diff options
author | tnn <tnn@pkgsrc.org> | 2009-05-02 19:44:51 +0000 |
---|---|---|
committer | tnn <tnn@pkgsrc.org> | 2009-05-02 19:44:51 +0000 |
commit | fc35db78109d4b5f1c613e1ee69ff0ea2172e713 (patch) | |
tree | 24a132fea7137a8752143f482500e41a10157236 | |
parent | 45b58a8292c17db4b0a5a5d8e5972be02f805aaf (diff) | |
download | pkgsrc-fc35db78109d4b5f1c613e1ee69ff0ea2172e713.tar.gz |
patch-[a-d]: Upstream patches for CVE-2009-0946.
Bump PKGREVISION.
-rw-r--r-- | graphics/freetype2/Makefile | 3 | ||||
-rw-r--r-- | graphics/freetype2/distinfo | 6 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-aa | 33 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-ab | 58 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-ac | 20 | ||||
-rw-r--r-- | graphics/freetype2/patches/patch-ad | 53 |
6 files changed, 171 insertions, 2 deletions
diff --git a/graphics/freetype2/Makefile b/graphics/freetype2/Makefile index cfee6e1ef81..d592a1a524d 100644 --- a/graphics/freetype2/Makefile +++ b/graphics/freetype2/Makefile @@ -1,7 +1,8 @@ -# $NetBSD: Makefile,v 1.68 2009/04/16 20:26:25 drochner Exp $ +# $NetBSD: Makefile,v 1.69 2009/05/02 19:44:51 tnn Exp $ DISTNAME= freetype-2.3.9 PKGNAME= ${DISTNAME:S/-/2-/} +PKGREVISION= 1 CATEGORIES= graphics MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=freetype/} \ ftp://ring.aist.go.jp/pub/graphics/freetype/freetype2/ diff --git a/graphics/freetype2/distinfo b/graphics/freetype2/distinfo index 159c375a100..0164e99df18 100644 --- a/graphics/freetype2/distinfo +++ b/graphics/freetype2/distinfo @@ -1,5 +1,9 @@ -$NetBSD: distinfo,v 1.30 2009/04/16 20:26:25 drochner Exp $ +$NetBSD: distinfo,v 1.31 2009/05/02 19:44:51 tnn Exp $ SHA1 (freetype-2.3.9.tar.bz2) = db08969cb5053879ff9e973fe6dd2c52c7ea2d4e RMD160 (freetype-2.3.9.tar.bz2) = c0351c2a3f43e64d26d2a964b1131a3dbf2fa162 Size (freetype-2.3.9.tar.bz2) = 1363190 bytes +SHA1 (patch-aa) = a203699d1734eaa97aea6898bb527cf5ee6a09b1 +SHA1 (patch-ab) = da1c8894476fd6d7123e8718d2b36072c98e5e72 +SHA1 (patch-ac) = 9ec38f8b41652737a9474cc358d44ba1e2a4a54a +SHA1 (patch-ad) = 556c116b7e80fc0633cca50d8923d183ac1762c3 diff --git a/graphics/freetype2/patches/patch-aa b/graphics/freetype2/patches/patch-aa new file mode 100644 index 00000000000..b0c5d1b9986 --- /dev/null +++ b/graphics/freetype2/patches/patch-aa @@ -0,0 +1,33 @@ +$NetBSD: patch-aa,v 1.17 2009/05/02 19:44:51 tnn Exp $ + +http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=79972af4f0485a11dcb19551356c45245749fc5b + +diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c +index a6db504..cacc490 100644 +--- src/smooth/ftsmooth.c ++++ src/smooth/ftsmooth.c +@@ -153,7 +153,7 @@ + slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP; + } + +- /* allocate new one, depends on pixel format */ ++ /* allocate new one */ + pitch = width; + if ( hmul ) + { +@@ -194,6 +194,13 @@ + + #endif + ++ if ( pitch > 0xFFFF || height > 0xFFFF ) ++ { ++ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n", ++ width, height )); ++ return Smooth_Err_Raster_Overflow; ++ } ++ + bitmap->pixel_mode = FT_PIXEL_MODE_GRAY; + bitmap->num_grays = 256; + bitmap->width = width; +-- +cgit v0.8.2.1 diff --git a/graphics/freetype2/patches/patch-ab b/graphics/freetype2/patches/patch-ab new file mode 100644 index 00000000000..9bcb1f5d124 --- /dev/null +++ b/graphics/freetype2/patches/patch-ab @@ -0,0 +1,58 @@ +$NetBSD: patch-ab,v 1.12 2009/05/02 19:44:51 tnn Exp $ + +http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a18788b14db60ae3673f932249cd02d33a227c4e + +diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c +index 6830391..1bd2ce7 100644 +--- src/sfnt/ttcmap.c ++++ src/sfnt/ttcmap.c +@@ -1635,7 +1635,7 @@ + FT_INVALID_TOO_SHORT; + + length = TT_NEXT_ULONG( p ); +- if ( table + length > valid->limit || length < 8208 ) ++ if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 ) + FT_INVALID_TOO_SHORT; + + is32 = table + 12; +@@ -1863,7 +1863,8 @@ + p = table + 16; + count = TT_NEXT_ULONG( p ); + +- if ( table + length > valid->limit || length < 20 + count * 2 ) ++ if ( length > (FT_ULong)( valid->limit - table ) || ++ length < 20 + count * 2 ) + FT_INVALID_TOO_SHORT; + + /* check glyph indices */ +@@ -2048,7 +2049,8 @@ + p = table + 12; + num_groups = TT_NEXT_ULONG( p ); + +- if ( table + length > valid->limit || length < 16 + 12 * num_groups ) ++ if ( length > (FT_ULong)( valid->limit - table ) || ++ length < 16 + 12 * num_groups ) + FT_INVALID_TOO_SHORT; + + /* check groups, they must be in increasing order */ +@@ -2429,7 +2431,8 @@ + FT_ULong num_selectors = TT_NEXT_ULONG( p ); + + +- if ( table + length > valid->limit || length < 10 + 11 * num_selectors ) ++ if ( length > (FT_ULong)( valid->limit - table ) || ++ length < 10 + 11 * num_selectors ) + FT_INVALID_TOO_SHORT; + + /* check selectors, they must be in increasing order */ +@@ -2491,7 +2494,7 @@ + FT_ULong i, lastUni = 0; + + +- if ( ndp + numMappings * 4 > valid->limit ) ++ if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ) + FT_INVALID_TOO_SHORT; + + for ( i = 0; i < numMappings; ++i ) +-- +cgit v0.8.2.1 diff --git a/graphics/freetype2/patches/patch-ac b/graphics/freetype2/patches/patch-ac new file mode 100644 index 00000000000..28c82decb81 --- /dev/null +++ b/graphics/freetype2/patches/patch-ac @@ -0,0 +1,20 @@ +$NetBSD: patch-ac,v 1.4 2009/05/02 19:44:51 tnn Exp $ + +http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0a05ba257b6ddd87dacf8d54b626e4b360e0a596 + +diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c +index fc78315..c0483de 100644 +--- src/lzw/ftzopen.c ++++ src/lzw/ftzopen.c +@@ -332,6 +332,9 @@ + + while ( code >= 256U ) + { ++ if ( !state->prefix ) ++ goto Eof; ++ + FTLZW_STACK_PUSH( state->suffix[code - 256] ); + code = state->prefix[code - 256]; + } +-- +cgit v0.8.2.1 diff --git a/graphics/freetype2/patches/patch-ad b/graphics/freetype2/patches/patch-ad new file mode 100644 index 00000000000..21ef7b2f3d9 --- /dev/null +++ b/graphics/freetype2/patches/patch-ad @@ -0,0 +1,53 @@ +$NetBSD: patch-ad,v 1.2 2009/05/02 19:44:51 tnn Exp $ + +http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0545ec1ca36b27cb928128870a83e5f668980bc5 + +diff --git a/src/cff/cffload.c b/src/cff/cffload.c +index 22163fb..24b899d 100644 +--- src/cff/cffload.c ++++ src/cff/cffload.c +@@ -842,7 +842,20 @@ + goto Exit; + + for ( j = 1; j < num_glyphs; j++ ) +- charset->sids[j] = FT_GET_USHORT(); ++ { ++ FT_UShort sid = FT_GET_USHORT(); ++ ++ ++ /* this constant is given in the CFF specification */ ++ if ( sid < 65000 ) ++ charset->sids[j] = sid; ++ else ++ { ++ FT_ERROR(( "cff_charset_load:" ++ " invalid SID value %d set to zero\n", sid )); ++ charset->sids[j] = 0; ++ } ++ } + + FT_FRAME_EXIT(); + } +@@ -875,6 +888,20 @@ + goto Exit; + } + ++ /* check whether the range contains at least one valid glyph; */ ++ /* the constant is given in the CFF specification */ ++ if ( glyph_sid >= 65000 ) { ++ FT_ERROR(( "cff_charset_load: invalid SID range\n" )); ++ error = CFF_Err_Invalid_File_Format; ++ goto Exit; ++ } ++ ++ /* try to rescue some of the SIDs if `nleft' is too large */ ++ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) { ++ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" )); ++ nleft = 65000 - 1 - glyph_sid; ++ } ++ + /* Fill in the range of sids -- `nleft + 1' glyphs. */ + for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ ) + charset->sids[j] = glyph_sid; +-- +cgit v0.8.2.1 |