43591.-CVE-2014-9666.patch +++ freetype-2.5.2/debian/patches-freetype/0015-sfnt-Fix-Savannah-bug-43591.-CVE-2014-9666.patch 
@@ -0,0 +1,35 @@ +From 4ebd46e114fb98084d937d09e003c9fd8f6f5939 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Wed, 12 Nov 2014 21:42:13 +0100 +Subject: [sfnt] Fix Savannah bug #43591. CVE-2014-9666 + +* src/sfnt/ttsbit.c (tt_sbit_decoder_init): Protect against addition +and multiplication overflow. + +(cherry picked from commit 257c270bd25e15890190a28a1456e7623bba4439) +--- + freetype-2.5.2/src/sfnt/ttsbit.c | 8 +++++--- + 1 file changed, 5 insertions(+), 3 deletions(-) + +diff --git freetype-2.5.2/src/sfnt/ttsbit.c freetype-2.5.2/src/sfnt/ttsbit.c +index 38c680e..f223c5a 100644 +--- freetype-2.5.2/src/sfnt/ttsbit.c ++++ freetype-2.5.2/src/sfnt/ttsbit.c +@@ -380,9 +380,11 @@ + p += 34; + decoder->bit_depth = *p; + +- if ( decoder->strike_index_array > face->sbit_table_size || +- decoder->strike_index_array + 8 * decoder->strike_index_count > +- face->sbit_table_size ) ++ /* decoder->strike_index_array + */ ++ /* 8 * decoder->strike_index_count > face->sbit_table_size ? */ ++ if ( decoder->strike_index_array > face->sbit_table_size || ++ decoder->strike_index_count > ++ ( face->sbit_table_size - decoder->strike_index_array ) / 8 ) + error = FT_THROW( Invalid_File_Format ); + } + +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0016-sfnt-Fix-Savannah-bug-43590.-CVE-2014-9667.patch +++ freetype-2.5.2/debian/patches-freetype/0016-sfnt-Fix-Savannah-bug-43590.-CVE-2014-9667.patch 
@@ -0,0 +1,53 @@ +From f4e4eb6ba541c32bbad8a1d8db68e5a4cb9ba423 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Wed, 12 Nov 2014 21:26:44 +0100 +Subject: [sfnt] Fix Savannah bug #43590. CVE-2014-9667 + +* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir): +Protect against addition overflow. + +(cherry picked from commit 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891) +--- + freetype-2.5.2/src/sfnt/ttload.c | 12 +++++++++--- + 1 file changed, 9 insertions(+), 3 deletions(-) + +diff --git freetype-2.5.2/src/sfnt/ttload.c freetype-2.5.2/src/sfnt/ttload.c +index 0a3cd29..8338150 100644 +--- freetype-2.5.2/src/sfnt/ttload.c ++++ freetype-2.5.2/src/sfnt/ttload.c +@@ -5,7 +5,7 @@ + /* Load the basic TrueType tables, i.e., tables that can be either in */ + /* TTF or OTF fonts (body). */ + /* */ +-/* Copyright 1996-2010, 2012, 2013 by */ ++/* Copyright 1996-2010, 2012-2014 by */ + /* David Turner, Robert Wilhelm, and Werner Lemberg. */ + /* */ + /* This file is part of the FreeType project, and may only be used, */ +@@ -207,7 +207,10 @@ + } + + /* we ignore invalid tables */ +- if ( table.Offset + table.Length > stream->size ) ++ ++ /* table.Offset + table.Length > stream->size ? */ ++ if ( table.Length > stream->size || ++ table.Offset > stream->size - table.Length ) + { + FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn )); + continue; +@@ -395,7 +398,10 @@ + entry->Length = FT_GET_ULONG(); + + /* ignore invalid tables */ +- if ( entry->Offset + entry->Length > stream->size ) ++ ++ /* entry->Offset + entry->Length > stream->size ? */ ++ if ( entry->Length > stream->size || ++ entry->Offset > stream->size - entry->Length ) + continue; + else + { +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0017-sfnt-Fix-Savannah-bug-43589.-CVE-2014-9668.patch +++ freetype-2.5.2/debian/patches-freetype/0017-sfnt-Fix-Savannah-bug-43589.-CVE-2014-9668.patch 
@@ -0,0 +1,33 @@ +From eae341fbe8a57e4d30050b71f2956f1da053eb4b Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Wed, 12 Nov 2014 21:06:08 +0100 +Subject: [sfnt] Fix Savannah bug #43589. CVE-2014-9668 + +* src/sfnt/sfobjs.c (woff_open_font): Protect against addition +overflow. + +(cherry picked from commit f46add13895337ece929b18bb8f036431b3fb538) +--- + freetype-2.5.2/src/sfnt/sfobjs.c | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +diff --git freetype-2.5.2/src/sfnt/sfobjs.c freetype-2.5.2/src/sfnt/sfobjs.c +index a31c77c..d202ca0 100644 +--- freetype-2.5.2/src/sfnt/sfobjs.c ++++ freetype-2.5.2/src/sfnt/sfobjs.c +@@ -574,8 +574,10 @@ + + + if ( table->Offset != woff_offset || +- table->Offset + table->CompLength > woff.length || +- sfnt_offset + table->OrigLength > woff.totalSfntSize || ++ table->CompLength > woff.length || ++ table->Offset > woff.length - table->CompLength || ++ table->OrigLength > woff.totalSfntSize || ++ sfnt_offset > woff.totalSfntSize - table->OrigLength || + table->CompLength > table->OrigLength ) + { + error = FT_THROW( Invalid_Table ); +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0018-sfnt-Fix-Savannah-bug-43588.-CVE-2014-9669.patch +++ freetype-2.5.2/debian/patches-freetype/0018-sfnt-Fix-Savannah-bug-43588.-CVE-2014-9669.patch 
@@ -0,0 +1,123 @@ +From 3cba76af29963f3fd1925ed6128cdf95bf8d4823 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Wed, 12 Nov 2014 20:51:20 +0100 +Subject: [sfnt] Fix Savannah bug #43588. CVE-2014-9669 + +* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate, +tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect +against overflow in additions and multiplications. + +(cherry picked from commit 602040b1112c9f94d68e200be59ea7ac3d104565) +--- + freetype-2.5.2/src/sfnt/ttcmap.c | 39 ++++++++++++++++++++++++++++++--------- + 1 file changed, 30 insertions(+), 9 deletions(-) + +diff --git freetype-2.5.2/src/sfnt/ttcmap.c freetype-2.5.2/src/sfnt/ttcmap.c +index c6ed872..9050ebf 100644 +--- freetype-2.5.2/src/sfnt/ttcmap.c ++++ freetype-2.5.2/src/sfnt/ttcmap.c +@@ -1649,7 +1649,8 @@ + p = is32 + 8192; /* skip `is32' array */ + num_groups = TT_NEXT_ULONG( p ); + +- if ( p + num_groups * 12 > valid->limit ) ++ /* p + num_groups * 12 > valid->limit ? */ ++ if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 ) + FT_INVALID_TOO_SHORT; + + /* check groups, they must be in increasing order */ +@@ -1674,7 +1675,12 @@ + + if ( valid->level >= FT_VALIDATE_TIGHT ) + { +- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ) ++ FT_UInt32 d = end - start; ++ ++ ++ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */ ++ if ( d > TT_VALID_GLYPH_COUNT( valid ) || ++ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d ) + FT_INVALID_GLYPH_ID; + + count = (FT_UInt32)( end - start + 1 ); +@@ -1872,7 +1878,9 @@ + count = TT_NEXT_ULONG( p ); + + if ( length > (FT_ULong)( valid->limit - table ) || +- length < 20 + count * 2 ) ++ /* length < 20 + count * 2 ? 
*/ ++ length < 20 || ++ ( length - 20 ) / 2 < count ) + FT_INVALID_TOO_SHORT; + + /* check glyph indices */ +@@ -2059,7 +2067,9 @@ + num_groups = TT_NEXT_ULONG( p ); + + if ( length > (FT_ULong)( valid->limit - table ) || +- length < 16 + 12 * num_groups ) ++ /* length < 16 + 12 * num_groups ? */ ++ length < 16 || ++ ( length - 16 ) / 12 < num_groups ) + FT_INVALID_TOO_SHORT; + + /* check groups, they must be in increasing order */ +@@ -2081,7 +2091,12 @@ + + if ( valid->level >= FT_VALIDATE_TIGHT ) + { +- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ) ++ FT_UInt32 d = end - start; ++ ++ ++ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */ ++ if ( d > TT_VALID_GLYPH_COUNT( valid ) || ++ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d ) + FT_INVALID_GLYPH_ID; + } + +@@ -2383,7 +2398,9 @@ + num_groups = TT_NEXT_ULONG( p ); + + if ( length > (FT_ULong)( valid->limit - table ) || +- length < 16 + 12 * num_groups ) ++ /* length < 16 + 12 * num_groups ? */ ++ length < 16 || ++ ( length - 16 ) / 12 < num_groups ) + FT_INVALID_TOO_SHORT; + + /* check groups, they must be in increasing order */ +@@ -2764,7 +2781,9 @@ + + + if ( length > (FT_ULong)( valid->limit - table ) || +- length < 10 + 11 * num_selectors ) ++ /* length < 10 + 11 * num_selectors ? */ ++ length < 10 || ++ ( length - 10 ) / 11 < num_selectors ) + FT_INVALID_TOO_SHORT; + + /* check selectors, they must be in increasing order */ +@@ -2800,7 +2819,8 @@ + FT_ULong lastBase = 0; + + +- if ( defp + numRanges * 4 > valid->limit ) ++ /* defp + numRanges * 4 > valid->limit ? */ ++ if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 ) + FT_INVALID_TOO_SHORT; + + for ( i = 0; i < numRanges; ++i ) +@@ -2827,7 +2847,8 @@ + FT_ULong i, lastUni = 0; + + +- if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ) ++ /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? 
*/ ++ if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 ) + FT_INVALID_TOO_SHORT; + + for ( i = 0; i < numMappings; ++i ) +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0019-Fix-Savannah-bug-43548.-CVE-2014-9670.patch +++ freetype-2.5.2/debian/patches-freetype/0019-Fix-Savannah-bug-43548.-CVE-2014-9670.patch @@ -0,0 +1,36 @@ +From e92ff3eeb7981a88a85f2c0a7f1f4be9a28c57d9 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Thu, 6 Nov 2014 23:25:05 +0100 +Subject: Fix Savannah bug #43548. CVE-2014-9670 + +* src/pcf/pcfread (pcf_get_encodings): Add sanity checks for row and +column values. + +(cherry picked from commit ef1eba75187adfac750f326b563fe543dd5ff4e6) +--- + freetype-2.5.2/src/pcf/pcfread.c | 9 +++++++++ + 1 file changed, 9 insertions(+) + +diff --git freetype-2.5.2/src/pcf/pcfread.c freetype-2.5.2/src/pcf/pcfread.c +index ee41c5d..c7d38e1 100644 +--- freetype-2.5.2/src/pcf/pcfread.c ++++ freetype-2.5.2/src/pcf/pcfread.c +@@ -812,6 +812,15 @@ THE SOFTWARE. + if ( !PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) ) + return FT_THROW( Invalid_File_Format ); + ++ /* sanity checks */ ++ if ( firstCol < 0 || ++ firstCol > lastCol || ++ lastCol > 0xFF || ++ firstRow < 0 || ++ firstRow > lastRow || ++ lastRow > 0xFF ) ++ return FT_THROW( Invalid_Table ); ++ + FT_TRACE4(( "pdf_get_encodings:\n" )); + + FT_TRACE4(( " firstCol %d, lastCol %d, firstRow %d, lastRow %d\n", +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0020-Fix-Savannah-bug-43547.-CVE-2014-9671.patch +++ freetype-2.5.2/debian/patches-freetype/0020-Fix-Savannah-bug-43547.-CVE-2014-9671.patch 
@@ -0,0 +1,42 @@ +From 8d2acf52b8f956338f7b381817d3fdb06b64f756 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Thu, 6 Nov 2014 22:32:46 +0100 +Subject: Fix Savannah bug #43547. CVE-2014-9671 + +* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset' +values. + +(cherry picked from commit 0e2f5d518c60e2978f26400d110eff178fa7e3c3) +--- + freetype-2.5.2/src/pcf/pcfread.c | 15 +++++++++++++++ + 1 file changed, 15 insertions(+) + +diff --git freetype-2.5.2/src/pcf/pcfread.c freetype-2.5.2/src/pcf/pcfread.c +index c7d38e1..f487faa 100644 +--- freetype-2.5.2/src/pcf/pcfread.c ++++ freetype-2.5.2/src/pcf/pcfread.c +@@ -151,6 +151,21 @@ THE SOFTWARE. + break; + } + ++ /* we now check whether the `size' and `offset' values are reasonable: */ ++ /* `offset' + `size' must not exceed the stream size */ ++ tables = face->toc.tables; ++ for ( n = 0; n < toc->count; n++ ) ++ { ++ /* we need two checks to avoid overflow */ ++ if ( ( tables->size > stream->size ) || ++ ( tables->offset > stream->size - tables->size ) ) ++ { ++ error = FT_THROW( Invalid_Table ); ++ goto Exit; ++ } ++ tables++; ++ } ++ + #ifdef FT_DEBUG_LEVEL_TRACE + + { +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0021-Fix-Savannah-bug-43540.-CVE-2014-9672.patch +++ freetype-2.5.2/debian/patches-freetype/0021-Fix-Savannah-bug-43540.-CVE-2014-9672.patch 
@@ -0,0 +1,42 @@ +From fd240e4f474a3d1006b3467fb9a891d94770fdf4 Mon Sep 17 00:00:00 2001 +From: suzuki toshiya <[email protected]> +Date: Wed, 26 Nov 2014 16:11:38 +0900 +Subject: Fix Savannah bug #43540. CVE-2014-9672 + +* src/base/ftmac.c (parse_fond): Prevent a buffer overrun +caused by a font including too many (> 63) strings to store +names[] table. + +(cherry picked from commit 18a8f0d9943369449bc4de92d411c78fb08d616c) +--- + freetype-2.5.2/src/base/ftmac.c | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git freetype-2.5.2/src/base/ftmac.c freetype-2.5.2/src/base/ftmac.c +index 9b49da8..184a2e1 100644 +--- freetype-2.5.2/src/base/ftmac.c ++++ freetype-2.5.2/src/base/ftmac.c +@@ -440,9 +440,10 @@ + style = (StyleTable*)p; + p += sizeof ( StyleTable ); + string_count = EndianS16_BtoN( *(short*)(p) ); ++ string_count = FT_MIN( 64, string_count ); + p += sizeof ( short ); + +- for ( i = 0; i < string_count && i < 64; i++ ) ++ for ( i = 0; i < string_count; i++ ) + { + names[i] = p; + p += names[i][0]; +@@ -459,7 +460,7 @@ + ps_name[ps_name_len] = 0; + } + if ( style->indexes[face_index] > 1 && +- style->indexes[face_index] <= FT_MIN( string_count, 64 ) ) ++ style->indexes[face_index] <= string_count ) + { + unsigned char* suffixes = names[style->indexes[face_index] - 1]; + +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0022-src-base-ftobjs.c-Mac_Read_POST_Resource-Avoid-memor.patch +++ freetype-2.5.2/debian/patches-freetype/0022-src-base-ftobjs.c-Mac_Read_POST_Resource-Avoid-memor.patch 
@@ -0,0 +1,33 @@ +From 9c29f8a914862850a8e5c9fdf35d226ac7be30b8 Mon Sep 17 00:00:00 2001 +From: suzuki toshiya <[email protected]> +Date: Wed, 26 Nov 2014 14:36:12 +0900 +Subject: =?UTF-8?q?*=20src/base/ftobjs.c=20(Mac=5FRead=5FPOST=5FResource):?= + =?UTF-8?q?=20Avoid=20memory=20leak=20CVE-2014-9673-fixup=0Aby=20a=20broke?= + =?UTF-8?q?n=20POST=20table=20in=20resource-fork.=20=20Return=20after=20fr?= + =?UTF-8?q?eeing=0Athe=20buffered=20POST=20table=20when=20it=20is=20found?= + =?UTF-8?q?=20to=20be=20broken.?= + +(cherry picked from commit 5aff85301bdce7677766fa1367c82ff41a739637) +--- + freetype-2.5.2/src/base/ftobjs.c | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c +index bd0c66e..6014a93 100644 +--- freetype-2.5.2/src/base/ftobjs.c ++++ freetype-2.5.2/src/base/ftobjs.c +@@ -1626,9 +1626,9 @@ + if ( error ) + goto Exit2; + if ( FT_READ_LONG( rlen ) ) +- goto Exit; ++ goto Exit2; + if ( FT_READ_USHORT( flags ) ) +- goto Exit; ++ goto Exit2; + FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", + i, offsets[i], rlen, flags )); + +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0023-Fix-Savannah-bug-43539.-CVE-2014-9673.patch +++ freetype-2.5.2/debian/patches-freetype/0023-Fix-Savannah-bug-43539.-CVE-2014-9673.patch 
@@ -0,0 +1,59 @@ +From 9dab65dee316318b89f3dd83515509b64bb3f17d Mon Sep 17 00:00:00 2001 +From: suzuki toshiya <[email protected]> +Date: Wed, 26 Nov 2014 15:52:23 +0900 +Subject: Fix Savannah bug #43539. CVE-2014-9673 + +* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow +by a broken POST table in resource-fork. + +(cherry picked from commit 35252ae9aa1dd9343e9f4884e9ddb1fee10ef415) +--- + freetype-2.5.2/src/base/ftobjs.c | 17 +++++++++++++++++ + 1 file changed, 17 insertions(+) + +diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c +index 6014a93..e860413 100644 +--- freetype-2.5.2/src/base/ftobjs.c ++++ freetype-2.5.2/src/base/ftobjs.c +@@ -1627,6 +1627,11 @@ + goto Exit2; + if ( FT_READ_LONG( rlen ) ) + goto Exit2; ++ if ( rlen < 0 ) ++ { ++ error = FT_THROW( Invalid_Offset ); ++ goto Exit2; ++ } + if ( FT_READ_USHORT( flags ) ) + goto Exit2; + FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", +@@ -1644,7 +1649,14 @@ + rlen = 0; + + if ( ( flags >> 8 ) == type ) ++ { ++ if ( 0x7FFFFFFFL - rlen < len ) ++ { ++ error = FT_THROW( Array_Too_Large ); ++ goto Exit2; ++ } + len += rlen; ++ } + else + { + if ( pfb_lenpos + 3 > pfb_len + 2 ) +@@ -1673,6 +1685,11 @@ + } + + error = FT_ERR( Cannot_Open_Resource ); ++ if ( rlen > 0x7FFFFFFFL - pfb_pos ) ++ { ++ error = FT_THROW( Array_Too_Large ); ++ goto Exit2; ++ } + if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len ) + goto Exit2; + +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0024-Fix-Savannah-bug-43538.-CVE-2014-9674-part-1.patch +++ freetype-2.5.2/debian/patches-freetype/0024-Fix-Savannah-bug-43538.-CVE-2014-9674-part-1.patch 
@@ -0,0 +1,45 @@ +From 6dc3fe8132e53773c2d48c7c07caf65bc020aa3d Mon Sep 17 00:00:00 2001 +From: suzuki toshiya <[email protected]> +Date: Wed, 26 Nov 2014 15:43:29 +0900 +Subject: Fix Savannah bug #43538. CVE-2014-9674-part-1 + +* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow +by a broken POST table in resource-fork. + +(cherry picked from commit 240c94a185cd8dae7d03059abec8a5662c35ecd3) +--- + freetype-2.5.2/src/base/ftobjs.c | 15 ++++++++++++++- + 1 file changed, 14 insertions(+), 1 deletion(-) + +diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c +index e860413..6be07ca 100644 +--- freetype-2.5.2/src/base/ftobjs.c ++++ freetype-2.5.2/src/base/ftobjs.c +@@ -1603,10 +1603,23 @@ + goto Exit; + if ( FT_READ_LONG( temp ) ) + goto Exit; ++ if ( 0 > temp ) ++ error = FT_THROW( Invalid_Offset ); ++ else if ( 0x7FFFFFFFL - 6 - pfb_len < temp ) ++ error = FT_THROW( Array_Too_Large ); ++ ++ if ( error ) ++ goto Exit; ++ + pfb_len += temp + 6; + } + +- if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) ) ++ if ( 0x7FFFFFFFL - 2 < pfb_len ) ++ error = FT_THROW( Array_Too_Large ); ++ else ++ error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ); ++ ++ if ( error ) + goto Exit; + + pfb_data[0] = 0x80; +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0025-src-base-ftobjs.c-Mac_Read_POST_Resource-Use-unsigne.patch +++ freetype-2.5.2/debian/patches-freetype/0025-src-base-ftobjs.c-Mac_Read_POST_Resource-Use-unsigne.patch 
@@ -0,0 +1,165 @@ +From f50779191264fd754d76fbf9b0703a930902ae50 Mon Sep 17 00:00:00 2001 +From: suzuki toshiya <[email protected]> +Date: Wed, 26 Nov 2014 16:02:17 +0900 +Subject: =?UTF-8?q?*=20src/base/ftobjs.c=20(Mac=5FRead=5FPOST=5FResource):?= + =?UTF-8?q?=20Use=20unsigned=20long=20CVE-2014-9674-fixup-1=0Avariables=20?= + =?UTF-8?q?to=20read=20the=20lengths=20in=20POST=20fragments.=20=20Suggest?= + =?UTF-8?q?ed=20by=0AMateusz=20Jurczyk=20<[email protected]>.?= + +(cherry picked from commit 453316792fee912cfced48e9e270e9eb19892e64) +--- + freetype-2.5.2/src/base/ftobjs.c | 63 ++++++++++++++++++++++------------------ + 1 file changed, 34 insertions(+), 29 deletions(-) + +diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c +index 6be07ca..2ec2ed8 100644 +--- freetype-2.5.2/src/base/ftobjs.c ++++ freetype-2.5.2/src/base/ftobjs.c +@@ -1583,9 +1583,9 @@ + FT_Memory memory = library->memory; + FT_Byte* pfb_data = NULL; + int i, type, flags; +- FT_Long len; +- FT_Long pfb_len, pfb_pos, pfb_lenpos; +- FT_Long rlen, temp; ++ FT_ULong len; ++ FT_ULong pfb_len, pfb_pos, pfb_lenpos; ++ FT_ULong rlen, temp; + + + if ( face_index == -1 ) +@@ -1601,25 +1601,27 @@ + error = FT_Stream_Seek( stream, offsets[i] ); + if ( error ) + goto Exit; +- if ( FT_READ_LONG( temp ) ) ++ if ( FT_READ_ULONG( temp ) ) + goto Exit; +- if ( 0 > temp ) ++#if 0 ++ FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", i, temp)); ++ if ( 0x7FFFFFFFUL < temp ) ++ { + error = FT_THROW( Invalid_Offset ); +- else if ( 0x7FFFFFFFL - 6 - pfb_len < temp ) +- error = FT_THROW( Array_Too_Large ); +- +- if ( error ) + goto Exit; ++ } ++#endif + + pfb_len += temp + 6; + } + +- if ( 0x7FFFFFFFL - 2 < pfb_len ) ++ FT_TRACE2(( " total buffer size to concatenate %d POST fragments: 0x%08x\n", ++ resource_cnt, pfb_len + 2)); ++ if ( pfb_len + 2 < 6 ) { + error = FT_THROW( Array_Too_Large ); +- else +- error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ); +- +- if ( error ) ++ goto Exit; ++ } ++ if 
( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) ) + goto Exit; + + pfb_data[0] = 0x80; +@@ -1638,21 +1640,27 @@ + error = FT_Stream_Seek( stream, offsets[i] ); + if ( error ) + goto Exit2; +- if ( FT_READ_LONG( rlen ) ) ++ if ( FT_READ_ULONG( rlen ) ) + goto Exit2; +- if ( rlen < 0 ) ++#if 0 ++ if ( 0x7FFFFFFFUL < rlen ) + { + error = FT_THROW( Invalid_Offset ); + goto Exit2; + } ++#endif + if ( FT_READ_USHORT( flags ) ) + goto Exit2; + FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", + i, offsets[i], rlen, flags )); + ++ error = FT_ERR( Array_Too_Large ); + /* postpone the check of rlen longer than buffer until FT_Stream_Read() */ + if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */ ++ { ++ FT_TRACE3(( " Skip POST fragment #%d because it is a comment\n", i )); + continue; ++ } + + /* the flags are part of the resource, so rlen >= 2. */ + /* but some fonts declare rlen = 0 for empty fragment */ +@@ -1662,16 +1670,10 @@ + rlen = 0; + + if ( ( flags >> 8 ) == type ) +- { +- if ( 0x7FFFFFFFL - rlen < len ) +- { +- error = FT_THROW( Array_Too_Large ); +- goto Exit2; +- } + len += rlen; +- } + else + { ++ FT_TRACE3(( " Write POST fragment #%d header (4-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos )); + if ( pfb_lenpos + 3 > pfb_len + 2 ) + goto Exit2; + pfb_data[pfb_lenpos ] = (FT_Byte)( len ); +@@ -1682,6 +1684,7 @@ + if ( ( flags >> 8 ) == 5 ) /* End of font mark */ + break; + ++ FT_TRACE3(( " Write POST fragment #%d header (6-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_pos )); + if ( pfb_pos + 6 > pfb_len + 2 ) + goto Exit2; + pfb_data[pfb_pos++] = 0x80; +@@ -1697,21 +1700,17 @@ + pfb_data[pfb_pos++] = 0; + } + +- error = FT_ERR( Cannot_Open_Resource ); +- if ( rlen > 0x7FFFFFFFL - pfb_pos ) +- { +- error = FT_THROW( Array_Too_Large ); +- goto Exit2; +- } + if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len ) + goto Exit2; + ++ FT_TRACE3(( " Load POST fragment #%d (%d byte) to buffer 0x%p + 0x%08x\n", i, rlen, 
pfb_data, pfb_pos )); + error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen ); + if ( error ) + goto Exit2; + pfb_pos += rlen; + } + ++ error = FT_ERR( Array_Too_Large ); + if ( pfb_pos + 2 > pfb_len + 2 ) + goto Exit2; + pfb_data[pfb_pos++] = 0x80; +@@ -1732,6 +1731,12 @@ + aface ); + + Exit2: ++ if ( error == FT_ERR( Array_Too_Large ) ) ++ FT_TRACE2(( " Abort due to too-short buffer to store all POST fragments\n" )); ++ else if ( error == FT_ERR( Invalid_Offset ) ) ++ FT_TRACE2(( " Abort due to invalid offset in a POST fragment\n" )); ++ if ( error ) ++ error = FT_ERR( Cannot_Open_Resource ); + FT_FREE( pfb_data ); + + Exit: +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0026-src-base-ftobjs.c-Mac_Read_POST_Resource-Insert-comm.patch +++ freetype-2.5.2/debian/patches-freetype/0026-src-base-ftobjs.c-Mac_Read_POST_Resource-Insert-comm.patch 
@@ -0,0 +1,111 @@ +From 02dd014303d7a151398321cfc7001426306b6e3b Mon Sep 17 00:00:00 2001 +From: suzuki toshiya <[email protected]> +Date: Wed, 26 Nov 2014 16:39:00 +0900 +Subject: =?UTF-8?q?*=20src/base/ftobjs.c=20(Mac=5FRead=5FPOST=5FResource):?= + =?UTF-8?q?=20Insert=20comments=20CVS-2014-9674-fixup-2=0Aand=20fold=20too?= + =?UTF-8?q?=20long=20tracing=20messages.?= + +(cherry picked from commit 1720e81e3ecc7c266e54fe40175cc39c47117bf5) +--- + freetype-2.5.2/src/base/ftobjs.c | 34 ++++++++++++++++++++++++---------- + 1 file changed, 24 insertions(+), 10 deletions(-) + +diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c +index 2ec2ed8..4a9eb7f 100644 +--- freetype-2.5.2/src/base/ftobjs.c ++++ freetype-2.5.2/src/base/ftobjs.c +@@ -1603,21 +1603,28 @@ + goto Exit; + if ( FT_READ_ULONG( temp ) ) + goto Exit; +-#if 0 +- FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", i, temp)); ++ ++ /* FT2 allocator takes signed long buffer length, ++ * too large value causing overflow should be checked ++ */ ++ FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", ++ i, temp)); + if ( 0x7FFFFFFFUL < temp ) + { + error = FT_THROW( Invalid_Offset ); + goto Exit; + } +-#endif + + pfb_len += temp + 6; + } + +- FT_TRACE2(( " total buffer size to concatenate %d POST fragments: 0x%08x\n", ++ FT_TRACE2(( " total buffer size to concatenate %d" ++ " POST fragments: 0x%08x\n", + resource_cnt, pfb_len + 2)); + if ( pfb_len + 2 < 6 ) { ++ FT_TRACE2(( " too long fragment length makes" ++ " pfb_len confused: 0x%08x\n", ++ pfb_len )); + error = FT_THROW( Array_Too_Large ); + goto Exit; + } +@@ -1642,13 +1649,16 @@ + goto Exit2; + if ( FT_READ_ULONG( rlen ) ) + goto Exit2; +-#if 0 ++ ++ /* FT2 allocator takes signed long buffer length, ++ * too large fragment length causing overflow should be checked ++ */ + if ( 0x7FFFFFFFUL < rlen ) + { + error = FT_THROW( Invalid_Offset ); + goto Exit2; + } +-#endif ++ + if ( FT_READ_USHORT( flags ) ) + goto Exit2; + FT_TRACE3(( "POST 
fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", +@@ -1673,7 +1683,8 @@ + len += rlen; + else + { +- FT_TRACE3(( " Write POST fragment #%d header (4-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos )); ++ FT_TRACE3(( " Write POST fragment #%d header (4-byte) to buffer" ++ " 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos )); + if ( pfb_lenpos + 3 > pfb_len + 2 ) + goto Exit2; + pfb_data[pfb_lenpos ] = (FT_Byte)( len ); +@@ -1684,7 +1695,8 @@ + if ( ( flags >> 8 ) == 5 ) /* End of font mark */ + break; + +- FT_TRACE3(( " Write POST fragment #%d header (6-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_pos )); ++ FT_TRACE3(( " Write POST fragment #%d header (6-byte) to buffer" ++ " 0x%p + 0x%08x\n", i, pfb_data, pfb_pos )); + if ( pfb_pos + 6 > pfb_len + 2 ) + goto Exit2; + pfb_data[pfb_pos++] = 0x80; +@@ -1703,7 +1715,8 @@ + if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len ) + goto Exit2; + +- FT_TRACE3(( " Load POST fragment #%d (%d byte) to buffer 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos )); ++ FT_TRACE3(( " Load POST fragment #%d (%d byte) to buffer" ++ " 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos )); + error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen ); + if ( error ) + goto Exit2; +@@ -1732,7 +1745,8 @@ + + Exit2: + if ( error == FT_ERR( Array_Too_Large ) ) +- FT_TRACE2(( " Abort due to too-short buffer to store all POST fragments\n" )); ++ FT_TRACE2(( " Abort due to too-short buffer to store" ++ " all POST fragments\n" )); + else if ( error == FT_ERR( Invalid_Offset ) ) + FT_TRACE2(( " Abort due to invalid offset in a POST fragment\n" )); + if ( error ) +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0027-src-base-ftobj.c-Mac_Read_POST_Resource-Additional-C.patch +++ freetype-2.5.2/debian/patches-freetype/0027-src-base-ftobj.c-Mac_Read_POST_Resource-Additional-C.patch 
@@ -0,0 +1,42 @@ +From 227701e7a216e77f97fc170702d70f9c1a84992a Mon Sep 17 00:00:00 2001 +From: suzuki toshiya <[email protected]> +Date: Thu, 27 Nov 2014 00:20:48 +0900 +Subject: =?UTF-8?q?*=20src/base/ftobj.c=20(Mac=5FRead=5FPOST=5FResource):?= + =?UTF-8?q?=20Additional=20CVE-2014-0674-part-2=0Aoverflow=20check=20in=20?= + =?UTF-8?q?the=20summation=20of=20POST=20fragment=20lengths,=0Asuggested?= + =?UTF-8?q?=20by=20Mateusz=20Jurczyk=20<[email protected]>.?= + +(cherry picked from commit cd4a5a26e591d01494567df9dec7f72d59551f6e) +--- + freetype-2.5.2/src/base/ftobjs.c | 7 ++++--- + 1 file changed, 4 insertions(+), 3 deletions(-) + +diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c +index 4a9eb7f..038a0f8 100644 +--- freetype-2.5.2/src/base/ftobjs.c ++++ freetype-2.5.2/src/base/ftobjs.c +@@ -1609,8 +1609,10 @@ + */ + FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", + i, temp)); +- if ( 0x7FFFFFFFUL < temp ) ++ if ( 0x7FFFFFFFUL < temp || pfb_len + temp + 6 < pfb_len ) + { ++ FT_TRACE2(( " too long fragment length makes" ++ " pfb_len confused: temp=0x%08x\n", temp )); + error = FT_THROW( Invalid_Offset ); + goto Exit; + } +@@ -1623,8 +1625,7 @@ + resource_cnt, pfb_len + 2)); + if ( pfb_len + 2 < 6 ) { + FT_TRACE2(( " too long fragment length makes" +- " pfb_len confused: 0x%08x\n", +- pfb_len )); ++ " pfb_len confused: pfb_len=0x%08x\n", pfb_len )); + error = FT_THROW( Array_Too_Large ); + goto Exit; + } +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0028-bdf-Fix-Savannah-bug-41692.-CVE-2014-9675-fixup-1.patch +++ freetype-2.5.2/debian/patches-freetype/0028-bdf-Fix-Savannah-bug-41692.-CVE-2014-9675-fixup-1.patch 
@@ -0,0 +1,235 @@ +From 37be20dfb7ceec9bb2c10ac19f339043a8e20229 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Wed, 26 Feb 2014 13:08:07 +0100 +Subject: [bdf] Fix Savannah bug #41692. CVE-2014-9675-fixup-1 + +bdflib puts data from the input stream into a buffer in chunks of +1024 bytes. The data itself gets then parsed line by line, simply +increasing the current pointer into the buffer; if the search for +the final newline character exceeds the buffer size, more data gets +read. + +However, in case the current line's end is very near to the buffer +end, and the keyword to compare with is longer than the current +line's length, an out-of-bounds read might happen since `memcmp' +doesn't stop properly at the string end. + +* src/bdf/bdflib.c: s/ft_memcmp/ft_strncmp/ to make comparisons +stop at string ends. + +(cherry picked from commit 9a56764037dfc01a89fe61f5c67971bf50343d00) +--- + freetype-2.5.2/src/bdf/bdflib.c | 50 ++++++++++++++++++++--------------------- + 1 file changed, 25 insertions(+), 25 deletions(-) + +diff --git freetype-2.5.2/src/bdf/bdflib.c freetype-2.5.2/src/bdf/bdflib.c +index d613159..4192139 100644 +--- freetype-2.5.2/src/bdf/bdflib.c ++++ freetype-2.5.2/src/bdf/bdflib.c +@@ -1409,7 +1409,7 @@ + + /* If the property happens to be a comment, then it doesn't need */ + /* to be added to the internal hash table. */ +- if ( ft_memcmp( name, "COMMENT", 7 ) != 0 ) ++ if ( ft_strncmp( name, "COMMENT", 7 ) != 0 ) + { + /* Add the property to the font property table. */ + error = hash_insert( fp->name, +@@ -1427,13 +1427,13 @@ + /* FONT_ASCENT and FONT_DESCENT need to be assigned if they are */ + /* present, and the SPACING property should override the default */ + /* spacing. 
*/ +- if ( ft_memcmp( name, "DEFAULT_CHAR", 12 ) == 0 ) ++ if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 ) + font->default_char = fp->value.l; +- else if ( ft_memcmp( name, "FONT_ASCENT", 11 ) == 0 ) ++ else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 ) + font->font_ascent = fp->value.l; +- else if ( ft_memcmp( name, "FONT_DESCENT", 12 ) == 0 ) ++ else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 ) + font->font_descent = fp->value.l; +- else if ( ft_memcmp( name, "SPACING", 7 ) == 0 ) ++ else if ( ft_strncmp( name, "SPACING", 7 ) == 0 ) + { + if ( !fp->value.atom ) + { +@@ -1491,7 +1491,7 @@ + memory = font->memory; + + /* Check for a comment. */ +- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 ) ++ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) + { + linelen -= 7; + +@@ -1508,7 +1508,7 @@ + /* The very first thing expected is the number of glyphs. */ + if ( !( p->flags & _BDF_GLYPHS ) ) + { +- if ( ft_memcmp( line, "CHARS", 5 ) != 0 ) ++ if ( ft_strncmp( line, "CHARS", 5 ) != 0 ) + { + FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" )); + error = FT_THROW( Missing_Chars_Field ); +@@ -1542,7 +1542,7 @@ + } + + /* Check for the ENDFONT field. */ +- if ( ft_memcmp( line, "ENDFONT", 7 ) == 0 ) ++ if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 ) + { + if ( p->flags & _BDF_GLYPH_BITS ) + { +@@ -1564,7 +1564,7 @@ + } + + /* Check for the ENDCHAR field. */ +- if ( ft_memcmp( line, "ENDCHAR", 7 ) == 0 ) ++ if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 ) + { + p->glyph_enc = 0; + p->flags &= ~_BDF_GLYPH_BITS; +@@ -1580,7 +1580,7 @@ + goto Exit; + + /* Check for the STARTCHAR field. */ +- if ( ft_memcmp( line, "STARTCHAR", 9 ) == 0 ) ++ if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 ) + { + /* Set the character name in the parse info first until the */ + /* encoding can be checked for an unencoded character. */ +@@ -1614,7 +1614,7 @@ + } + + /* Check for the ENCODING field. 
*/ +- if ( ft_memcmp( line, "ENCODING", 8 ) == 0 ) ++ if ( ft_strncmp( line, "ENCODING", 8 ) == 0 ) + { + if ( !( p->flags & _BDF_GLYPH ) ) + { +@@ -1800,7 +1800,7 @@ + } + + /* Expect the SWIDTH (scalable width) field next. */ +- if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 ) ++ if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 ) + { + if ( !( p->flags & _BDF_ENCODING ) ) + goto Missing_Encoding; +@@ -1816,7 +1816,7 @@ + } + + /* Expect the DWIDTH (scalable width) field next. */ +- if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 ) ++ if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 ) + { + if ( !( p->flags & _BDF_ENCODING ) ) + goto Missing_Encoding; +@@ -1844,7 +1844,7 @@ + } + + /* Expect the BBX field next. */ +- if ( ft_memcmp( line, "BBX", 3 ) == 0 ) ++ if ( ft_strncmp( line, "BBX", 3 ) == 0 ) + { + if ( !( p->flags & _BDF_ENCODING ) ) + goto Missing_Encoding; +@@ -1912,7 +1912,7 @@ + } + + /* And finally, gather up the bitmap. */ +- if ( ft_memcmp( line, "BITMAP", 6 ) == 0 ) ++ if ( ft_strncmp( line, "BITMAP", 6 ) == 0 ) + { + unsigned long bitmap_size; + +@@ -1987,7 +1987,7 @@ + p = (_bdf_parse_t *) client_data; + + /* Check for the end of the properties. */ +- if ( ft_memcmp( line, "ENDPROPERTIES", 13 ) == 0 ) ++ if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 ) + { + /* If the FONT_ASCENT or FONT_DESCENT properties have not been */ + /* encountered yet, then make sure they are added as properties and */ +@@ -2028,12 +2028,12 @@ + } + + /* Ignore the _XFREE86_GLYPH_RANGES properties. */ +- if ( ft_memcmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 ) ++ if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 ) + goto Exit; + + /* Handle COMMENT fields and properties in a special way to preserve */ + /* the spacing. */ +- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 ) ++ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) + { + name = value = line; + value += 7; +@@ -2097,7 +2097,7 @@ + + /* Check for a comment. 
This is done to handle those fonts that have */ + /* comments before the STARTFONT line for some reason. */ +- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 ) ++ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) + { + if ( p->opts->keep_comments != 0 && p->font != 0 ) + { +@@ -2123,7 +2123,7 @@ + { + memory = p->memory; + +- if ( ft_memcmp( line, "STARTFONT", 9 ) != 0 ) ++ if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 ) + { + /* we don't emit an error message since this code gets */ + /* explicitly caught one level higher */ +@@ -2171,7 +2171,7 @@ + } + + /* Check for the start of the properties. */ +- if ( ft_memcmp( line, "STARTPROPERTIES", 15 ) == 0 ) ++ if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 ) + { + if ( !( p->flags & _BDF_FONT_BBX ) ) + { +@@ -2200,7 +2200,7 @@ + } + + /* Check for the FONTBOUNDINGBOX field. */ +- if ( ft_memcmp( line, "FONTBOUNDINGBOX", 15 ) == 0 ) ++ if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 ) + { + if ( !( p->flags & _BDF_SIZE ) ) + { +@@ -2231,7 +2231,7 @@ + } + + /* The next thing to check for is the FONT field. */ +- if ( ft_memcmp( line, "FONT", 4 ) == 0 ) ++ if ( ft_strncmp( line, "FONT", 4 ) == 0 ) + { + error = _bdf_list_split( &p->list, (char *)" +", line, linelen ); + if ( error ) +@@ -2266,7 +2266,7 @@ + } + + /* Check for the SIZE field. */ +- if ( ft_memcmp( line, "SIZE", 4 ) == 0 ) ++ if ( ft_strncmp( line, "SIZE", 4 ) == 0 ) + { + if ( !( p->flags & _BDF_FONT_NAME ) ) + { +@@ -2320,7 +2320,7 @@ + } + + /* Check for the CHARS field -- font properties are optional */ +- if ( ft_memcmp( line, "CHARS", 5 ) == 0 ) ++ if ( ft_strncmp( line, "CHARS", 5 ) == 0 ) + { + char nbuf[128]; + +-- +2.1.4 + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/0029-Fix-Savannah-bug-43535.-CVE-2014-9675.patch +++ freetype-2.5.2/debian/patches-freetype/0029-Fix-Savannah-bug-43535.-CVE-2014-9675.patch 
@@ -0,0 +1,244 @@ +From d9ed3044b65fb901c6c3a36b815a40932b450c1c Mon Sep 17 00:00:00 2001 +From: Werner Lemberg <[email protected]> +Date: Fri, 7 Nov 2014 07:42:33 +0100 +Subject: Fix Savannah bug #43535. CVE-2014-9675 + +* src/bdf/bdflib.c (_bdf_strncmp): New macro that checks one +character more than `strncmp'. +s/ft_strncmp/_bdf_strncmp/ everywhere. + +(cherry picked from commit 2c4832d30939b45c05757f0a05128ce64c4cacc7) +--- + freetype-2.5.2/src/bdf/bdflib.c | 62 ++++++++++++++++++++++++----------------- + 1 file changed, 37 insertions(+), 25 deletions(-) + +diff --git freetype-2.5.2/src/bdf/bdflib.c freetype-2.5.2/src/bdf/bdflib.c +index 4192139..42de23d 100644 +--- freetype-2.5.2/src/bdf/bdflib.c ++++ freetype-2.5.2/src/bdf/bdflib.c +@@ -169,6 +169,18 @@ + sizeof ( _bdf_properties[0] ); + + ++ /* An auxiliary macro to parse properties, to be used in conditionals. */ ++ /* It behaves like `strncmp' but also tests the following character */ ++ /* whether it is a whitespace or NULL. */ ++ /* `property' is a constant string of length `n' to compare with. */ ++#define _bdf_strncmp( name, property, n ) \ ++ ( ft_strncmp( name, property, n ) || \ ++ !( name[n] == ' ' || \ ++ name[n] == '\0' || \ ++ name[n] == '\n' || \ ++ name[n] == '\r' || \ ++ name[n] == '\t' ) ) ++ + /* Auto correction messages. */ + #define ACMSG1 "FONT_ASCENT property missing. " \ + "Added `FONT_ASCENT %hd'.\n" +@@ -1409,7 +1421,7 @@ + + /* If the property happens to be a comment, then it doesn't need */ + /* to be added to the internal hash table. */ +- if ( ft_strncmp( name, "COMMENT", 7 ) != 0 ) ++ if ( _bdf_strncmp( name, "COMMENT", 7 ) != 0 ) + { + /* Add the property to the font property table. */ + error = hash_insert( fp->name, +@@ -1427,13 +1439,13 @@ + /* FONT_ASCENT and FONT_DESCENT need to be assigned if they are */ + /* present, and the SPACING property should override the default */ + /* spacing. 
*/ +- if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 ) ++ if ( _bdf_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 ) + font->default_char = fp->value.l; +- else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 ) ++ else if ( _bdf_strncmp( name, "FONT_ASCENT", 11 ) == 0 ) + font->font_ascent = fp->value.l; +- else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 ) ++ else if ( _bdf_strncmp( name, "FONT_DESCENT", 12 ) == 0 ) + font->font_descent = fp->value.l; +- else if ( ft_strncmp( name, "SPACING", 7 ) == 0 ) ++ else if ( _bdf_strncmp( name, "SPACING", 7 ) == 0 ) + { + if ( !fp->value.atom ) + { +@@ -1491,7 +1503,7 @@ + memory = font->memory; + + /* Check for a comment. */ +- if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) ++ if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 ) + { + linelen -= 7; + +@@ -1508,7 +1520,7 @@ + /* The very first thing expected is the number of glyphs. */ + if ( !( p->flags & _BDF_GLYPHS ) ) + { +- if ( ft_strncmp( line, "CHARS", 5 ) != 0 ) ++ if ( _bdf_strncmp( line, "CHARS", 5 ) != 0 ) + { + FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" )); + error = FT_THROW( Missing_Chars_Field ); +@@ -1542,7 +1554,7 @@ + } + + /* Check for the ENDFONT field. */ +- if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 ) ++ if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 ) + { + if ( p->flags & _BDF_GLYPH_BITS ) + { +@@ -1564,7 +1576,7 @@ + } + + /* Check for the ENDCHAR field. */ +- if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 ) ++ if ( _bdf_strncmp( line, "ENDCHAR", 7 ) == 0 ) + { + p->glyph_enc = 0; + p->flags &= ~_BDF_GLYPH_BITS; +@@ -1580,7 +1592,7 @@ + goto Exit; + + /* Check for the STARTCHAR field. */ +- if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 ) ++ if ( _bdf_strncmp( line, "STARTCHAR", 9 ) == 0 ) + { + /* Set the character name in the parse info first until the */ + /* encoding can be checked for an unencoded character. */ +@@ -1614,7 +1626,7 @@ + } + + /* Check for the ENCODING field. 
*/ +- if ( ft_strncmp( line, "ENCODING", 8 ) == 0 ) ++ if ( _bdf_strncmp( line, "ENCODING", 8 ) == 0 ) + { + if ( !( p->flags & _BDF_GLYPH ) ) + { +@@ -1800,7 +1812,7 @@ + } + + /* Expect the SWIDTH (scalable width) field next. */ +- if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 ) ++ if ( _bdf_strncmp( line, "SWIDTH", 6 ) == 0 ) + { + if ( !( p->flags & _BDF_ENCODING ) ) + goto Missing_Encoding; +@@ -1816,7 +1828,7 @@ + } + + /* Expect the DWIDTH (scalable width) field next. */ +- if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 ) ++ if ( _bdf_strncmp( line, "DWIDTH", 6 ) == 0 ) + { + if ( !( p->flags & _BDF_ENCODING ) ) + goto Missing_Encoding; +@@ -1844,7 +1856,7 @@ + } + + /* Expect the BBX field next. */ +- if ( ft_strncmp( line, "BBX", 3 ) == 0 ) ++ if ( _bdf_strncmp( line, "BBX", 3 ) == 0 ) + { + if ( !( p->flags & _BDF_ENCODING ) ) + goto Missing_Encoding; +@@ -1912,7 +1924,7 @@ + } + + /* And finally, gather up the bitmap. */ +- if ( ft_strncmp( line, "BITMAP", 6 ) == 0 ) ++ if ( _bdf_strncmp( line, "BITMAP", 6 ) == 0 ) + { + unsigned long bitmap_size; + +@@ -1987,7 +1999,7 @@ + p = (_bdf_parse_t *) client_data; + + /* Check for the end of the properties. */ +- if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 ) ++ if ( _bdf_strncmp( line, "ENDPROPERTIES", 13 ) == 0 ) + { + /* If the FONT_ASCENT or FONT_DESCENT properties have not been */ + /* encountered yet, then make sure they are added as properties and */ +@@ -2028,12 +2040,12 @@ + } + + /* Ignore the _XFREE86_GLYPH_RANGES properties. */ +- if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 ) ++ if ( _bdf_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 ) + goto Exit; + + /* Handle COMMENT fields and properties in a special way to preserve */ + /* the spacing. */ +- if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) ++ if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 ) + { + name = value = line; + value += 7; +@@ -2097,7 +2109,7 @@ + + /* Check for a comment. 
This is done to handle those fonts that have */ + /* comments before the STARTFONT line for some reason. */ +- if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) ++ if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 ) + { + if ( p->opts->keep_comments != 0 && p->font != 0 ) + { +@@ -2123,7 +2135,7 @@ + { + memory = p->memory; + +- if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 ) ++ if ( _bdf_strncmp( line, "STARTFONT", 9 ) != 0 ) + { + /* we don't emit an error message since this code gets */ + /* explicitly caught one level higher */ +@@ -2171,7 +2183,7 @@ + } + + /* Check for the start of the properties. */ +- if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 ) ++ if ( _bdf_strncmp( line, "STARTPROPERTIES", 15 ) == 0 ) + { + if ( !( p->flags & _BDF_FONT_BBX ) ) + { +@@ -2200,7 +2212,7 @@ + } + + /* Check for the FONTBOUNDINGBOX field. */ +- if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 ) ++ if ( _bdf_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 ) + { + if ( !( p->flags & _BDF_SIZE ) ) + { +@@ -2231,7 +2243,7 @@ + } + + /* The next thing to check for is the FONT field. */ +- if ( ft_strncmp( line, "FONT", 4 ) == 0 ) ++ if ( _bdf_strncmp( line, "FONT", 4 ) == 0 ) + { + error = _bdf_list_split( &p->list, (char *)" +", line, linelen ); + if ( error ) +@@ -2266,7 +2278,7 @@ + } + + /* Check for the SIZE field. 
*/ +- if ( ft_strncmp( line, "SIZE", 4 ) == 0 ) ++ if ( _bdf_strncmp( line, "SIZE", 4 ) == 0 ) + { + if ( !( p->flags & _BDF_FONT_NAME ) ) + { +@@ -2320,7 +2332,7 @@ + } + + /* Check for the CHARS field -- font properties are optional */ +- if ( ft_strncmp( line, "CHARS", 5 ) == 0 ) ++ if ( _bdf_strncmp( line, "CHARS", 5 ) == 0 ) + { + char nbuf[128]; + +-- +2.1.4 + -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (500, 'unstable') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/dash Init: systemd (via /run/systemd/system)
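Review bot: in the ft_memcmp to ft_strncmp hunks of src/bdf/bdflib.c, every replaced comparison still passes the keyword length as a hand-counted literal (12 for "DEFAULT_CHAR", 21 for "_XFREE86_GLYPH_RANGES", 15 for "FONTBOUNDINGBOX"), so a miscount would silently turn the check into a shorter prefix match. Deriving the length from the literal itself, for instance sizeof ( "COMMENT" ) - 1 inside a helper macro, would keep the string and its length from drifting apart. Note also that ft_strncmp with exactly the keyword length remains a prefix test: the "FONT", 4 check at @@ -2231 accepts any line that begins with those four characters, FONTBOUNDINGBOX included, so the result depends on the order in which the checks run.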
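Review bot: in the new _bdf_strncmp macro (hunk @@ -169,6 +169,18 @@ of 0029-Fix-Savannah-bug-43535), the arguments are used unparenthesized and name is expanded up to six times, so name[n] mis-parses for an argument such as p + 1 and any side effect in the argument would be repeated. Every call site in this patch passes a plain identifier and a literal length, so nothing breaks as written, but (name)[(n)] or a small static function would make the helper safe to reuse. The comment should say NUL rather than NULL for '\0', and it should record two properties the callers rely on: the result is only zero or non-zero, not the ordered value strncmp returns, and name[n] is read only after ft_strncmp has matched n characters, which is what keeps that read inside a NUL-terminated line thanks to the || short-circuit.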
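Review bot: the s/ft_strncmp/_bdf_strncmp/ hunks of 0029 change which input lines each keyword accepts, and the patch adds no regression input or test for Savannah bug #43535 to pin that down. After this change the "CHARS", 5 checks at @@ -1508 and @@ -2320 and the "FONT", 4 check at @@ -2231 reject a line where the keyword is followed directly by another non-separator character, and every COMMENT check requires one of the five characters listed in the macro after the keyword. For the _XFREE86_GLYPH_RANGES skip at @@ -2028,12 the match is now limited to the exact property name, so it is worth confirming that no suffixed variant of that property was previously being ignored through the prefix match. A short BDF sample exercising each boundary case would make the intended behaviour reviewable.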

