pkgsrc-Changes-HG archive


[pkgsrc/pkgsrc-2006Q1]: pkgsrc/graphics/freetype2 Pullup ticket 1686 - reques...



details:   https://anonhg.NetBSD.org/pkgsrc/rev/858587ad87f6
branches:  pkgsrc-2006Q1
changeset: 510317:858587ad87f6
user:      snj <snj%pkgsrc.org@localhost>
date:      Tue Jun 06 07:51:29 2006 +0000

description:
Pullup ticket 1686 - requested by salo
security fix for freetype2

Apply patch from salo, mirroring the recent xsrc fixes for CVE-2006-0747,
CVE-2006-1861, and CVE-2006-2661.

diffstat:

 graphics/freetype2/Makefile         |   4 +-
 graphics/freetype2/distinfo         |  13 +++++++-
 graphics/freetype2/patches/patch-ab |  22 ++++++++++++++
 graphics/freetype2/patches/patch-ac |  28 ++++++++++++++++++
 graphics/freetype2/patches/patch-ad |  48 +++++++++++++++++++++++++++++++
 graphics/freetype2/patches/patch-ae |  56 +++++++++++++++++++++++++++++++++++++
 graphics/freetype2/patches/patch-af |  36 +++++++++++++++++++++++
 graphics/freetype2/patches/patch-ag |  13 ++++++++
 graphics/freetype2/patches/patch-ah |  32 +++++++++++++++++++++
 graphics/freetype2/patches/patch-ai |  12 +++++++
 graphics/freetype2/patches/patch-aj |  13 ++++++++
 graphics/freetype2/patches/patch-ak |  15 +++++++++
 graphics/freetype2/patches/patch-al |  14 +++++++++
 13 files changed, 303 insertions(+), 3 deletions(-)

diffs (truncated from 369 to 300 lines):

diff -r 28b39cfcf6a0 -r 858587ad87f6 graphics/freetype2/Makefile
--- a/graphics/freetype2/Makefile       Mon Jun 05 12:06:55 2006 +0000
+++ b/graphics/freetype2/Makefile       Tue Jun 06 07:51:29 2006 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.51 2006/02/25 00:35:41 reed Exp $
+# $NetBSD: Makefile,v 1.51.2.1 2006/06/06 07:51:29 snj Exp $
 
 DISTNAME=      freetype-2.1.10
 PKGNAME=       freetype2-2.1.10
-PKGREVISION=   2
+PKGREVISION=   3
 CATEGORIES=    graphics
 MASTER_SITES=  ${MASTER_SITE_SOURCEFORGE:=freetype/} \
                ftp://ftp.freetype.org/freetype/freetype2/ \
diff -r 28b39cfcf6a0 -r 858587ad87f6 graphics/freetype2/distinfo
--- a/graphics/freetype2/distinfo       Mon Jun 05 12:06:55 2006 +0000
+++ b/graphics/freetype2/distinfo       Tue Jun 06 07:51:29 2006 +0000
@@ -1,6 +1,17 @@
-$NetBSD: distinfo,v 1.16 2006/02/25 00:35:41 reed Exp $
+$NetBSD: distinfo,v 1.16.2.1 2006/06/06 07:51:29 snj Exp $
 
 SHA1 (freetype-2.1.10.tar.bz2) = f9e5c52e466c3e41483d5d6d44b4f3135a9c4b16
 RMD160 (freetype-2.1.10.tar.bz2) = 3d31d548632f14784283c97ece64c7425efc3975
 Size (freetype-2.1.10.tar.bz2) = 1037107 bytes
 SHA1 (patch-aa) = 0f05ebbb7c1264dd58f01916560278cd4c3dce08
+SHA1 (patch-ab) = 405ec4f5e95f3acae343d735732575040c193fd5
+SHA1 (patch-ac) = b825e918b1b6bd299db178faca615a9d72dbe934
+SHA1 (patch-ad) = 5e3492d24b4b2a12dea60c36d625fe5d4877ba18
+SHA1 (patch-ae) = 56da93184890ff7320e3fd8dc97738b43de53658
+SHA1 (patch-af) = 461408c2f48682c4a8c42630b55e08a901b7d408
+SHA1 (patch-ag) = 6af93a9a46c0d8003b360c984bc4162b44c1bd69
+SHA1 (patch-ah) = 82afa08b90cf832e07448e39e29db063dcf90d43
+SHA1 (patch-ai) = 3465ebf6434f5fa2a363275af1880f551961684e
+SHA1 (patch-aj) = 22bbcc7607b94aafd8be32c17a3d21c82126e879
+SHA1 (patch-ak) = 9b732b78e265bb314d6d71676ff0af309c51ba99
+SHA1 (patch-al) = 51b057984c4a011d173beca53f5b8654db800d3c
diff -r 28b39cfcf6a0 -r 858587ad87f6 graphics/freetype2/patches/patch-ab
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/freetype2/patches/patch-ab       Tue Jun 06 07:51:29 2006 +0000
@@ -0,0 +1,22 @@
+$NetBSD: patch-ab,v 1.7.14.1 2006/06/06 07:51:29 snj Exp $
+
+--- include/freetype/fterrdef.h.orig   2004-02-12 09:33:20.000000000 +0100
++++ include/freetype/fterrdef.h        2006-06-05 23:13:46.000000000 +0200
+@@ -52,6 +52,8 @@
+                 "broken table" )
+   FT_ERRORDEF_( Invalid_Offset,                              0x09, \
+                 "broken offset within table" )
++  FT_ERRORDEF_( Array_Too_Large,                             0x0A, \
++                "array allocation size too large" )
+ 
+   /* glyph/character errors */
+ 
+@@ -226,6 +228,8 @@
+                 "`ENCODING' field missing" )
+   FT_ERRORDEF_( Missing_Bbx_Field,                           0xB6, \
+                 "`BBX' field missing" )
++  FT_ERRORDEF_( Bbx_Too_Big,                                 0xB7, \
++                "`BBX' too big" )
+ 
+ 
+ /* END */
diff -r 28b39cfcf6a0 -r 858587ad87f6 graphics/freetype2/patches/patch-ac
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/freetype2/patches/patch-ac       Tue Jun 06 07:51:29 2006 +0000
@@ -0,0 +1,28 @@
+$NetBSD: patch-ac,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/base/ftmac.c.orig      2004-08-28 10:02:46.000000000 +0200
++++ src/base/ftmac.c   2006-06-05 23:17:29.000000000 +0200
+@@ -430,6 +430,7 @@
+     short          res_id;
+     unsigned char  *buffer, *p, *size_p = NULL;
+     FT_ULong       total_size = 0;
++    FT_ULong     old_total_size = 0;
+     FT_ULong       post_size, pfb_chunk_size;
+     Handle         post_data;
+     char           code, last_code;
+@@ -462,6 +463,15 @@
+       last_code = code;
+     }
+ 
++    /* detect integer overflows */
++    if ( total_size < old_total_size )
++    {
++       error = FT_Err_Array_Too_Large;
++       goto Error;
++     }
++       
++    old_total_size = total_size;
++
+     if ( FT_ALLOC( buffer, (FT_Long)total_size ) )
+       goto Error;
+ 
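Review bot: The overflow check added ahead of `FT_ALLOC` appears to sit after the closing brace of the loop that accumulates `total_size`, so it runs once with `old_total_size` still 0, and an `FT_ULong` can never be less than 0. To catch a wrap, the comparison and `old_total_size = total_size;` need to be inside the loop, directly after `last_code = code;`, so every addition is compared with the previous sum. The loop header is outside the hunk, so this placement is inferred from the indentation of the `}` context line. Separately, the `(FT_Long)total_size` cast still turns a value above the signed range into a negative size, which relies on the allocator rejecting negative sizes.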
diff -r 28b39cfcf6a0 -r 858587ad87f6 graphics/freetype2/patches/patch-ad
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/freetype2/patches/patch-ad       Tue Jun 06 07:51:29 2006 +0000
@@ -0,0 +1,48 @@
+$NetBSD: patch-ad,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/base/ftutil.c.orig     2005-03-03 23:59:06.000000000 +0100
++++ src/base/ftutil.c  2006-06-05 23:18:40.000000000 +0200
+@@ -52,6 +52,8 @@
+             FT_Long    size,
+             void*     *P )
+   {
++    FT_Error  error = FT_Err_Ok;
++
+     FT_ASSERT( P != 0 );
+ 
+     if ( size > 0 )
+@@ -67,6 +69,11 @@
+       }
+       FT_MEM_ZERO( *P, size );
+     }
++    else if (size < 0)
++    {
++      /* may help catch/prevent nasty security issues */
++      error = FT_Err_Invalid_Argument;
++    }
+     else
+       *P = NULL;
+ 
+@@ -74,7 +81,7 @@
+     FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n",
+                 size, *P, P ));
+ 
+-    return FT_Err_Ok;
++    return error;
+   }
+ 
+ 
+@@ -127,8 +134,12 @@
+     if ( !*P )
+       return FT_Alloc( memory, size, P );
+ 
++    if (size < 0 || current < 0)
++    {
++      return FT_Err_Invalid_Argument;
++    }
++    else if ( size == 0 )
+     /* if the new block if zero-sized, clear the current one */
+-    if ( size <= 0 )
+     {
+       FT_Free( memory, P );
+       return FT_Err_Ok;
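Review bot: The new `size < 0` branch in the first function sets `error = FT_Err_Invalid_Argument` but never writes `*P`, so the output pointer keeps whatever the caller had there, and the `FT_TRACE7` call just below still reads `*P`. Adding `*P = NULL;` in that branch keeps a caller's cleanup path from freeing or using a stale value. In the realloc hunk the `current < 0` test comes after the `if ( !*P ) return FT_Alloc( ... )` shortcut, so a negative `current` is rejected only when a block already exists. The comment `/* if the new block if zero-sized, clear the current one */` now sits between `else if ( size == 0 )` and its `{`, and would read better above the `else if`. Both function bodies start outside the hunk.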
diff -r 28b39cfcf6a0 -r 858587ad87f6 graphics/freetype2/patches/patch-ae
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/freetype2/patches/patch-ae       Tue Jun 06 07:51:29 2006 +0000
@@ -0,0 +1,56 @@
+$NetBSD: patch-ae,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/bdf/bdflib.c.orig      2005-05-21 19:19:52.000000000 +0200
++++ src/bdf/bdflib.c   2006-06-05 23:22:50.000000000 +0200
+@@ -1092,7 +1092,7 @@
+ #define ERRMSG1  "[line %ld] Missing \"%s\" line.\n"
+ #define ERRMSG2  "[line %ld] Font header corrupted or missing fields.\n"
+ #define ERRMSG3  "[line %ld] Font glyphs corrupted or missing fields.\n"
+-
++#define ERRMSG4  "[line %ld] BBX too big.\n"
+ 
+   static FT_Error
+   _bdf_add_comment( bdf_font_t*    font,
+@@ -1561,6 +1561,14 @@
+ 
+       p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 );
+ 
++      /* Check that the encoding is in the range [0,65536] because        */
++      /* otherwise p->have (a bitmap with static size) overflows.         */
++      if ( p->glyph_enc >= sizeof(p->have)*8 )
++      {
++        error = BDF_Err_Invalid_File_Format;
++        goto Exit;
++      }
++
+       /* Check to see whether this encoding has already been encountered. */
+       /* If it has then change it to unencoded so it gets added if        */
+       /* indicated.                                                       */
+@@ -1805,6 +1813,9 @@
+     /* And finally, gather up the bitmap. */
+     if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
+     {
++      unsigned long bitmap_size;
++
++
+       if ( !( p->flags & _BDF_BBX ) )
+       {
+         /* Missing BBX field. */
+@@ -1815,7 +1826,16 @@
+ 
+       /* Allocate enough space for the bitmap. */
+       glyph->bpr   = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
+-      glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height );
++
++      bitmap_size = glyph->bpr * glyph->bbx.height;
++      if ( bitmap_size > 0xFFFFU )
++      {
++        FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
++        error = BDF_Err_Bbx_Too_Big;
++        goto Exit;
++      }
++      else
++        glyph->bytes = (unsigned short)bitmap_size;
+ 
+       if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) )
+         goto Exit;
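Review bot: The range check `p->glyph_enc >= sizeof(p->have)*8` compares what looks like a signed value (it is assigned from `_bdf_atol`) with a `size_t`, so a negative encoding is converted to a large unsigned number and rejected with `BDF_Err_Invalid_File_Format`. BDF uses `ENCODING -1` for unencoded glyphs, and the comment right after the check talks about changing glyphs to unencoded, so this probably refuses fonts that loaded before the patch. If the code past the hunk only indexes `p->have` for non-negative encodings, `if ( p->glyph_enc > 0 && (size_t)p->glyph_enc >= sizeof ( p->have ) * 8 )` keeps the bound and makes the conversion explicit. The bound also assumes the bitmap macros use every bit of each `p->have` element, which the hunk does not show. That is worth confirming, because a bound looser than the macros' indexing would leave the overflow reachable.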
diff -r 28b39cfcf6a0 -r 858587ad87f6 graphics/freetype2/patches/patch-af
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/freetype2/patches/patch-af       Tue Jun 06 07:51:29 2006 +0000
@@ -0,0 +1,36 @@
+$NetBSD: patch-af,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/cff/cffgload.c.orig    2005-04-18 06:53:05.000000000 +0200
++++ src/cff/cffgload.c 2006-06-05 23:23:48.000000000 +0200
+@@ -2284,7 +2284,7 @@
+   FT_LOCAL_DEF( FT_Error )
+   cff_slot_load( CFF_GlyphSlot  glyph,
+                  CFF_Size       size,
+-                 FT_Int         glyph_index,
++                 FT_UInt         glyph_index,
+                  FT_Int32       load_flags )
+   {
+     FT_Error      error;
+@@ -2330,7 +2330,7 @@
+ 
+         error = sfnt->load_sbit_image( face,
+                                        (FT_ULong)size->strike_index,
+-                                       (FT_UInt)glyph_index,
++                                       glyph_index,
+                                        (FT_Int)load_flags,
+                                        stream,
+                                        &glyph->root.bitmap,
+@@ -2393,7 +2393,13 @@
+       /* subsetted font, glyph_indices and CIDs are identical, though */
+       if ( cff->top_font.font_dict.cid_registry != 0xFFFFU &&
+            cff->charset.cids )
++      {
++        if ( glyph_index < cff->charset.max_cid )
+         glyph_index = cff->charset.cids[glyph_index];
++        else
++          glyph_index = 0;
++      }
++
+ 
+       cff_decoder_init( &decoder, face, size, glyph, hinting,
+                         FT_LOAD_TARGET_MODE( load_flags ) );
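Review bot: In the CID lookup block the line `glyph_index = cff->charset.cids[glyph_index];` kept its old indentation, so it lines up with the new `if` and `else` instead of sitting under them, and the bounds check is easy to misread as not covering the array access. Indenting it (or bracing both branches) and adding a comment such as `/* out-of-range CID: fall back to glyph 0 rather than read past cids[] */` would make the intent plain. The check is correct only if `max_cid` is the number of elements in `cids` rather than the largest valid index; that value is assigned in cffload.c and the allocation is not visible here. `cff_slot_load` continues outside the hunk.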
diff -r 28b39cfcf6a0 -r 858587ad87f6 graphics/freetype2/patches/patch-ag
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/freetype2/patches/patch-ag       Tue Jun 06 07:51:29 2006 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-ag,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/cff/cffgload.h.orig    2004-05-13 23:59:17.000000000 +0200
++++ src/cff/cffgload.h 2006-06-05 23:25:58.000000000 +0200
+@@ -196,7 +196,7 @@
+   FT_LOCAL( FT_Error )
+   cff_slot_load( CFF_GlyphSlot  glyph,
+                  CFF_Size       size,
+-                 FT_Int         glyph_index,
++                 FT_UInt         glyph_index,
+                  FT_Int32       load_flags );
+ 
+ 
diff -r 28b39cfcf6a0 -r 858587ad87f6 graphics/freetype2/patches/patch-ah
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/freetype2/patches/patch-ah       Tue Jun 06 07:51:29 2006 +0000
@@ -0,0 +1,32 @@
+$NetBSD: patch-ah,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/cff/cffload.c.orig     2005-05-06 07:49:46.000000000 +0200
++++ src/cff/cffload.c  2006-06-05 23:34:29.000000000 +0200
+@@ -1235,7 +1235,7 @@
+       }
+ 
+       /* access element */
+-      if ( off1 )
++      if ( off1 && off2 > off1 )
+       {
+         *pbyte_len = off2 - off1;
+ 
+@@ -1688,6 +1688,8 @@
+ 
+       for ( i = 0; i < num_glyphs; i++ )
+         charset->cids[charset->sids[i]] = (FT_UShort)i;
++
++      charset->max_cid = max_cid;
+     }
+ 
+   Exit:
+@@ -2042,6 +2044,9 @@
+         goto Exit;
+     }
+ 
++    /* ensure that 'num_blue_values' is even */
++    priv->num_blue_values &= ~1;
++
+     /* read the local subrs, if any */
+     if ( priv->local_subrs_offset )
+     {
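Review bot: The `off1 && off2 > off1` condition has no comment saying why the ordering matters. With `off2 <= off1` the subtraction `off2 - off1` would wrap (assuming the offsets are unsigned) and hand a huge `*pbyte_len` to the caller. A comment such as `/* offsets must be strictly increasing, else the length below wraps */` would record that. Nothing in the visible lines bounds `off2` against the end of the index data, so that check, if it exists, is outside the hunk. For `charset->max_cid = max_cid;`, a short comment on whether the field holds the element count or the highest index of `cids` would help, because cffgload.c tests `glyph_index < cff->charset.max_cid` against it.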
diff -r 28b39cfcf6a0 -r 858587ad87f6 graphics/freetype2/patches/patch-ai


