[pkgsrc/trunk]: pkgsrc/graphics/freetype2 Add two patches to work around issu...
details: https://anonhg.NetBSD.org/pkgsrc/rev/83e08e8b466c
branches: trunk
changeset: 517776:83e08e8b466c
user: joerg <joerg%pkgsrc.org@localhost>
date: Tue Aug 22 18:43:50 2006 +0000
description:
Add two patches to work around issues from CVE-2006-3467. Patches are
directly from FreeType CVS. Bump revision.
diffstat:
graphics/freetype2/Makefile | 4 +-
graphics/freetype2/distinfo | 4 +-
graphics/freetype2/patches/patch-aa | 457 ++++++++++++++++++++++++++++++++++++
graphics/freetype2/patches/patch-ab | 52 ++++
4 files changed, 514 insertions(+), 3 deletions(-)
diffs (truncated from 542 to 300 lines):
diff -r 9f1511d6c526 -r 83e08e8b466c graphics/freetype2/Makefile
--- a/graphics/freetype2/Makefile Tue Aug 22 18:25:55 2006 +0000
+++ b/graphics/freetype2/Makefile Tue Aug 22 18:43:50 2006 +0000
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.53 2006/07/23 14:37:08 minskim Exp $
+# $NetBSD: Makefile,v 1.54 2006/08/22 18:43:50 joerg Exp $
DISTNAME= freetype-2.2.1
-PKGREVISION= 1
+PKGREVISION= 2
PKGNAME= ${DISTNAME:S/-/2-/}
CATEGORIES= graphics
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=freetype/} \
diff -r 9f1511d6c526 -r 83e08e8b466c graphics/freetype2/distinfo
--- a/graphics/freetype2/distinfo Tue Aug 22 18:25:55 2006 +0000
+++ b/graphics/freetype2/distinfo Tue Aug 22 18:43:50 2006 +0000
@@ -1,5 +1,7 @@
-$NetBSD: distinfo,v 1.18 2006/05/31 10:24:54 tron Exp $
+$NetBSD: distinfo,v 1.19 2006/08/22 18:43:50 joerg Exp $
SHA1 (freetype-2.2.1.tar.bz2) = 4aa7d5ce2198fad586cf09ef7c9d3a6277320167
RMD160 (freetype-2.2.1.tar.bz2) = 1c7eb4a43501c8fd5e89d0399e184847351ee160
Size (freetype-2.2.1.tar.bz2) = 1212258 bytes
+SHA1 (patch-aa) = 58c8295d1b67be20a37b75d4786b25ca38779bf9
+SHA1 (patch-ab) = 4f96f0b6dc90d90e9db38e9eb0e363f183b43e99
diff -r 9f1511d6c526 -r 83e08e8b466c graphics/freetype2/patches/patch-aa
--- /dev/null Thu Jan 01 00:00:00 1970 +0000
+++ b/graphics/freetype2/patches/patch-aa Tue Aug 22 18:43:50 2006 +0000
@@ -0,0 +1,457 @@
+$NetBSD: patch-aa,v 1.7 2006/08/22 18:43:50 joerg Exp $
+
+--- src/pcf/pcfread.c.orig 2006-01-23 17:35:18.000000000 +0100
++++ src/pcf/pcfread.c
+@@ -102,7 +102,8 @@ THE SOFTWARE.
+ return PCF_Err_Cannot_Open_Resource;
+
+ if ( toc->version != PCF_FILE_VERSION ||
+- toc->count > FT_ARRAY_MAX( face->toc.tables ) )
++ toc->count > FT_ARRAY_MAX( face->toc.tables ) ||
++ toc->count == 0 )
+ return PCF_Err_Invalid_File_Format;
+
+ if ( FT_NEW_ARRAY( face->toc.tables, toc->count ) )
+@@ -116,6 +117,41 @@ THE SOFTWARE.
+ tables++;
+ }
+
++ /* Sort tables and check for overlaps. Because they are almost */
++ /* always ordered already, an in-place bubble sort with simultaneous */
++ /* boundary checking seems appropriate. */
++ tables = face->toc.tables;
++
++ for ( n = 0; n < toc->count - 1; n++ )
++ {
++ FT_UInt i, have_change;
++
++
++ have_change = 0;
++
++ for ( i = 0; i < toc->count - 1 - n; i++ )
++ {
++ PCF_TableRec tmp;
++
++
++ if ( tables[i].offset > tables[i + 1].offset )
++ {
++ tmp = tables[i];
++ tables[i] = tables[i + 1];
++ tables[i + 1] = tmp;
++
++ have_change = 1;
++ }
++
++ if ( ( tables[i].size > tables[i + 1].offset ) ||
++ ( tables[i].offset > tables[i + 1].offset - tables[i].size ) )
++ return PCF_Err_Invalid_Offset;
++ }
++
++ if ( !have_change )
++ break;
++ }
++
+ #if defined( FT_DEBUG_LEVEL_TRACE )
+
+ {
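Review bot: The new overlap check exits with a bare `return PCF_Err_Invalid_Offset;` after `face->toc.tables` has already been allocated by the `FT_NEW_ARRAY` call shown in the previous hunk. Whether that array is released on this path depends on cleanup code outside the visible lines. If the function has a common failure exit that frees the table array, the check should set `error` and jump there instead of returning directly. If the array is deliberately left for face teardown, a short comment beside the return saying so would spare the next reader the same question. The enclosing function starts and ends outside this hunk.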
+@@ -130,7 +166,8 @@ THE SOFTWARE.
+ tables = face->toc.tables;
+ for ( i = 0; i < toc->count; i++ )
+ {
+- for( j = 0; j < sizeof ( tableNames ) / sizeof ( tableNames[0] ); j++ )
++ for ( j = 0; j < sizeof ( tableNames ) / sizeof ( tableNames[0] );
++ j++ )
+ if ( tables[i].type == (FT_UInt)( 1 << j ) )
+ name = tableNames[j];
+
+@@ -153,13 +190,15 @@ THE SOFTWARE.
+ }
+
+
++#define PCF_METRIC_SIZE 12
++
+ static
+ const FT_Frame_Field pcf_metric_header[] =
+ {
+ #undef FT_STRUCTURE
+ #define FT_STRUCTURE PCF_MetricRec
+
+- FT_FRAME_START( 12 ),
++ FT_FRAME_START( PCF_METRIC_SIZE ),
+ FT_FRAME_SHORT_LE( leftSideBearing ),
+ FT_FRAME_SHORT_LE( rightSideBearing ),
+ FT_FRAME_SHORT_LE( characterWidth ),
+@@ -176,7 +215,7 @@ THE SOFTWARE.
+ #undef FT_STRUCTURE
+ #define FT_STRUCTURE PCF_MetricRec
+
+- FT_FRAME_START( 12 ),
++ FT_FRAME_START( PCF_METRIC_SIZE ),
+ FT_FRAME_SHORT( leftSideBearing ),
+ FT_FRAME_SHORT( rightSideBearing ),
+ FT_FRAME_SHORT( characterWidth ),
+@@ -187,13 +226,15 @@ THE SOFTWARE.
+ };
+
+
++#define PCF_COMPRESSED_METRIC_SIZE 5
++
+ static
+ const FT_Frame_Field pcf_compressed_metric_header[] =
+ {
+ #undef FT_STRUCTURE
+ #define FT_STRUCTURE PCF_Compressed_MetricRec
+
+- FT_FRAME_START( 5 ),
++ FT_FRAME_START( PCF_COMPRESSED_METRIC_SIZE ),
+ FT_FRAME_BYTE( leftSideBearing ),
+ FT_FRAME_BYTE( rightSideBearing ),
+ FT_FRAME_BYTE( characterWidth ),
+@@ -221,7 +262,7 @@ THE SOFTWARE.
+ ? pcf_metric_msb_header
+ : pcf_metric_header;
+
+- /* the following sets 'error' but doesn't return in case of failure */
++ /* the following sets `error' but doesn't return in case of failure */
+ (void)FT_STREAM_READ_FIELDS( fields, metric );
+ }
+ else
+@@ -261,17 +302,19 @@ THE SOFTWARE.
+ for ( i = 0; i < ntables; i++ )
+ if ( tables[i].type == type )
+ {
+- if ( stream->pos > tables[i].offset ) {
++ if ( stream->pos > tables[i].offset )
++ {
+ error = PCF_Err_Invalid_Stream_Skip;
+ goto Fail;
+ }
+
+- if ( FT_STREAM_SKIP( tables[i].offset - stream->pos ) ) {
++ if ( FT_STREAM_SKIP( tables[i].offset - stream->pos ) )
++ {
+ error = PCF_Err_Invalid_Stream_Skip;
+ goto Fail;
+ }
+
+- *asize = tables[i].size; /* unused - to be removed */
++ *asize = tables[i].size;
+ *aformat = tables[i].format;
+
+ return PCF_Err_Ok;
+@@ -298,13 +341,15 @@ THE SOFTWARE.
+ }
+
+
++#define PCF_PROPERTY_SIZE 9
++
+ static
+ const FT_Frame_Field pcf_property_header[] =
+ {
+ #undef FT_STRUCTURE
+ #define FT_STRUCTURE PCF_ParsePropertyRec
+
+- FT_FRAME_START( 9 ),
++ FT_FRAME_START( PCF_PROPERTY_SIZE ),
+ FT_FRAME_LONG_LE( name ),
+ FT_FRAME_BYTE ( isString ),
+ FT_FRAME_LONG_LE( value ),
+@@ -318,7 +363,7 @@ THE SOFTWARE.
+ #undef FT_STRUCTURE
+ #define FT_STRUCTURE PCF_ParsePropertyRec
+
+- FT_FRAME_START( 9 ),
++ FT_FRAME_START( PCF_PROPERTY_SIZE ),
+ FT_FRAME_LONG( name ),
+ FT_FRAME_BYTE( isString ),
+ FT_FRAME_LONG( value ),
+@@ -353,8 +398,8 @@ THE SOFTWARE.
+ PCF_Face face )
+ {
+ PCF_ParseProperty props = 0;
+- PCF_Property properties = 0;
+- FT_Int nprops, i;
++ PCF_Property properties;
++ FT_UInt nprops, i;
+ FT_ULong format, size;
+ FT_Error error;
+ FT_Memory memory = FT_FACE(face)->memory;
+@@ -390,6 +435,15 @@ THE SOFTWARE.
+
+ FT_TRACE4(( " nprop = %d\n", nprops ));
+
++ /* rough estimate */
++ if ( nprops > size / PCF_PROPERTY_SIZE )
++ {
++ error = PCF_Err_Invalid_Table;
++ goto Bail;
++ }
++
++ face->nprops = nprops;
++
+ if ( FT_NEW_ARRAY( props, nprops ) )
+ goto Bail;
+
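Review bot: `face->nprops = nprops;` is stored before `face->properties` is allocated and assigned in a later hunk, so every `goto Bail` in between leaves the face with a non-zero property count and no property array. The `Bail:` code and the face teardown are not visible here, so confirm that anything walking `face->nprops` entries first checks `face->properties` for null; otherwise move the assignment down beside `face->properties = properties;`. Separately, `nprops` is now `FT_UInt` but the trace line above still formats it with `%d`, where `%u` would match.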
+@@ -427,6 +481,13 @@ THE SOFTWARE.
+
+ FT_TRACE4(( " string_size = %ld\n", string_size ));
+
++ /* rough estimate */
++ if ( string_size > size - nprops * PCF_PROPERTY_SIZE )
++ {
++ error = PCF_Err_Invalid_Table;
++ goto Bail;
++ }
++
+ if ( FT_NEW_ARRAY( strings, string_size ) )
+ goto Bail;
+
+@@ -437,13 +498,24 @@ THE SOFTWARE.
+ if ( FT_NEW_ARRAY( properties, nprops ) )
+ goto Bail;
+
++ face->properties = properties;
++
+ for ( i = 0; i < nprops; i++ )
+ {
+- /* XXX: make atom */
++ FT_Long name_offset = props[i].name;
++
++
++ if ( ( name_offset < 0 ) ||
++ ( (FT_ULong)name_offset > string_size ) )
++ {
++ error = PCF_Err_Invalid_Offset;
++ goto Bail;
++ }
++
+ if ( FT_NEW_ARRAY( properties[i].name,
+- ft_strlen( strings + props[i].name ) + 1 ) )
++ ft_strlen( strings + name_offset ) + 1 ) )
+ goto Bail;
+- ft_strcpy( properties[i].name, strings + props[i].name );
++ ft_strcpy( properties[i].name, strings + name_offset );
+
+ FT_TRACE4(( " %s:", properties[i].name ));
+
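Review bot: The bound `(FT_ULong)name_offset > string_size` still accepts `name_offset == string_size`, which points one element past the `strings` array allocated with `FT_NEW_ARRAY( strings, string_size )` in an earlier hunk, so `ft_strlen( strings + name_offset )` starts reading outside the buffer. The comparison should be `>=`, i.e. `( (FT_ULong)name_offset >= string_size )`. Even for an in-range offset, `ft_strlen` and `ft_strcpy` rely on a NUL byte appearing before the end of `strings`, and nothing in the visible lines guarantees the file data is terminated. Allocating `string_size + 1` elements and zeroing the last one, or using a length-bounded scan, would close that gap. The same comparison is repeated for `value_offset` in the next hunk.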
+@@ -451,8 +523,18 @@ THE SOFTWARE.
+
+ if ( props[i].isString )
+ {
++ FT_Long value_offset = props[i].value;
++
++
++ if ( ( value_offset < 0 ) ||
++ ( (FT_ULong)value_offset > string_size ) )
++ {
++ error = PCF_Err_Invalid_Offset;
++ goto Bail;
++ }
++
+ if ( FT_NEW_ARRAY( properties[i].value.atom,
+- ft_strlen( strings + props[i].value ) + 1 ) )
++ ft_strlen( strings + value_offset ) + 1 ) )
+ goto Bail;
+ ft_strcpy( properties[i].value.atom, strings + props[i].value );
+
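Review bot: The final `ft_strcpy` in this hunk still reads `strings + props[i].value`, while the allocation just above was switched to `strings + value_offset`; the name branch uses the validated local in both calls. The two expressions appear to hold the same value, so this is a consistency point rather than a defect. Using the checked variable in both places keeps the validated offset the only one that reaches the string functions: `ft_strcpy( properties[i].value.atom, strings + value_offset );`.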
+@@ -466,14 +548,8 @@ THE SOFTWARE.
+ }
+ }
+
+- face->properties = properties;
+- face->nprops = nprops;
+-
+- FT_FREE( props );
+- FT_FREE( strings );
+-
+- return PCF_Err_Ok;
+-
++ error = PCF_Err_Ok;
++
+ Bail: