head 1.14; access; symbols OPENPKG_E1_MP_HEAD:1.7 OPENPKG_E1_MP:1.7 OPENPKG_E1_MP_2_STABLE:1.7 OPENPKG_E1_FP:1.7 OPENPKG_2_STABLE_MP:1.8 OPENPKG_2_STABLE_20061018:1.7 OPENPKG_2_STABLE_20060622:1.7 OPENPKG_2_STABLE:1.7.0.2 OPENPKG_2_STABLE_BP:1.7 OPENPKG_2_5_RELEASE:1.5 OPENPKG_2_5_SOLID:1.5.0.2 OPENPKG_2_5_SOLID_BP:1.5 OPENPKG_2_4_RELEASE:1.4 OPENPKG_2_4_SOLID:1.4.0.8 OPENPKG_2_4_SOLID_BP:1.4 OPENPKG_CW_FP:1.4 OPENPKG_2_3_RELEASE:1.4 OPENPKG_2_3_SOLID:1.4.0.6 OPENPKG_2_3_SOLID_BP:1.4 OPENPKG_2_2_RELEASE:1.4 OPENPKG_2_2_SOLID:1.4.0.4 OPENPKG_2_2_SOLID_BP:1.4 OPENPKG_2_1_RELEASE:1.4 OPENPKG_2_1_SOLID:1.4.0.2 OPENPKG_2_1_SOLID_BP:1.4 OPENPKG_2_0_RELEASE:1.2 OPENPKG_2_0_SOLID:1.2.0.2 OPENPKG_2_0_SOLID_BP:1.2; locks; strict; comment @# @; 1.14 date 2009.10.08.21.16.41; author rse; state Exp; branches; next 1.13; commitid HFMmpilokQT5bM6u; 1.13 date 2009.04.18.14.15.24; author rse; state Exp; branches; next 1.12; commitid NIv7RvXmv5SlpvKt; 1.12 date 2009.03.13.20.43.17; author rse; state Exp; branches; next 1.11; commitid mJpZVXyIExmaIUFt; 1.11 date 2009.01.15.18.09.27; author rse; state Exp; branches; next 1.10; commitid DYG04o88j3tZGzyt; 1.10 date 2007.07.03.18.32.38; author rse; state Exp; branches; next 1.9; commitid aDLVmEbA4L0XSlos; 1.9 date 2007.05.24.08.18.42; author rse; state Exp; branches; next 1.8; commitid yDiZveJymTC2M9js; 1.8 date 2007.01.17.17.31.50; author cs; state Exp; branches; next 1.7; commitid 7qjoRRohOseUUS2s; 1.7 date 2006.05.14.08.27.56; author rse; state Exp; branches 1.7.2.1; next 1.6; commitid 8A5hqWx8X6vySXwr; 1.6 date 2005.12.15.10.00.12; author rse; state Exp; branches; next 1.5; commitid vamRKB9BOPu8dHdr; 1.5 date 2005.07.25.17.54.35; author rse; state Exp; branches 1.5.2.1; next 1.4; 1.4 date 2004.04.22.07.15.23; author rse; state Exp; branches; next 1.3; 1.3 date 2004.04.18.10.29.51; author rse; state Exp; branches; next 1.2; 1.2 date 2003.11.10.08.18.45; author rse; state Exp; branches; next 1.1; 1.1 date 2003.11.07.20.19.58; author 
rse; state Exp; branches; next ; 1.7.2.1 date 2007.01.26.17.00.48; author thl; state Exp; branches; next ; commitid RajVR207jGKgs24s; 1.5.2.1 date 2006.07.28.11.44.54; author rse; state Exp; branches; next ; commitid 7mMYaOKVrTJEyCGr; desc @@ 1.14 log @upgrading package: freetype 2.3.9 -> 2.3.10 @ text @Index: builds/unix/freetype-config.in --- builds/unix/freetype-config.in.orig 2009-02-04 00:09:49 +0100 +++ builds/unix/freetype-config.in 2009-04-18 16:09:28 +0200 @@@@ -131,7 +131,7 @@@@ fi if test "$echo_cflags" = "yes" ; then - cflags="-I$includedir/freetype2" + cflags="-I$includedir" if test "$includedir" != "/usr/include" ; then echo $cflags -I$includedir else Index: builds/unix/freetype2.in --- builds/unix/freetype2.in.orig 2009-03-12 09:10:23 +0100 +++ builds/unix/freetype2.in 2009-04-18 16:09:28 +0200 @@@@ -9,4 +9,4 @@@@ Requires: Libs: -L${libdir} -lfreetype Libs.private: @@LIBZ@@ @@FT2_EXTRA_LIBS@@ -Cflags: -I${includedir}/freetype2 -I${includedir} +Cflags: -I${includedir} Index: builds/unix/install.mk --- builds/unix/install.mk.orig 2006-04-01 07:16:40 +0200 +++ builds/unix/install.mk 2009-04-18 16:09:28 +0200 @@@@ -30,30 +30,30 @@@@ install: $(PROJECT_LIBRARY) $(MKINSTALLDIRS) $(DESTDIR)$(libdir) \ $(DESTDIR)$(libdir)/pkgconfig \ - $(DESTDIR)$(includedir)/freetype2/freetype/config \ - $(DESTDIR)$(includedir)/freetype2/freetype/cache \ + $(DESTDIR)$(includedir)/freetype/config \ + $(DESTDIR)$(includedir)/freetype/cache \ $(DESTDIR)$(bindir) \ $(DESTDIR)$(datadir)/aclocal $(LIBTOOL) --mode=install $(INSTALL) \ $(PROJECT_LIBRARY) $(DESTDIR)$(libdir) -for P in $(PUBLIC_H) ; do \ $(INSTALL_DATA) \ - $$P $(DESTDIR)$(includedir)/freetype2/freetype ; \ + $$P $(DESTDIR)$(includedir)/freetype ; \ done -for P in $(CONFIG_H) ; do \ $(INSTALL_DATA) \ - $$P $(DESTDIR)$(includedir)/freetype2/freetype/config ; \ + $$P $(DESTDIR)$(includedir)/freetype/config ; \ done - -$(DELETE) $(DESTDIR)$(includedir)/freetype2/freetype/cache/* - -$(DELDIR) 
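Review bot: With `cflags` now set to `-I$includedir`, the context line `echo $cflags -I$includedir` in the `"$includedir" != "/usr/include"` branch prints the same include flag twice, since the second `-I$includedir` was only needed alongside the old `-I$includedir/freetype2`; `echo $cflags` is enough there. Harmless for the compiler, but tools that compare or de-duplicate `freetype-config --cflags` output will see the redundancy. The enclosing `if test "$echo_cflags" = "yes"` block continues past the end of the hunk, and the `else` branch presumably already prints `$cflags` alone.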
$(DESTDIR)$(includedir)/freetype2/freetype/cache - -$(DELETE) $(DESTDIR)$(includedir)/freetype2/freetype/internal/* - -$(DELDIR) $(DESTDIR)$(includedir)/freetype2/freetype/internal + -$(DELETE) $(DESTDIR)$(includedir)/freetype/cache/* + -$(DELDIR) $(DESTDIR)$(includedir)/freetype/cache + -$(DELETE) $(DESTDIR)$(includedir)/freetype/internal/* + -$(DELDIR) $(DESTDIR)$(includedir)/freetype/internal $(INSTALL_DATA) $(BUILD_DIR)/ft2unix.h \ $(DESTDIR)$(includedir)/ft2build.h $(INSTALL_DATA) $(OBJ_BUILD)/ftconfig.h \ - $(DESTDIR)$(includedir)/freetype2/freetype/config/ftconfig.h + $(DESTDIR)$(includedir)/freetype/config/ftconfig.h $(INSTALL_DATA) $(OBJ_DIR)/ftmodule.h \ - $(DESTDIR)$(includedir)/freetype2/freetype/config/ftmodule.h + $(DESTDIR)$(includedir)/freetype/config/ftmodule.h $(INSTALL_SCRIPT) -m 755 $(OBJ_BUILD)/freetype-config \ $(DESTDIR)$(bindir)/freetype-config $(INSTALL_SCRIPT) -m 644 $(BUILD_DIR)/freetype2.m4 \ @@@@ -64,11 +64,10 @@@@ uninstall: -$(LIBTOOL) --mode=uninstall $(RM) $(DESTDIR)$(libdir)/$(LIBRARY).$A - -$(DELETE) $(DESTDIR)$(includedir)/freetype2/freetype/config/* - -$(DELDIR) $(DESTDIR)$(includedir)/freetype2/freetype/config - -$(DELETE) $(DESTDIR)$(includedir)/freetype2/freetype/* - -$(DELDIR) $(DESTDIR)$(includedir)/freetype2/freetype - -$(DELDIR) $(DESTDIR)$(includedir)/freetype2 + -$(DELETE) $(DESTDIR)$(includedir)/freetype/config/* + -$(DELDIR) $(DESTDIR)$(includedir)/freetype/config + -$(DELETE) $(DESTDIR)$(includedir)/freetype/* + -$(DELDIR) $(DESTDIR)$(includedir)/freetype -$(DELETE) $(DESTDIR)$(includedir)/ft2build.h -$(DELETE) $(DESTDIR)$(bindir)/freetype-config -$(DELETE) $(DESTDIR)$(datadir)/aclocal/freetype2.m4 Index: include/freetype/freetype.h --- include/freetype/freetype.h.orig 2009-03-03 22:29:45 +0100 +++ include/freetype/freetype.h 2009-04-18 16:09:28 +0200 @@@@ -16,15 +16,6 @@@@ /***************************************************************************/ -#ifndef FT_FREETYPE_H -#error "`ft2build.h' hasn't been included 
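Review bot: The new destination lines in the `$(PUBLIC_H)` and `$(CONFIG_H)` loops still sit under `-for`, so a failing `$(INSTALL_DATA)` into `$(DESTDIR)$(includedir)/freetype` is ignored and `make install` exits 0 with an incomplete header tree while the patched `freetype-config` already points consumers at the new location; unless partial installs are relied on, drop the `-` from those two loop lines and keep it only on the `$(DELETE)`/`$(DELDIR)` lines, where a missing directory is expected. The same recipe now creates `$(DESTDIR)$(includedir)/freetype/cache` with `$(MKINSTALLDIRS)` and removes it again a few lines later with `-$(DELETE)`/`-$(DELDIR)`; if that is meant to clear leftovers of an older layout, a comment such as `# cache/ and internal/ headers are not installed; remove remnants of older layouts` would make the intent clear. The `install` target's recipe starts inside this hunk and continues past its end.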
yet!" -#error "Please always use macros to include FreeType header files." -#error "Example:" -#error " #include " -#error " #include FT_FREETYPE_H" -#endif - - #ifndef __FREETYPE_H__ #define __FREETYPE_H__ @ 1.13 log @apply security fixes @ text @a100 153 ------------------------------------------------------------------------------ Upstream security fixes http://www.vuxml.org/freebsd/20b4f284-2bfc-11de-bdeb-0030843d3802.html An integer overflow error within the "cff_charset_compute_cids()" function in cff/cffload.c can be exploited to potentially cause a heap-based buffer overflow via a specially crafted font. Multiple integer overflow errors within validation functions in sfnt/ttcmap.c can be exploited to bypass length validations and potentially cause buffer overflows via specially crafted fonts. An integer overflow error within the "ft_smooth_render_generic()" function in smooth/ftsmooth.c can be exploited to potentially cause a heap-based buffer overflow via a specially crafted font. 
Index: src/cff/cffload.c --- src/cff/cffload.c.orig 2009-03-12 09:04:17 +0100 +++ src/cff/cffload.c 2009-04-18 16:09:28 +0200 @@@@ -842,7 +842,20 @@@@ goto Exit; for ( j = 1; j < num_glyphs; j++ ) - charset->sids[j] = FT_GET_USHORT(); + { + FT_UShort sid = FT_GET_USHORT(); + + + /* this constant is given in the CFF specification */ + if ( sid < 65000 ) + charset->sids[j] = sid; + else + { + FT_ERROR(( "cff_charset_load:" + " invalid SID value %d set to zero\n", sid )); + charset->sids[j] = 0; + } + } FT_FRAME_EXIT(); } @@@@ -875,6 +888,20 @@@@ goto Exit; } + /* check whether the range contains at least one valid glyph; */ + /* the constant is given in the CFF specification */ + if ( glyph_sid >= 65000 ) { + FT_ERROR(( "cff_charset_load: invalid SID range\n" )); + error = CFF_Err_Invalid_File_Format; + goto Exit; + } + + /* try to rescue some of the SIDs if `nleft' is too large */ + if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) { + FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" )); + nleft = 65000 - 1 - glyph_sid; + } + /* Fill in the range of sids -- `nleft + 1' glyphs. 
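Review bot: The CFF SID limit 65000 appears as a bare literal five times across this hunk and the next (`sid < 65000`, `glyph_sid >= 65000`, `nleft > 65000 - 1`, `glyph_sid >= 65000 - nleft`, `nleft = 65000 - 1 - glyph_sid`); a single named constant, e.g. `#define CFF_MAX_SID 65000 /* given in the CFF specification */` (name constructed), would keep the two checks in step. In the second hunk, `glyph_sid >= 65000 - nleft` is free of wrap-around only because `nleft > 65000 - 1` is evaluated first and `glyph_sid >= 65000` has already been rejected above; if `nleft` and `glyph_sid` are unsigned (their declarations are outside the hunk), a comment stating that the order of the two disjuncts matters would protect the next edit. The two hunks also react differently to bad input, the first zeroing the SID and continuing, the second failing with `CFF_Err_Invalid_File_Format` or trimming `nleft`; the existing comments should say why both are acceptable. cff_charset_load begins and ends outside the hunks.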
*/ for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ ) charset->sids[j] = glyph_sid; Index: src/lzw/ftzopen.c --- src/lzw/ftzopen.c.orig 2007-05-25 08:36:29 +0200 +++ src/lzw/ftzopen.c 2009-04-18 16:09:28 +0200 @@@@ -332,6 +332,9 @@@@ while ( code >= 256U ) { + if ( !state->prefix ) + goto Eof; + FTLZW_STACK_PUSH( state->suffix[code - 256] ); code = state->prefix[code - 256]; } Index: src/sfnt/ttcmap.c --- src/sfnt/ttcmap.c.orig 2009-03-09 08:29:09 +0100 +++ src/sfnt/ttcmap.c 2009-04-18 16:09:28 +0200 @@@@ -1635,7 +1635,7 @@@@ FT_INVALID_TOO_SHORT; length = TT_NEXT_ULONG( p ); - if ( table + length > valid->limit || length < 8208 ) + if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 ) FT_INVALID_TOO_SHORT; is32 = table + 12; @@@@ -1863,7 +1863,8 @@@@ p = table + 16; count = TT_NEXT_ULONG( p ); - if ( table + length > valid->limit || length < 20 + count * 2 ) + if ( length > (FT_ULong)( valid->limit - table ) || + length < 20 + count * 2 ) FT_INVALID_TOO_SHORT; /* check glyph indices */ @@@@ -2048,7 +2049,8 @@@@ p = table + 12; num_groups = TT_NEXT_ULONG( p ); - if ( table + length > valid->limit || length < 16 + 12 * num_groups ) + if ( length > (FT_ULong)( valid->limit - table ) || + length < 16 + 12 * num_groups ) FT_INVALID_TOO_SHORT; /* check groups, they must be in increasing order */ @@@@ -2429,7 +2431,8 @@@@ FT_ULong num_selectors = TT_NEXT_ULONG( p ); - if ( table + length > valid->limit || length < 10 + 11 * num_selectors ) + if ( length > (FT_ULong)( valid->limit - table ) || + length < 10 + 11 * num_selectors ) FT_INVALID_TOO_SHORT; /* check selectors, they must be in increasing order */ @@@@ -2491,7 +2494,7 @@@@ FT_ULong i, lastUni = 0; - if ( ndp + numMappings * 4 > valid->limit ) + if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ) FT_INVALID_TOO_SHORT; for ( i = 0; i < numMappings; ++i ) Index: src/smooth/ftsmooth.c --- src/smooth/ftsmooth.c.orig 2009-01-12 20:12:35 +0100 +++ src/smooth/ftsmooth.c 
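Review bot: The added guard tests only `state->prefix`, yet the very next line `FTLZW_STACK_PUSH( state->suffix[code - 256] )` dereferences `state->suffix` first; if the two tables are always allocated together (outside the hunk) a comment saying so would justify the single check, otherwise the condition should be `if ( !state->prefix || !state->suffix ) goto Eof;`. The check also sits inside `while ( code >= 256U )` and is re-evaluated on every iteration although neither pointer changes in the loop, so hoisting it above the loop reads more clearly. No bound of `code - 256` against the table size is visible in the hunk; if one exists it is outside it. The enclosing function continues outside the hunk.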
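Review bot: The rewritten lower-bound tests `length < 20 + count * 2`, `length < 16 + 12 * num_groups` and `length < 10 + 11 * num_selectors` still multiply an untrusted 32-bit count before comparing, so the product can wrap and the test passes for a table that is far too short; the new pointer-safe first disjunct does not cover that case. Divide instead of multiply, e.g. `length < 20 || ( length - 20 ) / 2 < count` and the analogous forms for the 12- and 11-byte entries, which cannot overflow; the format-14 check `numMappings * 4 > (FT_ULong)( valid->limit - ndp )` has the same shape and is safer as `numMappings > (FT_ULong)( valid->limit - ndp ) / 4`. The first hunk casts to `FT_UInt32` while the later ones cast to `FT_ULong`; pick one for consistency. Each validator function begins and ends outside its hunk.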
2009-04-18 16:09:28 +0200 @@@@ -153,7 +153,7 @@@@ slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP; } - /* allocate new one, depends on pixel format */ + /* allocate new one */ pitch = width; if ( hmul ) { @@@@ -194,6 +194,13 @@@@ #endif + if ( pitch > 0xFFFF || height > 0xFFFF ) + { + FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n", + width, height )); + return Smooth_Err_Raster_Overflow; + } + bitmap->pixel_mode = FT_PIXEL_MODE_GRAY; bitmap->num_grays = 256; bitmap->width = width; @ 1.12 log @upgrading package: freetype 2.3.8 -> 2.3.9 @ text @d3 1 a3 1 +++ builds/unix/freetype-config.in 2009-03-13 08:22:08 +0100 d15 1 a15 1 +++ builds/unix/freetype2.in 2009-03-13 21:39:02 +0100 d24 1 a24 1 +++ builds/unix/install.mk 2009-03-13 08:22:08 +0100 d84 1 a84 1 +++ include/freetype/freetype.h 2009-03-13 21:39:22 +0100 d101 153 @ 1.11 log @upgrading package: freetype 2.3.7 -> 2.3.8 @ text @d2 3 a4 3 --- builds/unix/freetype-config.in.orig 2008-06-09 23:25:37 +0200 +++ builds/unix/freetype-config.in 2009-01-15 19:02:18 +0100 @@@@ -128,7 +128,7 @@@@ d14 3 a16 4 --- builds/unix/freetype2.in.orig 2006-10-12 06:51:08 +0200 +++ builds/unix/freetype2.in 2009-01-15 19:02:18 +0100 @@@@ -8,4 +8,4 @@@@ Version: @@ft_version@@ d18 2 a19 1 Libs: -L${libdir} -lfreetype @@LIBZ@@ @@FT2_EXTRA_LIBS@@ d24 1 a24 1 +++ builds/unix/install.mk 2009-01-15 19:02:18 +0100 d83 2 a84 2 --- include/freetype/freetype.h.orig 2009-01-14 07:34:13 +0100 +++ include/freetype/freetype.h 2009-01-15 19:02:18 +0100 d98 3 a100 3 /*************************************************************************/ /* */ /* The `raster' component duplicates some of the declarations in */ @ 1.10 log @upgrading package: freetype 2.3.4 -> 2.3.5 @ text @d2 2 a3 2 --- builds/unix/freetype-config.in.orig 2006-10-12 06:51:08 +0200 +++ builds/unix/freetype-config.in 2007-07-03 20:27:44 +0200 d15 1 a15 1 +++ builds/unix/freetype2.in 2007-07-03 20:27:44 +0200 d24 1 a24 1 +++ builds/unix/install.mk 2007-07-03 20:27:44 
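Review bot: The new size guard rejects on `pitch > 0xFFFF`, but the `FT_ERROR` message prints `width`, which differs from `pitch` once `hmul` is set (`pitch = width` is only the starting value per the context above); logging `pitch` and `height` would report what was actually tested. The reason for the 0xFFFF bound is not stated — presumably it keeps the later `pitch * height` allocation size from overflowing, but that allocation is outside the hunk and should be confirmed; a comment such as `/* keep pitch * height well inside the allocator's size type */` (to be verified) would explain the constant. The check is placed after the `#endif`, so it applies to both configurations, which is the right spot. ft_smooth_render_generic continues outside the hunk.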
+0200 d83 2 a84 2 --- include/freetype/freetype.h.orig 2007-07-02 23:06:00 +0200 +++ include/freetype/freetype.h 2007-07-03 20:27:44 +0200 @ 1.9 log @Security Fix (CVE-2007-2754) @ text @d2 2 a3 2 --- builds/unix/freetype-config.in.orig 2005-06-04 23:58:48 +0200 +++ builds/unix/freetype-config.in 2006-05-14 09:58:42 +0200 d14 2 a15 2 --- builds/unix/freetype2.in 2006-10-12 06:51:08 +0200 +++ builds/unix/freetype2.in 2007-01-17 18:25:06 +0100 d24 1 a24 1 +++ builds/unix/install.mk 2006-05-14 10:22:05 +0200 d83 2 a84 2 --- include/freetype/freetype.h.orig 2006-05-12 15:52:24 +0200 +++ include/freetype/freetype.h 2006-05-14 10:22:27 +0200 a100 39 ----------------------------------------------------------------------------- Security Fix (CVE-2007-2754) Index: src/truetype/ttgload.c --- src/truetype/ttgload.c 2007/04/09 08:40:11 1.177 +++ src/truetype/ttgload.c 2007/04/27 17:16:50 1.178 @@@@ -271,7 +271,11 @@@@ n_points = 0; if ( n_contours > 0 ) + { n_points = cont[-1] + 1; + if ( n_points < 0 ) + goto Invalid_Outline; + } /* note that we will add four phantom points later */ error = FT_GLYPHLOADER_CHECK_POINTS( gloader, n_points + 4, 0 ); @@@@ -682,7 +686,7 @@@@ FT_GlyphLoader gloader = loader->gloader; FT_Error error = TT_Err_Ok; FT_Outline* outline; - FT_UInt n_points; + FT_Int n_points; outline = &gloader->current.outline; @@@@ -709,7 +713,7 @@@@ /* Deltas apply to the unscaled data. 
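Review bot: The new `if ( n_points < 0 ) goto Invalid_Outline;` in the first hunk only works if that function's `n_points` is a signed type; its declaration is outside the hunk, and the later hunk changes `n_points` from `FT_UInt` to `FT_Int` in a different function (the one declaring `FT_GlyphLoader gloader = loader->gloader;`), so confirm the first one is signed as well, otherwise the comparison is always false and the fix is a no-op there. A short comment on the check saying why `cont[-1] + 1` can be negative (the type of `cont` is outside the hunk) would help the next reader. Both enclosing functions start and end outside their hunks.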
*/ FT_Vector* deltas; FT_Memory memory = loader->face->memory; - FT_UInt i; + FT_Int i; error = TT_Vary_Get_Glyph_Deltas( (TT_Face)(loader->face), @ 1.8 log @upgrading package: freetype 2.2.1 -> 2.3.0 @ text @d101 39 @ 1.7 log @upgrading package: freetype 2.1.10 -> 2.2.1 @ text @d14 2 a15 2 --- builds/unix/freetype2.in.orig 2005-08-26 07:49:21 +0200 +++ builds/unix/freetype2.in 2006-05-14 10:21:15 +0200 d19 1 a19 1 Libs: -L${libdir} -lfreetype @@LIBZ@@ @ 1.7.2.1 log @MFC: make up leeway for 2_STABLE by virtue of build-time results @ text @d14 2 a15 2 --- builds/unix/freetype2.in 2006-10-12 06:51:08 +0200 +++ builds/unix/freetype2.in 2007-01-17 18:25:06 +0100 d19 1 a19 1 Libs: -L${libdir} -lfreetype @@LIBZ@@ @@FT2_EXTRA_LIBS@@ @ 1.6 log @apply two patches from the FreeType CVS via the FreeBSD ports (fixing bold text rendering and memory handling) @ text @d3 1 a3 1 +++ builds/unix/freetype-config.in 2005-07-25 19:50:08 +0200 d14 2 a15 2 --- builds/unix/freetype2.in.orig 2003-06-01 23:30:03 +0200 +++ builds/unix/freetype2.in 2005-07-25 19:50:08 +0200 d20 1 a20 1 -Cflags: -I${includedir}/freetype2 d23 3 a25 3 --- builds/unix/install.mk.orig 2004-12-06 09:42:41 +0100 +++ builds/unix/install.mk 2005-07-25 19:51:06 +0200 @@@@ -26,33 +26,33 @@@@ d27 7 a33 9 $(MKINSTALLDIRS) $(DESTDIR)$(libdir) \ $(DESTDIR)$(libdir)/pkgconfig \ - $(DESTDIR)$(includedir)/freetype2/freetype/config \ - $(DESTDIR)$(includedir)/freetype2/freetype/internal \ - $(DESTDIR)$(includedir)/freetype2/freetype/cache \ + $(DESTDIR)$(includedir)/freetype/config \ + $(DESTDIR)$(includedir)/freetype/internal \ + $(DESTDIR)$(includedir)/freetype/cache \ $(DESTDIR)$(bindir) \ d35 1 a35 1 $(LIBTOOL) --mode=install $(INSTALL) \ a41 5 -for P in $(BASE_H) ; do \ $(INSTALL_DATA) \ - $$P $(DESTDIR)$(includedir)/freetype2/freetype/internal ; \ + $$P $(DESTDIR)$(includedir)/freetype/internal ; \ done d47 8 a54 5 -for P in $(CACHE_H) ; do \ $(INSTALL_DATA) \ - $$P $(DESTDIR)$(includedir)/freetype2/freetype/cache ; \ + 
$$P $(DESTDIR)$(includedir)/freetype/cache ; \ done d57 1 a57 1 $(INSTALL_DATA) $(OBJ_BUILD)/ftconfig.h \ d60 3 d66 1 a66 1 @@@@ -63,15 +63,15 @@@@ a69 2 - -$(DELETE) $(DESTDIR)$(includedir)/freetype2/freetype/cache/* - -$(DELDIR) $(DESTDIR)$(includedir)/freetype2/freetype/cache a71 2 - -$(DELETE) $(DESTDIR)$(includedir)/freetype2/freetype/internal/* - -$(DELDIR) $(DESTDIR)$(includedir)/freetype2/freetype/internal a74 2 + -$(DELETE) $(DESTDIR)$(includedir)/freetype/cache/* + -$(DELDIR) $(DESTDIR)$(includedir)/freetype/cache a76 2 + -$(DELETE) $(DESTDIR)$(includedir)/freetype/internal/* + -$(DELDIR) $(DESTDIR)$(includedir)/freetype/internal a78 1 + -$(DELDIR) $(DESTDIR)$(includedir) d83 2 a84 2 --- include/freetype/freetype.h.orig 2005-06-06 08:18:32 +0200 +++ include/freetype/freetype.h 2005-07-25 19:50:08 +0200 d98 3 a100 33 #ifndef __FREETYPE_H__ #define __FREETYPE_H__ Index: src/base/ftsynth.c --- src/base/ftsynth.c.orig Tue Dec 13 00:44:56 2005 +++ src/base/ftsynth.c Tue Dec 13 00:45:05 2005 @@@@ -123,7 +123,6 @@@@ if ( !error ) { slot->advance.x += xstr; - slot->advance.y += ystr; slot->metrics.width += xstr; slot->metrics.height += ystr; Index: src/sfnt/sfdriver.c.orig --- src/sfnt/sfdriver.c.orig Wed Aug 3 18:46:34 2005 +++ src/sfnt/sfdriver.c Wed Aug 3 18:47:24 2005 @@@@ -367,8 +367,13 @@@@ /* see `ttsbit.h' and `sfnt.h' */ tt_face_set_sbit_strike, tt_face_load_sbit_strikes, - 0 /* tt_find_sbit_image */, - 0 /* tt_load_sbit_metrics */, +#ifdef FT_OPTIMIZE_MEMORY + 0, + 0, +#else + tt_find_sbit_image, + tt_load_sbit_metrics, +#endif tt_face_load_sbit_image, tt_face_free_sbit_strikes, @ 1.5 log @upgrading package: freetype 2.1.9 -> 2.1.10 @ text @d111 30 @ 1.5.2.1 log @multiple security fixes (CVE-2006-3467, CVE-2006-2661, CVE-2006-1861 aka CVE-2006-2493, CVE-2006-0747) @ text @a110 352 ----------------------------------------------------------------------------- Security Fix (CVE-2006-3467) Integer overflow allows remote attackers to cause a Denial of 
Service (crash) and possibly execute arbitrary code via unknown vectors, as demonstrated by the Red Hat "bad1.pcf" test file, due to a partial fix of CVE-2006-1861. --- src/pcf/pcfread.c.strlen2 2003-01-22 17:45:28.000000000 -0500 +++ src/pcf/pcfread.c 2006-06-28 15:01:19.000000000 -0400 @@@@ -428,6 +428,14 @@@@ for ( i = 0; i < nprops; i++ ) { + /* 2006:0500 (mbarnes) - Detect invalid string length. + * XXX Is this is best error code to return? */ + if ( props[i].name < 0 ) + { + error = FT_Err_Invalid_File_Format; + goto Bail; + } + /* XXX: make atom */ if ( FT_NEW_ARRAY( properties[i].name, ft_strlen( strings + props[i].name ) + 1 ) ) @@@@ -438,6 +446,14 @@@@ if ( props[i].isString ) { + /* 2006:0500 (mbarnes) - Detect invalid string length. + * XXX Is this the best error code to return? */ + if ( props[i].value < 0 ) + { + error = FT_Err_Invalid_File_Format; + goto Bail; + } + if ( FT_NEW_ARRAY( properties[i].value.atom, ft_strlen( strings + props[i].value ) + 1 ) ) goto Bail; ----------------------------------------------------------------------------- Security Fix Serious bug that caused some programs to go into an infinite loop (Denial of Service) when dealing with fonts that don't have a properly sorted kerning sub-table. --- src/sfnt/ttkern.c 2005-03-03 12:18:15.000000000 +0100 +++ src/sfnt/ttkern.c 2006-05-30 16:04:57.000000000 +0200 @@@@ -246,7 +246,9 @@@@ } else /* linear search */ { - for ( count = num_pairs; count > 0; count-- ) + FT_UInt count2; + + for ( count2 = num_pairs; count2 > 0; count2-- ) { FT_ULong key = FT_NEXT_ULONG( p ); ----------------------------------------------------------------------------- Security Fix (CVE-2006-2661) Allows remote attackers to cause a Denial of Service (crash) via a crafted font file that triggers a NULL dereference. 
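Review bot: The added `props[i].name < 0` and `props[i].value < 0` checks reject negative offsets into `strings`, but nothing in either hunk bounds them from above, so `ft_strlen( strings + props[i].name )` can still run past the string table for an offset larger than the table; if the table length is available in this function (outside the hunk) the checks should be `if ( props[i].name < 0 || props[i].name >= <string table size> )` (placeholder) and likewise for `value`. The two `XXX Is this the best error code to return?` comments should be resolved before the patch is carried downstream; `FT_Err_Invalid_Offset` is part of FreeType's error set and describes the condition better than `Invalid_File_Format`. In the `ttkern.c` hunk, the new `count2` exists to leave `count` untouched for code after the loop; a one-line comment saying so, if that is the reason, would justify the otherwise odd name.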
--- src/base/ftutil.c 2005-03-03 23:59:06.000000000 +0100 +++ src/base/ftutil.c 2006-05-30 17:05:10.000000000 +0200 @@@@ -67,6 +67,11 @@@@ } FT_MEM_ZERO( *P, size ); } + else if ( size < 0 ) + { + /* may help catch/prevent nasty security issues */ + return FT_Err_Invalid_Argument; + } else *P = NULL; @@@@ -99,6 +104,11 @@@@ return FT_Err_Out_Of_Memory; } } + else if (size < 0) + { + /* may help catch/prevent security issues */ + return FT_Err_Invalid_Argument; + } else *P = NULL; @@@@ -127,6 +137,11 @@@@ if ( !*P ) return FT_Alloc( memory, size, P ); + if ( size < 0 || current < 0 ) + { + return FT_Err_Invalid_Argument; + } + /* if the new block if zero-sized, clear the current one */ if ( size <= 0 ) { @@@@ -169,6 +184,11 @@@@ if ( !*P ) return FT_QAlloc( memory, size, P ); + if ( size < 0 || current < 0 ) + { + return FT_Err_Invalid_Argument; + } + /* if the new block if zero-sized, clear the current one */ if ( size <= 0 ) { ----------------------------------------------------------------------------- Security Fix (CVE-2006-1861 aka CVE-2006-2493) Multiple integer overflows allow remote attackers to cause a Denial of Service (crash) and possibly execute arbitrary code. 
--- include/freetype/fterrdef.h 2004-02-12 09:33:20.000000000 +0100 +++ include/freetype/fterrdef.h 2006-06-02 15:42:00.000000000 +0200 @@@@ -226,6 +226,8 @@@@ "`ENCODING' field missing" ) FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \ "`BBX' field missing" ) + FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \ + "`BBX' too big" ) /* END */ --- src/base/ftmac.c 2004-08-28 10:02:46.000000000 +0200 +++ src/base/ftmac.c 2006-06-02 15:45:18.000000000 +0200 @@@@ -430,6 +430,7 @@@@ short res_id; unsigned char *buffer, *p, *size_p = NULL; FT_ULong total_size = 0; + FT_ULong old_total_size = 0; FT_ULong post_size, pfb_chunk_size; Handle post_data; char code, last_code; @@@@ -462,6 +463,15 @@@@ last_code = code; } + /* detect integer overflows */ + if ( total_size < old_total_size ) + { + error = FT_Err_Array_Too_Large; + goto Error; + } + + old_total_size = total_size; + if ( FT_ALLOC( buffer, (FT_Long)total_size ) ) goto Error; --- src/bdf/bdflib.c 2006-06-02 15:40:24.000000000 +0200 +++ src/bdf/bdflib.c 2006-06-02 15:42:00.000000000 +0200 @@@@ -1092,6 +1092,7 @@@@ #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n" #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n" #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n" +#define ERRMSG4 "[line %ld] BBX too big.\n" static FT_Error @@@@ -1569,6 +1570,14 @@@@ goto Exit; } + /* Check that the encoding is in the range [0,65536] because */ + /* otherwise p->have (a bitmap with static size) overflows. */ + if ( p->glyph_enc >= sizeof(p->have)*8 ) + { + error = BDF_Err_Invalid_File_Format; + goto Exit; + } + /* Check to see whether this encoding has already been encountered. */ /* If it has then change it to unencoded so it gets added if */ /* indicated. */ @@@@ -1814,6 +1823,9 @@@@ /* And finally, gather up the bitmap. */ if ( ft_memcmp( line, "BITMAP", 6 ) == 0 ) { + unsigned long bitmap_size; + + if ( !( p->flags & _BDF_BBX ) ) { /* Missing BBX field. 
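Review bot: The overflow detection `if ( total_size < old_total_size )` in the `ftmac.c` hunk is placed after a closing `}` and followed by `old_total_size = total_size;`; if that brace closes the loop that accumulates `total_size` rather than an inner branch, the comparison runs once with `old_total_size` still 0 and can never fire, so the check must go right after each addition to `total_size` inside the loop. The hunk cannot settle which it is, so please confirm against the loop body above it. Note also that `FT_ALLOC( buffer, (FT_Long)total_size )` turns a total of 2^31 or more into a negative length, which relies on the `size < 0` rejection added to `ftutil.c` in this same patch set; a comment here would make that dependency explicit.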
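Review bot: In the `bdflib.c` hunk adding the encoding check, the comment says the encoding must be in the range `[0,65536]` while the code rejects `p->glyph_enc >= sizeof(p->have)*8`, i.e. accepts `[0, sizeof(p->have)*8 - 1]`; the comment should not hard-code a number the code derives, e.g. `/* glyph_enc indexes the bits of p->have; reject values beyond its size */`. If `glyph_enc` is a signed type (declared outside the hunk), negative values are also rejected by this comparison through the conversion to `size_t`, which is worth stating since it is not obvious. _bdf_parse_glyphs continues outside the hunk.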
*/ @@@@ -1824,7 +1836,16 @@@@ /* Allocate enough space for the bitmap. */ glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3; - glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height ); + + bitmap_size = glyph->bpr * glyph->bbx.height; + if ( bitmap_size < 0 || bitmap_size > 0xFFFFU ) + { + FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno )); + error = BDF_Err_Bbx_Too_Big; + goto Exit; + } + else + glyph->bytes = (unsigned short)bitmap_size; if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) ) goto Exit; --- src/cff/cffgload.c 2006-06-02 15:40:24.000000000 +0200 +++ src/cff/cffgload.c 2006-06-02 15:42:00.000000000 +0200 @@@@ -2284,7 +2284,7 @@@@ FT_LOCAL_DEF( FT_Error ) cff_slot_load( CFF_GlyphSlot glyph, CFF_Size size, - FT_Int glyph_index, + FT_UInt glyph_index, FT_Int32 load_flags ) { FT_Error error; @@@@ -2330,7 +2330,7 @@@@ error = sfnt->load_sbit_image( face, (FT_ULong)size->strike_index, - (FT_UInt)glyph_index, + glyph_index, (FT_Int)load_flags, stream, &glyph->root.bitmap, @@@@ -2393,7 +2393,12 @@@@ /* subsetted font, glyph_indices and CIDs are identical, though */ if ( cff->top_font.font_dict.cid_registry != 0xFFFFU && cff->charset.cids ) - glyph_index = cff->charset.cids[glyph_index]; + { + if ( glyph_index < cff->charset.max_cid ) + glyph_index = cff->charset.cids[glyph_index]; + else + glyph_index = 0; + } cff_decoder_init( &decoder, face, size, glyph, hinting, FT_LOAD_TARGET_MODE( load_flags ) ); --- src/cff/cffgload.h 2004-05-13 23:59:17.000000000 +0200 +++ src/cff/cffgload.h 2006-06-02 15:42:00.000000000 +0200 @@@@ -196,7 +196,7 @@@@ FT_BEGIN_HEADER FT_LOCAL( FT_Error ) cff_slot_load( CFF_GlyphSlot glyph, CFF_Size size, - FT_Int glyph_index, + FT_UInt glyph_index, FT_Int32 load_flags ); --- src/cff/cffload.c 2006-06-02 15:40:24.000000000 +0200 +++ src/cff/cffload.c 2006-06-02 15:42:00.000000000 +0200 @@@@ -1688,6 +1688,8 @@@@ for ( i = 0; i < num_glyphs; i++ ) charset->cids[charset->sids[i]] = (FT_UShort)i; + + charset->max_cid = 
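Review bot: `bitmap_size` is declared `unsigned long` in the previous hunk, so the new test `bitmap_size < 0` is always false and only `bitmap_size > 0xFFFFU` does any work; drop the dead half, `if ( bitmap_size > 0xFFFFU )`. Whether `glyph->bpr * glyph->bbx.height` can wrap before the assignment depends on the operand types, which are outside the hunk; if they are narrower than `unsigned long` the product is computed in their promoted type first, so an explicit cast such as `(unsigned long)glyph->bpr * glyph->bbx.height` would make the check meaningful regardless. _bdf_parse_glyphs continues outside the hunk.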
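Review bot: The new bound `glyph_index < cff->charset.max_cid` in `cff_slot_load` must match how `cff->charset.cids` is sized; `max_cid` is assigned in the `cffload.c` hunk below from a local whose computation, and the `cids` allocation, are outside the hunks. If `cids` holds `max_cid + 1` entries so that index `max_cid` is valid, this test silently maps the highest CID to glyph 0 and should read `glyph_index <= cff->charset.max_cid`; if it holds `max_cid` entries, `<` is right but a comment saying so would help. Mapping an out-of-range CID to glyph 0 instead of failing is a policy choice that the comment above the branch should state. cff_slot_load continues outside the hunk.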
max_cid; } Exit: --- src/cff/cfftypes.h 2003-12-20 08:30:05.000000000 +0100 +++ src/cff/cfftypes.h 2006-06-02 15:42:00.000000000 +0200 @@@@ -84,6 +84,7 @@@@ FT_BEGIN_HEADER FT_UShort* sids; FT_UShort* cids; /* the inverse mapping of `sids'; only needed */ /* for CID-keyed fonts */ + FT_UInt max_cid; } CFF_CharsetRec, *CFF_Charset; --- src/sfnt/ttcmap.c 2005-05-11 16:37:40.000000000 +0200 +++ src/sfnt/ttcmap.c 2006-06-02 15:42:00.000000000 +0200 @@@@ -2144,9 +2144,7 @@@@ charmap.encoding = FT_ENCODING_NONE; /* will be filled later */ offset = TT_NEXT_ULONG( p ); - if ( offset && - table + offset + 2 < limit && - table + offset >= table ) + if ( offset && offset <= face->cmap_size - 2) { FT_Byte* cmap = table + offset; volatile FT_UInt format = TT_PEEK_USHORT( cmap ); ----------------------------------------------------------------------------- Security Fix (CVE-2006-0747) Integer underflow which allows remote attackers to cause a Denial of Service (crash) via a font file with an odd number of blue values, which causes the underflow when decrementing by 2 in a context that assumes an even number of values. 
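Review bot: The rewritten test `offset <= face->cmap_size - 2` underflows when `face->cmap_size` is smaller than 2 and unsigned (its type is outside the hunk), in which case every `offset` passes and `table + offset` can point past the table; guard the subtraction, `if ( offset && face->cmap_size >= 2 && offset <= face->cmap_size - 2 )`. The removed `table + offset + 2 < limit` was strict while the new form allows `offset + 2 == cmap_size`, which suffices for the two-byte `TT_PEEK_USHORT( cmap )` on the next line but deserves a comment if the per-format validators rely on more bytes being present. The enclosing function continues outside the hunk.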
--- src/pshinter/pshglob.c 2004-04-02 09:13:53.000000000 +0200 +++ src/pshinter/pshglob.c 2006-05-30 16:28:56.000000000 +0200 @@@@ -150,7 +150,7 @@@@ FT_UNUSED( target ); - for ( ; read_count > 0; read_count -= 2 ) + for ( ; read_count > 1; read_count -= 2 ) { FT_Int reference, delta; FT_UInt count; --- src/cff/cffload.c 2005-05-06 07:49:46.000000000 +0200 +++ src/cff/cffload.c 2006-05-30 16:28:56.000000000 +0200 @@@@ -1235,7 +1235,7 @@@@ } /* access element */ - if ( off1 ) + if ( off1 && off2 > off1 ) { *pbyte_len = off2 - off1; @@@@ -2040,6 +2040,9 @@@@ FT_FRAME_EXIT(); if ( error ) goto Exit; + + /* ensure that 'num_blue_values' is even */ + priv->num_blue_values &= ~1; } /* read the local subrs, if any */ --- src/type1/t1load.c 2005-04-14 13:39:28.000000000 +0200 +++ src/type1/t1load.c 2006-05-30 16:28:56.000000000 +0200 @@@@ -1989,6 +1989,9 @@@@ keyword_flags ); if ( error ) goto Exit; + + /* ensure even-ness of 'num_blue_values' */ + priv->num_blue_values &= ~1; #ifndef T1_CONFIG_OPTION_NO_MM_SUPPORT @ 1.4 log @upgrading package: freetype 2.1.7 -> 2.1.8 @ text @d2 3 a4 3 --- builds/unix/freetype-config.in.orig 2004-04-17 20:58:43.000000000 +0200 +++ builds/unix/freetype-config.in 2004-04-22 09:10:11.000000000 +0200 @@@@ -105,7 +105,7 @@@@ d14 2 a15 2 --- builds/unix/freetype2.in.orig 2003-06-01 23:30:03.000000000 +0200 +++ builds/unix/freetype2.in 2004-04-22 09:04:34.000000000 +0200 d23 2 a24 2 --- builds/unix/install.mk.orig 2003-11-09 09:37:13.000000000 +0100 +++ builds/unix/install.mk 2004-04-22 09:04:34.000000000 +0200 d61 1 a61 1 $(INSTALL_DATA) $(BUILD_DIR)/ftconfig.h \ d93 2 a94 2 --- include/freetype/freetype.h.orig 2004-04-13 23:08:17.000000000 +0200 +++ include/freetype/freetype.h 2004-04-22 09:04:34.000000000 +0200 @ 1.3 log @include a bugfix from the vendor @ text @d2 3 a4 3 --- builds/unix/freetype-config.in.orig 2003-04-24 07:45:59.000000000 +0200 +++ builds/unix/freetype-config.in 2003-11-10 09:15:43.000000000 +0100 @@@@ -79,7 +79,7 @@@@ d8 5 
a12 5 - cflags="-I@@includedir@@/freetype2" + cflags="-I@@includedir@@" if test "@@includedir@@" != "/usr/include" ; then echo $cflags -I@@includedir@@ else d15 1 a15 1 +++ builds/unix/freetype2.in 2003-11-10 09:15:43.000000000 +0100 d24 1 a24 1 +++ builds/unix/install.mk 2003-11-10 09:16:36.000000000 +0100 d93 2 a94 2 --- include/freetype/freetype.h.orig 2003-11-09 09:38:13.000000000 +0100 +++ include/freetype/freetype.h 2003-11-10 09:15:43.000000000 +0100 a110 21 ------------------------------------------------------------------------------ Check for the "eexec" keyword in Type1 fonts. This fixes a potential hang when viewing certain PDF documents. See http://bugzilla.gnome.org/show_bug.cgi?id=129400 for details. Index: src/type1/t1load.c --- src/type1/t1load.c 2003/12/12 15:38:39 1.88 +++ src/type1/t1load.c 2003/12/22 11:35:36 1.89 @@@@ -1527,6 +1527,11 @@@@ parser->root.cursor = cur2; } + /* look for `eexec' */ + else if ( *cur == 'e' && cur + 5 < limit && + ft_strncmp( (char*)cur, "eexec", 5 ) == 0 ) + break; + /* look for `closefile' which ends the eexec section */ else if ( *cur == 'c' && cur + 9 < limit && ft_strncmp( (char*)cur, "closefile", 9 ) == 0 ) @ 1.2 log @upgrading package: freetype 2.1.6 -> 2.1.7 @ text @d111 21 @ 1.1 log @cleanup packaging and resulting filesystem layout @ text @d3 1 a3 1 +++ builds/unix/freetype-config.in 2003-11-07 19:50:30.000000000 +0100 d15 1 a15 1 +++ builds/unix/freetype2.in 2003-11-07 19:50:46.000000000 +0100 d23 3 a25 3 --- builds/unix/install.mk.orig 2003-06-09 06:46:27.000000000 +0200 +++ builds/unix/install.mk 2003-11-07 19:51:34.000000000 +0100 @@@@ -26,28 +26,28 @@@@ d61 7 a67 1 @@@@ -61,15 +61,15 @@@@ d93 2 a94 2 --- include/freetype/freetype.h.orig 2003-11-03 21:12:39.000000000 +0100 +++ include/freetype/freetype.h 2003-11-07 19:49:05.000000000 +0100 @