Hello community, here is the log from the commit of package fontforge for openSUSE:Leap:15.2 checked in at 2020-01-23 09:20:32 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Leap:15.2/fontforge (Old) and /work/SRC/openSUSE:Leap:15.2/.fontforge.new.26092 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "fontforge" Thu Jan 23 09:20:32 2020 rev:18 rq:765138 version:20170731 Changes: --------
--- /work/SRC/openSUSE:Leap:15.2/fontforge/fontforge.changes 2020-01-15 14:55:28.109589935 +0100
+++ /work/SRC/openSUSE:Leap:15.2/.fontforge.new.26092/fontforge.changes 2020-01-23 09:20:37.726691708 +0100
@@ -1,0 +2,8 @@
+Tue Jan 14 09:54:40 UTC 2020 - Cliff Zhao <[email protected]>
+
+- Add fontforge-CVE-2020-5395-5496.patch: Use-after-free (heap) in
+the SFD_GetFontMetaData() function and fix NULL pointer dereference
+in the SFDGetSpiros() and SFD_AssignLookups() function(bnc#1160220,
+bnc#1160236, CVE-2020-5395, CVE-2020-5496).
+
+-------------------------------------------------------------------
New: ---- fontforge-CVE-2020-5395-5496.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ fontforge.spec ++++++
--- /var/tmp/diff_new_pack.1xPjG8/_old 2020-01-23 09:20:39.182692438 +0100
+++ /var/tmp/diff_new_pack.1xPjG8/_new 2020-01-23 09:20:39.182692438 +0100
@@ -30,6 +30,8 @@
 # workardound for bug 930076, imho upstream should fix this
 # https://github.com/fontforge/fontforge/issues/2270
 Patch0: fontforge-version.patch
+# PATCH-FIX-UPSTREAM fontforge-CVE-2020-5395-5496.patch bnc#1160220 bnc#1160236 CVE-2020-5395 CVE-2020-5496 [email protected] -- Fix for NULL pointer dereference in the SFDGetSpiros() and SFD_AssignLookups().
+Patch1: fontforge-CVE-2020-5395-5496.patch
 BuildRequires: autoconf
 BuildRequires: automake
 BuildRequires: cairo-devel
@@ -96,6 +98,7 @@
 %prep
 %setup -q
 %patch0
+%patch1 -p1
 sed -i 's/\r$//' doc/html/{Big5.txt,corpchar.txt}
 # workaround for bug 930076; we just need the _version_of_the_release_! (see also fontforge-version.patch) ---
 grep 'doversion(FONTFORGE_MODTIME_STR)' fontforgeexe/startnoui.c && \
@@ -125,8 +128,7 @@
 %postun -p /sbin/ldconfig
 
 %files -f FontForge.lang
-%defattr(-,root,root)
-%doc LICENSE COPYING.gplv3
+%license LICENSE COPYING.gplv3
 %exclude %{_docdir}/%{name}/html
 %{_mandir}/man1/*.1*
 %{_bindir}/*
@@ -137,14 +139,14 @@
 %{_datadir}/icons/hicolor/*/apps/%{name}.png
 %{_datadir}/icons/hicolor/scalable/apps/%{name}.svg
 %{_datadir}/mime/packages/%{name}.xml
+%dir %{_docdir}/fontforge
 
 %files doc
-%defattr(-,root,root)
-%doc AUTHORS LICENSE README.md
+%license LICENSE
+%doc AUTHORS README.md
 %doc %{_docdir}/%{name}/html
 
 %files devel
-%defattr(-, root, root)
 %doc CONTRIBUTING.md
 %{_includedir}/fontforge/
 %{_libdir}/pkgconfig/*.pc
++++++ fontforge-CVE-2020-5395-5496.patch ++++++
diff --git a/fontforge/sfd.c b/fontforge/sfd.c
index d76a86c94..91d064c68 100644
--- a/fontforge/sfd.c
+++ b/fontforge/sfd.c
@@ -3885,13 +3885,16 @@ static void SFDGetSpiros(FILE *sfd,SplineSet *cur) {
 while ( fscanf(sfd,"%lg %lg %c", &cp.x, &cp.y, &cp.ty )==3 ) {
 if ( cur!=NULL ) {
 if ( cur->spiro_cnt>=cur->spiro_max )
- cur->spiros = realloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));
+ cur->spiros = realloc(cur->spiros,
+ (cur->spiro_max+=10)*sizeof(spiro_cp));
 cur->spiros[cur->spiro_cnt++] = cp;
 }
 }
- if ( cur!=NULL && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
+ if ( cur!=NULL && cur->spiro_cnt>0
+ && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
 if ( cur->spiro_cnt>=cur->spiro_max )
- cur->spiros = realloc(cur->spiros,(cur->spiro_max+=1)*sizeof(spiro_cp));
+ cur->spiros = realloc(cur->spiros,
+ (cur->spiro_max+=1)*sizeof(spiro_cp));
 memset(&cur->spiros[cur->spiro_cnt],0,sizeof(spiro_cp));
 cur->spiros[cur->spiro_cnt++].ty = SPIRO_END;
 }
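Review bot: The two rewritten `cur->spiros = realloc(cur->spiros, ...)` statements in this hunk still store the result straight back, so on allocation failure the old block is leaked and the very next line, `cur->spiros[cur->spiro_cnt++] = cp;` (or the `memset` in the second case), writes through NULL; the commit reflows these lines without adding the check. Assign the result to a temporary, return when it is NULL, and only then store it and bump `spiro_max`, so that `spiro_max` is never incremented past a buffer that was not actually grown. A smaller point: the added `cur->spiro_cnt>0` guard means a spiro block with no control points now gets no `SPIRO_END` terminator; whether later readers tolerate an empty list is not visible here, so a comment such as `/* no points read: list stays empty, nothing to terminate */` would record the intent. SFDGetSpiros begins before this hunk.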
@@ -7810,10 +7813,12 @@ bool SFD_GetFontMetaData( FILE *sfd,
 else if ( strmatch(tok,"LayerCount:")==0 )
 {
 d->had_layer_cnt = true;
- getint(sfd,&sf->layer_cnt);
- if ( sf->layer_cnt>2 ) {
+ int layer_cnt_tmp;
+ getint(sfd,&layer_cnt_tmp);
+ if ( layer_cnt_tmp>2 ) {
 sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
 memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
+ sf->layer_cnt = layer_cnt_tmp;
 }
 }
 else if ( strmatch(tok,"Layer:")==0 )
@@ -8766,6 +8771,10 @@
 exit( 1 );
 }
 }
+ // Many downstream functions assume this isn't NULL (use strlen, etc.)
+ if ( sf->fontname==NULL)
+ sf->fontname = copy("");
+
 if ( fromdir )
 sf = SFD_FigureDirType(sf,tok,dirname,enc,remap,had_layer_cnt);
 else if ( sf->subfontcnt!=0 ) {
diff --git a/fontforge/sfd1.c b/fontforge/sfd1.c
index 34497d317..e45b6950a 100644
--- a/fontforge/sfd1.c
+++ b/fontforge/sfd1.c
@@ -671,7 +671,7 @@ void SFD_AssignLookups(SplineFont1 *sf) {
 
 /* Fix up some gunk from really old versions of the sfd format */
 SFDCleanupAnchorClasses(&sf->sf);
- if ( sf->sf.uni_interp==ui_unset )
+ if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )
 sf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);
 
 /* Fixup for an old bug */
-- 
2.24.1
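Review bot: On the new side, `sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));` and the following `memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));` still size the array from `sf->layer_cnt`, which this hunk deliberately leaves untouched until `sf->layer_cnt = layer_cnt_tmp;` runs after them; so when the file declares more layers than the font already has, the array keeps its old size while the count is raised, and later `Layer:` records can index past the allocation. Both sizing lines should use the parsed value: `sf->layers = realloc(sf->layers,layer_cnt_tmp*sizeof(LayerInfo));` and `memset(sf->layers+2,0,(layer_cnt_tmp-2)*sizeof(LayerInfo));`. Whether `getint` writes its out-parameter on a short read is not visible here; `int layer_cnt_tmp = 0;` removes that doubt, and an upper bound on the value before the multiply would keep an absurd count from overflowing the size computation. SFD_GetFontMetaData starts and continues outside this hunk.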
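Review bot: With the added `sf->sf.map!=NULL` guard in the sfd1.c hunk, `sf->sf.uni_interp` remains `ui_unset` whenever the map is missing, and nothing in the hunk substitutes a default; whether later code treats `ui_unset` like `ui_none` is not visible here, so it is worth confirming rather than assuming. If leaving it unset is intended, say so on the new line, e.g. `/* sf.map can still be NULL here; skip rather than dereference, uni_interp stays ui_unset */`; otherwise an `else sf->sf.uni_interp = ui_none;` would pin a concrete value. SFD_AssignLookups continues outside this hunk.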
