rpms/freetype1/F-8 freetype-1.4pre-CVE-2008-1808.patch, NONE, 1.1 freetype1.spec, 1.3, 1.4

Hans de Goede (jwrdegoede) fedora-extras-commits at redhat.com
Sat Jun 14 08:51:34 UTC 2008


Author: jwrdegoede

Update of /cvs/extras/rpms/freetype1/F-8
In directory cvs-int.fedora.redhat.com:/tmp/cvs-serv5823

Modified Files:
	freetype1.spec 
Added Files:
	freetype-1.4pre-CVE-2008-1808.patch 
Log Message:
* Sat Jun 14 2008 Hans de Goede <j.w.r.degoede at hhs.nl> 1.4-0.6.pre
- Backport fixes for CVE-2008-1806, CVE-2008-1807 and CVE-2008-1808 to
  freetype 1 (where applicable, bz 450773, 450774)


freetype-1.4pre-CVE-2008-1808.patch:

--- NEW FILE freetype-1.4pre-CVE-2008-1808.patch ---
diff -up freetype-1.3.1/lib/ttfile.c~ freetype-1.3.1/lib/ttfile.c
--- freetype-1.3.1/lib/ttfile.c~	2008-06-14 09:51:56.000000000 +0200
+++ freetype-1.3.1/lib/ttfile.c	2008-06-14 09:51:56.000000000 +0200
@@ -931,6 +931,9 @@
   EXPORT_FUNC
   TT_Error  TT_Skip_File( STREAM_ARGS Long  distance )
   {
+    if ( distance < 0 )
+      return TT_Err_Invalid_File_Offset;
+
     return TT_Seek_File( STREAM_VARS ftell( CUR_Stream->file ) -
                                      CUR_Stream->base + distance );
   }
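Review bot: Rejecting a negative distance closes the backward-seek case, but the sum on the next two lines, `ftell( CUR_Stream->file ) - CUR_Stream->base + distance`, can still overflow a signed Long for a large positive distance, and a failed ftell() (-1) is folded into the offset unchanged; nothing in this hunk shows TT_Seek_File validating the resulting offset against the stream size. Compute the current position first and check it: `Long cur = ftell( CUR_Stream->file ) - CUR_Stream->base;` then `if ( distance < 0 || cur < 0 || distance > LONG_MAX - cur ) return TT_Err_Invalid_File_Offset;` and finally `return TT_Seek_File( STREAM_VARS cur + distance );` (this assumes Long is a typedef of long; use the matching limit otherwise). TT_Skip_File is shown in full in this hunk.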
diff -up freetype-1.3.1/lib/ttinterp.c~ freetype-1.3.1/lib/ttinterp.c
--- freetype-1.3.1/lib/ttinterp.c~	2008-06-14 09:56:48.000000000 +0200
+++ freetype-1.3.1/lib/ttinterp.c	2008-06-14 09:56:48.000000000 +0200
@@ -4144,7 +4144,7 @@
 
     /* XXX: this is probably wrong... at least it prevents memory */
     /*      corruption when zp2 is the twilight zone              */
-    if ( last_point > CUR.zp2.n_points )
+    if ( BOUNDS ( last_point , CUR.zp2.n_points ) )
     {
       if ( CUR.zp2.n_points > 0 )
         last_point = CUR.zp2.n_points - 1;
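Review bot: The `XXX: this is probably wrong...` comment above the changed line is now stale: the new BOUNDS() test presumably rejects `last_point == n_points` as well (as the FT2 macro does — confirm its definition in this file), so the comment should state what the clamp guarantees rather than doubt it, e.g. `/* clamp last_point into zp2: an index equal to n_points is out of range too */`. The spacing in `BOUNDS ( last_point , CUR.zp2.n_points )` also departs from the file's `NAME( a, b )` call style seen on the other lines. The enclosing function and the branch taken when n_points == 0 lie outside this hunk, so whether last_point is reset there cannot be confirmed here.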
diff -up freetype-1.3.1/lib/ttload.c~ freetype-1.3.1/lib/ttload.c
--- freetype-1.3.1/lib/ttload.c~	2008-06-14 09:37:02.000000000 +0200
+++ freetype-1.3.1/lib/ttload.c	2008-06-14 09:46:33.000000000 +0200
@@ -284,6 +284,12 @@
 
     /* read frame data into face table */
     maxProfile->version               = GET_ULong();
+    
+    if (maxProfile->version < 0x10000L)
+    {
+      PERROR(( "!! invalid file format" ));
+      return TT_Err_Invalid_File_Format;
+    }
 
     maxProfile->numGlyphs             = GET_UShort();
 
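Review bot: The message `!! invalid file format` does not say which table or field failed, unlike the later PERROR lines in this patch that name the `maxp' table and end with a newline; suggest `PERROR(( "!! invalid `maxp' table version\n" ));` so a rejected font can be diagnosed. The added blank line above the check also carries trailing whitespace (`+    `). The enclosing function starts before this hunk.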
@@ -294,6 +300,14 @@
 
     maxProfile->maxZones              = GET_UShort();
     maxProfile->maxTwilightPoints     = GET_UShort();
+    /* we add 4 phantom points later */
+    if ( maxProfile->maxTwilightPoints > ( 0xFFFFU - 4 ) )
+    {
+      PERROR(( "Too much twilight points in `maxp' table;\n" ));
+      PERROR(( "  some glyphs might be rendered incorrectly.\n" ));
+ 
+      maxProfile->maxTwilightPoints = 0xFFFFU - 4;
+    }
 
     maxProfile->maxStorage            = GET_UShort();
     maxProfile->maxFunctionDefs       = GET_UShort();
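Review bot: The diagnostic reads `Too much twilight points in `maxp' table;` where "Too many twilight points" is the intended wording, and the blank line inside the block (`+ `) carries trailing whitespace. Since the value is silently clamped afterwards, the second PERROR line is the only trace that the font's table was altered, so keeping both messages is right; a short comment after the clamp such as `/* keeps room for the 4 phantom points added below */` would tie it to the comment above. The enclosing function starts before this hunk.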
@@ -330,8 +344,10 @@
      
     /* We also increase maxPoints and maxContours in order to support */
     /* some broken fonts.                                             */
-    face->maxPoints   += 8;
-    face->maxContours += 4;
+    if ( face->maxPoints < ( 0xFFFFU - 8 ) )
+      face->maxPoints   += 8;
+    if ( face->maxContours < ( 0xFFFFU - 4 ) )
+      face->maxContours += 4;
 
     PTRACE2(( "GASP loaded.\n" ));
     return TT_Err_Ok;
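Review bot: Unlike the twilight-point clamp earlier in this patch, the new guards on maxPoints and maxContours skip the +8/+4 headroom silently when a field is within 8 (or 4) of 0xFFFF — no PERROR and no clamp — so a broken font that needed the headroom gets less than the comment above promises, with nothing logged. Suggest clamping instead: `face->maxPoints = ( face->maxPoints < 0xFFFFU - 8 ) ? face->maxPoints + 8 : 0xFFFFU;` and the same for maxContours with 4, or at least a PERROR matching the maxp check. This presumes both fields are 16-bit, which the 0xFFFF bound suggests; the struct definition and the start of the enclosing function are outside this hunk.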


Index: freetype1.spec
===================================================================
RCS file: /cvs/extras/rpms/freetype1/F-8/freetype1.spec,v
retrieving revision 1.3
retrieving revision 1.4
diff -u -r1.3 -r1.4
--- freetype1.spec	5 Sep 2007 18:37:14 -0000	1.3
+++ freetype1.spec	14 Jun 2008 08:50:42 -0000	1.4
@@ -4,7 +4,7 @@
 
 Name:           freetype1
 Version:        1.4
-Release:        0.4.pre%{?dist}
+Release:        0.6.pre%{?dist}
 Summary:        Free TrueType font rendering engine, compatibility version
 Group:          System Environment/Libraries
 License:        FTL
@@ -14,6 +14,7 @@
 Source:         http://downloads.sourceforge.net/freetype/freetype-1.3.1.tar.gz
 Patch0:         freetype-1.3.1-1.4pre.patch
 Patch1:         freetype-1.4-disable-ft1-bci.patch
+Patch2:         freetype-1.4pre-CVE-2008-1808.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires:  zlib-devel libXt-devel gettext
 
@@ -59,6 +60,12 @@
 %patch1 -p1 -b .disable-ft1-bci
 %endif
 
+%patch2 -p1
+
+iconv -f ISO-8859-1 -t UTF-8 docs/i18n.txt > docs/i18n.txt.tmp
+touch -r docs/i18n.txt docs/i18n.txt.tmp
+mv docs/i18n.txt.tmp docs/i18n.txt
+
 
 %build
 # Work around code generation problem with strict-aliasing
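Review bot: `%patch2 -p1` omits the `-b` backup suffix that `%patch1 -p1 -b .disable-ft1-bci` uses two lines above; for consistency use `%patch2 -p1 -b .cve-2008-1808`. The iconv re-encoding of docs/i18n.txt is unrelated to the CVE backport and is not mentioned in the new changelog entry; a one-line item such as `- Convert docs/i18n.txt to UTF-8` would document why %prep now rewrites that file.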
@@ -118,6 +125,13 @@
 
 
 %changelog
+* Sat Jun 14 2008 Hans de Goede <j.w.r.degoede at hhs.nl> 1.4-0.6.pre
+- Backport fixes for CVE-2008-1806, CVE-2008-1807 and CVE-2008-1808 to
+  freetype 1 (where applicable, bz 450773, 450774)
+
+* Tue Feb 19 2008 Fedora Release Engineering <rel-eng at fedoraproject.org> - 1.4-0.5.pre
+- Autorebuild for GCC 4.3
+
 * Wed Sep  5 2007 Hans de Goede <j.w.r.degoede at hhs.nl> 1.4-0.4.pre
 - Update license tag
 



