Control: tags 856971 + pending

Dear maintainer,

I've prepared an NMU for freetype (versioned as 2.6.3-3.1) and
uploaded it to DELAYED/5. Please feel free to tell me if I should
delay it longer or if I can reschedule it to upload earlier.

Regards,
Salvatore
diff -u freetype-2.6.3/debian/changelog freetype-2.6.3/debian/changelog
--- freetype-2.6.3/debian/changelog
+++ freetype-2.6.3/debian/changelog
@@ -1,3 +1,12 @@
+freetype (2.6.3-3.1) unstable; urgency=medium
+
+  * Non-maintainer upload.
+  * CVE-2016-10244: Heap-buffer-overflow
+    src/type1/t1load.c (parse_charstrings): Reject fonts that don't contain
+    glyph names. (Closes: #856971)
+
+ -- Salvatore Bonaccorso <car...@debian.org>  Thu, 30 Mar 2017 19:16:33 +0200
+
 freetype (2.6.3-3) unstable; urgency=medium
 
   * Install the now-available-upstream manpages for freetype-demos.
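Review bot: the changelog entry names CVE-2016-10244 and the changed function but not the upstream commit it backports; adding the hash from the patch file's own header (a660e3de422731b94d4a134d27555430cbb6fb39, "[type1] Fix heap buffer overflow.") makes the fix traceable from the changelog alone, e.g. "Backport upstream commit a660e3de." on the CVE line.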
diff -u freetype-2.6.3/debian/patches-freetype/series freetype-2.6.3/debian/patches-freetype/series
--- freetype-2.6.3/debian/patches-freetype/series
+++ freetype-2.6.3/debian/patches-freetype/series
@@ -5,0 +6 @@
+CVE-2016-10244-type1-Fix-heap-buffer-overflow.patch
only in patch2:
unchanged:
--- freetype-2.6.3.orig/debian/patches-freetype/CVE-2016-10244-type1-Fix-heap-buffer-overflow.patch
+++ freetype-2.6.3/debian/patches-freetype/CVE-2016-10244-type1-Fix-heap-buffer-overflow.patch
@@ -0,0 +1,33 @@
+From a660e3de422731b94d4a134d27555430cbb6fb39 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <w...@gnu.org>
+Date: Fri, 26 Aug 2016 00:23:27 +0200
+Subject: [PATCH] [type1] Fix heap buffer overflow.
+
+Reported as
+
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=36
+
+* src/type1/t1load.c (parse_charstrings): Reject fonts that don't
+contain glyph names.
+---
+
+diff --git a/src/type1/t1load.c b/src/type1/t1load.c
+index c981adcf..f8bf3132 100644
+--- a/src/type1/t1load.c
++++ b/src/type1/t1load.c
+@@ -1776,6 +1776,12 @@
+       }
+     }
+ 
++    if ( !n )
++    {
++      error = FT_THROW( Invalid_File_Format );
++      goto Fail;
++    }
++
+     loader->num_glyphs = n;
+ 
+     /* if /.notdef is found but does not occupy index 0, do our magic. */
+-- 
+2.11.0
+
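Review bot: the new `if ( !n )` guard only fires after the whole charstrings loop has run, so a font with zero glyph names is still parsed to completion before `FT_THROW( Invalid_File_Format )` rejects it; that is correct for the reported overflow but worth a DEP-3 `Origin:` line (upstream commit a660e3de, the git `From:`/`Date:`/`Subject:` headers alone do not say where Debian took it from) and a `Bug-Debian: https://bugs.debian.org/856971` line at the top of the patch file, matching the `Closes: #856971` in the changelog.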
