author | snj <snj> | 2006-06-06 07:51:29 +0000 |
---|---|---|
committer | snj <snj> | 2006-06-06 07:51:29 +0000 |
commit | d364d6c27bac764a5f51cb21266fd6ad3be73af7 (patch) | |
tree | b2c4e242b98b5223d598d84a8cc4137976b80fe0 | |
parent | 4f22d4aa10caf3b3d4d6f1c4be2e7749ba118841 (diff) | |
download | pkgsrc-d364d6c27bac764a5f51cb21266fd6ad3be73af7.tar.gz |
Pullup ticket 1686 - requested by salo
security fix for freetype2
Apply patch from salo, mirroring the recent xsrc fixes for CVE-2006-0747,
CVE-2006-1861, and CVE-2006-2661.
-rw-r--r-- | graphics/freetype2/Makefile | 4 | ||||
-rw-r--r-- | graphics/freetype2/distinfo | 13 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-ab | 22 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-ac | 28 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-ad | 48 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-ae | 56 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-af | 36 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-ag | 13 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-ah | 32 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-ai | 12 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-aj | 13 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-ak | 15 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-al | 14 |
13 files changed, 303 insertions, 3 deletions
diff --git a/graphics/freetype2/Makefile b/graphics/freetype2/Makefile index 12e861d7fdd..54606b9b3d3 100644 --- a/graphics/freetype2/Makefile +++ b/graphics/freetype2/Makefile @@ -1,8 +1,8 @@ -# $NetBSD: Makefile,v 1.51 2006/02/25 00:35:41 reed Exp $ +# $NetBSD: Makefile,v 1.51.2.1 2006/06/06 07:51:29 snj Exp $ DISTNAME= freetype-2.1.10 PKGNAME= freetype2-2.1.10 -PKGREVISION= 2 +PKGREVISION= 3 CATEGORIES= graphics MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=freetype/} \ ftp://ftp.freetype.org/freetype/freetype2/ \ diff --git a/graphics/freetype2/distinfo b/graphics/freetype2/distinfo index 7868bfcdc5c..8e85172dfe6 100644 --- a/graphics/freetype2/distinfo +++ b/graphics/freetype2/distinfo @@ -1,6 +1,17 @@ -$NetBSD: distinfo,v 1.16 2006/02/25 00:35:41 reed Exp $ +$NetBSD: distinfo,v 1.16.2.1 2006/06/06 07:51:29 snj Exp $ SHA1 (freetype-2.1.10.tar.bz2) = f9e5c52e466c3e41483d5d6d44b4f3135a9c4b16 RMD160 (freetype-2.1.10.tar.bz2) = 3d31d548632f14784283c97ece64c7425efc3975 Size (freetype-2.1.10.tar.bz2) = 1037107 bytes SHA1 (patch-aa) = 0f05ebbb7c1264dd58f01916560278cd4c3dce08 +SHA1 (patch-ab) = 405ec4f5e95f3acae343d735732575040c193fd5 +SHA1 (patch-ac) = b825e918b1b6bd299db178faca615a9d72dbe934 +SHA1 (patch-ad) = 5e3492d24b4b2a12dea60c36d625fe5d4877ba18 +SHA1 (patch-ae) = 56da93184890ff7320e3fd8dc97738b43de53658 +SHA1 (patch-af) = 461408c2f48682c4a8c42630b55e08a901b7d408 +SHA1 (patch-ag) = 6af93a9a46c0d8003b360c984bc4162b44c1bd69 +SHA1 (patch-ah) = 82afa08b90cf832e07448e39e29db063dcf90d43 +SHA1 (patch-ai) = 3465ebf6434f5fa2a363275af1880f551961684e +SHA1 (patch-aj) = 22bbcc7607b94aafd8be32c17a3d21c82126e879 +SHA1 (patch-ak) = 9b732b78e265bb314d6d71676ff0af309c51ba99 +SHA1 (patch-al) = 51b057984c4a011d173beca53f5b8654db800d3c diff --git a/graphics/freetype2/patches/patch-ab b/graphics/freetype2/patches/patch-ab new file mode 100644 index 00000000000..128676dc42e --- /dev/null +++ b/graphics/freetype2/patches/patch-ab 
@@ -0,0 +1,22 @@
+$NetBSD: patch-ab,v 1.7.14.1 2006/06/06 07:51:29 snj Exp $
+
+--- include/freetype/fterrdef.h.orig 2004-02-12 09:33:20.000000000 +0100
++++ include/freetype/fterrdef.h 2006-06-05 23:13:46.000000000 +0200
+@@ -52,6 +52,8 @@
+ "broken table" )
+ FT_ERRORDEF_( Invalid_Offset, 0x09, \
+ "broken offset within table" )
++ FT_ERRORDEF_( Array_Too_Large, 0x0A, \
++ "array allocation size too large" )
+
+ /* glyph/character errors */
+
+@@ -226,6 +228,8 @@
+ "`ENCODING' field missing" )
+ FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \
+ "`BBX' field missing" )
++ FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \
++ "`BBX' too big" )
+
+
+ /* END */
diff --git a/graphics/freetype2/patches/patch-ac b/graphics/freetype2/patches/patch-ac
new file mode 100644
index 00000000000..95db80bb2a1
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ac
@@ -0,0 +1,28 @@
+$NetBSD: patch-ac,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/base/ftmac.c.orig 2004-08-28 10:02:46.000000000 +0200
++++ src/base/ftmac.c 2006-06-05 23:17:29.000000000 +0200
+@@ -430,6 +430,7 @@
+ short res_id;
+ unsigned char *buffer, *p, *size_p = NULL;
+ FT_ULong total_size = 0;
++ FT_ULong old_total_size = 0;
+ FT_ULong post_size, pfb_chunk_size;
+ Handle post_data;
+ char code, last_code;
+@@ -462,6 +463,15 @@
+ last_code = code;
+ }
+
++ /* detect integer overflows */
++ if ( total_size < old_total_size )
++ {
++ error = FT_Err_Array_Too_Large;
++ goto Error;
++ }
++
++ old_total_size = total_size;
++
+ if ( FT_ALLOC( buffer, (FT_Long)total_size ) )
+ goto Error;
+
diff --git a/graphics/freetype2/patches/patch-ad b/graphics/freetype2/patches/patch-ad
new file mode 100644
index 00000000000..1aa48b83494
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ad
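Review bot: In patch-ac (src/base/ftmac.c) the overflow test `if ( total_size < old_total_size )` appears to sit after the closing brace of the loop that accumulates `total_size`, so `old_total_size` still holds its initial 0 when it is compared, and an unsigned value is never less than 0. As placed, the check cannot fire; the comparison and the `old_total_size = total_size;` update would have to move inside the loop body, directly after `last_code = code;`, to catch a wrap on each addition. The loop starts outside the hunk, so the placement should be confirmed against the full function. The `(FT_Long)total_size` cast in the following `FT_ALLOC` can also turn a very large total negative, which presumably only the new `size < 0` rejection added in patch-ad would catch.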
@@ -0,0 +1,48 @@
+$NetBSD: patch-ad,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/base/ftutil.c.orig 2005-03-03 23:59:06.000000000 +0100
++++ src/base/ftutil.c 2006-06-05 23:18:40.000000000 +0200
+@@ -52,6 +52,8 @@
+ FT_Long size,
+ void* *P )
+ {
++ FT_Error error = FT_Err_Ok;
++
+ FT_ASSERT( P != 0 );
+
+ if ( size > 0 )
+@@ -67,6 +69,11 @@
+ }
+ FT_MEM_ZERO( *P, size );
+ }
++ else if (size < 0)
++ {
++ /* may help catch/prevent nasty security issues */
++ error = FT_Err_Invalid_Argument;
++ }
+ else
+ *P = NULL;
+
+@@ -74,7 +81,7 @@
+ FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n",
+ size, *P, P ));
+
+- return FT_Err_Ok;
++ return error;
+ }
+
+
+@@ -127,8 +134,12 @@
+ if ( !*P )
+ return FT_Alloc( memory, size, P );
+
++ if (size < 0 || current < 0)
++ {
++ return FT_Err_Invalid_Argument;
++ }
++ else if ( size == 0 )
+ /* if the new block if zero-sized, clear the current one */
+- if ( size <= 0 )
+ {
+ FT_Free( memory, P );
+ return FT_Err_Ok;
diff --git a/graphics/freetype2/patches/patch-ae b/graphics/freetype2/patches/patch-ae
new file mode 100644
index 00000000000..401df649f4f
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ae
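Review bot: In patch-ad (src/base/ftutil.c) the new `size < 0` branch of FT_Alloc sets the error but leaves `*P` untouched, while the `size == 0` branch stores NULL and the trace call below still reads `*P`. A caller that ignores or mishandles the returned error would carry on with whatever pointer value was there before; adding `*P = NULL;` next to `error = FT_Err_Invalid_Argument;` makes the failure path deterministic. In the FT_Realloc hunk the comment `/* if the new block if zero-sized, clear the current one */` now falls between `else if ( size == 0 )` and its opening brace; moving it above the `else if` (and correcting "if zero-sized" to "is zero-sized") would keep the branch readable. Both function bodies extend outside the visible hunks.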
@@ -0,0 +1,56 @@
+$NetBSD: patch-ae,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/bdf/bdflib.c.orig 2005-05-21 19:19:52.000000000 +0200
++++ src/bdf/bdflib.c 2006-06-05 23:22:50.000000000 +0200
+@@ -1092,7 +1092,7 @@
+ #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n"
+ #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n"
+ #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n"
+-
++#define ERRMSG4 "[line %ld] BBX too big.\n"
+
+ static FT_Error
+ _bdf_add_comment( bdf_font_t* font,
+@@ -1561,6 +1561,14 @@
+
+ p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 );
+
++ /* Check that the encoding is in the range [0,65536] because */
++ /* otherwise p->have (a bitmap with static size) overflows. */
++ if ( p->glyph_enc >= sizeof(p->have)*8 )
++ {
++ error = BDF_Err_Invalid_File_Format;
++ goto Exit;
++ }
++
+ /* Check to see whether this encoding has already been encountered. */
+ /* If it has then change it to unencoded so it gets added if */
+ /* indicated. */
+@@ -1805,6 +1813,9 @@
+ /* And finally, gather up the bitmap. */
+ if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
+ {
++ unsigned long bitmap_size;
++
++
+ if ( !( p->flags & _BDF_BBX ) )
+ {
+ /* Missing BBX field. */
+@@ -1815,7 +1826,16 @@
+
+ /* Allocate enough space for the bitmap. */
+ glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
+- glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height );
++
++ bitmap_size = glyph->bpr * glyph->bbx.height;
++ if ( bitmap_size > 0xFFFFU )
++ {
++ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
++ error = BDF_Err_Bbx_Too_Big;
++ goto Exit;
++ }
++ else
++ glyph->bytes = (unsigned short)bitmap_size;
+
+ if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) )
+ goto Exit;
diff --git a/graphics/freetype2/patches/patch-af b/graphics/freetype2/patches/patch-af
new file mode 100644
index 00000000000..a3aacdf82f2
--- /dev/null
+++ b/graphics/freetype2/patches/patch-af
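Review bot: In patch-ae (src/bdf/bdflib.c) the bound `p->glyph_enc >= sizeof(p->have)*8` compares against a `size_t`, so if `glyph_enc` is a signed type (it is assigned from `_bdf_atol`) a negative encoding converts to a huge unsigned value and the glyph is rejected with `BDF_Err_Invalid_File_Format`. The context comment right below the check talks about changing an encoding "to unencoded", which suggests negative values were a legitimate input for this parser; that should be confirmed, and if so the test should apply only to positive values, e.g. `if ( p->glyph_enc > 0 && (size_t)p->glyph_enc >= sizeof(p->have)*8 )`. The new comment's range `[0,65536]` also reads as including 65536, which the check rejects if `have` holds 65536 bits as the comment implies; `[0,65535]` would match the code. The enclosing function starts and ends outside the hunk.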
@@ -0,0 +1,36 @@
+$NetBSD: patch-af,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/cff/cffgload.c.orig 2005-04-18 06:53:05.000000000 +0200
++++ src/cff/cffgload.c 2006-06-05 23:23:48.000000000 +0200
+@@ -2284,7 +2284,7 @@
+ FT_LOCAL_DEF( FT_Error )
+ cff_slot_load( CFF_GlyphSlot glyph,
+ CFF_Size size,
+- FT_Int glyph_index,
++ FT_UInt glyph_index,
+ FT_Int32 load_flags )
+ {
+ FT_Error error;
+@@ -2330,7 +2330,7 @@
+
+ error = sfnt->load_sbit_image( face,
+ (FT_ULong)size->strike_index,
+- (FT_UInt)glyph_index,
++ glyph_index,
+ (FT_Int)load_flags,
+ stream,
+ &glyph->root.bitmap,
+@@ -2393,7 +2393,13 @@
+ /* subsetted font, glyph_indices and CIDs are identical, though */
+ if ( cff->top_font.font_dict.cid_registry != 0xFFFFU &&
+ cff->charset.cids )
++ {
++ if ( glyph_index < cff->charset.max_cid )
+ glyph_index = cff->charset.cids[glyph_index];
++ else
++ glyph_index = 0;
++ }
++
+
+ cff_decoder_init( &decoder, face, size, glyph, hinting,
+ FT_LOAD_TARGET_MODE( load_flags ) );
diff --git a/graphics/freetype2/patches/patch-ag b/graphics/freetype2/patches/patch-ag
new file mode 100644
index 00000000000..16e9a4ba8b5
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ag
@@ -0,0 +1,13 @@
+$NetBSD: patch-ag,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/cff/cffgload.h.orig 2004-05-13 23:59:17.000000000 +0200
++++ src/cff/cffgload.h 2006-06-05 23:25:58.000000000 +0200
+@@ -196,7 +196,7 @@
+ FT_LOCAL( FT_Error )
+ cff_slot_load( CFF_GlyphSlot glyph,
+ CFF_Size size,
+- FT_Int glyph_index,
++ FT_UInt glyph_index,
+ FT_Int32 load_flags );
+
+
diff --git a/graphics/freetype2/patches/patch-ah b/graphics/freetype2/patches/patch-ah
new file mode 100644
index 00000000000..3422ce8e90a
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ah
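Review bot: In patch-af (src/cff/cffgload.c) an out-of-range `glyph_index` is silently replaced by glyph 0 in the new `else` branch, and nothing in the hunk documents that choice or states that `max_cid` is an exclusive bound on the `cids` lookup. A short comment such as `/* index beyond the cids table: fall back to glyph 0 */` above the `else` would record the intent. The bound is only as good as the value patch-ah stores in `charset->max_cid`, so that assignment should be confirmed to equal the number of entries allocated for `cids`; the allocation itself is not visible on this page. The function body continues outside the hunk.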
@@ -0,0 +1,32 @@
+$NetBSD: patch-ah,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/cff/cffload.c.orig 2005-05-06 07:49:46.000000000 +0200
++++ src/cff/cffload.c 2006-06-05 23:34:29.000000000 +0200
+@@ -1235,7 +1235,7 @@
+ }
+
+ /* access element */
+- if ( off1 )
++ if ( off1 && off2 > off1 )
+ {
+ *pbyte_len = off2 - off1;
+
+@@ -1688,6 +1688,8 @@
+
+ for ( i = 0; i < num_glyphs; i++ )
+ charset->cids[charset->sids[i]] = (FT_UShort)i;
++
++ charset->max_cid = max_cid;
+ }
+
+ Exit:
+@@ -2042,6 +2044,9 @@
+ goto Exit;
+ }
+
++ /* ensure that 'num_blue_values' is even */
++ priv->num_blue_values &= ~1;
++
+ /* read the local subrs, if any */
+ if ( priv->local_subrs_offset )
+ {
diff --git a/graphics/freetype2/patches/patch-ai b/graphics/freetype2/patches/patch-ai
new file mode 100644
index 00000000000..4347ff60282
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ai
@@ -0,0 +1,12 @@
+$NetBSD: patch-ai,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/cff/cfftypes.h.orig 2003-12-20 08:30:05.000000000 +0100
++++ src/cff/cfftypes.h 2006-06-05 23:35:33.000000000 +0200
+@@ -84,6 +84,7 @@
+ FT_UShort* sids;
+ FT_UShort* cids; /* the inverse mapping of `sids'; only needed */
+ /* for CID-keyed fonts */
++ FT_UInt max_cid;
+ } CFF_CharsetRec, *CFF_Charset;
+
+
diff --git a/graphics/freetype2/patches/patch-aj b/graphics/freetype2/patches/patch-aj
new file mode 100644
index 00000000000..4874103a2c1
--- /dev/null
+++ b/graphics/freetype2/patches/patch-aj
@@ -0,0 +1,13 @@
+$NetBSD: patch-aj,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/pshinter/pshglob.c.orig 2004-04-02 09:13:53.000000000 +0200
++++ src/pshinter/pshglob.c 2006-06-05 23:36:04.000000000 +0200
+@@ -150,7 +150,7 @@
+ FT_UNUSED( target );
+
+
+- for ( ; read_count > 0; read_count -= 2 )
++ for ( ; read_count > 1; read_count -= 2 )
+ {
+ FT_Int reference, delta;
+ FT_UInt count;
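Review bot: In patch-ah (src/cff/cffload.c) the new condition `off1 && off2 > off1` guarantees only that the element length `off2 - off1` is positive; the visible lines do not compare `off2` with the size of the index data, so an offset pair that is correctly ordered but points past the end of the table would still pass. If no such bound is enforced elsewhere in the function, which starts and ends outside the hunk, the condition should also check `off2` against the data size before `*pbyte_len` is set. The evenness mask `priv->num_blue_values &= ~1;` is applied to that one count here and in patch-al; whether any other count that is consumed in pairs needs the same treatment is worth confirming, although the loop-bound change in patch-aj also protects the reader.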
diff --git a/graphics/freetype2/patches/patch-ak b/graphics/freetype2/patches/patch-ak
new file mode 100644
index 00000000000..3f19396ceec
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ak
@@ -0,0 +1,15 @@
+$NetBSD: patch-ak,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/sfnt/ttcmap.c.orig 2005-05-11 16:37:40.000000000 +0200
++++ src/sfnt/ttcmap.c 2006-06-05 23:39:06.000000000 +0200
+@@ -2144,9 +2144,7 @@
+ charmap.encoding = FT_ENCODING_NONE; /* will be filled later */
+ offset = TT_NEXT_ULONG( p );
+
+- if ( offset &&
+- table + offset + 2 < limit &&
+- table + offset >= table )
++ if ( offset && offset <= face->cmap_size - 2 )
+ {
+ FT_Byte* cmap = table + offset;
+ volatile FT_UInt format = TT_PEEK_USHORT( cmap );
diff --git a/graphics/freetype2/patches/patch-al b/graphics/freetype2/patches/patch-al
new file mode 100644
index 00000000000..4a51a109cbd
--- /dev/null
+++ b/graphics/freetype2/patches/patch-al
@@ -0,0 +1,14 @@
+$NetBSD: patch-al,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/type1/t1load.c.orig 2005-04-14 13:39:28.000000000 +0200
++++ src/type1/t1load.c 2006-06-05 23:40:02.000000000 +0200
+@@ -1990,6 +1990,9 @@
+ if ( error )
+ goto Exit;
+
++ /* ensure even-ness of 'num_blue_values' */
++ priv->num_blue_values &= ~1;
++
+ #ifndef T1_CONFIG_OPTION_NO_MM_SUPPORT
+
+ /* the following can happen for MM instances; we then treat the */ |
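Review bot: In patch-ak (src/sfnt/ttcmap.c) the replacement test `offset <= face->cmap_size - 2` depends on `cmap_size` being at least 2; if the field is unsigned and smaller than that, the subtraction wraps and every non-zero `offset` passes. Nothing in the hunk establishes that minimum and the function begins outside it, so either confirm that an earlier size check exists or make the bound self-contained, e.g. `if ( offset && face->cmap_size >= 2 && offset <= face->cmap_size - 2 )`. The following `TT_PEEK_USHORT( cmap )` reads two bytes at `table + offset`, which is exactly the access this bound has to cover.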