authordrochner <drochner@pkgsrc.org>2012-01-04 16:59:15 +0000
committerdrochner <drochner@pkgsrc.org>2012-01-04 16:59:15 +0000
commit5e645c6f34bf59aa96ebb327d05269978bd6c43b (patch)
tree5cdb5f93f5dfc205a99e63730ed3d48140489efa /fonts
parentcf1b530ed71267112a7bc27218a2e5eb68f78be7 (diff)
downloadpkgsrc-5e645c6f34bf59aa96ebb327d05269978bd6c43b.tar.gz
add patch from Redhat bug #692909 to fix Invalid pointer dereference
(CVE-2011-0764; CVE-2011-1552..1554 are possibly related - no information available yet) bump PKGREV
Diffstat (limited to 'fonts')
-rw-r--r--fonts/t1lib/Makefile4
-rw-r--r--fonts/t1lib/distinfo4
-rw-r--r--fonts/t1lib/patches/patch-aj82
-rw-r--r--fonts/t1lib/patches/patch-ak15
4 files changed, 102 insertions, 3 deletions
diff --git a/fonts/t1lib/Makefile b/fonts/t1lib/Makefile
index b2364793c7c..283aee40ef5 100644
--- a/fonts/t1lib/Makefile
+++ b/fonts/t1lib/Makefile
@@ -1,7 +1,7 @@
-# $NetBSD: Makefile,v 1.44 2011/04/22 13:43:32 obache Exp $
+# $NetBSD: Makefile,v 1.45 2012/01/04 16:59:15 drochner Exp $
DISTNAME= t1lib-5.1.2
-PKGREVISION= 3
+PKGREVISION= 4
CATEGORIES= fonts devel graphics
MASTER_SITES= ${MASTER_SITE_SUNSITE:=libs/graphics/}
diff --git a/fonts/t1lib/distinfo b/fonts/t1lib/distinfo
index 7b85fb38eed..2b74fc7d778 100644
--- a/fonts/t1lib/distinfo
+++ b/fonts/t1lib/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.20 2011/03/08 17:13:33 drochner Exp $
+$NetBSD: distinfo,v 1.21 2012/01/04 16:59:15 drochner Exp $
SHA1 (t1lib-5.1.2.tar.gz) = 4b4fc22c8688eefaaa8cfc990f0039f95f4287de
RMD160 (t1lib-5.1.2.tar.gz) = ab22aea390356750d743c0f4b08762aa76ca2a82
@@ -9,3 +9,5 @@ SHA1 (patch-ad) = 29c530f6d363de31777ad45823b55e72208c4ccb
SHA1 (patch-af) = e89df0d94e0748e468c7c3d40ce2fc0ccdb0116c
SHA1 (patch-ah) = 60ead43eeb6327cd3fd94755364633b6bf5d5d0d
SHA1 (patch-ai) = 176ed28f114f64c5e97e7c00c684a74895de2df3
+SHA1 (patch-aj) = f5fc3b192b21df64150288bad4f1f0cff58d4d84
+SHA1 (patch-ak) = e66b8b8f987d15d07264f268acc7e3a02ba76d36
diff --git a/fonts/t1lib/patches/patch-aj b/fonts/t1lib/patches/patch-aj
new file mode 100644
index 00000000000..b38550be980
--- /dev/null
+++ b/fonts/t1lib/patches/patch-aj
@@ -0,0 +1,82 @@
+$NetBSD: patch-aj,v 1.1 2012/01/04 16:59:16 drochner Exp $
+
+CVE-2011-0764
+
+--- lib/type1/type1.c.orig 2007-12-23 15:49:42.000000000 +0000
++++ lib/type1/type1.c
+@@ -1012,6 +1012,7 @@ static void FindStems( double x, double
+ double nextdtana = 0.0; /* tangent of post-delta against horizontal line */
+ double nextdtanb = 0.0; /* tangent of post-delta against vertical line */
+
++ if (numppoints < 1) Error0v("FindStems: No previous point!\n");
+
+ /* setup default hinted position */
+ ppoints[numppoints-1].ax = ppoints[numppoints-1].x;
+@@ -1289,7 +1290,7 @@ unsigned char cipher;
+ static int DoRead(CodeP)
+ int *CodeP;
+ {
+- if (strindex >= CharStringP->len) return(FALSE); /* end of string */
++ if (!CharStringP || strindex >= CharStringP->len) return(FALSE); /* end of string */
+ /* We handle the non-documented Adobe convention to use lenIV=-1 to
+ suppress charstring encryption. */
+ if (blues->lenIV==-1) {
+@@ -1700,6 +1701,7 @@ static int RLineTo(dx, dy)
+ long pindex = 0;
+
+ /* compute hinting for previous segment! */
++ if (ppoints == NULL || numppoints < 2 ) Error0i("RLineTo: No previous point!\n");
+ FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
+
+ /* Allocate a new path point and pre-setup data */
+@@ -1728,6 +1730,7 @@ static int RRCurveTo(dx1, dy1, dx2, dy2,
+ long pindex = 0;
+
+ /* compute hinting for previous point! */
++ if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n");
+ FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
+
+ /* Allocate three new path points and pre-setup data */
+@@ -1786,7 +1789,9 @@ static int DoClosePath()
+ long tmpind;
+ double deltax = 0.0;
+ double deltay = 0.0;
+-
++
++ if (numppoints < 1) Error0i("DoClosePath: No previous point!");
++
+ /* If this ClosePath command together with the starting point of this
+ path completes to a segment aligned to a stem, we would miss
+ hinting for this point. --> Check and explicitly care for this! */
+@@ -1801,6 +1806,7 @@ static int DoClosePath()
+ deltax = ppoints[i].x - ppoints[numppoints-1].x;
+ deltay = ppoints[i].y - ppoints[numppoints-1].y;
+
++ if (numppoints <= i + 1) Error0i("DoClosePath: No previous point!");
+ /* save nummppoints and reset to move point */
+ tmpind = numppoints;
+ numppoints = i + 1;
+@@ -1903,6 +1909,7 @@ static int RMoveTo(dx,dy)
+ FindStems( currx, curry, 0, 0, dx, dy);
+ }
+ else {
++ if (ppoints == NULL || numppoints < 2) Error0i("RMoveTo: No previous point!\n");
+ FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy);
+ }
+
+@@ -2152,6 +2159,7 @@ static void FlxProc(c1x2, c1y2, c3x0, c3
+ DOUBLE cx, cy;
+ DOUBLE ex, ey;
+
++ if (numppoints < 8) Error0v("FlxProc: No previous point!");
+
+ /* Our PPOINT list now contains 7 moveto commands which
+ are about to be consumed by the Flex mechanism. --> Remove these
+@@ -2321,6 +2329,7 @@ static void FlxProc1()
+ /* Returns currentpoint on stack */
+ static void FlxProc2()
+ {
++ if (numppoints < 1) Error0v("FlxProc2: No previous point!");
+ /* Push CurrentPoint on fake PostScript stack */
+ PSFakePush( ppoints[numppoints-1].x);
+ PSFakePush( ppoints[numppoints-1].y);
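Review bot: The new guards are inconsistent about what they test: RLineTo, RRCurveTo and RMoveTo check `ppoints == NULL || numppoints < 2`, while FindStems, DoClosePath, FlxProc and FlxProc2 check only `numppoints` before indexing `ppoints[numppoints-1]`. Whether `numppoints` can be non-zero while `ppoints` is NULL is not visible here, so either add the NULL test everywhere, e.g. `if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n");`, or document the invariant that makes it unnecessary. The guards only protect anything if `Error0i`/`Error0v` return from the enclosing function; those macros are defined outside these hunks, so that is worth confirming, since most guards are followed directly by the indexing they are meant to prevent. Minor: the DoClosePath, FlxProc and FlxProc2 messages lack the trailing `\n` the others carry, and "No previous point!" is a misleading message for FlxProc's `numppoints < 8` test.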
diff --git a/fonts/t1lib/patches/patch-ak b/fonts/t1lib/patches/patch-ak
new file mode 100644
index 00000000000..4bfbe48e2f6
--- /dev/null
+++ b/fonts/t1lib/patches/patch-ak
@@ -0,0 +1,15 @@
+$NetBSD: patch-ak,v 1.1 2012/01/04 16:59:16 drochner Exp $
+
+CVE-2011-0764
+
+--- lib/type1/lines.c.orig 2007-12-23 15:49:42.000000000 +0000
++++ lib/type1/lines.c
+@@ -150,7 +150,7 @@ Find the starting x and y integer pel co
+ y = RoundFP(y1,PREC);
+
+ edgeP += y;
+- count = RoundFP(y2,PREC) - y;
++ count = (RoundFP(y2,PREC) - y) - 2;
+ /*------------------------------------------------------------------*/
+ /* Force dx to be positive so that dfy will be negative */
+ /* this means that vertical moves will decrease d */
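Review bot: The `- 2` in `count = (RoundFP(y2,PREC) - y) - 2;` is an unexplained constant: nothing in the patch says which bound it protects or why two rows is the right margin, and it shortens every run, not only those that would go out of range. For spans of fewer than two rows `count` becomes zero or negative, and the loop that consumes it lies outside this hunk, so confirm that it stops on a non-positive count. If the intent is to keep the stores through `edgeP` inside the edge array, say so above the assignment, e.g. `/* CVE-2011-0764: shorten the run so writes via edgeP stay inside the edge array (Red Hat bug #692909) */`. A comparison against the real array limit would be more robust than a fixed margin, if the caller can supply it.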