From d818455cfbe1b6b525fe45ecb08e1d4470cd837b Mon Sep 17 00:00:00 2001 From: salo Date: Tue, 22 Aug 2006 23:44:07 +0000 Subject: Pullup ticket 1803 - requested by joerg security fix for freetype2 Revisions pulled up: - pkgsrc/graphics/freetype2/Makefile 1.53, 1.54 - pkgsrc/graphics/freetype2/distinfo 1.19 - pkgsrc/graphics/freetype2/patches/patch-aa 1.7 - pkgsrc/graphics/freetype2/patches/patch-ab 1.8 Module Name: pkgsrc Committed By: minskim Date: Sun Jul 23 14:37:08 UTC 2006 Modified Files: pkgsrc/graphics/freetype2: Makefile Log Message: Link against the Carbon library if the framework is available. This fixes PR 33858. Bump PKGREVISION. --- Module Name: pkgsrc Committed By: joerg Date: Tue Aug 22 18:43:51 UTC 2006 Modified Files: pkgsrc/graphics/freetype2: Makefile distinfo Added Files: pkgsrc/graphics/freetype2/patches: patch-aa patch-ab Log Message: Add two patches to work around issues from CVE-2006-3467. Patches are directly from FreeType CVS. Bump revision. --- graphics/freetype2/Makefile | 7 +- graphics/freetype2/distinfo | 4 +- graphics/freetype2/patches/patch-aa | 457 ++++++++++++++++++++++++++++++++++++ graphics/freetype2/patches/patch-ab | 52 ++++ 4 files changed, 518 insertions(+), 2 deletions(-) create mode 100644 graphics/freetype2/patches/patch-aa create mode 100644 graphics/freetype2/patches/patch-ab
diff --git a/graphics/freetype2/Makefile b/graphics/freetype2/Makefile
index a6315cbef1c..61808dfd761 100644
--- a/graphics/freetype2/Makefile
+++ b/graphics/freetype2/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.52 2006/05/29 22:05:21 tron Exp $
+# $NetBSD: Makefile,v 1.52.2.1 2006/08/22 23:44:07 salo Exp $
 DISTNAME= freetype-2.2.1
+PKGREVISION= 2
 PKGNAME= ${DISTNAME:S/-/2-/}
 CATEGORIES= graphics
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=freetype/} \
@@ -25,6 +26,10 @@ BUILD_DIRS= ${WRKSRC}
 CONFIGURE_ARGS+= --includedir=${PREFIX}/include
 CONFIGURE_ENV+= ac_cv_path_GREP=${GREP:Q} ac_cv_path_EGREP=${EGREP:Q}
+.if exists(/System/Library/Frameworks/Carbon.framework)
+LDFLAGS+= -framework Carbon
+.endif
+
 PKGCONFIG_OVERRIDE= builds/unix/freetype2.in
 .include "../../mk/bsd.prefs.mk"
diff --git a/graphics/freetype2/distinfo b/graphics/freetype2/distinfo
index 956782a90a9..cbf8b6bb9bb 100644
--- a/graphics/freetype2/distinfo
+++ b/graphics/freetype2/distinfo
@@ -1,5 +1,7 @@
-$NetBSD: distinfo,v 1.18 2006/05/31 10:24:54 tron Exp $
+$NetBSD: distinfo,v 1.18.2.1 2006/08/22 23:44:08 salo Exp $
 SHA1 (freetype-2.2.1.tar.bz2) = 4aa7d5ce2198fad586cf09ef7c9d3a6277320167
 RMD160 (freetype-2.2.1.tar.bz2) = 1c7eb4a43501c8fd5e89d0399e184847351ee160
 Size (freetype-2.2.1.tar.bz2) = 1212258 bytes
+SHA1 (patch-aa) = 58c8295d1b67be20a37b75d4786b25ca38779bf9
+SHA1 (patch-ab) = 4f96f0b6dc90d90e9db38e9eb0e363f183b43e99
diff --git a/graphics/freetype2/patches/patch-aa b/graphics/freetype2/patches/patch-aa
new file mode 100644
index 00000000000..037fb7b23ad
--- /dev/null
+++ b/graphics/freetype2/patches/patch-aa
@@ -0,0 +1,457 @@
+$NetBSD: patch-aa,v 1.6.2.1 2006/08/22 23:44:08 salo Exp $
+
+--- src/pcf/pcfread.c.orig 2006-01-23 17:35:18.000000000 +0100
++++ src/pcf/pcfread.c
+@@ -102,7 +102,8 @@ THE SOFTWARE.
+ return PCF_Err_Cannot_Open_Resource;
+
+ if ( toc->version != PCF_FILE_VERSION ||
+- toc->count > FT_ARRAY_MAX( face->toc.tables ) )
++ toc->count > FT_ARRAY_MAX( face->toc.tables ) ||
++ toc->count == 0 )
+ return PCF_Err_Invalid_File_Format;
+
+ if ( FT_NEW_ARRAY( face->toc.tables, toc->count ) )
+@@ -116,6 +117,41 @@ THE SOFTWARE.
+ tables++;
+ }
+
++ /* Sort tables and check for overlaps. Because they are almost */
++ /* always ordered already, an in-place bubble sort with simultaneous */
++ /* boundary checking seems appropriate. */
++ tables = face->toc.tables;
++
++ for ( n = 0; n < toc->count - 1; n++ )
++ {
++ FT_UInt i, have_change;
++
++
++ have_change = 0;
++
++ for ( i = 0; i < toc->count - 1 - n; i++ )
++ {
++ PCF_TableRec tmp;
++
++
++ if ( tables[i].offset > tables[i + 1].offset )
++ {
++ tmp = tables[i];
++ tables[i] = tables[i + 1];
++ tables[i + 1] = tmp;
++
++ have_change = 1;
++ }
++
++ if ( ( tables[i].size > tables[i + 1].offset ) ||
++ ( tables[i].offset > tables[i + 1].offset - tables[i].size ) )
++ return PCF_Err_Invalid_Offset;
++ }
++
++ if ( !have_change )
++ break;
++ }
++
+ #if defined( FT_DEBUG_LEVEL_TRACE )
+
+ {
+@@ -130,7 +166,8 @@ THE SOFTWARE.
+ tables = face->toc.tables;
+ for ( i = 0; i < toc->count; i++ )
+ {
+- for( j = 0; j < sizeof ( tableNames ) / sizeof ( tableNames[0] ); j++ )
++ for ( j = 0; j < sizeof ( tableNames ) / sizeof ( tableNames[0] );
++ j++ )
+ if ( tables[i].type == (FT_UInt)( 1 << j ) )
+ name = tableNames[j];
+
+@@ -153,13 +190,15 @@ THE SOFTWARE.
+ }
+
+
++#define PCF_METRIC_SIZE 12
++
+ static
+ const FT_Frame_Field pcf_metric_header[] =
+ {
+ #undef FT_STRUCTURE
+ #define FT_STRUCTURE PCF_MetricRec
+
+- FT_FRAME_START( 12 ),
++ FT_FRAME_START( PCF_METRIC_SIZE ),
+ FT_FRAME_SHORT_LE( leftSideBearing ),
+ FT_FRAME_SHORT_LE( rightSideBearing ),
+ FT_FRAME_SHORT_LE( characterWidth ),
+@@ -176,7 +215,7 @@ THE SOFTWARE.
+ #undef FT_STRUCTURE
+ #define FT_STRUCTURE PCF_MetricRec
+
+- FT_FRAME_START( 12 ),
++ FT_FRAME_START( PCF_METRIC_SIZE ),
+ FT_FRAME_SHORT( leftSideBearing ),
+ FT_FRAME_SHORT( rightSideBearing ),
+ FT_FRAME_SHORT( characterWidth ),
+@@ -187,13 +226,15 @@ THE SOFTWARE.
+ };
+
+
++#define PCF_COMPRESSED_METRIC_SIZE 5
++
+ static
+ const FT_Frame_Field pcf_compressed_metric_header[] =
+ {
+ #undef FT_STRUCTURE
+ #define FT_STRUCTURE PCF_Compressed_MetricRec
+
+- FT_FRAME_START( 5 ),
++ FT_FRAME_START( PCF_COMPRESSED_METRIC_SIZE ),
+ FT_FRAME_BYTE( leftSideBearing ),
+ FT_FRAME_BYTE( rightSideBearing ),
+ FT_FRAME_BYTE( characterWidth ),
+@@ -221,7 +262,7 @@ THE SOFTWARE.
+ ? pcf_metric_msb_header
+ : pcf_metric_header;
+
+- /* the following sets 'error' but doesn't return in case of failure */
++ /* the following sets `error' but doesn't return in case of failure */
+ (void)FT_STREAM_READ_FIELDS( fields, metric );
+ }
+ else
+@@ -261,17 +302,19 @@ THE SOFTWARE.
+ for ( i = 0; i < ntables; i++ )
+ if ( tables[i].type == type )
+ {
+- if ( stream->pos > tables[i].offset ) {
++ if ( stream->pos > tables[i].offset )
++ {
+ error = PCF_Err_Invalid_Stream_Skip;
+ goto Fail;
+ }
+
+- if ( FT_STREAM_SKIP( tables[i].offset - stream->pos ) ) {
++ if ( FT_STREAM_SKIP( tables[i].offset - stream->pos ) )
++ {
+ error = PCF_Err_Invalid_Stream_Skip;
+ goto Fail;
+ }
+
+- *asize = tables[i].size; /* unused - to be removed */
++ *asize = tables[i].size;
+ *aformat = tables[i].format;
+
+ return PCF_Err_Ok;
+@@ -298,13 +341,15 @@ THE SOFTWARE.
+ }
+
+
++#define PCF_PROPERTY_SIZE 9
++
+ static
+ const FT_Frame_Field pcf_property_header[] =
+ {
+ #undef FT_STRUCTURE
+ #define FT_STRUCTURE PCF_ParsePropertyRec
+
+- FT_FRAME_START( 9 ),
++ FT_FRAME_START( PCF_PROPERTY_SIZE ),
+ FT_FRAME_LONG_LE( name ),
+ FT_FRAME_BYTE ( isString ),
+ FT_FRAME_LONG_LE( value ),
+@@ -318,7 +363,7 @@ THE SOFTWARE.
+ #undef FT_STRUCTURE
+ #define FT_STRUCTURE PCF_ParsePropertyRec
+
+- FT_FRAME_START( 9 ),
++ FT_FRAME_START( PCF_PROPERTY_SIZE ),
+ FT_FRAME_LONG( name ),
+ FT_FRAME_BYTE( isString ),
+ FT_FRAME_LONG( value ),
+@@ -353,8 +398,8 @@ THE SOFTWARE.
+ PCF_Face face )
+ {
+ PCF_ParseProperty props = 0;
+- PCF_Property properties = 0;
+- FT_Int nprops, i;
++ PCF_Property properties;
++ FT_UInt nprops, i;
+ FT_ULong format, size;
+ FT_Error error;
+ FT_Memory memory = FT_FACE(face)->memory;
+@@ -390,6 +435,15 @@ THE SOFTWARE.
+
+ FT_TRACE4(( " nprop = %d\n", nprops ));
+
++ /* rough estimate */
++ if ( nprops > size / PCF_PROPERTY_SIZE )
++ {
++ error = PCF_Err_Invalid_Table;
++ goto Bail;
++ }
++
++ face->nprops = nprops;
++
+ if ( FT_NEW_ARRAY( props, nprops ) )
+ goto Bail;
+
+@@ -427,6 +481,13 @@ THE SOFTWARE.
+
+ FT_TRACE4(( " string_size = %ld\n", string_size ));
+
++ /* rough estimate */
++ if ( string_size > size - nprops * PCF_PROPERTY_SIZE )
++ {
++ error = PCF_Err_Invalid_Table;
++ goto Bail;
++ }
++
+ if ( FT_NEW_ARRAY( strings, string_size ) )
+ goto Bail;
+
+@@ -437,13 +498,24 @@ THE SOFTWARE.
+ if ( FT_NEW_ARRAY( properties, nprops ) )
+ goto Bail;
+
++ face->properties = properties;
++
+ for ( i = 0; i < nprops; i++ )
+ {
+- /* XXX: make atom */
++ FT_Long name_offset = props[i].name;
++
++
++ if ( ( name_offset < 0 ) ||
++ ( (FT_ULong)name_offset > string_size ) )
++ {
++ error = PCF_Err_Invalid_Offset;
++ goto Bail;
++ }
++
+ if ( FT_NEW_ARRAY( properties[i].name,
+- ft_strlen( strings + props[i].name ) + 1 ) )
++ ft_strlen( strings + name_offset ) + 1 ) )
+ goto Bail;
+- ft_strcpy( properties[i].name, strings + props[i].name );
++ ft_strcpy( properties[i].name, strings + name_offset );
+
+ FT_TRACE4(( " %s:", properties[i].name ));
+
+@@ -451,8 +523,18 @@ THE SOFTWARE.
+
+ if ( props[i].isString )
+ {
++ FT_Long value_offset = props[i].value;
++
++
++ if ( ( value_offset < 0 ) ||
++ ( (FT_ULong)value_offset > string_size ) )
++ {
++ error = PCF_Err_Invalid_Offset;
++ goto Bail;
++ }
++
+ if ( FT_NEW_ARRAY( properties[i].value.atom,
+- ft_strlen( strings + props[i].value ) + 1 ) )
++ ft_strlen( strings + value_offset ) + 1 ) )
+ goto Bail;
+ ft_strcpy( properties[i].value.atom, strings + props[i].value );
+
+@@ -466,14 +548,8 @@ THE SOFTWARE.
+ }
+ }
+
+- face->properties = properties;
+- face->nprops = nprops;
+-
+- FT_FREE( props );
+- FT_FREE( strings );
+-
+- return PCF_Err_Ok;
+-
++ error = PCF_Err_Ok;
++
+ Bail:
+ FT_FREE( props );
+ FT_FREE( strings );
+@@ -488,11 +564,9 @@ THE SOFTWARE.
+ {
+ FT_Error error = PCF_Err_Ok;
+ FT_Memory memory = FT_FACE(face)->memory;
+- FT_ULong format = 0;
+- FT_ULong size = 0;
++ FT_ULong format, size;
+ PCF_Metric metrics = 0;
+- int i;
+- int nmetrics = -1;
++ FT_ULong nmetrics, i;
+
+
+ error = pcf_seek_to_table_type( stream,
+@@ -504,7 +578,8 @@ THE SOFTWARE.
+ if ( error )
+ return error;
+
+- error = FT_READ_ULONG_LE( format );
++ if ( FT_READ_ULONG_LE( format ) )
++ goto Bail;
+
+ if ( !PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) &&
+ !PCF_FORMAT_MATCH( format, PCF_COMPRESSED_METRICS ) )
+@@ -524,16 +599,30 @@ THE SOFTWARE.
+ else
+ (void)FT_READ_USHORT_LE( nmetrics );
+ }
+- if ( error || nmetrics == -1 )
++ if ( error )
+ return PCF_Err_Invalid_File_Format;
+
+ face->nmetrics = nmetrics;
+
++ FT_TRACE4(( "pcf_get_metrics:\n" ));
++
++ FT_TRACE4(( " number of metrics: %d\n", nmetrics ));
++
++ /* rough estimate */
++ if ( PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) )
++ {
++ if ( nmetrics > size / PCF_METRIC_SIZE )
++ return PCF_Err_Invalid_Table;
++ }
++ else
++ {
++ if ( nmetrics > size / PCF_COMPRESSED_METRIC_SIZE )
++ return PCF_Err_Invalid_Table;
++ }
++
+ if ( FT_NEW_ARRAY( face->metrics, nmetrics ) )
+ return PCF_Err_Out_Of_Memory;
+
+- FT_TRACE4(( "pcf_get_metrics:\n" ));
+-
+ metrics = face->metrics;
+ for ( i = 0; i < nmetrics; i++ )
+ {
+@@ -541,7 +630,7 @@ THE SOFTWARE.
+
+ metrics[i].bits = 0;
+
+- FT_TRACE4(( " idx %d: width=%d, "
++ FT_TRACE5(( " idx %d: width=%d, "
+ "lsb=%d, rsb=%d, ascent=%d, descent=%d, swidth=%d\n",
+ i,
+ ( metrics + i )->characterWidth,
+@@ -557,6 +646,8 @@ THE SOFTWARE.
+
+ if ( error )
+ FT_FREE( face->metrics );
++
++ Bail:
+ return error;
+ }
+
+@@ -597,14 +688,16 @@ THE SOFTWARE.
+ if ( !PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) )
+ return PCF_Err_Invalid_File_Format;
+
++ FT_TRACE4(( "pcf_get_bitmaps:\n" ));
++
++ FT_TRACE4(( " number of bitmaps: %d\n", nbitmaps ));
++
+ if ( nbitmaps != face->nmetrics )
+ return PCF_Err_Invalid_File_Format;
+
+ if ( FT_NEW_ARRAY( offsets, nbitmaps ) )
+ return error;
+
+- FT_TRACE4(( "pcf_get_bitmaps:\n" ));
+-
+ for ( i = 0; i < nbitmaps; i++ )
+ {
+ if ( PCF_BYTE_ORDER( format ) == MSBFirst )
+@@ -612,7 +705,7 @@ THE SOFTWARE.
+ else
+ (void)FT_READ_LONG_LE( offsets[i] );
+
+- FT_TRACE4(( " bitmap %d: offset %ld (0x%lX)\n",
++ FT_TRACE5(( " bitmap %d: offset %ld (0x%lX)\n",
+ i, offsets[i], offsets[i] ));
+ }
+ if ( error )
+@@ -640,15 +733,22 @@ THE SOFTWARE.
+ FT_UNUSED( sizebitmaps ); /* only used for debugging */
+
+ for ( i = 0; i < nbitmaps; i++ )
+- face->metrics[i].bits = stream->pos + offsets[i];
++ {
++ /* rough estimate */
++ if ( ( offsets[i] < 0 ) ||
++ ( (FT_ULong)offsets[i] > size ) )
++ {
++ FT_ERROR(( "pcf_get_bitmaps:"));
++ FT_ERROR(( " invalid offset to bitmap data of glyph %d\n", i ));
++ }
++ else
++ face->metrics[i].bits = stream->pos + offsets[i];
++ }
+
+ face->bitmapsFormat = format;
+
+- FT_FREE ( offsets );
+- return error;
+-
+ Bail:
+- FT_FREE ( offsets );
++ FT_FREE( offsets );
+ return error;
+ }
+
+@@ -734,7 +834,7 @@ THE SOFTWARE.
+
+ tmpEncoding[j].glyph = (FT_Short)encodingOffset;
+
+- FT_TRACE4(( " code %d (0x%04X): idx %d\n",
++ FT_TRACE5(( " code %d (0x%04X): idx %d\n",
+ tmpEncoding[j].enc, tmpEncoding[j].enc,
+ tmpEncoding[j].glyph ));
+
+@@ -828,7 +928,8 @@ THE SOFTWARE.
+ if ( error )
+ goto Bail;
+
+- error = FT_READ_ULONG_LE( format );
++ if ( FT_READ_ULONG_LE( format ) )
++ goto Bail;
+
+ if ( !PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) &&
+ !PCF_FORMAT_MATCH( format, PCF_ACCEL_W_INKBOUNDS ) )
+@@ -876,7 +977,6 @@ THE SOFTWARE.
+ accel->ink_minbounds = accel->minbounds; /* I'm not sure about this */
+ accel->ink_maxbounds = accel->maxbounds;
+ }
+- return error;
+
+ Bail:
+ return error;
+@@ -1082,11 +1182,12 @@ THE SOFTWARE.
+ else
+ root->family_name = NULL;
+
+- /* Note: We shift all glyph indices by +1 since we must
++ /*
++ * Note: We shift all glyph indices by +1 since we must
+ * respect the convention that glyph 0 always corresponds
+- * to the "missing glyph".
++ * to the `missing glyph'.
+ *
+- * This implies bumping the number of "available" glyphs by 1.
++ * This implies bumping the number of `available' glyphs by 1.
+ */
+ root->num_glyphs = face->nmetrics + 1;
+
+@@ -1171,7 +1272,7 @@ THE SOFTWARE.
+ Exit:
+ if ( error )
+ {
+- /* this is done to respect the behaviour of the original */
++ /* This is done to respect the behaviour of the original */
+ /* PCF font driver. */
+ error = PCF_Err_Invalid_File_Format;
+ }
diff --git a/graphics/freetype2/patches/patch-ab b/graphics/freetype2/patches/patch-ab
new file mode 100644
index 00000000000..cbc22924362
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ab
@@ -0,0 +1,52 @@
+$NetBSD: patch-ab,v 1.7.16.1 2006/08/22 23:44:08 salo Exp $
+
+--- src/pcf/pcfdrivr.c.orig 2006-02-17 07:40:36.000000000 +0100
++++ src/pcf/pcfdrivr.c
+@@ -203,19 +203,23 @@ THE SOFTWARE.
+
+ /* free properties */
+ {
+- PCF_Property prop = face->properties;
++ PCF_Property prop;
+ FT_Int i;
+
+
+- for ( i = 0; i < face->nprops; i++ )
++ if ( face->properties )
+ {
+- prop = &face->properties[i];
++ for ( i = 0; i < face->nprops; i++ )
++ {
++ prop = &face->properties[i];
+
+- FT_FREE( prop->name );
+- if ( prop->isString )
+- FT_FREE( prop->value.atom );
++ if ( prop ) {
++ FT_FREE( prop->name );
++ if ( prop->isString )
++ FT_FREE( prop->value.atom );
++ }
++ }
+ }
+-
+ FT_FREE( face->properties );
+ }
+
+@@ -258,6 +262,8 @@ THE SOFTWARE.
+ FT_Error error2;
+
+
++ PCF_Face_Done( pcfface );
++
+ /* this didn't work, try gzip support! */
+ error2 = FT_Stream_OpenGzip( &face->gzip_stream, stream );
+ if ( FT_ERROR_BASE( error2 ) == FT_Err_Unimplemented_Feature )
+@@ -357,6 +363,7 @@ THE SOFTWARE.
+
+ Fail:
+ FT_TRACE2(( "[not a valid PCF file]\n" ));
++ PCF_Face_Done( pcfface );
+ error = PCF_Err_Unknown_File_Format; /* error */
+ goto Exit;
+ }
-- cgit v1.2.3
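Review bot: The two offset guards added to pcf_get_properties accept an offset equal to `string_size`, while the buffer is allocated with `FT_NEW_ARRAY( strings, string_size )`, so `ft_strlen( strings + name_offset )` can start one element past the end of the array; the same holds for `value_offset`. Both comparisons should be `>=`, e.g. `( (FT_ULong)name_offset >= string_size )`. Nothing visible in these hunks guarantees that `strings` ends in a NUL byte, so even an in-range offset may let `ft_strlen`/`ft_strcpy` run past the allocation; the code that fills `strings` lies outside the hunk and should be checked for that. The unchanged line `ft_strcpy( properties[i].value.atom, strings + props[i].value )` should also use `value_offset`, so that the value which was validated is the one that is used.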
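Review bot: `PCF_Face_Done( pcfface )` can now run more than once on the same face (before the gzip retry, again at `Fail:`, and presumably once more when the caller destroys the face), so it has to be idempotent. The properties block is safe only because FT_FREE resets the pointer it frees and the loop is now guarded by `if ( face->properties )`; `face->nprops` keeps its old value, and the rest of PCF_Face_Done lies outside this hunk, so the other frees and any stream close there need the same check. The inner `if ( prop ) {` can never be false, because `prop` is the address of an array element under a non-NULL `face->properties`; it should be dropped. A comment above the block, such as `/* may run again after a failed load; every freed field must end up NULL */`, would record the requirement.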