[CVS] OpenPKG: openpkg-src/freetype/ freetype.patch freetype.spec

Thu, 08 Oct 2009 14:15:10 -0700 

  OpenPKG CVS Repository
  http://cvs.openpkg.org/
  ____________________________________________________________________________

  Server: cvs.openpkg.org                  Name:   Ralf S. Engelschall
  Root:   /v/openpkg/cvs                   Email:  r...@openpkg.org
  Module: openpkg-src                      Date:   08-Oct-2009 23:16:41
  Branch: HEAD                             Handle: 2009100822164100

  Modified files:
    openpkg-src/freetype    freetype.patch freetype.spec

  Log:
    upgrading package: freetype 2.3.9 -> 2.3.10

  Summary:
    Revision    Changes     Path
    1.14        +0  -153    openpkg-src/freetype/freetype.patch
    1.78        +2  -2      openpkg-src/freetype/freetype.spec
  ____________________________________________________________________________

  patch -p0 <<'@@ .'
  Index: openpkg-src/freetype/freetype.patch
  ============================================================================
  $ cvs diff -u -r1.13 -r1.14 freetype.patch
  --- openpkg-src/freetype/freetype.patch       18 Apr 2009 14:15:24 -0000      
1.13
  +++ openpkg-src/freetype/freetype.patch       8 Oct 2009 21:16:41 -0000       
1.14
  @@ -98,156 +98,3 @@
    #ifndef __FREETYPE_H__
    #define __FREETYPE_H__
    
  
-------------------------------------------------------------------------------
  -
  -Upstream security fixes
  -http://www.vuxml.org/freebsd/20b4f284-2bfc-11de-bdeb-0030843d3802.html
  -
  -An integer overflow error within the "cff_charset_compute_cids()"
  -function in cff/cffload.c can be exploited to potentially cause
  -a heap-based buffer overflow via a specially crafted font.
  -
  -Multiple integer overflow errors within validation functions in
  -sfnt/ttcmap.c can be exploited to bypass length validations and
  -potentially cause buffer overflows via specially crafted fonts.
  -
  -An integer overflow error within the "ft_smooth_render_generic()"
  -function in smooth/ftsmooth.c can be exploited to potentially cause
  -a heap-based buffer overflow via a specially crafted font.
  -
  -Index: src/cff/cffload.c
  ---- src/cff/cffload.c.orig   2009-03-12 09:04:17 +0100
  -+++ src/cff/cffload.c        2009-04-18 16:09:28 +0200
  -@@ -842,7 +842,20 @@
  -             goto Exit;
  - 
  -           for ( j = 1; j < num_glyphs; j++ )
  --            charset->sids[j] = FT_GET_USHORT();
  -+          {
  -+            FT_UShort sid = FT_GET_USHORT();
  -+
  -+
  -+            /* this constant is given in the CFF specification */
  -+            if ( sid < 65000 )
  -+              charset->sids[j] = sid;
  -+            else
  -+            {
  -+              FT_ERROR(( "cff_charset_load:"
  -+                         " invalid SID value %d set to zero\n", sid ));
  -+              charset->sids[j] = 0;
  -+            }
  -+          }
  - 
  -           FT_FRAME_EXIT();
  -         }
  -@@ -875,6 +888,20 @@
  -                 goto Exit;
  -             }
  - 
  -+            /* check whether the range contains at least one valid glyph; */
  -+            /* the constant is given in the CFF specification             */
  -+            if ( glyph_sid >= 65000 ) {
  -+              FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
  -+              error = CFF_Err_Invalid_File_Format;
  -+              goto Exit;
  -+            }
  -+
  -+            /* try to rescue some of the SIDs if `nleft' is too large */
  -+            if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
  -+              FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
  -+              nleft = 65000 - 1 - glyph_sid;
  -+            }
  -+
  -             /* Fill in the range of sids -- `nleft + 1' glyphs. */
  -             for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, 
glyph_sid++ )
  -               charset->sids[j] = glyph_sid;
  -Index: src/lzw/ftzopen.c
  ---- src/lzw/ftzopen.c.orig   2007-05-25 08:36:29 +0200
  -+++ src/lzw/ftzopen.c        2009-04-18 16:09:28 +0200
  -@@ -332,6 +332,9 @@
  - 
  -           while ( code >= 256U )
  -           {
  -+            if ( !state->prefix )
  -+              goto Eof;
  -+
  -             FTLZW_STACK_PUSH( state->suffix[code - 256] );
  -             code = state->prefix[code - 256];
  -           }
  -Index: src/sfnt/ttcmap.c
  ---- src/sfnt/ttcmap.c.orig   2009-03-09 08:29:09 +0100
  -+++ src/sfnt/ttcmap.c        2009-04-18 16:09:28 +0200
  -@@ -1635,7 +1635,7 @@
  -       FT_INVALID_TOO_SHORT;
  - 
  -     length = TT_NEXT_ULONG( p );
  --    if ( table + length > valid->limit || length < 8208 )
  -+    if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 
)
  -       FT_INVALID_TOO_SHORT;
  - 
  -     is32       = table + 12;
  -@@ -1863,7 +1863,8 @@
  -     p      = table + 16;
  -     count  = TT_NEXT_ULONG( p );
  - 
  --    if ( table + length > valid->limit || length < 20 + count * 2 )
  -+    if ( length > (FT_ULong)( valid->limit - table ) ||
  -+         length < 20 + count * 2                     )
  -       FT_INVALID_TOO_SHORT;
  - 
  -     /* check glyph indices */
  -@@ -2048,7 +2049,8 @@
  -     p          = table + 12;
  -     num_groups = TT_NEXT_ULONG( p );
  - 
  --    if ( table + length > valid->limit || length < 16 + 12 * num_groups )
  -+    if ( length > (FT_ULong)( valid->limit - table ) ||
  -+         length < 16 + 12 * num_groups               )
  -       FT_INVALID_TOO_SHORT;
  - 
  -     /* check groups, they must be in increasing order */
  -@@ -2429,7 +2431,8 @@
  -     FT_ULong  num_selectors = TT_NEXT_ULONG( p );
  - 
  - 
  --    if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
  -+    if ( length > (FT_ULong)( valid->limit - table ) ||
  -+         length < 10 + 11 * num_selectors            )
  -       FT_INVALID_TOO_SHORT;
  - 
  -     /* check selectors, they must be in increasing order */
  -@@ -2491,7 +2494,7 @@
  -           FT_ULong  i, lastUni = 0;
  - 
  - 
  --          if ( ndp + numMappings * 4 > valid->limit )
  -+          if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
  -             FT_INVALID_TOO_SHORT;
  - 
  -           for ( i = 0; i < numMappings; ++i )
  -Index: src/smooth/ftsmooth.c
  ---- src/smooth/ftsmooth.c.orig       2009-01-12 20:12:35 +0100
  -+++ src/smooth/ftsmooth.c    2009-04-18 16:09:28 +0200
  -@@ -153,7 +153,7 @@
  -       slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
  -     }
  - 
  --    /* allocate new one, depends on pixel format */
  -+    /* allocate new one */
  -     pitch = width;
  -     if ( hmul )
  -     {
  -@@ -194,6 +194,13 @@
  - 
  - #endif
  - 
  -+    if ( pitch > 0xFFFF || height > 0xFFFF )
  -+    {
  -+      FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
  -+                 width, height ));
  -+      return Smooth_Err_Raster_Overflow;
  -+    }
  -+
  -     bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
  -     bitmap->num_grays  = 256;
  -     bitmap->width      = width;
  @@ .
  patch -p0 <<'@@ .'
  Index: openpkg-src/freetype/freetype.spec
  ============================================================================
  $ cvs diff -u -r1.77 -r1.78 freetype.spec
  --- openpkg-src/freetype/freetype.spec        18 Apr 2009 14:15:24 -0000      
1.77
  +++ openpkg-src/freetype/freetype.spec        8 Oct 2009 21:16:41 -0000       
1.78
  @@ -31,8 +31,8 @@
   Class:        BASE
   Group:        Graphics
   License:      GPL
  -Version:      2.3.9
  -Release:      20090418
  +Version:      2.3.10
  +Release:      20091008
   
   #   list of sources
   Source0:      
http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.tar.gz
  @@ .
______________________________________________________________________
OpenPKG                                             http://openpkg.org
CVS Repository Commit List                     openpkg-cvs@openpkg.org

Reply via email to