Hello community,

here is the log from the commit of package freetype2.3653 for openSUSE:13.2:Update checked in at 2015-03-30 16:18:41
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:13.2:Update/freetype2.3653 (Old)
 and /work/SRC/openSUSE:13.2:Update/.freetype2.3653.new (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "freetype2.3653" Changes: -------- New Changes file: --- /dev/null 2015-03-12 01:14:30.992027505 +0100 +++ /work/SRC/openSUSE:13.2:Update/.freetype2.3653.new/freetype2.changes 2015-03-30 16:18:43.000000000 +0200 
@@ -0,0 +1,1246 @@ +------------------------------------------------------------------- +Fri Feb 20 10:13:37 UTC 2015 - [email protected] + +- fixed vulnerabilities (bnc#916847, bnc#916856, bnc#916857, + bnc#916858, bnc#916859, bnc#916860, bnc#916861, bnc#916862, + bnc#916863, bnc#916864, bnc#916865, bnc#916867, bnc#916868, + bnc#916870, bnc#916871, bnc#916872, bnc#916873, bnc#916874, + bnc#916879, bnc#916881) + - CVE-2014-9656.patch + - CVE-2014-9657.patch + - CVE-2014-9658.patch + - CVE-2014-9659.patch + - CVE-2014-9660.patch + - CVE-2014-9661.patch + - CVE-2014-9662.patch + - CVE-2014-9663.patch + - CVE-2014-9664.patch + - CVE-2014-9665.patch + - CVE-2014-9666.patch + - CVE-2014-9667.patch + - CVE-2014-9668.patch + - CVE-2014-9669.patch + - CVE-2014-9670.patch + - CVE-2014-9671.patch + - CVE-2014-9672.patch + - CVE-2014-9673.patch + - CVE-2014-9674.patch + - CVE-2014-9675.patch + +------------------------------------------------------------------- +Thu Mar 13 03:14:26 UTC 2014 - [email protected] + +- Improve don-t-mark-libpng-as-required-library.patch: also handle + Requires.private case (freetype does not include png headers) + +------------------------------------------------------------------- +Sun Mar 9 18:39:56 UTC 2014 - [email protected] + +- Update to version 2.5.3 + * IMPORTANT BUG FIXES + - A vulnerability was identified and fixed in the new CFF + driver (cf. http://savannah.nongnu.org/bugs/?41697; it + doesn't have a CVE number yet). All users should upgrade. + - More bug fixes related to correct positioning of + composite glyphs. + - Many fixes to better protect against malformed input. + * IMPORTANT CHANGES + - FreeType can now use the HarfBuzz library to greatly improve + the auto-hinting of fonts that use OpenType features: + Many glyphs that are part of such features but don't have + cmap entries are now handled properly, for example small + caps or superscripts. 
Define the configuration macro + FT_CONFIG_OPTION_USE_HARFBUZZ to activate HarfBuzz support. + You need HarfBuzz version 0.9.19 or newer. Note that HarfBuzz + depends on FreeType; this currently causes a chicken-and-egg + problem that can be solved as follows in case HarfBuzz + is not yet installed on your system. + 1. Compile and install FreeType without the configuration + macro FT_CONFIG_OPTION_USE_HARFBUZZ. + 2. Compile and install HarfBuzz. + 3. Define macro FT_CONFIG_OPTION_USE_HARFBUZZ, then + compile and install FreeType again. + With FreeType's `configure' script the procedure boils + down to configure, build, and install Freetype, then + configure, compile, and install HarfBuzz, then configure, + compile, and install FreeType again (after executing + `make distclean'). + - All libraries FreeType depends on are now checked + using the `pkg-config' configuration files first, + followed by alternative methods. + - The new value `auto' for the various `--with-XXX' + library options (for example `--with-harfbuzz=auto') + makes the `configure' script automatically link to the + libraries it finds. This is now the default. + - In case FreeType's `configure' script can't find a + library, you can pass environment variables to circumvent + pkg-config, and those variables have been harmonized as + a consequence of the changes mentioned above: + LIBZ -> removed; use LIBZ_CFLAGS and LIBZ_LIBS + LIBBZ2 -> removed; use BZIP2_CFLAGS and BZIP2_LIBS + LIBPNG_LDFLAGS -> LIBPNG_LIBS + `./configure --help' shows all available environment variables. + - The `freetype-config' script now understands + option `--static' to emit static linking information. 
+- Due to buildsystem changes, rename and rebase + don-t-mark-libpng-as-required-library-in-freetype-co.patch to + don-t-mark-libpng-as-required-library.patch + +------------------------------------------------------------------- +Thu Dec 12 16:45:13 UTC 2013 - [email protected] + +- Added patches: + * don-t-mark-libpng-as-required-library-in-freetype-co.patch: it's + private in pkgconfig file, and causes issues in downstream + packages +- As per patch, remove libpng-devel Requires from devel package + +------------------------------------------------------------------- +Wed Dec 11 07:13:14 UTC 2013 - [email protected] + +- freetype2 pkgconfig now includes -lpng16; make sure freetype2-devel + Requires libpng-devel + +------------------------------------------------------------------- +Tue Dec 10 03:04:59 UTC 2013 - [email protected] + +- Update to version 2.5.2 + * Fixed bug that made FreeType crash on some popular (but not + fully conformant) fonts like `ahronbd.ttf' + * Another round of improvements to correct positioning and hinting + of composite glyphs in TrueType fonts + * Fixed bug introduced in version 2.5.1: handling embedded + bitmap strikes of TrueType fonts, caused garbage display + under some circumstances + * Fixed `ftgrid' demo program compilation in non-development + builds +- Droped fix-compile-in-non-debug.patch, included in this release + +------------------------------------------------------------------- +Wed Nov 27 19:31:42 UTC 2013 - [email protected] + +- Update to version 2.5.1 + * For some WinFNT files, the last glyph wasn't displayed but + incorrectly marked as invalid. + * The vertical size of glyphs was incorrectly set after a call to + `FT_GlyphSlot_Embolden', resulting in clipped glyphs. + * Many fields of the `PCLT' table in SFNT based fonts (if accessed + with `FT_Get_Sfnt_Table') were computed incorrectly. 
+ * In TrueType fonts, hinting of composite glyphs could sometimes + deliver incorrect positions of components or even distorted + shapes. + * WOFF font format support has been added. + * The auto-hinter now supports Hebrew. Greek and Cyrillic support + has been improved. + * Support for the forthcoming `OS/2' SFNT table version 5, as can + be found e.g. in the `Sitka' font family for Windows 8.1. + * The header file layout has been changed. After installation, + all files are now located in `<prefix>/include/freetype2'. + Applications that use (a) `freetype-config' or FreeType's + `pkg-config' file to get the include directory for the compiler, + and (b) the documented way for header inclusion like + #include <ft2build.h> or #include FT_FREETYPE_H + don't need any change to the source code. + * The stem darkening feature of the new CFF engine can now be + fine-tuned with the new `darkening-parameters' property. + * `ftgrid' has been updated to toggle various engines with the `H' + key, similar to `ftview' and `ftdiff'. + * The functionality of `ttdebug' has been greatly enhanced. + . It now displays twilight, storage, and control value data; key + * Better support of ARMv7 and x86_64 processors. + * Apple's `sbix' color bitmap format is now supported. + * Improved auto-hinter rendering for many TrueType fonts, + especially in the range 20-40ppem. + * A new face flag `FT_FACE_FLAG_COLOR' has been added (to be + accessed with the macro `FT_HAS_COLOR'). + * `FT_Gzip_Uncompress' (modeled after zlib's `uncompress' + function) has been added; this is a by-product of the newly + added WOFF support. + * Support for a build with `cmake' has been contributed by John + Cary <[email protected]>. + * Support for x64 builds with Visual C++ has been contributed by + Kenneth Miller <[email protected]> + * Manual pages for most demo programs have been added. + * The GETINFO bytecode instruction for TrueType fonts was buggy if + used to retrieve subpixel hinting information. 
It was necessary + to set selector bit 6 to get results for selector bits 7-10, + which is wrong. + * Improved computation of emulated vertical metrics for TrueType + fonts. + * Fixed horizontal start-up position of vertical phantom points in + TrueType bytecode. +- Rebase freetype2-subpixel.patch to current release +- Added fix-compile-in-non-debug.patch, fixes release build of ftdemos +- Added overflow.patch for resolving post-build-check detected error: + I: Statement is overflowing a buffer + +------------------------------------------------------------------- +Wed Jul 3 08:31:13 UTC 2013 - [email protected] + +- Update to version 2.5.0.1 + * The cache manager function `FTC_Manager_Reset' didn't flush the + cache. + * Behdad Esfahbod (on behalf of Google) contributed support for + color embedded bitmaps (eg. color emoji). + * The old FreeType CFF engine is now disabled by default. + * All code related to macro FT_CONFIG_OPTION_OLD_INTERNALS + has been removed. + * The property API (`FT_Property_Get' and `FT_Property_Set') is + now declared as stable. + * Another round of TrueType subpixel hinting fixes. + * 64bit compilation of the new CFF engine was buggy. + * Some fixes to improve robustness in memory-tight situations. +- Add dependency on libpng-devel for color emoji support. +- Drop freetype-new-cff-engine.patch, upstream now. + +------------------------------------------------------------------- +Sun Jun 9 03:58:33 UTC 2013 - [email protected] ++++ 1049 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.2:Update/.freetype2.3653.new/freetype2.changes New Changes file: --- /dev/null 2015-03-12 01:14:30.992027505 +0100 +++ /work/SRC/openSUSE:13.2:Update/.freetype2.3653.new/ft2demos.changes 2015-03-30 16:18:43.000000000 +0200 
@@ -0,0 +1,916 @@ +------------------------------------------------------------------- +Fri Feb 20 10:13:37 UTC 2015 - [email protected] + +- fixed vulnerabilities (bnc#916847, bnc#916856, bnc#916857, + bnc#916858, bnc#916859, bnc#916860, bnc#916861, bnc#916862, + bnc#916863, bnc#916864, bnc#916865, bnc#916867, bnc#916868, + bnc#916870, bnc#916871, bnc#916872, bnc#916873, bnc#916874, + bnc#916879, bnc#916881) + - CVE-2014-9656.patch + - CVE-2014-9657.patch + - CVE-2014-9658.patch + - CVE-2014-9659.patch + - CVE-2014-9660.patch + - CVE-2014-9661.patch + - CVE-2014-9662.patch + - CVE-2014-9663.patch + - CVE-2014-9664.patch + - CVE-2014-9665.patch + - CVE-2014-9666.patch + - CVE-2014-9667.patch + - CVE-2014-9668.patch + - CVE-2014-9669.patch + - CVE-2014-9670.patch + - CVE-2014-9671.patch + - CVE-2014-9672.patch + - CVE-2014-9673.patch + - CVE-2014-9674.patch + - CVE-2014-9675.patch + +------------------------------------------------------------------- +Thu Mar 13 03:14:26 UTC 2014 - [email protected] + +- Improve don-t-mark-libpng-as-required-library.patch: also handle + Requires.private case (freetype does not include png headers) + +------------------------------------------------------------------- +Sun Mar 9 18:39:56 UTC 2014 - [email protected] + +- Update to version 2.5.3 + * IMPORTANT BUG FIXES + - A vulnerability was identified and fixed in the new CFF + driver (cf. http://savannah.nongnu.org/bugs/?41697; it + doesn't have a CVE number yet). All users should upgrade. + - More bug fixes related to correct positioning of + composite glyphs. + - Many fixes to better protect against malformed input. + * IMPORTANT CHANGES + - FreeType can now use the HarfBuzz library to greatly improve + the auto-hinting of fonts that use OpenType features: + Many glyphs that are part of such features but don't have + cmap entries are now handled properly, for example small + caps or superscripts. 
Define the configuration macro + FT_CONFIG_OPTION_USE_HARFBUZZ to activate HarfBuzz support. + You need HarfBuzz version 0.9.19 or newer. Note that HarfBuzz + depends on FreeType; this currently causes a chicken-and-egg + problem that can be solved as follows in case HarfBuzz + is not yet installed on your system. + 1. Compile and install FreeType without the configuration + macro FT_CONFIG_OPTION_USE_HARFBUZZ. + 2. Compile and install HarfBuzz. + 3. Define macro FT_CONFIG_OPTION_USE_HARFBUZZ, then + compile and install FreeType again. + With FreeType's `configure' script the procedure boils + down to configure, build, and install Freetype, then + configure, compile, and install HarfBuzz, then configure, + compile, and install FreeType again (after executing + `make distclean'). + - All libraries FreeType depends on are now checked + using the `pkg-config' configuration files first, + followed by alternative methods. + - The new value `auto' for the various `--with-XXX' + library options (for example `--with-harfbuzz=auto') + makes the `configure' script automatically link to the + libraries it finds. This is now the default. + - In case FreeType's `configure' script can't find a + library, you can pass environment variables to circumvent + pkg-config, and those variables have been harmonized as + a consequence of the changes mentioned above: + LIBZ -> removed; use LIBZ_CFLAGS and LIBZ_LIBS + LIBBZ2 -> removed; use BZIP2_CFLAGS and BZIP2_LIBS + LIBPNG_LDFLAGS -> LIBPNG_LIBS + `./configure --help' shows all available environment variables. + - The `freetype-config' script now understands + option `--static' to emit static linking information. 
+- Due to buildsystem changes, rename and rebase + don-t-mark-libpng-as-required-library-in-freetype-co.patch to + don-t-mark-libpng-as-required-library.patch + +------------------------------------------------------------------- +Thu Dec 12 16:45:13 UTC 2013 - [email protected] + +- Added patches: + * don-t-mark-libpng-as-required-library-in-freetype-co.patch: it's + private in pkgconfig file, and causes issues in downstream + packages +- As per patch, remove libpng-devel Requires from devel package + +------------------------------------------------------------------- +Wed Dec 11 07:13:14 UTC 2013 - [email protected] + +- freetype2 pkgconfig now includes -lpng16; make sure freetype2-devel + Requires libpng-devel + +------------------------------------------------------------------- +Tue Dec 10 03:04:59 UTC 2013 - [email protected] + +- Update to version 2.5.2 + * Fixed bug that made FreeType crash on some popular (but not + fully conformant) fonts like `ahronbd.ttf' + * Another round of improvements to correct positioning and hinting + of composite glyphs in TrueType fonts + * Fixed bug introduced in version 2.5.1: handling embedded + bitmap strikes of TrueType fonts, caused garbage display + under some circumstances + * Fixed `ftgrid' demo program compilation in non-development + builds +- Droped fix-compile-in-non-debug.patch, included in this release + +------------------------------------------------------------------- +Wed Nov 27 19:31:42 UTC 2013 - [email protected] + +- Update to version 2.5.1 + * For some WinFNT files, the last glyph wasn't displayed but + incorrectly marked as invalid. + * The vertical size of glyphs was incorrectly set after a call to + `FT_GlyphSlot_Embolden', resulting in clipped glyphs. + * Many fields of the `PCLT' table in SFNT based fonts (if accessed + with `FT_Get_Sfnt_Table') were computed incorrectly. 
+ * In TrueType fonts, hinting of composite glyphs could sometimes + deliver incorrect positions of components or even distorted + shapes. + * WOFF font format support has been added. + * The auto-hinter now supports Hebrew. Greek and Cyrillic support + has been improved. + * Support for the forthcoming `OS/2' SFNT table version 5, as can + be found e.g. in the `Sitka' font family for Windows 8.1. + * The header file layout has been changed. After installation, + all files are now located in `<prefix>/include/freetype2'. + Applications that use (a) `freetype-config' or FreeType's + `pkg-config' file to get the include directory for the compiler, + and (b) the documented way for header inclusion like + #include <ft2build.h> or #include FT_FREETYPE_H + don't need any change to the source code. + * The stem darkening feature of the new CFF engine can now be + fine-tuned with the new `darkening-parameters' property. + * `ftgrid' has been updated to toggle various engines with the `H' + key, similar to `ftview' and `ftdiff'. + * The functionality of `ttdebug' has been greatly enhanced. + . It now displays twilight, storage, and control value data; key + * Better support of ARMv7 and x86_64 processors. + * Apple's `sbix' color bitmap format is now supported. + * Improved auto-hinter rendering for many TrueType fonts, + especially in the range 20-40ppem. + * A new face flag `FT_FACE_FLAG_COLOR' has been added (to be + accessed with the macro `FT_HAS_COLOR'). + * `FT_Gzip_Uncompress' (modeled after zlib's `uncompress' + function) has been added; this is a by-product of the newly + added WOFF support. + * Support for a build with `cmake' has been contributed by John + Cary <[email protected]>. + * Support for x64 builds with Visual C++ has been contributed by + Kenneth Miller <[email protected]> + * Manual pages for most demo programs have been added. + * The GETINFO bytecode instruction for TrueType fonts was buggy if + used to retrieve subpixel hinting information. 
It was necessary + to set selector bit 6 to get results for selector bits 7-10, + which is wrong. + * Improved computation of emulated vertical metrics for TrueType + fonts. + * Fixed horizontal start-up position of vertical phantom points in + TrueType bytecode. +- Rebase freetype2-subpixel.patch to current release +- Added fix-compile-in-non-debug.patch, fixes release build of ftdemos +- Added overflow.patch for resolving post-build-check detected error: + I: Statement is overflowing a buffer + +------------------------------------------------------------------- +Wed Jul 3 08:33:20 UTC 2013 - [email protected] + +- Update to version 2.5.0 + * ftview has been updated to support color embedded bitmaps. + * The 'ttdebug' program has been further improved. In particular, + it accepts a new command line option `-H' to select the hinting + engine. + +------------------------------------------------------------------- +Wed Jun 12 08:46:35 UTC 2013 - [email protected] + +- Add conflict to package dtc for /usr/bin/ftdump as the two tools + are different, + dtc: ftdump -- Flat Tree dumping utility + ft2demos: ftdump -- Simple font dumper + +------------------------------------------------------------------- +Fri May 10 18:09:21 UTC 2013 - [email protected] + +- Update to version 2.4.12 ++++ 719 more lines (skipped) ++++ between /dev/null ++++ and /work/SRC/openSUSE:13.2:Update/.freetype2.3653.new/ft2demos.changes New: ---- CVE-2014-9656.patch CVE-2014-9657.patch CVE-2014-9658.patch CVE-2014-9659.patch CVE-2014-9660.patch CVE-2014-9661.patch CVE-2014-9662.patch CVE-2014-9663.patch CVE-2014-9664.patch CVE-2014-9665.patch CVE-2014-9666.patch CVE-2014-9667.patch CVE-2014-9668.patch CVE-2014-9669.patch CVE-2014-9670.patch CVE-2014-9671.patch CVE-2014-9672.patch CVE-2014-9673.patch CVE-2014-9674.patch CVE-2014-9675.patch baselibs.conf bnc628213_test.otf bnc629447_sigsegv31.ttf bnc633938_badbdf.0 bug-641580_CVE-2010-3311.cff bug-647375_tt2.ttf 
bugzilla-308961-cmex-workaround.patch don-t-mark-libpng-as-required-library.patch freetype-2.5.3.tar.bz2 freetype-doc-2.5.3.tar.bz2 freetype2-bitmap-foundry.patch freetype2-subpixel.patch freetype2.changes freetype2.spec ft2demos-2.5.3.tar.bz2 ft2demos.changes ft2demos.spec overflow.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ freetype2.spec ++++++ # # spec file for package freetype2 # # Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. 
# Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: freetype2 BuildRequires: gawk BuildRequires: libpng-devel BuildRequires: pkg-config BuildRequires: zlib-devel # bug437293 %ifarch ppc64 Obsoletes: freetype2-64bit %endif # %define doc_version 2.5.3 Version: 2.5.3 Release: 0 Summary: A TrueType Font Library License: SUSE-Freetype or GPL-2.0+ Group: System/Libraries Url: http://www.freetype.org Source0: http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.tar.bz2 Source1: http://download.savannah.gnu.org/releases/freetype/freetype-doc-%{doc_version}.tar.bz2 Source3: baselibs.conf Patch1: freetype2-bitmap-foundry.patch Patch308961: bugzilla-308961-cmex-workaround.patch Patch200: freetype2-subpixel.patch # PATCH-FIX-UPSTREAM overflow.patch -- I: Statement is overflowing a buffer Patch201: overflow.patch # PATCH-FIX-OPENSUSE don-t-mark-libpng-as-required-library.patch -- it is private in .pc Patch202: don-t-mark-libpng-as-required-library.patch Patch300: CVE-2014-9656.patch Patch301: CVE-2014-9657.patch Patch302: CVE-2014-9658.patch Patch303: CVE-2014-9659.patch Patch304: CVE-2014-9660.patch Patch305: CVE-2014-9661.patch Patch306: CVE-2014-9662.patch Patch307: CVE-2014-9663.patch Patch308: CVE-2014-9664.patch Patch309: CVE-2014-9665.patch Patch310: CVE-2014-9666.patch Patch311: CVE-2014-9667.patch Patch312: CVE-2014-9668.patch Patch313: CVE-2014-9669.patch Patch314: CVE-2014-9670.patch Patch315: CVE-2014-9671.patch Patch316: CVE-2014-9672.patch Patch317: CVE-2014-9673.patch Patch318: CVE-2014-9674.patch Patch319: CVE-2014-9675.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build %description This library features TrueType fonts for open source projects. This version also contains an autohinter for producing improved output. 
%package -n libfreetype6 Summary: A TrueType Font Library Group: System/Libraries Obsoletes: freetype2 < %{version} Provides: freetype2 = %{version} %description -n libfreetype6 This library features TrueType fonts for open source projects. This version also contains an autohinter for producing improved output. %package devel Summary: Development environment for the freetype2 TrueType font library Group: Development/Libraries/C and C++ Requires: libfreetype6 = %{version} Requires: zlib-devel # bug437293 %ifarch ppc64 Obsoletes: freetype2-devel-64bit %endif # there is no freetype-devel on suse: Provides: freetype-devel # Static library provides: Provides: libfreetype6-devel-static %description devel This package contains all necessary include files, libraries and documentation needed to develop applications that require the freetype2 TrueType font library. It also contains a small tutorial for using that library. %prep %define enable_subpixel_rendering 0 %setup -q -n freetype-%{version} -a 1 %patch1 -p1 %patch308961 -p 1 %if %{enable_subpixel_rendering} %patch200 -p1 %endif %patch202 -p1 %patch300 -p1 %patch301 -p1 %patch302 -p1 %patch303 -p1 %patch304 -p1 %patch305 -p1 %patch306 -p1 %patch307 -p1 %patch308 -p1 %patch309 -p1 %patch310 -p1 %patch311 -p1 %patch312 -p1 %patch313 -p1 %patch314 -p1 %patch315 -p1 %patch316 -p1 %patch317 -p1 %patch318 -p1 %patch319 -p1 %build export CFLAGS="%optflags -std=gnu99 -D_GNU_SOURCE $(getconf LFS_CFLAGS)" %configure --without-bzip2 \ --disable-static make %{?_smp_mflags} %install %makeinstall # remove documentation that does not belong in an rpm rm docs/INSTALL* %post -n libfreetype6 -p /sbin/ldconfig %postun -n libfreetype6 -p /sbin/ldconfig %files -n libfreetype6 %defattr(-,root,root) %{_libdir}/libfreetype.so.* %doc ChangeLog README %doc docs/{CHANGES,CUSTOMIZE,DEBUG,MAKEPP,PROBLEMS,TODO,*.txt} %files devel %defattr(-,root,root) %doc docs/reference/* %{_includedir}/* %if 0%{?suse_version} >= 1140 %exclude 
%{_libdir}/libfreetype.*a %else %{_libdir}/libfreetype.*a %endif %{_libdir}/libfreetype.so %{_libdir}/pkgconfig/freetype2.pc %{_bindir}/* %{_datadir}/aclocal %{_mandir}/man1/freetype-config* %changelog ++++++ ft2demos.spec ++++++ # # spec file for package ft2demos # # Copyright (c) 2015 SUSE LINUX Products GmbH, Nuernberg, Germany. # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed # upon. The license for this file, and modifications and additions to the # file, is the same license as for the pristine package itself (unless the # license for the pristine package is not an Open Source License, in which # case the license is the MIT License). An "Open Source License" is a # license that conforms to the Open Source Definition (Version 1.9) # published by the Open Source Initiative. # Please submit bugfixes or comments via http://bugs.opensuse.org/ # Name: ft2demos Version: 2.5.3 Release: 0 Summary: Freetype2 Utilities and Demo Programs License: GPL-2.0+ Group: Productivity/Publishing/Other %define freetype_version 2.5.3 Url: http://www.freetype.org Source0: http://savannah.nongnu.org/download/freetype/freetype-%{freetype_version}.tar.bz2 Source1: http://savannah.nongnu.org/download/freetype/ft2demos-%{version}.tar.bz2 Patch308961: bugzilla-308961-cmex-workaround.patch Patch200: freetype2-subpixel.patch # PATCH-FIX-UPSTREAM overflow.patch -- I: Statement is overflowing a buffer Patch201: overflow.patch # PATCH-FIX-OPENSUSE don-t-mark-libpng-as-required-library.patch -- it is private in .pc Patch202: don-t-mark-libpng-as-required-library.patch Patch300: CVE-2014-9656.patch Patch301: CVE-2014-9657.patch Patch302: CVE-2014-9658.patch Patch303: CVE-2014-9659.patch Patch304: CVE-2014-9660.patch Patch305: CVE-2014-9661.patch Patch306: CVE-2014-9662.patch Patch307: CVE-2014-9663.patch Patch308: CVE-2014-9664.patch Patch309: CVE-2014-9665.patch Patch310: CVE-2014-9666.patch 
Patch311: CVE-2014-9667.patch Patch312: CVE-2014-9668.patch Patch313: CVE-2014-9669.patch Patch314: CVE-2014-9670.patch Patch315: CVE-2014-9671.patch Patch316: CVE-2014-9672.patch Patch317: CVE-2014-9673.patch Patch318: CVE-2014-9674.patch Patch319: CVE-2014-9675.patch BuildRequires: libpng-devel BuildRequires: xorg-x11-devel Conflicts: dtc Supplements: fonts-config Source1000: bnc628213_test.otf Source1004: bnc629447_sigsegv31.ttf Source1013: bnc633938_badbdf.0 Source1015: bug-641580_CVE-2010-3311.cff Source1016: bug-647375_tt2.ttf BuildRoot: %{_tmppath}/%{name}-%{version}-build %description Freetype2 utilities and demo programs. %prep %define enable_subpixel_rendering 0%{?opensuse_bs} %setup -q -n freetype-%{freetype_version} -b 1 %patch308961 -p 1 %if %{enable_subpixel_rendering} %patch200 -p 1 -b .subpixel %endif pushd ../ft2demos-%{version} %patch201 -p1 popd %patch202 -p1 %patch300 -p1 %patch301 -p1 %patch302 -p1 %patch303 -p1 %patch304 -p1 %patch305 -p1 %patch306 -p1 %patch307 -p1 %patch308 -p1 %patch309 -p1 %patch310 -p1 %patch311 -p1 %patch312 -p1 %patch313 -p1 %patch314 -p1 %patch315 -p1 %patch316 -p1 %patch317 -p1 %patch318 -p1 %patch319 -p1 %build export CFLAGS="%optflags -std=gnu99 -D_GNU_SOURCE $(getconf LFS_CFLAGS)" %configure --without-bzip2 make %{?_smp_mflags} pushd .. 
ln -s freetype-%{freetype_version} freetype2 cd ft2demos-%{version} make %{?_smp_mflags} popd %install mkdir -p %{buildroot}%{_bindir} pushd ../ft2demos-%{version}/bin/.libs install -m 755 ft* %{buildroot}%{_bindir} popd %check %{buildroot}%{_bindir}/ftbench -c 1 %{S:1000} %{buildroot}%{_bindir}/ftbench -c 1 %{S:1004} |& grep -v "couldn't load font resource" && echo "should fail" %{buildroot}%{_bindir}/ftbench -c 1 %{S:1013} |& grep -v "couldn't load font resource" && echo "should fail" %{buildroot}%{_bindir}/ftbench -c 1 %{S:1015} |& grep -v "couldn't load font resource" && echo "should fail" %{buildroot}%{_bindir}/ftbench -c 1 %{S:1016} %files %defattr(-,root,root) %{_bindir}/ft* %changelog ++++++ CVE-2014-9656.patch ++++++ >From f0292bb9920aa1dbfed5f53861e7c7a89b35833a Mon Sep 17 00:00:00 2001 From: Werner Lemberg <[email protected]> Date: Mon, 24 Nov 2014 09:51:21 +0000 Subject: [sfnt] Fix Savannah bug #43680. This adds an additional constraint to make the fix from 2013-01-25 really work. * src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) <index_format==4>: Check `p' before `num_glyphs'. --- diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c index b37bd7d..c2db96c 100644 --- a/src/sfnt/ttsbit.c +++ b/src/sfnt/ttsbit.c @@ -1170,7 +1170,8 @@ num_glyphs = FT_NEXT_ULONG( p ); /* overflow check for p + ( num_glyphs + 1 ) * 4 */ - if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) ) + if ( p + 4 > p_limit || + num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) ) goto NoBitmap; for ( mm = 0; mm < num_glyphs; mm++ ) -- cgit v0.9.0.2 ++++++ CVE-2014-9657.patch ++++++ >From eca0f067068020870a429fe91f6329e499390d55 Mon Sep 17 00:00:00 2001 From: Werner Lemberg <[email protected]> Date: Mon, 24 Nov 2014 09:22:08 +0000 Subject: [truetype] Fix Savannah bug #43679. * src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of `record_size'. --- diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c index 9723a51..9991925 100644 
--- a/src/truetype/ttpload.c +++ b/src/truetype/ttpload.c @@ -508,9 +508,9 @@ record_size = FT_NEXT_ULONG( p ); /* The maximum number of bytes in an hdmx device record is the */ - /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is */ - /* the reason why `record_size' is a long (which we read as */ - /* unsigned long for convenience). In practice, two bytes */ + /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus */ + /* explaining why `record_size' is a long (which we read as */ + /* unsigned long for convenience). In practice, two bytes are */ /* sufficient to hold the size value. */ /* */ /* There are at least two fonts, HANNOM-A and HANNOM-B version */ @@ -522,8 +522,10 @@ record_size &= 0xFFFFU; /* The limit for `num_records' is a heuristic value. */ - - if ( version != 0 || num_records > 255 || record_size > 0x10001L ) + if ( version != 0 || + num_records > 255 || + record_size > 0x10001L || + record_size < 4 ) { error = FT_THROW( Invalid_File_Format ); goto Fail; -- cgit v0.9.0.2 ++++++ CVE-2014-9658.patch ++++++ >From f70d9342e65cd2cb44e9f26b6d7edeedf191fc6c Mon Sep 17 00:00:00 2001 From: Werner Lemberg <[email protected]> Date: Mon, 24 Nov 2014 08:31:32 +0000 Subject: [sfnt] Fix Savannah bug #43672. * src/sfnt/ttkern.c (tt_face_load_kern): Use correct value for minimum table length test. --- diff --git a/src/sfnt/ttkern.c b/src/sfnt/ttkern.c index 32c4008..455e7b5 100644 --- a/src/sfnt/ttkern.c +++ b/src/sfnt/ttkern.c @@ -99,7 +99,7 @@ length = FT_NEXT_USHORT( p ); coverage = FT_NEXT_USHORT( p ); - if ( length <= 6 ) + if ( length <= 6 + 8 ) break; p_next += length; -- cgit v0.9.0.2 ++++++ CVE-2014-9659.patch ++++++ >From 2cdc4562f873237f1c77d43540537c7a721d3fd8 Mon Sep 17 00:00:00 2001 
From: Dave Arnold <[email protected]> Date: Thu, 04 Dec 2014 05:10:16 +0000 Subject: [cff] Fix Savannah bug #43661. * src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdHSTEM, cf2_cmdVSTEM, cf2_cmdHINTMASK>: Don't append to stem arrays after hintmask is constructed. * src/cff/cf2hints.c (cf2_hintmap_build): Add defensive code to avoid reading past end of hintmask. --- diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c index 81049f4..28a892b 100644 --- a/src/cff/cf2hints.c +++ b/src/cff/cf2hints.c @@ -794,9 +794,12 @@ maskPtr = cf2_hintmask_getMaskPtr( &tempHintMask ); /* use the hStem hints only, which are first in the mask */ - /* TODO: compare this to cffhintmaskGetBitCount */ bitCount = cf2_arrstack_size( hStemHintArray ); + /* Defense-in-depth. Should never return here. */ + if ( bitCount > hintMask->bitCount ) + return; + /* synthetic embox hints get highest priority */ if ( font->blues.doEmBoxHints ) { diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c index 5610917..a269606 100644 --- a/src/cff/cf2intrp.c +++ b/src/cff/cf2intrp.c @@ -4,7 +4,7 @@ /* */ /* Adobe's CFF Interpreter (body). */ /* */ -/* Copyright 2007-2013 Adobe Systems Incorporated. */ +/* Copyright 2007-2014 Adobe Systems Incorporated. */ /* */ /* This software, and all works of authorship, whether in source or */ /* object code form as indicated by the copyright notice(s) included */ @@ -593,8 +593,11 @@ /* never add hints after the mask is computed */ if ( cf2_hintmask_isValid( &hintMask ) ) + { FT_TRACE4(( "cf2_interpT2CharString:" " invalid horizontal hint mask\n" )); + break; + } cf2_doStems( font, opStack, @@ -614,8 +617,11 @@ /* never add hints after the mask is computed */ if ( cf2_hintmask_isValid( &hintMask ) ) + { FT_TRACE4(( "cf2_interpT2CharString:" " invalid vertical hint mask\n" )); + break; + } cf2_doStems( font, opStack, 
@@ -1141,15 +1147,16 @@ /* `cf2_hintmask_read' (which also traces the mask bytes) */ FT_TRACE4(( op1 == cf2_cmdCNTRMASK ? " cntrmask" : " hintmask" )); - /* if there are arguments on the stack, there this is an */ - /* implied cf2_cmdVSTEMHM */ - if ( cf2_stack_count( opStack ) != 0 ) + /* never add hints after the mask is computed */ + if ( cf2_stack_count( opStack ) > 1 && + cf2_hintmask_isValid( &hintMask ) ) { - /* never add hints after the mask is computed */ - if ( cf2_hintmask_isValid( &hintMask ) ) - FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" )); + FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" )); + break; } + /* if there are arguments on the stack, there this is an */ + /* implied cf2_cmdVSTEMHM */ cf2_doStems( font, opStack, &vStemHintArray, -- cgit v0.9.0.2 ++++++ CVE-2014-9660.patch ++++++ >From af8346172a7b573715134f7a51e6c5c60fa7f2ab Mon Sep 17 00:00:00 2001 From: Werner Lemberg <[email protected]> Date: Sat, 22 Nov 2014 12:29:10 +0000 Subject: [bdf] Fix Savannah bug #43660. * src/bdf/bdflib.c (_bdf_parse_glyphs) <"ENDFONT">: Check `_BDF_GLYPH_BITS'. --- Index: freetype-2.5.3/src/bdf/bdflib.c =================================================================== --- freetype-2.5.3.orig/src/bdf/bdflib.c +++ freetype-2.5.3/src/bdf/bdflib.c @@ -1543,6 +1543,14 @@ /* Check for the ENDFONT field. */ if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 ) { + if ( p->flags & _BDF_GLYPH_BITS ) + { + /* Missing ENDCHAR field. */ + FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENDCHAR" )); + error = FT_THROW( Corrupted_Font_Glyphs ); + goto Exit; + } + /* Sort the glyphs by encoding. */ ft_qsort( (char *)font->glyphs, font->glyphs_used, ++++++ CVE-2014-9661.patch ++++++ 
From: Werner Lemberg <[email protected]> Date: Sat, 22 Nov 2014 09:46:47 +0000 Subject: [type42] Fix Savannah bug #43659. * src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'. * src/type42/t42parse.c (t42_parse_sfnts): Always set `face->ttf_size' directly. This ensures a correct stream size in the call to `FT_Open_Face', which follows after parsing, even for buggy input data. Fix error messages. From: Werner Lemberg <[email protected]> Date: Sat, 22 Nov 2014 11:44:33 +0000 Subject: [type42] Allow only embedded TrueType fonts. This is a follow-up to Savannah bug #43659. * src/type42/t42objs.c (T42_Face_Init): Exclusively use the `truetype' font driver for loading the font contained in the `sfnts' array. --- diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c --- a/src/type42/t42objs.c +++ b/src/type42/t42objs.c @@ -47,6 +47,12 @@ if ( FT_ALLOC( face->ttf_data, 12 ) ) goto Exit; + /* while parsing the font we always update `face->ttf_size' so that */ + /* even in case of buggy data (which might lead to premature end of */ + /* scanning without causing an error) the call to `FT_Open_Face' in */ + /* `T42_Face_Init' passes the correct size */ + face->ttf_size = 12; + error = t42_parser_init( parser, face->root.stream, memory, @@ -292,7 +292,9 @@ FT_Open_Args args; - args.flags = FT_OPEN_MEMORY; + args.flags = FT_OPEN_MEMORY | FT_OPEN_DRIVER; + args.driver = FT_Get_Module( FT_FACE_LIBRARY( face ), + "truetype" ); args.memory_base = face->ttf_data; args.memory_size = face->ttf_size; diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c index a60e216..daf304d 100644 --- a/src/type42/t42parse.c +++ b/src/type42/t42parse.c @@ -524,7 +524,7 @@ FT_Byte* limit = parser->root.limit; FT_Error error; FT_Int num_tables = 0; - FT_ULong count, ttf_size = 0; + FT_ULong count; FT_Long n, string_size, old_string_size, real_size; FT_Byte* string_buf = NULL; 
@@ -617,7 +617,7 @@ if ( limit - parser->root.cursor < string_size ) { - FT_ERROR(( "t42_parse_sfnts: too many binary data\n" )); + FT_ERROR(( "t42_parse_sfnts: too much binary data\n" )); error = FT_THROW( Invalid_File_Format ); goto Fail; } @@ -657,18 +657,18 @@ } else { - num_tables = 16 * face->ttf_data[4] + face->ttf_data[5]; - status = BEFORE_TABLE_DIR; - ttf_size = 12 + 16 * num_tables; + num_tables = 16 * face->ttf_data[4] + face->ttf_data[5]; + status = BEFORE_TABLE_DIR; + face->ttf_size = 12 + 16 * num_tables; - if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) ) + if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) ) goto Fail; } /* fall through */ case BEFORE_TABLE_DIR: /* the offset table is read; read the table directory */ - if ( count < ttf_size ) + if ( count < face->ttf_size ) { face->ttf_data[count++] = string_buf[n]; continue; @@ -687,24 +687,23 @@ len = FT_PEEK_ULONG( p ); /* Pad to a 4-byte boundary length */ - ttf_size += ( len + 3 ) & ~3; + face->ttf_size += ( len + 3 ) & ~3; } - status = OTHER_TABLES; - face->ttf_size = ttf_size; + status = OTHER_TABLES; /* there are no more than 256 tables, so no size check here */ if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables, - ttf_size + 1 ) ) + face->ttf_size + 1 ) ) goto Fail; } /* fall through */ case OTHER_TABLES: /* all other tables are just copied */ - if ( count >= ttf_size ) + if ( count >= face->ttf_size ) { - FT_ERROR(( "t42_parse_sfnts: too many binary data\n" )); + FT_ERROR(( "t42_parse_sfnts: too much binary data\n" )); error = FT_THROW( Invalid_File_Format ); goto Fail; } -- cgit v0.9.0.2 ++++++ CVE-2014-9662.patch ++++++ >From 5f201ab5c24cb69bc96b724fd66e739928d6c5e2 Mon Sep 17 00:00:00 2001 From: Werner Lemberg <[email protected]> Date: Sat, 22 Nov 2014 08:16:39 +0000 Subject: [cff] Fix Savannah bug #43658. * src/cff/cf2ft.c (cf2_builder_lineTo, cf2_builder_cubeTo): Handle return values of point allocation routines. --- 
diff --git a/src/cff/cf2ft.c b/src/cff/cf2ft.c index cb8d31c..ebba469 100644 --- a/src/cff/cf2ft.c +++ b/src/cff/cf2ft.c @@ -142,6 +142,8 @@ cf2_builder_lineTo( CF2_OutlineCallbacks callbacks, const CF2_CallbackParams params ) { + FT_Error error; + /* downcast the object pointer */ CF2_Outline outline = (CF2_Outline)callbacks; CFF_Builder* builder; @@ -156,15 +158,27 @@ { /* record the move before the line; also check points and set */ /* `path_begun' */ - cff_builder_start_point( builder, - params->pt0.x, - params->pt0.y ); + error = cff_builder_start_point( builder, + params->pt0.x, + params->pt0.y ); + if ( error ) + { + if ( !*callbacks->error ) + *callbacks->error = error; + return; + } } /* `cff_builder_add_point1' includes a check_points call for one point */ - cff_builder_add_point1( builder, - params->pt1.x, - params->pt1.y ); + error = cff_builder_add_point1( builder, + params->pt1.x, + params->pt1.y ); + if ( error ) + { + if ( !*callbacks->error ) + *callbacks->error = error; + return; + } } @@ -172,6 +186,8 @@ cf2_builder_cubeTo( CF2_OutlineCallbacks callbacks, const CF2_CallbackParams params ) { + FT_Error error; + /* downcast the object pointer */ CF2_Outline outline = (CF2_Outline)callbacks; CFF_Builder* builder; @@ -186,13 +202,25 @@ { /* record the move before the line; also check points and set */ /* `path_begun' */ - cff_builder_start_point( builder, - params->pt0.x, - params->pt0.y ); + error = cff_builder_start_point( builder, + params->pt0.x, + params->pt0.y ); + if ( error ) + { + if ( !*callbacks->error ) + *callbacks->error = error; + return; + } } /* prepare room for 3 points: 2 off-curve, 1 on-curve */ - cff_check_points( builder, 3 ); + error = cff_check_points( builder, 3 ); + if ( error ) + { + if ( !*callbacks->error ) + *callbacks->error = error; + return; + } cff_builder_add_point( builder, params->pt1.x, -- cgit v0.9.0.2 ++++++ CVE-2014-9663.patch ++++++ >From 9bd20b7304aae61de5d50ac359cf27132bafd4c1 Mon Sep 17 00:00:00 2001 
From: Werner Lemberg <[email protected]> Date: Sat, 22 Nov 2014 05:24:45 +0000 Subject: [sfnt] Fix Savannah bug #43656. * src/sfnt/ttcmap.c (tt_cmap4_validate): Fix order of validity tests. --- diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c index 712bd4f..fb863c3 100644 --- a/src/sfnt/ttcmap.c +++ b/src/sfnt/ttcmap.c @@ -845,9 +845,6 @@ p = table + 2; /* skip format */ length = TT_NEXT_USHORT( p ); - if ( length < 16 ) - FT_INVALID_TOO_SHORT; - /* in certain fonts, the `length' field is invalid and goes */ /* out of bound. We try to correct this here... */ if ( table + length > valid->limit ) @@ -858,6 +855,9 @@ length = (FT_UInt)( valid->limit - table ); } + if ( length < 16 ) + FT_INVALID_TOO_SHORT; + p = table + 6; num_segs = TT_NEXT_USHORT( p ); /* read segCountX2 */ -- cgit v0.9.0.2 ++++++ CVE-2014-9664.patch ++++++ >From dd89710f0f643eb0f99a3830e0712d26c7642acd Mon Sep 17 00:00:00 2001 From: Werner Lemberg <[email protected]> Date: Fri, 21 Nov 2014 21:19:28 +0000 Subject: [type1, type42] Fix Savannah bug #43655. * src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c (t42_parse_charstrings): Fix boundary testing. >From 73be9f9ab67842cfbec36ee99e8d2301434c84ca Mon Sep 17 00:00:00 2001 From: Werner Lemberg <[email protected]> Date: Mon, 24 Nov 2014 06:30:05 +0000 Subject: [type1, type42] Another fix for Savannah bug #43655. * src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c (t42_parse_charstrings): Add another boundary testing. --- diff --git a/src/type1/t1load.c b/src/type1/t1load.c --- a/src/type1/t1load.c +++ b/src/type1/t1load.c @@ -1596,6 +1596,11 @@ } T1_Skip_PS_Token( parser ); + if ( parser->root.cursor >= limit ) + { + error = FT_THROW( Invalid_File_Format ); + goto Fail; + } if ( parser->root.error ) return; @@ -1604,7 +1604,7 @@ FT_PtrDist len; - if ( cur + 1 >= limit ) + if ( cur + 2 >= limit ) { error = FT_THROW( Invalid_File_Format ); goto Fail; diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c 
--- a/src/type42/t42parse.c +++ b/src/type42/t42parse.c @@ -849,6 +849,12 @@ break; T1_Skip_PS_Token( parser ); + if ( parser->root.cursor >= limit ) + { + FT_ERROR(( "t42_parse_charstrings: out of bounds\n" )); + error = FT_THROW( Invalid_File_Format ); + goto Fail; + } if ( parser->root.error ) return; @@ -858,7 +858,7 @@ FT_PtrDist len; - if ( cur + 1 >= limit ) + if ( cur + 2 >= limit ) { FT_ERROR(( "t42_parse_charstrings: out of bounds\n" )); error = FT_THROW( Invalid_File_Format ); -- cgit v0.9.0.2 ++++++ CVE-2014-9665.patch ++++++ >From 54abd22891bd51ef8b533b24df53b3019b5cee81 Mon Sep 17 00:00:00 2001 From: Werner Lemberg <[email protected]> Date: Sat, 15 Nov 2014 08:05:22 +0000 Subject: [sfnt] Fix Savannah bug #43597. * src/sfnt/pngshim.c (Load_SBit_Png): Protect against too large bitmaps. >From b3500af717010137046ec4076d1e1c0641e33727 Mon Sep 17 00:00:00 2001 From: Werner Lemberg <[email protected]> Date: Wed, 19 Nov 2014 20:28:21 +0000 Subject: Change some fields in `FT_Bitmap' to unsigned type. This doesn't break ABI. * include/ftimage.h (FT_Bitmap): Make `rows', `width', `num_grays', `pixel_mode', and `palette_mode' unsigned types. * src/base/ftbitmap.c: Updated. (FT_Bitmap_Copy): Fix casts. * src/cache/ftcsbits.c, src/raster/ftraster.c, src/sfnt/pngshim.c: Updated. --- Index: freetype-2.5.3/src/sfnt/pngshim.c =================================================================== --- freetype-2.5.3.orig/src/sfnt/pngshim.c +++ freetype-2.5.3/src/sfnt/pngshim.c @@ -205,11 +205,11 @@ goto Exit; } - if ( !populate_map_and_metrics && - ( x_offset + metrics->width > map->width || - y_offset + metrics->height > map->rows || - pix_bits != 32 || - map->pixel_mode != FT_PIXEL_MODE_BGRA ) ) + if ( !populate_map_and_metrics && + ( (FT_UInt)x_offset + metrics->width > map->width || + (FT_UInt)y_offset + metrics->height > map->rows || + pix_bits != 32 || + map->pixel_mode != FT_PIXEL_MODE_BGRA ) ) { error = FT_THROW( Invalid_Argument ); goto Exit; 
@@ -269,6 +269,13 @@ map->pitch = map->width * 4; map->num_grays = 256; + /* reject too large bitmaps similarly to the rasterizer */ + if ( map->rows > 0x7FFF || map->width > 0x7FFF ) + { + error = FT_THROW( Array_Too_Large ); + goto DestroyExit; + } + size = map->rows * map->pitch; error = ft_glyphslot_alloc_bitmap( slot, size ); Index: freetype-2.5.3/include/ftimage.h =================================================================== --- freetype-2.5.3.orig/include/ftimage.h +++ freetype-2.5.3/include/ftimage.h @@ -318,13 +318,13 @@ FT_BEGIN_HEADER /* */ typedef struct FT_Bitmap_ { - int rows; - int width; + unsigned int rows; + unsigned int width; int pitch; unsigned char* buffer; - short num_grays; - char pixel_mode; - char palette_mode; + unsigned short num_grays; + unsigned char pixel_mode; + unsigned char palette_mode; void* palette; } FT_Bitmap; Index: freetype-2.5.3/src/base/ftbitmap.c =================================================================== --- freetype-2.5.3.orig/src/base/ftbitmap.c +++ freetype-2.5.3/src/base/ftbitmap.c @@ -62,7 +62,7 @@ if ( pitch < 0 ) pitch = -pitch; - size = (FT_ULong)( pitch * source->rows ); + size = (FT_ULong)pitch * source->rows; if ( target->buffer ) { @@ -72,7 +72,7 @@ if ( target_pitch < 0 ) target_pitch = -target_pitch; - target_size = (FT_ULong)( target_pitch * target->rows ); + target_size = (FT_ULong)target_pitch * target->rows; if ( target_size != size ) (void)FT_QREALLOC( target->buffer, target_size, size ); @@ -106,7 +106,7 @@ int pitch; int new_pitch; FT_UInt bpp; - FT_Int i, width, height; + FT_UInt i, width, height; unsigned char* buffer = NULL; 
@@ -144,17 +144,17 @@ if ( ypixels == 0 && new_pitch <= pitch ) { /* zero the padding */ - FT_Int bit_width = pitch * 8; - FT_Int bit_last = ( width + xpixels ) * bpp; + FT_UInt bit_width = pitch * 8; + FT_UInt bit_last = ( width + xpixels ) * bpp; if ( bit_last < bit_width ) { FT_Byte* line = bitmap->buffer + ( bit_last >> 3 ); FT_Byte* end = bitmap->buffer + pitch; - FT_Int shift = bit_last & 7; + FT_UInt shift = bit_last & 7; FT_UInt mask = 0xFF00U >> shift; - FT_Int count = height; + FT_UInt count = height; for ( ; count > 0; count--, line += pitch, end += pitch ) @@ -180,7 +180,7 @@ if ( bitmap->pitch > 0 ) { - FT_Int len = ( width * bpp + 7 ) >> 3; + FT_UInt len = ( width * bpp + 7 ) >> 3; for ( i = 0; i < bitmap->rows; i++ ) @@ -189,7 +189,7 @@ } else { - FT_Int len = ( width * bpp + 7 ) >> 3; + FT_UInt len = ( width * bpp + 7 ) >> 3; for ( i = 0; i < bitmap->rows; i++ ) @@ -220,7 +220,8 @@ { FT_Error error; unsigned char* p; - FT_Int i, x, y, pitch; + FT_Int i, x, pitch; + FT_UInt y; FT_Int xstr, ystr; @@ -459,8 +460,8 @@ case FT_PIXEL_MODE_LCD_V: case FT_PIXEL_MODE_BGRA: { - FT_Int pad; - FT_Long old_size; + FT_Int pad; + FT_ULong old_size; old_size = target->rows * target->pitch; Index: freetype-2.5.3/src/cache/ftcsbits.c =================================================================== --- freetype-2.5.3.orig/src/cache/ftcsbits.c +++ freetype-2.5.3/src/cache/ftcsbits.c 
@@ -142,12 +142,12 @@ goto BadGlyph; } - /* Check that our values fit into 8-bit containers! */ + /* Check whether our values fit into 8-bit containers! */ /* If this is not the case, our bitmap is too large */ /* and we will leave it as `missing' with sbit.buffer = 0 */ -#define CHECK_CHAR( d ) ( temp = (FT_Char)d, temp == d ) -#define CHECK_BYTE( d ) ( temp = (FT_Byte)d, temp == d ) +#define CHECK_CHAR( d ) ( temp = (FT_Char)d, (FT_Int) temp == (FT_Int) d ) +#define CHECK_BYTE( d ) ( temp = (FT_Byte)d, (FT_UInt)temp == (FT_UInt)d ) /* horizontal advance in pixels */ xadvance = ( slot->advance.x + 32 ) >> 6; Index: freetype-2.5.3/src/raster/ftraster.c =================================================================== --- freetype-2.5.3.orig/src/raster/ftraster.c +++ freetype-2.5.3/src/raster/ftraster.c @@ -2550,7 +2550,7 @@ e1 = TRUNC( e1 ); - if ( e1 >= 0 && e1 < ras.target.rows ) + if ( e1 >= 0 && (ULong)e1 < ras.target.rows ) { PByte p; @@ -2644,7 +2644,7 @@ /* bounding box instead */ if ( pxl < 0 ) pxl = e1; - else if ( TRUNC( pxl ) >= ras.target.rows ) + else if ( (ULong)( TRUNC( pxl ) ) >= ras.target.rows ) pxl = e2; /* check that the other pixel isn't set */ @@ -2659,9 +2659,9 @@ if ( ras.target.pitch > 0 ) bits += ( ras.target.rows - 1 ) * ras.target.pitch; - if ( e1 >= 0 && - e1 < ras.target.rows && - *bits & f1 ) + if ( e1 >= 0 && + (ULong)e1 < ras.target.rows && + *bits & f1 ) return; } else @@ -2673,7 +2673,7 @@ e1 = TRUNC( pxl ); - if ( e1 >= 0 && e1 < ras.target.rows ) + if ( e1 >= 0 && (ULong)e1 < ras.target.rows ) { bits -= e1 * ras.target.pitch; if ( ras.target.pitch > 0 ) ++++++ CVE-2014-9666.patch ++++++ >From 257c270bd25e15890190a28a1456e7623bba4439 Mon Sep 17 00:00:00 2001 From: Werner Lemberg <[email protected]> Date: Wed, 12 Nov 2014 20:42:13 +0000 Subject: [sfnt] Fix Savannah bug #43591. * src/sfnt/ttsbit.c (tt_sbit_decoder_init): Protect against addition and multiplication overflow. --- 
diff --git a/src/sfnt/ttsbit.c b/src/sfnt/ttsbit.c index da6b01b..b37bd7d 100644 --- a/src/sfnt/ttsbit.c +++ b/src/sfnt/ttsbit.c @@ -394,9 +394,11 @@ p += 34; decoder->bit_depth = *p; - if ( decoder->strike_index_array > face->sbit_table_size || - decoder->strike_index_array + 8 * decoder->strike_index_count > - face->sbit_table_size ) + /* decoder->strike_index_array + */ + /* 8 * decoder->strike_index_count > face->sbit_table_size ? */ + if ( decoder->strike_index_array > face->sbit_table_size || + decoder->strike_index_count > + ( face->sbit_table_size - decoder->strike_index_array ) / 8 ) error = FT_THROW( Invalid_File_Format ); } -- cgit v0.9.0.2 ++++++ CVE-2014-9667.patch ++++++ >From 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891 Mon Sep 17 00:00:00 2001 From: Werner Lemberg <[email protected]> Date: Wed, 12 Nov 2014 20:26:44 +0000 Subject: [sfnt] Fix Savannah bug #43590. * src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir): Protect against addition overflow. --- diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c index 0a3cd29..8338150 100644 --- a/src/sfnt/ttload.c +++ b/src/sfnt/ttload.c @@ -207,7 +207,10 @@ } /* we ignore invalid tables */ - if ( table.Offset + table.Length > stream->size ) + + /* table.Offset + table.Length > stream->size ? */ + if ( table.Length > stream->size || + table.Offset > stream->size - table.Length ) { FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn )); continue; @@ -395,7 +398,10 @@ entry->Length = FT_GET_ULONG(); /* ignore invalid tables */ - if ( entry->Offset + entry->Length > stream->size ) + + /* entry->Offset + entry->Length > stream->size ? */ + if ( entry->Length > stream->size || + entry->Offset > stream->size - entry->Length ) continue; else { -- cgit v0.9.0.2 ++++++ CVE-2014-9668.patch ++++++ >From f46add13895337ece929b18bb8f036431b3fb538 Mon Sep 17 00:00:00 2001 
From: Werner Lemberg <[email protected]> Date: Wed, 12 Nov 2014 20:06:08 +0000 Subject: [sfnt] Fix Savannah bug #43589. * src/sfnt/sfobjs.c (woff_open_font): Protect against addition overflow. --- diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c index cfea9cd..70b988d 100644 --- a/src/sfnt/sfobjs.c +++ b/src/sfnt/sfobjs.c @@ -567,8 +567,10 @@ if ( table->Offset != woff_offset || - table->Offset + table->CompLength > woff.length || - sfnt_offset + table->OrigLength > woff.totalSfntSize || + table->CompLength > woff.length || + table->Offset > woff.length - table->CompLength || + table->OrigLength > woff.totalSfntSize || + sfnt_offset > woff.totalSfntSize - table->OrigLength || table->CompLength > table->OrigLength ) { error = FT_THROW( Invalid_Table ); -- cgit v0.9.0.2 ++++++ CVE-2014-9669.patch ++++++ >From 602040b1112c9f94d68e200be59ea7ac3d104565 Mon Sep 17 00:00:00 2001 From: Werner Lemberg <[email protected]> Date: Wed, 12 Nov 2014 19:51:20 +0000 Subject: [sfnt] Fix Savannah bug #43588. * src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate, tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect against overflow in additions and multiplications. --- diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c index f9acf5d..712bd4f 100644 --- a/src/sfnt/ttcmap.c +++ b/src/sfnt/ttcmap.c @@ -1669,7 +1669,8 @@ p = is32 + 8192; /* skip `is32' array */ num_groups = TT_NEXT_ULONG( p ); - if ( p + num_groups * 12 > valid->limit ) + /* p + num_groups * 12 > valid->limit ? */ + if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 ) FT_INVALID_TOO_SHORT; /* check groups, they must be in increasing order */ 
@@ -1694,7 +1695,12 @@ if ( valid->level >= FT_VALIDATE_TIGHT ) { - if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ) + FT_UInt32 d = end - start; + + + /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */ + if ( d > TT_VALID_GLYPH_COUNT( valid ) || + start_id >= TT_VALID_GLYPH_COUNT( valid ) - d ) FT_INVALID_GLYPH_ID; count = (FT_UInt32)( end - start + 1 ); @@ -1892,7 +1898,9 @@ count = TT_NEXT_ULONG( p ); if ( length > (FT_ULong)( valid->limit - table ) || - length < 20 + count * 2 ) + /* length < 20 + count * 2 ? */ + length < 20 || + ( length - 20 ) / 2 < count ) FT_INVALID_TOO_SHORT; /* check glyph indices */ @@ -2079,7 +2087,9 @@ num_groups = TT_NEXT_ULONG( p ); if ( length > (FT_ULong)( valid->limit - table ) || - length < 16 + 12 * num_groups ) + /* length < 16 + 12 * num_groups ? */ + length < 16 || + ( length - 16 ) / 12 < num_groups ) FT_INVALID_TOO_SHORT; /* check groups, they must be in increasing order */ @@ -2101,7 +2111,12 @@ if ( valid->level >= FT_VALIDATE_TIGHT ) { - if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ) + FT_UInt32 d = end - start; + + + /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */ + if ( d > TT_VALID_GLYPH_COUNT( valid ) || + start_id >= TT_VALID_GLYPH_COUNT( valid ) - d ) FT_INVALID_GLYPH_ID; } @@ -2401,7 +2416,9 @@ num_groups = TT_NEXT_ULONG( p ); if ( length > (FT_ULong)( valid->limit - table ) || - length < 16 + 12 * num_groups ) + /* length < 16 + 12 * num_groups ? */ + length < 16 || + ( length - 16 ) / 12 < num_groups ) FT_INVALID_TOO_SHORT; /* check groups, they must be in increasing order */ @@ -2787,7 +2804,9 @@ num_selectors = TT_NEXT_ULONG( p ); if ( length > (FT_ULong)( valid->limit - table ) || - length < 10 + 11 * num_selectors ) + /* length < 10 + 11 * num_selectors ? */ + length < 10 || + ( length - 10 ) / 11 < num_selectors ) FT_INVALID_TOO_SHORT; /* check selectors, they must be in increasing order */ 
@@ -2823,7 +2842,8 @@ FT_ULong lastBase = 0; - if ( defp + numRanges * 4 > valid->limit ) + /* defp + numRanges * 4 > valid->limit ? */ + if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 ) FT_INVALID_TOO_SHORT; for ( i = 0; i < numRanges; ++i ) @@ -2850,7 +2870,8 @@ FT_ULong i, lastUni = 0; - if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ) + /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */ + if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 ) FT_INVALID_TOO_SHORT; for ( i = 0; i < numMappings; ++i ) -- cgit v0.9.0.2 ++++++ CVE-2014-9670.patch ++++++ >From ef1eba75187adfac750f326b563fe543dd5ff4e6 Mon Sep 17 00:00:00 2001 From: Werner Lemberg <[email protected]> Date: Thu, 06 Nov 2014 22:25:05 +0000 Subject: Fix Savannah bug #43548. * src/pcf/pcfread (pcf_get_encodings): Add sanity checks for row and column values. --- diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c index 8db31bd..668c962 100644 --- a/src/pcf/pcfread.c +++ b/src/pcf/pcfread.c @@ -830,6 +830,15 @@ THE SOFTWARE. if ( !PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) ) return FT_THROW( Invalid_File_Format ); + /* sanity checks */ + if ( firstCol < 0 || + firstCol > lastCol || + lastCol > 0xFF || + firstRow < 0 || + firstRow > lastRow || + lastRow > 0xFF ) + return FT_THROW( Invalid_Table ); + FT_TRACE4(( "pdf_get_encodings:\n" )); FT_TRACE4(( " firstCol %d, lastCol %d, firstRow %d, lastRow %d\n", -- cgit v0.9.0.2 ++++++ CVE-2014-9671.patch ++++++ >From 0e2f5d518c60e2978f26400d110eff178fa7e3c3 Mon Sep 17 00:00:00 2001 From: Werner Lemberg <[email protected]> Date: Thu, 06 Nov 2014 21:32:46 +0000 Subject: Fix Savannah bug #43547. * src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset' values. --- diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c index f63377b..8db31bd 100644 --- a/src/pcf/pcfread.c +++ b/src/pcf/pcfread.c 
@@ -154,6 +154,21 @@ THE SOFTWARE. break; } + /* we now check whether the `size' and `offset' values are reasonable: */ + /* `offset' + `size' must not exceed the stream size */ + tables = face->toc.tables; + for ( n = 0; n < toc->count; n++ ) + { + /* we need two checks to avoid overflow */ + if ( ( tables->size > stream->size ) || + ( tables->offset > stream->size - tables->size ) ) + { + error = FT_THROW( Invalid_Table ); + goto Exit; + } + tables++; + } + #ifdef FT_DEBUG_LEVEL_TRACE { -- cgit v0.9.0.2 ++++++ CVE-2014-9672.patch ++++++ >From 18a8f0d9943369449bc4de92d411c78fb08d616c Mon Sep 17 00:00:00 2001 From: suzuki toshiya <[email protected]> Date: Wed, 26 Nov 2014 07:11:38 +0000 Subject: Fix Savannah bug #43540. * src/base/ftmac.c (parse_fond): Prevent a buffer overrun caused by a font including too many (> 63) strings to store names[] table. --- diff --git a/src/base/ftmac.c b/src/base/ftmac.c index 9b49da8..184a2e1 100644 --- a/src/base/ftmac.c +++ b/src/base/ftmac.c @@ -440,9 +440,10 @@ style = (StyleTable*)p; p += sizeof ( StyleTable ); string_count = EndianS16_BtoN( *(short*)(p) ); + string_count = FT_MIN( 64, string_count ); p += sizeof ( short ); - for ( i = 0; i < string_count && i < 64; i++ ) + for ( i = 0; i < string_count; i++ ) { names[i] = p; p += names[i][0]; @@ -459,7 +460,7 @@ ps_name[ps_name_len] = 0; } if ( style->indexes[face_index] > 1 && - style->indexes[face_index] <= FT_MIN( string_count, 64 ) ) + style->indexes[face_index] <= string_count ) { unsigned char* suffixes = names[style->indexes[face_index] - 1]; -- cgit v0.9.0.2 ++++++ CVE-2014-9673.patch ++++++ >From 35252ae9aa1dd9343e9f4884e9ddb1fee10ef415 Mon Sep 17 00:00:00 2001 
From: suzuki toshiya <[email protected]> Date: Wed, 26 Nov 2014 06:52:23 +0000 Subject: Fix Savannah bug #43539. * src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow by a broken POST table in resource-fork. --- Index: freetype-2.5.3/src/base/ftobjs.c =================================================================== --- freetype-2.5.3.orig/src/base/ftobjs.c +++ freetype-2.5.3/src/base/ftobjs.c @@ -1627,6 +1627,11 @@ goto Exit2; if ( FT_READ_LONG( rlen ) ) goto Exit; + if ( rlen < 0 ) + { + error = FT_THROW( Invalid_Offset ); + goto Exit2; + } if ( FT_READ_USHORT( flags ) ) goto Exit; FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", @@ -1644,7 +1649,14 @@ rlen = 0; if ( ( flags >> 8 ) == type ) + { + if ( 0x7FFFFFFFL - rlen < len ) + { + error = FT_THROW( Array_Too_Large ); + goto Exit2; + } len += rlen; + } else { if ( pfb_lenpos + 3 > pfb_len + 2 ) @@ -1673,6 +1685,11 @@ } error = FT_ERR( Cannot_Open_Resource ); + if ( rlen > 0x7FFFFFFFL - pfb_pos ) + { + error = FT_THROW( Array_Too_Large ); + goto Exit2; + } if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len ) goto Exit2; ++++++ CVE-2014-9674.patch ++++++ >From 240c94a185cd8dae7d03059abec8a5662c35ecd3 Mon Sep 17 00:00:00 2001 From: suzuki toshiya <[email protected]> Date: Wed, 26 Nov 2014 06:43:29 +0000 Subject: Fix Savannah bug #43538. * src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow by a broken POST table in resource-fork. --- Index: freetype-2.5.3/src/base/ftobjs.c =================================================================== --- freetype-2.5.3.orig/src/base/ftobjs.c +++ freetype-2.5.3/src/base/ftobjs.c @@ -1583,9 +1583,9 @@ FT_Memory memory = library->memory; FT_Byte* pfb_data = NULL; int i, type, flags; - FT_Long len; - FT_Long pfb_len, pfb_pos, pfb_lenpos; - FT_Long rlen, temp; + FT_ULong len; + FT_ULong pfb_len, pfb_pos, pfb_lenpos; + FT_ULong rlen, temp; if ( face_index == -1 ) 
@@ -1601,11 +1601,34 @@ error = FT_Stream_Seek( stream, offsets[i] ); if ( error ) goto Exit; - if ( FT_READ_LONG( temp ) ) + if ( FT_READ_ULONG( temp ) ) goto Exit; + + /* FT2 allocator takes signed long buffer length, + * too large value causing overflow should be checked + */ + FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", + i, temp)); + if ( 0x7FFFFFFFUL < temp || pfb_len + temp + 6 < pfb_len ) + { + FT_TRACE2(( " too long fragment length makes" + " pfb_len confused: temp=0x%08x\n", temp )); + error = FT_THROW( Invalid_Offset ); + goto Exit; + } + pfb_len += temp + 6; } + FT_TRACE2(( " total buffer size to concatenate %d" + " POST fragments: 0x%08x\n", + resource_cnt, pfb_len + 2)); + if ( pfb_len + 2 < 6 ) { + FT_TRACE2(( " too long fragment length makes" + " pfb_len confused: pfb_len=0x%08x\n", pfb_len )); + error = FT_THROW( Array_Too_Large ); + goto Exit; + } if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) ) goto Exit; @@ -1625,21 +1648,30 @@ error = FT_Stream_Seek( stream, offsets[i] ); if ( error ) goto Exit2; - if ( FT_READ_LONG( rlen ) ) + if ( FT_READ_ULONG( rlen ) ) goto Exit; - if ( rlen < 0 ) + + /* FT2 allocator takes signed long buffer length, + * too large fragment length causing overflow should be checked + */ + if ( 0x7FFFFFFFUL < rlen ) { error = FT_THROW( Invalid_Offset ); goto Exit2; } + if ( FT_READ_USHORT( flags ) ) goto Exit; FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", i, offsets[i], rlen, flags )); + error = FT_ERR( Array_Too_Large ); /* postpone the check of rlen longer than buffer until FT_Stream_Read() */ if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */ + { + FT_TRACE3(( " Skip POST fragment #%d because it is a comment\n", i )); continue; + } /* the flags are part of the resource, so rlen >= 2. */ /* but some fonts declare rlen = 0 for empty fragment */ 
@@ -1649,16 +1681,11 @@ rlen = 0; if ( ( flags >> 8 ) == type ) - { - if ( 0x7FFFFFFFL - rlen < len ) - { - error = FT_THROW( Array_Too_Large ); - goto Exit2; - } len += rlen; - } else { + FT_TRACE3(( " Write POST fragment #%d header (4-byte) to buffer" + " 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos )); if ( pfb_lenpos + 3 > pfb_len + 2 ) goto Exit2; pfb_data[pfb_lenpos ] = (FT_Byte)( len ); @@ -1669,6 +1696,8 @@ if ( ( flags >> 8 ) == 5 ) /* End of font mark */ break; + FT_TRACE3(( " Write POST fragment #%d header (6-byte) to buffer" + " 0x%p + 0x%08x\n", i, pfb_data, pfb_pos )); if ( pfb_pos + 6 > pfb_len + 2 ) goto Exit2; pfb_data[pfb_pos++] = 0x80; @@ -1684,21 +1713,18 @@ pfb_data[pfb_pos++] = 0; } - error = FT_ERR( Cannot_Open_Resource ); - if ( rlen > 0x7FFFFFFFL - pfb_pos ) - { - error = FT_THROW( Array_Too_Large ); - goto Exit2; - } if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len ) goto Exit2; + FT_TRACE3(( " Load POST fragment #%d (%d byte) to buffer" + " 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos )); error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen ); if ( error ) goto Exit2; pfb_pos += rlen; } + error = FT_ERR( Array_Too_Large ); if ( pfb_pos + 2 > pfb_len + 2 ) goto Exit2; pfb_data[pfb_pos++] = 0x80; @@ -1719,6 +1745,13 @@ aface ); Exit2: + if ( error == FT_ERR( Array_Too_Large ) ) + FT_TRACE2(( " Abort due to too-short buffer to store" + " all POST fragments\n" )); + else if ( error == FT_ERR( Invalid_Offset ) ) + FT_TRACE2(( " Abort due to invalid offset in a POST fragment\n" )); + if ( error ) + error = FT_ERR( Cannot_Open_Resource ); FT_FREE( pfb_data ); Exit: ++++++ CVE-2014-9675.patch ++++++ >From 2c4832d30939b45c05757f0a05128ce64c4cacc7 Mon Sep 17 00:00:00 2001 
From: Werner Lemberg <[email protected]> Date: Fri, 07 Nov 2014 06:42:33 +0000 Subject: Fix Savannah bug #43535. * src/bdf/bdflib.c (_bdf_strncmp): New macro that checks one character more than `strncmp'. s/ft_strncmp/_bdf_strncmp/ everywhere. --- Index: freetype-2.5.3/src/bdf/bdflib.c =================================================================== --- freetype-2.5.3.orig/src/bdf/bdflib.c +++ freetype-2.5.3/src/bdf/bdflib.c @@ -169,6 +169,18 @@ sizeof ( _bdf_properties[0] ); + /* An auxiliary macro to parse properties, to be used in conditionals. */ + /* It behaves like `strncmp' but also tests the following character */ + /* whether it is a whitespace or NULL. */ + /* `property' is a constant string of length `n' to compare with. */ +#define _bdf_strncmp( name, property, n ) \ + ( ft_strncmp( name, property, n ) || \ + !( name[n] == ' ' || \ + name[n] == '\0' || \ + name[n] == '\n' || \ + name[n] == '\r' || \ + name[n] == '\t' ) ) + /* Auto correction messages. */ #define ACMSG1 "FONT_ASCENT property missing. " \ "Added `FONT_ASCENT %hd'.\n" @@ -1408,7 +1420,7 @@ /* If the property happens to be a comment, then it doesn't need */ /* to be added to the internal hash table. */ - if ( ft_strncmp( name, "COMMENT", 7 ) != 0 ) + if ( _bdf_strncmp( name, "COMMENT", 7 ) != 0 ) { /* Add the property to the font property table. */ error = hash_insert( fp->name, 
@@ -1426,13 +1438,13 @@ /* FONT_ASCENT and FONT_DESCENT need to be assigned if they are */ /* present, and the SPACING property should override the default */ /* spacing. */ - if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 ) + if ( _bdf_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 ) font->default_char = fp->value.l; - else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 ) + else if ( _bdf_strncmp( name, "FONT_ASCENT", 11 ) == 0 ) font->font_ascent = fp->value.l; - else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 ) + else if ( _bdf_strncmp( name, "FONT_DESCENT", 12 ) == 0 ) font->font_descent = fp->value.l; - else if ( ft_strncmp( name, "SPACING", 7 ) == 0 ) + else if ( _bdf_strncmp( name, "SPACING", 7 ) == 0 ) { if ( !fp->value.atom ) { @@ -1490,7 +1502,7 @@ memory = font->memory; /* Check for a comment. */ - if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) + if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 ) { linelen -= 7; @@ -1507,7 +1519,7 @@ /* The very first thing expected is the number of glyphs. */ if ( !( p->flags & _BDF_GLYPHS ) ) { - if ( ft_strncmp( line, "CHARS", 5 ) != 0 ) + if ( _bdf_strncmp( line, "CHARS", 5 ) != 0 ) { FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" )); error = FT_THROW( Missing_Chars_Field ); @@ -1541,7 +1553,7 @@ } /* Check for the ENDFONT field. */ - if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 ) + if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 ) { if ( p->flags & _BDF_GLYPH_BITS ) { @@ -1563,7 +1575,7 @@ } /* Check for the ENDCHAR field. */ - if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 ) + if ( _bdf_strncmp( line, "ENDCHAR", 7 ) == 0 ) { p->glyph_enc = 0; p->flags &= ~_BDF_GLYPH_BITS; @@ -1579,7 +1591,7 @@ goto Exit; /* Check for the STARTCHAR field. */ - if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 ) + if ( _bdf_strncmp( line, "STARTCHAR", 9 ) == 0 ) { /* Set the character name in the parse info first until the */ /* encoding can be checked for an unencoded character. */ 
@@ -1613,7 +1625,7 @@ } /* Check for the ENCODING field. */ - if ( ft_strncmp( line, "ENCODING", 8 ) == 0 ) + if ( _bdf_strncmp( line, "ENCODING", 8 ) == 0 ) { if ( !( p->flags & _BDF_GLYPH ) ) { @@ -1799,7 +1811,7 @@ } /* Expect the SWIDTH (scalable width) field next. */ - if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 ) + if ( _bdf_strncmp( line, "SWIDTH", 6 ) == 0 ) { if ( !( p->flags & _BDF_ENCODING ) ) goto Missing_Encoding; @@ -1815,7 +1827,7 @@ } /* Expect the DWIDTH (scalable width) field next. */ - if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 ) + if ( _bdf_strncmp( line, "DWIDTH", 6 ) == 0 ) { if ( !( p->flags & _BDF_ENCODING ) ) goto Missing_Encoding; @@ -1843,7 +1855,7 @@ } /* Expect the BBX field next. */ - if ( ft_strncmp( line, "BBX", 3 ) == 0 ) + if ( _bdf_strncmp( line, "BBX", 3 ) == 0 ) { if ( !( p->flags & _BDF_ENCODING ) ) goto Missing_Encoding; @@ -1911,7 +1923,7 @@ } /* And finally, gather up the bitmap. */ - if ( ft_strncmp( line, "BITMAP", 6 ) == 0 ) + if ( _bdf_strncmp( line, "BITMAP", 6 ) == 0 ) { unsigned long bitmap_size; @@ -1986,7 +1998,7 @@ p = (_bdf_parse_t *) client_data; /* Check for the end of the properties. */ - if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 ) + if ( _bdf_strncmp( line, "ENDPROPERTIES", 13 ) == 0 ) { /* If the FONT_ASCENT or FONT_DESCENT properties have not been */ /* encountered yet, then make sure they are added as properties and */ @@ -2027,12 +2039,12 @@ } /* Ignore the _XFREE86_GLYPH_RANGES properties. */ - if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 ) + if ( _bdf_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 ) goto Exit; /* Handle COMMENT fields and properties in a special way to preserve */ /* the spacing. */ - if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) + if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 ) { name = value = line; value += 7; 
@@ -2096,7 +2108,7 @@ /* Check for a comment. This is done to handle those fonts that have */ /* comments before the STARTFONT line for some reason. */ - if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) + if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 ) { if ( p->opts->keep_comments != 0 && p->font != 0 ) { @@ -2122,7 +2134,7 @@ { memory = p->memory; - if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 ) + if ( _bdf_strncmp( line, "STARTFONT", 9 ) != 0 ) { /* we don't emit an error message since this code gets */ /* explicitly caught one level higher */ @@ -2170,7 +2182,7 @@ } /* Check for the start of the properties. */ - if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 ) + if ( _bdf_strncmp( line, "STARTPROPERTIES", 15 ) == 0 ) { if ( !( p->flags & _BDF_FONT_BBX ) ) { @@ -2199,7 +2211,7 @@ } /* Check for the FONTBOUNDINGBOX field. */ - if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 ) + if ( _bdf_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 ) { if ( !( p->flags & _BDF_SIZE ) ) { @@ -2230,7 +2242,7 @@ } /* The next thing to check for is the FONT field. */ - if ( ft_strncmp( line, "FONT", 4 ) == 0 ) + if ( _bdf_strncmp( line, "FONT", 4 ) == 0 ) { error = _bdf_list_split( &p->list, (char *)" +", line, linelen ); if ( error ) @@ -2265,7 +2277,7 @@ } /* Check for the SIZE field. */ - if ( ft_strncmp( line, "SIZE", 4 ) == 0 ) + if ( _bdf_strncmp( line, "SIZE", 4 ) == 0 ) { if ( !( p->flags & _BDF_FONT_NAME ) ) { 
@@ -2319,7 +2331,7 @@ } /* Check for the CHARS field -- font properties are optional */ - if ( ft_strncmp( line, "CHARS", 5 ) == 0 ) + if ( _bdf_strncmp( line, "CHARS", 5 ) == 0 ) { char nbuf[128]; ++++++ baselibs.conf ++++++ libfreetype6 obsoletes "freetype2-<targettype> < <version>" provides "freetype2-<targettype> = <version>" freetype2-devel requires -freetype2-<targettype> requires "libfreetype6-<targettype>" requires "zlib-devel-<targettype>" ++++++ bugzilla-308961-cmex-workaround.patch ++++++ --- src/base/ftobjs.c | 5 +++++ 1 file changed, 5 insertions(+) Index: freetype-2.4.11/src/base/ftobjs.c =================================================================== --- freetype-2.4.11.orig/src/base/ftobjs.c +++ freetype-2.4.11/src/base/ftobjs.c @@ -2187,10 +2187,15 @@ /* some checks */ if ( FT_IS_SCALABLE( face ) ) { + if ( face->family_name && strncmp(face->family_name, "CMEX", 4 ) == 0){ + face->underline_position = (FT_Short)( -face->units_per_EM / 10 ); + face->underline_thickness = (FT_Short)( face->units_per_EM / 30 ); + } + if ( face->height < 0 ) face->height = (FT_Short)-face->height; if ( !FT_HAS_VERTICAL( face ) ) face->max_advance_height = (FT_Short)face->height; ++++++ don-t-mark-libpng-as-required-library.patch ++++++ >From cef195062aa7f509a60b8765661ba4babd85b79c Mon Sep 17 00:00:00 2001 From: Hrvoje Senjan <[email protected]> Date: Sun, 9 Mar 2014 20:09:12 +0100 Subject: [PATCH 1/1] Don't mark libpng as required library It is private in .pc anyway --- diff --git a/builds/unix/configure b/builds/unix/configure index 4ae00dd..c3101e2 100755 --- a/builds/unix/configure +++ b/builds/unix/configure @@ -13692,7 +13692,6 @@ esac # entries in Requires.private are separated by commas; REQUIRES_PRIVATE="$zlib_reqpriv, \ $bzip2_reqpriv, \ - $libpng_reqpriv, \ $harfbuzz_reqpriv" # beautify REQUIRES_PRIVATE=`echo "$REQUIRES_PRIVATE" \ 
@@ -13718,7 +13717,6 @@ LIBS_PRIVATE=`echo "$LIBS_PRIVATE" \ LIBS_CONFIG="-lfreetype \ $ZLIB_LIBS \ $BZIP2_LIBS \ - $LIBPNG_LIBS \ $HARFBUZZ_LIBS \ $ft2_extra_libs" # remove -L/usr/lib and -L/usr/lib64 since `freetype-config' adds them later diff --git a/builds/unix/configure.raw b/builds/unix/configure.raw index dd7e576..bac2645 100644 --- a/builds/unix/configure.raw +++ b/builds/unix/configure.raw @@ -914,7 +914,6 @@ esac # entries in Requires.private are separated by commas; REQUIRES_PRIVATE="$zlib_reqpriv, \ $bzip2_reqpriv, \ - $libpng_reqpriv, \ $harfbuzz_reqpriv" # beautify REQUIRES_PRIVATE=`echo "$REQUIRES_PRIVATE" \ @@ -940,7 +939,6 @@ LIBS_PRIVATE=`echo "$LIBS_PRIVATE" \ LIBS_CONFIG="-lfreetype \ $ZLIB_LIBS \ $BZIP2_LIBS \ - $LIBPNG_LIBS \ $HARFBUZZ_LIBS \ $ft2_extra_libs" # remove -L/usr/lib and -L/usr/lib64 since `freetype-config' adds them later ++++++ freetype2-bitmap-foundry.patch ++++++ --- src/pcf/pcfread.c | 30 ++++++++++++++++++++++++++++-- 1 file changed, 28 insertions(+), 2 deletions(-) Index: freetype-2.4.11/src/pcf/pcfread.c =================================================================== --- freetype-2.4.11.orig/src/pcf/pcfread.c +++ freetype-2.4.11/src/pcf/pcfread.c 
@@ -1173,12 +1173,38 @@ THE SOFTWARE. goto Exit; prop = pcf_find_property( face, "FAMILY_NAME" ); if ( prop && prop->isString ) { - if ( FT_STRDUP( root->family_name, prop->value.atom ) ) - goto Exit; + int l = ft_strlen( prop->value.atom ) + 1; + int wide = 0; + PCF_Property foundry_prop = pcf_find_property( face, "FOUNDRY" ); + PCF_Property point_size_prop = pcf_find_property( face, "POINT_SIZE" ); + PCF_Property average_width_prop = pcf_find_property( face, "AVERAGE_WIDTH" ); + if ( point_size_prop != NULL && average_width_prop != NULL) { + if ( average_width_prop->value.l >= point_size_prop->value.l ) { + /* This font is at least square shaped or even wider */ + wide = 1; + l += ft_strlen( " Wide"); + } + } + if ( foundry_prop != NULL && foundry_prop->isString) { + l += ft_strlen( foundry_prop->value.atom ) + 1; + if ( FT_NEW_ARRAY( root->family_name, l ) ) + goto Exit; + ft_strcpy( root->family_name, foundry_prop->value.atom ); + strcat( root->family_name, " "); + strcat( root->family_name, prop->value.atom ); + } + else { + if ( FT_NEW_ARRAY( root->family_name, l ) ) + goto Exit; + ft_strcpy( root->family_name, prop->value.atom ); + } + if ( wide != 0) { + strcat( root->family_name, " Wide"); + } } else root->family_name = NULL; /* ++++++ freetype2-subpixel.patch ++++++ Index: freetype-2.4.11/include/config/ftoption.h =================================================================== --- freetype-2.4.11.orig/include/config/ftoption.h +++ freetype-2.4.11/include/config/ftoption.h @@ -92,7 +92,7 @@ FT_BEGIN_HEADER /* This is done to allow FreeType clients to run unmodified, forcing */ /* them to display normal gray-level anti-aliased glyphs. */ /* */ -/* #define FT_CONFIG_OPTION_SUBPIXEL_RENDERING */ +#define FT_CONFIG_OPTION_SUBPIXEL_RENDERING /*************************************************************************/ 
@@ -577,7 +577,7 @@ FT_BEGIN_HEADER /* This option requires TT_CONFIG_OPTION_BYTECODE_INTERPRETER to be */ /* defined. */ /* */ -/* #define TT_CONFIG_OPTION_SUBPIXEL_HINTING */ +#define TT_CONFIG_OPTION_SUBPIXEL_HINTING /*************************************************************************/ ++++++ overflow.patch ++++++ diff -Naur ft2demos-2.5.1/src/ttdebug.c ft2demos-2.5.1.new/src/ttdebug.c --- ft2demos-2.5.1/src/ttdebug.c 2013-11-05 12:31:57.452397772 +0100 +++ ft2demos-2.5.1.new/src/ttdebug.c 2013-12-08 23:40:31.756506259 +0100 @@ -1905,11 +1905,11 @@ FT_Library_Version( library, &major, &minor, &patch ); - offset = snprintf( version_string, 64 + 1, + offset = snprintf( version_string, sizeof(version_string), "ttdebug (FreeType) %d.%d", major, minor ); if ( patch ) - offset = snprintf( version_string + offset, 64 + 1 - offset, + offset = snprintf( version_string + offset, sizeof(version_string) - offset, ".%d", patch ); }
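Review bot: In the POST fragment hunk at `@@ -1649,16 +1681,11 @@`, `len += rlen` now runs without the removed `0x7FFFFFFFL - rlen < len` guard, and nothing visible in the hunk bounds the sum. If the limit is now enforced earlier, where `pfb_len` is computed, note that in a comment beside the addition; otherwise keep the guard. The added `FT_TRACE3` also prints the pointer as `0x%p`, which doubles the prefix on C libraries whose `%p` already emits `0x`.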
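Review bot: In the hunk at `@@ -1684,21 +1713,18 @@`, the surviving test `pfb_pos + rlen > pfb_len` adds the two values unguarded now that the `rlen > 0x7FFFFFFFL - pfb_pos` check is gone, and it sits directly before `FT_Stream_Read` copies `rlen` bytes to `pfb_data + pfb_pos`. Writing it as `rlen > pfb_len - pfb_pos`, after the `pfb_pos > pfb_len` test, gives the same bound without an addition that can overflow. Separately, the deleted `error = FT_ERR( Cannot_Open_Resource )` means the `goto Exit2` on that bounds test leaves with whatever `error` held; after a successful read on the previous iteration that is 0 unless it is set elsewhere, and the new `Exit2` code only rewrites a nonzero `error`. Set `error` explicitly before the test, as the hunk already does before the final `pfb_pos + 2 > pfb_len + 2` check.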
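Review bot: The `Exit2` block added at `@@ -1719,6 +1745,13 @@` rewrites every nonzero `error` to `Cannot_Open_Resource`, so a failure returned by `FT_Stream_Read` is reported the same way as a too-short buffer and is not traced at all. Add a trace branch for the remaining error values before the code is overwritten, and document in a comment that the collapse to a single error code is intentional.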
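Review bot: The `_bdf_strncmp` macro added at `@@ -169,6 +169,18 @@` expands `name[n]` five times with neither argument parenthesized, so a caller passing an expression such as `line + 1` gets the wrong element, and an argument with side effects is evaluated repeatedly. Use `(name)[(n)]` and state in the comment that the arguments must be side-effect free. The length is also hand-counted at every call site (`"COMMENT", 7`, `"_XFREE86_GLYPH_RANGES", 21`, and so on); since the comment already requires `property` to be a constant string, deriving the length with `sizeof ( property ) - 1` inside the macro would remove that source of mismatch. In the comment, "NULL" should read "NUL", since the test is against `'\0'`.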
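Review bot: In bugzilla-308961-cmex-workaround.patch, `strncmp(face->family_name, "CMEX", 4 ) == 0` is a prefix match, so any scalable face whose family name merely begins with "CMEX" has its `underline_position` and `underline_thickness` overwritten, whatever the font file supplied. If only specific fonts are meant, compare the full name or list them; if the prefix match is intended, say so in a comment, together with why `-units_per_EM / 10` and `units_per_EM / 30` were chosen. The patch has no description beyond the diffstat, and the added lines do not follow the spacing and brace style of the surrounding code.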
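Review bot: The commit message of don-t-mark-libpng-as-required-library.patch justifies only the `Requires.private` change ("It is private in .pc anyway"), but the hunks at `@@ -13718,7 +13717,6 @@` and `@@ -940,7 +939,6 @@` also drop `$LIBPNG_LIBS` from `LIBS_CONFIG`, which the following context comment ties to `freetype-config`. Either extend the commit message to cover that second change and its effect on consumers that take their link line from `freetype-config`, or split it into its own patch. Since `configure` and `configure.raw` are edited by hand in parallel, a note on how the two are kept in sync would help the next update.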
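Review bot: In freetype2-bitmap-foundry.patch, `point_size_prop->value.l` and `average_width_prop->value.l` are read without checking `isString`, although the same hunk checks `isString` before touching `value.atom` on `prop` and `foundry_prop`. Add `!point_size_prop->isString && !average_width_prop->isString` to the condition so a font that declares these properties as strings is not compared through the wrong member. The allocation size `l` is an `int` accumulated from `ft_strlen` results; the arithmetic matches the bytes later written by `ft_strcpy` and `strcat`, but an unsigned size type and a comment spelling out the layout (foundry, space, family, " Wide", terminator) would make that checkable at a glance. The raw `strcat` calls should use the same `ft_` wrappers as the neighbouring `ft_strcpy`, if the code base provides one.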
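Review bot: `TT_CONFIG_OPTION_SUBPIXEL_HINTING`, enabled at `@@ -577,7 +577,7 @@` of freetype2-subpixel.patch, is described by its own context lines as requiring `TT_CONFIG_OPTION_BYTECODE_INTERPRETER` to be defined, and nothing in this patch shows that define. Confirm it is set in the packaged `ftoption.h`, or add it here. The patch also has no description; the context at `@@ -92,7 +92,7 @@` explains why upstream ships `FT_CONFIG_OPTION_SUBPIXEL_RENDERING` commented out, so the reason for overriding that default belongs in the patch header.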
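Review bot: In overflow.patch, the second call uses `version_string + offset` and `sizeof(version_string) - offset` without checking the first `snprintf` result, which is the length that would have been written and can be negative on error or at least the buffer size on truncation. Guard it with `if ( patch && offset > 0 && (size_t)offset < sizeof(version_string) )`. `sizeof(version_string)` is only correct if `version_string` is declared as an array in this scope; the declaration is outside the hunk, so confirm it is not a pointer.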
