From 6268358eda017e59c2b7eab422ab9c9cc4508052 Mon Sep 17 00:00:00 2001
From: drochner
Date: Thu, 5 Apr 2007 16:29:38 +0000
Subject: pull in a patch from freetype CVS: * src/bdf/bdflib.c (setsbit, sbitset): Handle values >= 128 gracefully. (_bdf_set_default_spacing): Increase `name' buffer size to 256 and issue an error for longer names. (_bdf_parse_glyphs): Limit allowed number of glyphs in font to the number of code points in Unicode. This fixes CVE-2007-1351.
---
 graphics/freetype2/Makefile | 3 +-
 graphics/freetype2/distinfo | 3 +-
 graphics/freetype2/patches/patch-ac | 55 +++++++++++++++++++++++++++++++++++++
 3 files changed, 59 insertions(+), 2 deletions(-)
 create mode 100644 graphics/freetype2/patches/patch-ac
(limited to 'graphics/freetype2')
diff --git a/graphics/freetype2/Makefile b/graphics/freetype2/Makefile
index 6fc3b0c762e..324aa05b86b 100644
--- a/graphics/freetype2/Makefile
+++ b/graphics/freetype2/Makefile
@@ -1,6 +1,7 @@
-# $NetBSD: Makefile,v 1.57 2007/03/24 12:49:08 drochner Exp $
+# $NetBSD: Makefile,v 1.58 2007/04/05 16:29:38 drochner Exp $
 DISTNAME= freetype-2.3.2
+PKGREVISION= 1
 PKGNAME= ${DISTNAME:S/-/2-/}
 CATEGORIES= graphics
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=freetype/} \
diff --git a/graphics/freetype2/distinfo b/graphics/freetype2/distinfo
index daf542497dc..d462e45f845 100644
--- a/graphics/freetype2/distinfo
+++ b/graphics/freetype2/distinfo
@@ -1,7 +1,8 @@
-$NetBSD: distinfo,v 1.21 2007/03/23 22:09:18 joerg Exp $
+$NetBSD: distinfo,v 1.22 2007/04/05 16:29:38 drochner Exp $
 SHA1 (freetype-2.3.2.tar.bz2) = 4188a2ed344ddf89bdb1a054fb441019aa4b143d
 RMD160 (freetype-2.3.2.tar.bz2) = e4da77b6f8956d69e57269c5681560beda0ddb27
 Size (freetype-2.3.2.tar.bz2) = 1252007 bytes
 SHA1 (patch-aa) = 0682e65e006c7b02535034c3e247be676af3b98f
 SHA1 (patch-ab) = 257118397011eb68197008842e98b8ef6c96e48d
+SHA1 (patch-ac) = b00c86bf322e2ac6a71a24e27916ca1fa312009b
diff --git a/graphics/freetype2/patches/patch-ac b/graphics/freetype2/patches/patch-ac
new file mode 100644
index 00000000000..74ee4b8532e
--- /dev/null
+++ b/graphics/freetype2/patches/patch-ac
@@ -0,0 +1,55 @@
+$NetBSD: patch-ac,v 1.2 2007/04/05 16:29:38 drochner Exp $
+
+--- src/bdf/bdflib.c.orig 2007-02-12 22:29:20.000000000 +0100
++++ src/bdf/bdflib.c
+@@ -385,8 +385,10 @@
+ } _bdf_parse_t;
+
+
+-#define setsbit( m, cc ) ( m[(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) )
+-#define sbitset( m, cc ) ( m[(cc) >> 3] & ( 1 << ( (cc) & 7 ) ) )
++#define setsbit( m, cc ) \
++ ( m[(FT_Byte)(cc) >> 3] |= (FT_Byte)( 1 << ( (cc) & 7 ) ) )
++#define sbitset( m, cc ) \
++ ( m[(FT_Byte)(cc) >> 3] & ( 1 << ( (cc) & 7 ) ) )
+
+
+ static void
+@@ -1130,7 +1132,7 @@
+ bdf_options_t* opts )
+ {
+ unsigned long len;
+- char name[128];
++ char name[256];
+ _bdf_list_t list;
+ FT_Memory memory;
+ FT_Error error = BDF_Err_Ok;
+@@ -1149,6 +1151,13 @@
+ font->spacing = opts->font_spacing;
+
+ len = (unsigned long)( ft_strlen( font->name ) + 1 );
++ /* Limit ourselves to 256 characters in the font name. */
++ if ( len >= 256 )
++ {
++ error = BDF_Err_Invalid_Argument;
++ goto Exit;
++ }
++
+ FT_MEM_COPY( name, font->name, len );
+
+ error = _bdf_list_split( &list, (char *)"-", name, len );
+@@ -1467,6 +1476,14 @@
+ if ( p->cnt == 0 )
+ font->glyphs_size = 64;
+
++ /* Limit ourselves to 1,114,112 glyphs in the font (this is the */
++ /* number of code points available in Unicode). */
++ if ( p->cnt >= 1114112UL )
++ {
++ error = BDF_Err_Invalid_Argument;
++ goto Exit;
++ }
++
+ if ( FT_NEW_ARRAY( font->glyphs, font->glyphs_size ) )
+ goto Exit;
+
-- cgit v1.2.3
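Review bot: In the inner `@@ -1149,6 +1151,13 @@` hunk the bound is the literal `256`, while the buffer it protects is declared as `char name[256]` in a separate hunk, so the two can drift apart if either is edited later; writing the guard as `if ( len >= sizeof ( name ) )` ties the check to the buffer that `FT_MEM_COPY` fills. Because `len` already counts the terminating NUL, `>=` also rejects a name that would fit exactly, which is harmless but worth saying in the comment. In the last hunk the cap is tested on `p->cnt` whereas `FT_NEW_ARRAY` is sized by `font->glyphs_size`; the assignment relating the two lies outside the hunk, so comparing `font->glyphs_size` itself after the `== 0` fallback would make it evident that the guard covers the allocation. The `setsbit`/`sbitset` macros now presumably rely on `m` holding at least 32 bytes, which deserves a one-line comment such as `/* m must hold 256 bits; cc is narrowed to FT_Byte so chars >= 128 cannot index before m */`. All enclosing functions start and end outside the hunks shown.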