authorsnj <snj>2006-06-06 07:51:29 +0000
committersnj <snj>2006-06-06 07:51:29 +0000
commitd364d6c27bac764a5f51cb21266fd6ad3be73af7 (patch)
treeb2c4e242b98b5223d598d84a8cc4137976b80fe0
parent4f22d4aa10caf3b3d4d6f1c4be2e7749ba118841 (diff)
Pullup ticket 1686 - requested by salo
security fix for freetype2 Apply patch from salo, mirroring the recent xsrc fixes for CVE-2006-0747, CVE-2006-1861, and CVE-2006-2661.
-rw-r--r--graphics/freetype2/Makefile4
-rw-r--r--graphics/freetype2/distinfo13
-rw-r--r--graphics/freetype2/patches/patch-ab22
-rw-r--r--graphics/freetype2/patches/patch-ac28
-rw-r--r--graphics/freetype2/patches/patch-ad48
-rw-r--r--graphics/freetype2/patches/patch-ae56
-rw-r--r--graphics/freetype2/patches/patch-af36
-rw-r--r--graphics/freetype2/patches/patch-ag13
-rw-r--r--graphics/freetype2/patches/patch-ah32
-rw-r--r--graphics/freetype2/patches/patch-ai12
-rw-r--r--graphics/freetype2/patches/patch-aj13
-rw-r--r--graphics/freetype2/patches/patch-ak15
-rw-r--r--graphics/freetype2/patches/patch-al14
13 files changed, 303 insertions, 3 deletions
diff --git a/graphics/freetype2/Makefile b/graphics/freetype2/Makefile
index 12e861d7fdd..54606b9b3d3 100644
--- a/graphics/freetype2/Makefile
+++ b/graphics/freetype2/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.51 2006/02/25 00:35:41 reed Exp $
+# $NetBSD: Makefile,v 1.51.2.1 2006/06/06 07:51:29 snj Exp $
DISTNAME= freetype-2.1.10
PKGNAME= freetype2-2.1.10
-PKGREVISION= 2
+PKGREVISION= 3
CATEGORIES= graphics
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=freetype/} \
ftp://ftp.freetype.org/freetype/freetype2/ \
diff --git a/graphics/freetype2/distinfo b/graphics/freetype2/distinfo
index 7868bfcdc5c..8e85172dfe6 100644
--- a/graphics/freetype2/distinfo
+++ b/graphics/freetype2/distinfo
@@ -1,6 +1,17 @@
-$NetBSD: distinfo,v 1.16 2006/02/25 00:35:41 reed Exp $
+$NetBSD: distinfo,v 1.16.2.1 2006/06/06 07:51:29 snj Exp $
SHA1 (freetype-2.1.10.tar.bz2) = f9e5c52e466c3e41483d5d6d44b4f3135a9c4b16
RMD160 (freetype-2.1.10.tar.bz2) = 3d31d548632f14784283c97ece64c7425efc3975
Size (freetype-2.1.10.tar.bz2) = 1037107 bytes
SHA1 (patch-aa) = 0f05ebbb7c1264dd58f01916560278cd4c3dce08
+SHA1 (patch-ab) = 405ec4f5e95f3acae343d735732575040c193fd5
+SHA1 (patch-ac) = b825e918b1b6bd299db178faca615a9d72dbe934
+SHA1 (patch-ad) = 5e3492d24b4b2a12dea60c36d625fe5d4877ba18
+SHA1 (patch-ae) = 56da93184890ff7320e3fd8dc97738b43de53658
+SHA1 (patch-af) = 461408c2f48682c4a8c42630b55e08a901b7d408
+SHA1 (patch-ag) = 6af93a9a46c0d8003b360c984bc4162b44c1bd69
+SHA1 (patch-ah) = 82afa08b90cf832e07448e39e29db063dcf90d43
+SHA1 (patch-ai) = 3465ebf6434f5fa2a363275af1880f551961684e
+SHA1 (patch-aj) = 22bbcc7607b94aafd8be32c17a3d21c82126e879
+SHA1 (patch-ak) = 9b732b78e265bb314d6d71676ff0af309c51ba99
+SHA1 (patch-al) = 51b057984c4a011d173beca53f5b8654db800d3c
diff --git a/graphics/freetype2/patches/patch-ab b/graphics/freetype2/patches/patch-ab
new file mode 100644
index 00000000000..128676dc42e
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ab
@@ -0,0 +1,22 @@
+$NetBSD: patch-ab,v 1.7.14.1 2006/06/06 07:51:29 snj Exp $
+
+--- include/freetype/fterrdef.h.orig 2004-02-12 09:33:20.000000000 +0100
++++ include/freetype/fterrdef.h 2006-06-05 23:13:46.000000000 +0200
+@@ -52,6 +52,8 @@
+ "broken table" )
+ FT_ERRORDEF_( Invalid_Offset, 0x09, \
+ "broken offset within table" )
++ FT_ERRORDEF_( Array_Too_Large, 0x0A, \
++ "array allocation size too large" )
+
+ /* glyph/character errors */
+
+@@ -226,6 +228,8 @@
+ "`ENCODING' field missing" )
+ FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \
+ "`BBX' field missing" )
++ FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \
++ "`BBX' too big" )
+
+
+ /* END */
diff --git a/graphics/freetype2/patches/patch-ac b/graphics/freetype2/patches/patch-ac
new file mode 100644
index 00000000000..95db80bb2a1
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ac
@@ -0,0 +1,28 @@
+$NetBSD: patch-ac,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/base/ftmac.c.orig 2004-08-28 10:02:46.000000000 +0200
++++ src/base/ftmac.c 2006-06-05 23:17:29.000000000 +0200
+@@ -430,6 +430,7 @@
+ short res_id;
+ unsigned char *buffer, *p, *size_p = NULL;
+ FT_ULong total_size = 0;
++ FT_ULong old_total_size = 0;
+ FT_ULong post_size, pfb_chunk_size;
+ Handle post_data;
+ char code, last_code;
+@@ -462,6 +463,15 @@
+ last_code = code;
+ }
+
++ /* detect integer overflows */
++ if ( total_size < old_total_size )
++ {
++ error = FT_Err_Array_Too_Large;
++ goto Error;
++ }
++
++ old_total_size = total_size;
++
+ if ( FT_ALLOC( buffer, (FT_Long)total_size ) )
+ goto Error;
+
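Review bot: The overflow test added ahead of `FT_ALLOC` looks like it can never fire. The context line `}` right above it appears to close the loop that accumulates `total_size`, so the test runs once with `old_total_size` still 0, and an unsigned `total_size < 0` is always false. To detect a wrap, the comparison and the `old_total_size = total_size;` update would need to sit inside the loop, directly after `last_code = code;`. As placed, the only remaining guard is the `(FT_Long)total_size` cast going negative, which helps only if the allocator rejects negative sizes. The function starts and ends outside the hunk, so the loop structure is inferred from the visible context.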
diff --git a/graphics/freetype2/patches/patch-ad b/graphics/freetype2/patches/patch-ad
new file mode 100644
index 00000000000..1aa48b83494
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ad
@@ -0,0 +1,48 @@
+$NetBSD: patch-ad,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/base/ftutil.c.orig 2005-03-03 23:59:06.000000000 +0100
++++ src/base/ftutil.c 2006-06-05 23:18:40.000000000 +0200
+@@ -52,6 +52,8 @@
+ FT_Long size,
+ void* *P )
+ {
++ FT_Error error = FT_Err_Ok;
++
+ FT_ASSERT( P != 0 );
+
+ if ( size > 0 )
+@@ -67,6 +69,11 @@
+ }
+ FT_MEM_ZERO( *P, size );
+ }
++ else if (size < 0)
++ {
++ /* may help catch/prevent nasty security issues */
++ error = FT_Err_Invalid_Argument;
++ }
+ else
+ *P = NULL;
+
+@@ -74,7 +81,7 @@
+ FT_TRACE7(( " size = %ld, block = 0x%08p, ref = 0x%08p\n",
+ size, *P, P ));
+
+- return FT_Err_Ok;
++ return error;
+ }
+
+
+@@ -127,8 +134,12 @@
+ if ( !*P )
+ return FT_Alloc( memory, size, P );
+
++ if (size < 0 || current < 0)
++ {
++ return FT_Err_Invalid_Argument;
++ }
++ else if ( size == 0 )
+ /* if the new block if zero-sized, clear the current one */
+- if ( size <= 0 )
+ {
+ FT_Free( memory, P );
+ return FT_Err_Ok;
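Review bot: On the new `size < 0` branch of the allocation routine, `*P` is never assigned, yet the `FT_TRACE7` call that follows still reads `*P`. A caller that does not check the returned error would also carry on with an indeterminate pointer. Adding `*P = NULL;` next to `error = FT_Err_Invalid_Argument;` keeps the failure path well-defined. In the reallocation hunk, the comment `/* if the new block if zero-sized, clear the current one */` now sits between `else if ( size == 0 )` and its opening brace; placing it above the `else if` would read more clearly.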
diff --git a/graphics/freetype2/patches/patch-ae b/graphics/freetype2/patches/patch-ae
new file mode 100644
index 00000000000..401df649f4f
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ae
@@ -0,0 +1,56 @@
+$NetBSD: patch-ae,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/bdf/bdflib.c.orig 2005-05-21 19:19:52.000000000 +0200
++++ src/bdf/bdflib.c 2006-06-05 23:22:50.000000000 +0200
+@@ -1092,7 +1092,7 @@
+ #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n"
+ #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n"
+ #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n"
+-
++#define ERRMSG4 "[line %ld] BBX too big.\n"
+
+ static FT_Error
+ _bdf_add_comment( bdf_font_t* font,
+@@ -1561,6 +1561,14 @@
+
+ p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 );
+
++ /* Check that the encoding is in the range [0,65536] because */
++ /* otherwise p->have (a bitmap with static size) overflows. */
++ if ( p->glyph_enc >= sizeof(p->have)*8 )
++ {
++ error = BDF_Err_Invalid_File_Format;
++ goto Exit;
++ }
++
+ /* Check to see whether this encoding has already been encountered. */
+ /* If it has then change it to unencoded so it gets added if */
+ /* indicated. */
+@@ -1805,6 +1813,9 @@
+ /* And finally, gather up the bitmap. */
+ if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
+ {
++ unsigned long bitmap_size;
++
++
+ if ( !( p->flags & _BDF_BBX ) )
+ {
+ /* Missing BBX field. */
+@@ -1815,7 +1826,16 @@
+
+ /* Allocate enough space for the bitmap. */
+ glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3;
+- glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height );
++
++ bitmap_size = glyph->bpr * glyph->bbx.height;
++ if ( bitmap_size > 0xFFFFU )
++ {
++ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno ));
++ error = BDF_Err_Bbx_Too_Big;
++ goto Exit;
++ }
++ else
++ glyph->bytes = (unsigned short)bitmap_size;
+
+ if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) )
+ goto Exit;
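Review bot: The new range check `p->glyph_enc >= sizeof(p->have)*8` compares the result of `_bdf_atol` with a `size_t`, so if `glyph_enc` is a signed type, a negative encoding is converted to a very large unsigned value and rejected with `BDF_Err_Invalid_File_Format`. The context just below mentions changing an encoding to "unencoded", which suggests negative values are meaningful input here. If the code after the hunk never indexes `p->have` with a negative value, the intent would be clearer as `if ( p->glyph_enc > 0 && (size_t)p->glyph_enc >= sizeof ( p->have ) * 8 )`. The comment's range `[0,65536]` also looks off by one for a bitmap indexed from 0. The declarations of `glyph_enc` and `have` are outside the hunk, so both points need confirming against them.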
diff --git a/graphics/freetype2/patches/patch-af b/graphics/freetype2/patches/patch-af
new file mode 100644
index 00000000000..a3aacdf82f2
--- /dev/null
+++ b/graphics/freetype2/patches/patch-af
@@ -0,0 +1,36 @@
+$NetBSD: patch-af,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/cff/cffgload.c.orig 2005-04-18 06:53:05.000000000 +0200
++++ src/cff/cffgload.c 2006-06-05 23:23:48.000000000 +0200
+@@ -2284,7 +2284,7 @@
+ FT_LOCAL_DEF( FT_Error )
+ cff_slot_load( CFF_GlyphSlot glyph,
+ CFF_Size size,
+- FT_Int glyph_index,
++ FT_UInt glyph_index,
+ FT_Int32 load_flags )
+ {
+ FT_Error error;
+@@ -2330,7 +2330,7 @@
+
+ error = sfnt->load_sbit_image( face,
+ (FT_ULong)size->strike_index,
+- (FT_UInt)glyph_index,
++ glyph_index,
+ (FT_Int)load_flags,
+ stream,
+ &glyph->root.bitmap,
+@@ -2393,7 +2393,13 @@
+ /* subsetted font, glyph_indices and CIDs are identical, though */
+ if ( cff->top_font.font_dict.cid_registry != 0xFFFFU &&
+ cff->charset.cids )
++ {
++ if ( glyph_index < cff->charset.max_cid )
+ glyph_index = cff->charset.cids[glyph_index];
++ else
++ glyph_index = 0;
++ }
++
+
+ cff_decoder_init( &decoder, face, size, glyph, hinting,
+ FT_LOAD_TARGET_MODE( load_flags ) );
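Review bot: The bound `glyph_index < cff->charset.max_cid` is only safe if `max_cid` holds the number of elements in `charset.cids`, and nothing visible here or at the `FT_UInt max_cid;` declaration in cfftypes.h says so. The name reads like "largest valid CID", in which case `<` would wrongly reject the last entry. A comment on the field such as `/* number of elements in `cids' (largest CID + 1) */` would pin the contract, to be confirmed against the allocation in cffload.c. The fallback `glyph_index = 0;` silently maps an out-of-range index to glyph 0; a short comment saying this is intentional would help the next reader. The function body extends beyond the hunk on both sides.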
diff --git a/graphics/freetype2/patches/patch-ag b/graphics/freetype2/patches/patch-ag
new file mode 100644
index 00000000000..16e9a4ba8b5
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ag
@@ -0,0 +1,13 @@
+$NetBSD: patch-ag,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/cff/cffgload.h.orig 2004-05-13 23:59:17.000000000 +0200
++++ src/cff/cffgload.h 2006-06-05 23:25:58.000000000 +0200
+@@ -196,7 +196,7 @@
+ FT_LOCAL( FT_Error )
+ cff_slot_load( CFF_GlyphSlot glyph,
+ CFF_Size size,
+- FT_Int glyph_index,
++ FT_UInt glyph_index,
+ FT_Int32 load_flags );
+
+
diff --git a/graphics/freetype2/patches/patch-ah b/graphics/freetype2/patches/patch-ah
new file mode 100644
index 00000000000..3422ce8e90a
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ah
@@ -0,0 +1,32 @@
+$NetBSD: patch-ah,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/cff/cffload.c.orig 2005-05-06 07:49:46.000000000 +0200
++++ src/cff/cffload.c 2006-06-05 23:34:29.000000000 +0200
+@@ -1235,7 +1235,7 @@
+ }
+
+ /* access element */
+- if ( off1 )
++ if ( off1 && off2 > off1 )
+ {
+ *pbyte_len = off2 - off1;
+
+@@ -1688,6 +1688,8 @@
+
+ for ( i = 0; i < num_glyphs; i++ )
+ charset->cids[charset->sids[i]] = (FT_UShort)i;
++
++ charset->max_cid = max_cid;
+ }
+
+ Exit:
+@@ -2042,6 +2044,9 @@
+ goto Exit;
+ }
+
++ /* ensure that 'num_blue_values' is even */
++ priv->num_blue_values &= ~1;
++
+ /* read the local subrs, if any */
+ if ( priv->local_subrs_offset )
+ {
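Review bot: In the first hunk, `off2 > off1` guarantees a positive `*pbyte_len` but does not bound either offset by the size of the index data. If the element is then read from an in-memory copy of the index, a font-supplied `off2` larger than the data would still give a length that runs past the buffer. The branch that consumes `*pbyte_len` is outside the hunk, so whether a later check covers this cannot be seen here. It would be worth comparing `off2` with the loaded data length before the subtraction, or documenting where that validation happens.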
diff --git a/graphics/freetype2/patches/patch-ai b/graphics/freetype2/patches/patch-ai
new file mode 100644
index 00000000000..4347ff60282
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ai
@@ -0,0 +1,12 @@
+$NetBSD: patch-ai,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/cff/cfftypes.h.orig 2003-12-20 08:30:05.000000000 +0100
++++ src/cff/cfftypes.h 2006-06-05 23:35:33.000000000 +0200
+@@ -84,6 +84,7 @@
+ FT_UShort* sids;
+ FT_UShort* cids; /* the inverse mapping of `sids'; only needed */
+ /* for CID-keyed fonts */
++ FT_UInt max_cid;
+ } CFF_CharsetRec, *CFF_Charset;
+
+
diff --git a/graphics/freetype2/patches/patch-aj b/graphics/freetype2/patches/patch-aj
new file mode 100644
index 00000000000..4874103a2c1
--- /dev/null
+++ b/graphics/freetype2/patches/patch-aj
@@ -0,0 +1,13 @@
+$NetBSD: patch-aj,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/pshinter/pshglob.c.orig 2004-04-02 09:13:53.000000000 +0200
++++ src/pshinter/pshglob.c 2006-06-05 23:36:04.000000000 +0200
+@@ -150,7 +150,7 @@
+ FT_UNUSED( target );
+
+
+- for ( ; read_count > 0; read_count -= 2 )
++ for ( ; read_count > 1; read_count -= 2 )
+ {
+ FT_Int reference, delta;
+ FT_UInt count;
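Review bot: The changed loop bound `read_count > 1` carries no explanation, and the reason is not obvious from the line itself. The loop consumes two entries per iteration (`read_count -= 2`), so an odd count would otherwise produce one iteration that reads a missing second value. I would add a comment above the `for`, for example `/* values come in pairs; ignore a trailing unpaired entry */`. The loop body continues outside the hunk.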
diff --git a/graphics/freetype2/patches/patch-ak b/graphics/freetype2/patches/patch-ak
new file mode 100644
index 00000000000..3f19396ceec
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ak
@@ -0,0 +1,15 @@
+$NetBSD: patch-ak,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/sfnt/ttcmap.c.orig 2005-05-11 16:37:40.000000000 +0200
++++ src/sfnt/ttcmap.c 2006-06-05 23:39:06.000000000 +0200
+@@ -2144,9 +2144,7 @@
+ charmap.encoding = FT_ENCODING_NONE; /* will be filled later */
+ offset = TT_NEXT_ULONG( p );
+
+- if ( offset &&
+- table + offset + 2 < limit &&
+- table + offset >= table )
++ if ( offset && offset <= face->cmap_size - 2 )
+ {
+ FT_Byte* cmap = table + offset;
+ volatile FT_UInt format = TT_PEEK_USHORT( cmap );
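Review bot: The new condition `offset <= face->cmap_size - 2` can underflow: if `cmap_size` is an unsigned type and a font supplies a table shorter than 2 bytes, the subtraction wraps to a huge value and every `offset` passes. No minimum-size check on `cmap_size` is visible in the hunk, so unless one exists earlier in the function the guard should be written without the subtraction hazard, e.g. `if ( offset && face->cmap_size >= 2 && offset <= face->cmap_size - 2 )`. The enclosing function starts and ends outside the hunk.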
diff --git a/graphics/freetype2/patches/patch-al b/graphics/freetype2/patches/patch-al
new file mode 100644
index 00000000000..4a51a109cbd
--- /dev/null
+++ b/graphics/freetype2/patches/patch-al
@@ -0,0 +1,14 @@
+$NetBSD: patch-al,v 1.1.2.1 2006/06/06 07:51:29 snj Exp $
+
+--- src/type1/t1load.c.orig 2005-04-14 13:39:28.000000000 +0200
++++ src/type1/t1load.c 2006-06-05 23:40:02.000000000 +0200
+@@ -1990,6 +1990,9 @@
+ if ( error )
+ goto Exit;
+
++ /* ensure even-ness of 'num_blue_values' */
++ priv->num_blue_values &= ~1;
++
+ #ifndef T1_CONFIG_OPTION_NO_MM_SUPPORT
+
+ /* the following can happen for MM instances; we then treat the */
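Review bot: Only `num_blue_values` is forced even by `priv->num_blue_values &= ~1;` here, and the same applies to the identical line added to src/cff/cffload.c. If the private dictionary holds other blue-zone counts that are also consumed two at a time, they are left as parsed and rely solely on the `read_count > 1` loop bound changed in src/pshinter/pshglob.c. That may be sufficient, but it is not visible from these hunks. Either normalise the sibling counts in the same place or extend the comment to say that the hinter tolerates odd counts for the others.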