commit 405fc055b02d4149c99c8d6b93151ff319d86604 Author: Marek Kasik mkasik@redhat.com Date: Tue Nov 15 17:41:05 2011 +0100
Fix CVE-2011-3439
Resolves: #753837
freetype-2.4.2-CVE-2011-3439.patch | 76 ++++++++++++++++++++++++++++++++++++
freetype.spec | 8 +++-
2 files changed, 83 insertions(+), 1 deletions(-)
---
diff --git a/freetype-2.4.2-CVE-2011-3439.patch b/freetype-2.4.2-CVE-2011-3439.patch
new file mode 100644
index 0000000..a2affe2
--- /dev/null
+++ b/freetype-2.4.2-CVE-2011-3439.patch
@@ -0,0 +1,76 @@
+--- freetype-2.4.2/src/cid/cidload.c 2009-07-03 15:28:24.000000000 +0200
++++ freetype-2.4.2/src/cid/cidload.c 2011-11-15 17:37:01.000000000 +0100
+@@ -4,7 +4,7 @@
+ /* */
+ /* CID-keyed Type1 font loader (body). */
+ /* */
+-/* Copyright 1996-2001, 2002, 2003, 2004, 2005, 2006, 2009 by */
++/* Copyright 1996-2006, 2009, 2011 by */
+ /* David Turner, Robert Wilhelm, and Werner Lemberg. */
+ /* */
+ /* This file is part of the FreeType project, and may only be used, */
+@@ -110,7 +110,7 @@
+ CID_FaceDict dict;
+
+
+- if ( parser->num_dict < 0 )
++ if ( parser->num_dict < 0 || parser->num_dict >= cid->num_dicts )
+ {
+ FT_ERROR(( "cid_load_keyword: invalid use of `%s'\n",
+ keyword->ident ));
+@@ -158,7 +158,7 @@
+ FT_Fixed temp_scale;
+
+
+- if ( parser->num_dict >= 0 )
++ if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )
+ {
+ dict = face->cid.font_dicts + parser->num_dict;
+ matrix = &dict->font_matrix;
+@@ -249,7 +249,7 @@
+ CID_FaceDict dict;
+
+
+- if ( parser->num_dict >= 0 )
++ if ( parser->num_dict >= 0 && parser->num_dict < face->cid.num_dicts )
+ {
+ dict = face->cid.font_dicts + parser->num_dict;
+
+@@ -413,12 +413,25 @@
+ FT_Byte* p;
+
+
++ /* Check for possible overflow. */
++ if ( num_subrs == FT_UINT_MAX )
++ {
++ error = CID_Err_Syntax_Error;
++ goto Fail;
++ }
++
+ /* reallocate offsets array if needed */
+ if ( num_subrs + 1 > max_offsets )
+ {
+ FT_UInt new_max = FT_PAD_CEIL( num_subrs + 1, 4 );
+
+
++ if ( new_max <= max_offsets )
++ {
++ error = CID_Err_Syntax_Error;
++ goto Fail;
++ }
++
+ if ( FT_RENEW_ARRAY( offsets, max_offsets, new_max ) )
+ goto Fail;
+
+@@ -436,6 +449,11 @@
+
+ FT_FRAME_EXIT();
+
++ /* offsets must be ordered */
++ for ( count = 1; count <= num_subrs; count++ )
++ if ( offsets[count - 1] > offsets[count] )
++ goto Fail;
++
+ /* now, compute the size of subrs charstrings, */
+ /* allocate, and read them */
+ data_len = offsets[num_subrs] - offsets[0];
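Review bot: The ordering check added in the `@@ -436,6 +449,11 @@` hunk of the embedded cidload.c patch jumps to `Fail` without assigning `error`, while the two guards added just above it in the `@@ -413,12 +413,25 @@` hunk both set `error = CID_Err_Syntax_Error;` before the jump. If `error` still holds the success value left by the preceding frame macros at that point — the `Fail` label and the rest of `cid_read_subrs` are outside this hunk, so I cannot confirm what it does — a font with unordered subr offsets would be cleaned up at `Fail` yet reported to the caller as loaded, which is exactly the partially-initialised state these checks are meant to rule out. I would brace the body and mirror the other guards: `if ( offsets[count - 1] > offsets[count] ) { error = CID_Err_Syntax_Error; goto Fail; }`. A one-line comment such as `/* reject unordered offsets explicitly so the caller never sees success */` next to it would record why the error code is set here and not left to the label.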
diff --git a/freetype.spec b/freetype.spec
index 1ed8c5f..825d315 100644
--- a/freetype.spec
+++ b/freetype.spec
@@ -7,7 +7,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.4.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 License: FTL or GPLv2+
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -30,6 +30,7 @@ Patch89: freetype-2.4.2-CVE-2010-3311.patch
 Patch90: freetype-2.4.2-CVE-2010-3855.patch
 Patch91: freetype-2.4.2-CVE-2011-0226.patch
 Patch92: freetype-2.4.2-CVE-2011-3256.patch
+Patch93: freetype-2.4.2-CVE-2011-3439.patch
Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
@@ -100,6 +101,7 @@ popd
 %patch90 -p1 -b .CVE-2010-3855
 %patch91 -p1 -b .CVE-2011-0226
 %patch92 -p1 -b .CVE-2011-3256
+%patch93 -p1 -b .CVE-2011-3439
%build
@@ -232,6 +234,10 @@ rm -rf $RPM_BUILD_ROOT
 %doc docs/tutorial
%changelog
+* Tue Nov 15 2011 Marek Kasik mkasik@redhat.com 2.4.2-7
+- Fix CVE-2011-3439
+- Resolves: #753837
+
 * Thu Oct 20 2011 Marek Kasik mkasik@redhat.com 2.4.2-6
 - Add freetype-2.4.2-CVE-2011-3256.patch (Handle some border cases)