diff options
author | drochner <drochner@pkgsrc.org> | 2007-04-05 16:29:38 +0000 |
---|---|---|
committer | drochner <drochner@pkgsrc.org> | 2007-04-05 16:29:38 +0000 |
commit | 6268358eda017e59c2b7eab422ab9c9cc4508052 (patch) | |
tree | dca3e3c3a1a82695a11a4b9b164dae79369e54d9 | |
parent | c37ef2529ea499e32557df0d4c016981f95e2c56 (diff) | |
download | pkgsrc-6268358eda017e59c2b7eab422ab9c9cc4508052.tar.gz |
pull in a patch from freetype CVS:
* src/bdf/bdflib.c (setsbit, sbitset): Handle values >= 128
gracefully.
(_bdf_set_default_spacing): Increase `name' buffer size to 256 and
issue an error for longer names.
(_bdf_parse_glyphs): Limit allowed number of glyphs in font to the
number of code points in Unicode.
This fixes CVE-2007-1351.
-rw-r--r-- | graphics/freetype2/Makefile | 3 | ||||
-rw-r--r-- | graphics/freetype2/distinfo | 3 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-ac | 55 |
3 files changed, 59 insertions, 2 deletions
diff --git a/graphics/freetype2/Makefile b/graphics/freetype2/Makefile index 6fc3b0c762e..324aa05b86b 100644 --- a/graphics/freetype2/Makefile +++ b/graphics/freetype2/Makefile @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.57 2007/03/24 12:49:08 drochner Exp $ +# $NetBSD: Makefile,v 1.58 2007/04/05 16:29:38 drochner Exp $ DISTNAME= freetype-2.3.2 +PKGREVISION= 1 PKGNAME= ${DISTNAME:S/-/2-/} CATEGORIES= graphics MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=freetype/} \ diff --git a/graphics/freetype2/distinfo b/graphics/freetype2/distinfo index daf542497dc..d462e45f845 100644 --- a/graphics/freetype2/distinfo +++ b/graphics/freetype2/distinfo @@ -1,7 +1,8 @@ -$NetBSD: distinfo,v 1.21 2007/03/23 22:09:18 joerg Exp $ +$NetBSD: distinfo,v 1.22 2007/04/05 16:29:38 drochner Exp $ SHA1 (freetype-2.3.2.tar.bz2) = 4188a2ed344ddf89bdb1a054fb441019aa4b143d RMD160 (freetype-2.3.2.tar.bz2) = e4da77b6f8956d69e57269c5681560beda0ddb27 Size (freetype-2.3.2.tar.bz2) = 1252007 bytes SHA1 (patch-aa) = 0682e65e006c7b02535034c3e247be676af3b98f SHA1 (patch-ab) = 257118397011eb68197008842e98b8ef6c96e48d +SHA1 (patch-ac) = b00c86bf322e2ac6a71a24e27916ca1fa312009b diff --git a/graphics/freetype2/patches/patch-ac b/graphics/freetype2/patches/patch-ac new file mode 100644 index 00000000000..74ee4b8532e --- /dev/null +++ b/graphics/freetype2/patches/patch-ac @@ -0,0 +1,55 @@ +$NetBSD: patch-ac,v 1.2 2007/04/05 16:29:38 drochner Exp $ + +--- src/bdf/bdflib.c.orig 2007-02-12 22:29:20.000000000 +0100 ++++ src/bdf/bdflib.c +@@ -385,8 +385,10 @@ + } _bdf_parse_t; + + +-#define setsbit( m, cc ) ( m[(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) ) +-#define sbitset( m, cc ) ( m[(cc) >> 3] & ( 1 << ( (cc) & 7 ) ) ) ++#define setsbit( m, cc ) \ ++ ( m[(FT_Byte)(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) ) ++#define sbitset( m, cc ) \ ++ ( m[(FT_Byte)(cc) >> 3] & ( 1 << ( (cc) & 7 ) ) ) + + + static void +@@ -1130,7 +1132,7 @@ + bdf_options_t* opts ) + { + unsigned long len; +- char name[128]; ++ char name[256]; + _bdf_list_t list; + FT_Memory memory; + FT_Error error = BDF_Err_Ok; +@@ -1149,6 +1151,13 @@ + font->spacing = opts->font_spacing; + + len = (unsigned long)( ft_strlen( font->name ) + 1 ); ++ /* Limit ourselves to 256 characters in the font name. */ ++ if ( len >= 256 ) ++ { ++ error = BDF_Err_Invalid_Argument; ++ goto Exit; ++ } ++ + FT_MEM_COPY( name, font->name, len ); + + error = _bdf_list_split( &list, (char *)"-", name, len ); +@@ -1467,6 +1476,14 @@ + if ( p->cnt == 0 ) + font->glyphs_size = 64; + ++ /* Limit ourselves to 1,114,112 glyphs in the font (this is the */ ++ /* number of code points available in Unicode). */ ++ if ( p->cnt >= 1114112UL ) ++ { ++ error = BDF_Err_Invalid_Argument; ++ goto Exit; ++ } ++ + if ( FT_NEW_ARRAY( font->glyphs, font->glyphs_size ) ) + goto Exit; + |