Hello community, here is the log from the commit of package freetype2 for openSUSE:Factory checked in at 2018-03-12 12:01:48 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/freetype2 (Old) and /work/SRC/openSUSE:Factory/.freetype2.new (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "freetype2" Mon Mar 12 12:01:48 2018 rev:81 rq:584619 version:2.9 Changes: -------- --- /work/SRC/openSUSE:Factory/freetype2/freetype2.changes 2018-03-08 10:55:29.489674235 +0100 +++ /work/SRC/openSUSE:Factory/.freetype2.new/freetype2.changes 2018-03-12 12:02:21.047605644 +0100 @@ -1,0 +2,6 @@ +Thu Mar 8 16:47:21 UTC 2018 - [email protected] + +- Add bnc1079600.patch: Fix several integer overflow issues in + truetype/ttinterp.c (bsc#1079600) + +------------------------------------------------------------------- New: ---- bnc1079600.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ freetype2.spec ++++++ --- /var/tmp/diff_new_pack.07A8NC/_old 2018-03-12 12:02:24.363486815 +0100 +++ /var/tmp/diff_new_pack.07A8NC/_new 2018-03-12 12:02:24.367486672 +0100 @@ -36,6 +36,7 @@ Patch3: 0001-src-truetype-ttinterp.c-Ins_GETVARIATION-Avoid-NULL-.patch Patch4: 0001-truetype-Better-protection-against-invalid-VF-data.patch Patch5: enable-long-family-names-by-default.patch +Patch6: bnc1079600.patch BuildRequires: gawk BuildRequires: libbz2-devel BuildRequires: libpng-devel @@ -104,6 +105,7 @@ %patch3 -p1 %patch4 -p1 %patch5 -p1 +%patch6 -p1 %build export CFLAGS="%{optflags} -std=gnu99 -D_GNU_SOURCE $(getconf LFS_CFLAGS)" ++++++ bnc1079600.patch ++++++ References: https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=4a03f17449ae45f0dacf4de4694ccd6e5e1b24d1 Upstream: merged From: Karol Babioch <[email protected]> Date: Thu Mar 8 17:52:43 CET 2018 Avoid integer overflow issues diff --git a/src/truetype/ttinterp.c b/src/truetype/ttinterp.c index 551f14a2e..5c8ff4f3d 100644 --- a/src/truetype/ttinterp.c +++ b/src/truetype/ttinterp.c @@ -5782,6 +5782,7 @@ FT_F26Dot6 distance; #ifdef TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY FT_F26Dot6 control_value_cutin = 0; + FT_F26Dot6 delta; if ( SUBPIXEL_HINTING_INFINALITY ) @@ -5817,11 +5818,15 @@ distance = PROJECT( exc->zp1.cur + point, exc->zp0.cur + exc->GS.rp0 ); #ifdef TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY + delta = SUB_LONG( distance, args[1] ); + if ( delta < 0 ) + delta = NEG_LONG( delta ); + /* subpixel hinting - make MSIRP respect CVT cut-in; */ - if ( SUBPIXEL_HINTING_INFINALITY && - exc->ignore_x_mode && - exc->GS.freeVector.x != 0 && - FT_ABS( SUB_LONG( distance, args[1] ) ) >= control_value_cutin ) + if ( SUBPIXEL_HINTING_INFINALITY && + exc->ignore_x_mode && + exc->GS.freeVector.x != 0 && + delta >= control_value_cutin ) distance = args[1]; #endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */ @@ -5978,7 +5983,14 @@ if ( ( exc->opcode & 1 ) != 0 ) /* rounding and control cut-in flag */ { - if ( FT_ABS( distance - org_dist ) > control_value_cutin ) + FT_F26Dot6 delta; + + + delta = SUB_LONG( distance, org_dist ); + if ( delta < 0 ) + delta = NEG_LONG( delta ); + + if ( delta > control_value_cutin ) distance = org_dist; #ifdef TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY @@ -6259,6 +6271,9 @@ if ( exc->GS.gep0 == exc->GS.gep1 ) { + FT_F26Dot6 delta; + + /* XXX: According to Greg Hitchcock, the following wording is */ /* the right one: */ /* */ @@ -6271,7 +6286,11 @@ /* `ttinst2.doc', version 1.66, is thus incorrect since */ /* it implies `>=' instead of `>'. */ - if ( FT_ABS( cvt_dist - org_dist ) > control_value_cutin ) + delta = SUB_LONG( cvt_dist, org_dist ); + if ( delta < 0 ) + delta = NEG_LONG( delta ); + + if ( delta > control_value_cutin ) cvt_dist = org_dist; } @@ -6289,7 +6308,14 @@ exc->ignore_x_mode && exc->GS.gep0 == exc->GS.gep1 ) { - if ( FT_ABS( cvt_dist - org_dist ) > control_value_cutin ) + FT_F26Dot6 delta; + + + delta = SUB_LONG( cvt_dist, org_dist ); + if ( delta < 0 ) + delta = NEG_LONG( delta ); + + if ( delta > control_value_cutin ) cvt_dist = org_dist; } #endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
