[maemo-commits] [maemo-commits] r18596 - in projects/haf/trunk/freetype: . debian

From: subversion at stage.maemo.org subversion at stage.maemo.org
Date: Wed Jun 3 18:22:04 EEST 2009
Author: risun
Date: 2009-06-03 18:21:45 +0300 (Wed, 03 Jun 2009)
New Revision: 18596

Added:
   projects/haf/trunk/freetype/freetype-2.3.9.tar.bz2
   projects/haf/trunk/freetype/security-CVE-2009-0946.patch
Removed:
   projects/haf/trunk/freetype/freetype-2.3.5.tar.bz2
Modified:
   projects/haf/trunk/freetype/debian/changelog
   projects/haf/trunk/freetype/debian/control
   projects/haf/trunk/freetype/debian/rules
Log:
  * Updated: Sync with upstream stable version
  * Added: security-CVE-2009-0946.patch from Ubuntu jaunty-security
  * Fixes: NB#111884 Multiple integer overflows in FreeType 2.3.9
  * Fixes: NB#86647 Freetype arbitrary code execution vulnerabilities



Modified: projects/haf/trunk/freetype/debian/changelog
===================================================================
--- projects/haf/trunk/freetype/debian/changelog	2009-06-03 15:09:26 UTC (rev 18595)
+++ projects/haf/trunk/freetype/debian/changelog	2009-06-03 15:21:45 UTC (rev 18596)
@@ -1,3 +1,12 @@
+freetype (2.3.9-1osso1) unstable; urgency=low
+
+  * Updated: Sync with upstream stable version
+  * Added: security-CVE-2009-0946.patch from Ubuntu jaunty-security
+  * Fixes: NB#111884 Multiple integer overflows in FreeType 2.3.9
+  * Fixes: NB#86647 Freetype arbitrary code execution vulnerabilities
+
+ -- Richard Sun <richard.sun at nokia.com>  Wed,  3 Jun 2009 18:17:13 +0300
+
 freetype (2.3.5-1osso1) unstable; urgency=low
 
   * Updated: Upstream update from 2.2.1 to 2.3.5

Modified: projects/haf/trunk/freetype/debian/control
===================================================================
--- projects/haf/trunk/freetype/debian/control	2009-06-03 15:09:26 UTC (rev 18595)
+++ projects/haf/trunk/freetype/debian/control	2009-06-03 15:21:45 UTC (rev 18596)
@@ -2,7 +2,7 @@
 Section: devel
 Priority: optional
 Build-Depends: zlib1g-dev, bzip2
-Maintainer:  Jakub Pavelek <jakub.pavelek at nokia.com>
+Maintainer:  Richard Sun <richard.sun at nokia.com>
 Standards-Version: 3.5.9
 
 Package: libfreetype6

Modified: projects/haf/trunk/freetype/debian/rules
===================================================================
--- projects/haf/trunk/freetype/debian/rules	2009-06-03 15:09:26 UTC (rev 18595)
+++ projects/haf/trunk/freetype/debian/rules	2009-06-03 15:21:45 UTC (rev 18596)
@@ -27,23 +27,23 @@
 configure: configure-stamp
 configure-stamp:
 	dh_testdir
-	tar -xjf freetype-2.3.5.tar.bz2
-	# patch -p0 < CVE-2006-3467_pcf-strlen.patch
-	cd freetype-2.3.5 && ./configure --prefix=/usr --sysconfdir=/etc
+	tar -xjf freetype-2.3.9.tar.bz2
+	patch -p0 < security-CVE-2009-0946.patch
+	cd freetype-2.3.9 && ./configure --prefix=/usr --sysconfdir=/etc
 	touch configure-stamp
 
 
 build: configure-stamp build-stamp
 build-stamp:
 	dh_testdir
-	$(MAKE) -C freetype-2.3.5
+	$(MAKE) -C freetype-2.3.9
 	touch build-stamp
 
 clean:
 	dh_testdir
 	dh_testroot
 	rm -f build-stamp configure-stamp
-	rm -rf freetype-2.3.5
+	rm -rf freetype-2.3.9
 	rm -fr objs/.libs
 	dh_clean
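Review bot: The source directory name `freetype-2.3.9` is now spelled out four times in this hunk (the tar, patch-target, configure and `rm -rf` lines) and once more in the install hunk below, so the next upstream sync has to edit five lines, and a missed one either builds the old tree or deletes the wrong one. Define it once near the top of debian/rules, e.g. `FT_SRC := freetype-2.3.9`, and reference `$(FT_SRC)` in every recipe, including `tar -xjf $(FT_SRC).tar.bz2` and `rm -rf $(FT_SRC)`. The `-p0` on the patch line is tied to the patch file's own `freetype-2.3.9/src/...` paths, so a version bump must also update the patch headers; a comment next to the patch line saying so would save the next maintainer a failed build. The rule for `install` continues outside the second hunk.
```make
# Single place to bump the upstream version; the patch file's paths
# are relative to the top directory (freetype-2.3.9/src/...), hence -p0.
FT_SRC := freetype-2.3.9
# … unchanged: remaining variable definitions and earlier targets …
configure-stamp:
	dh_testdir
	tar -xjf $(FT_SRC).tar.bz2
	patch -p0 < security-CVE-2009-0946.patch
	cd $(FT_SRC) && ./configure --prefix=/usr --sysconfdir=/etc
	touch configure-stamp
# … unchanged: build-stamp recipe, with $(MAKE) -C $(FT_SRC) …
# … unchanged: clean recipe, with rm -rf $(FT_SRC) …
```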
 
@@ -52,7 +52,7 @@
 	dh_testroot
 	dh_clean -k
 	dh_installdirs
-	$(MAKE) -C freetype-2.3.5 install DESTDIR=$(CURDIR)/debian/tmp
+	$(MAKE) -C freetype-2.3.9 install DESTDIR=$(CURDIR)/debian/tmp
 	
 
 binary-indep: build install

Deleted: projects/haf/trunk/freetype/freetype-2.3.5.tar.bz2
===================================================================
(Binary files differ)

Added: projects/haf/trunk/freetype/freetype-2.3.9.tar.bz2
===================================================================
(Binary files differ)


Property changes on: projects/haf/trunk/freetype/freetype-2.3.9.tar.bz2
___________________________________________________________________
Name: svn:mime-type
   + application/octet-stream

Added: projects/haf/trunk/freetype/security-CVE-2009-0946.patch
===================================================================
--- projects/haf/trunk/freetype/security-CVE-2009-0946.patch	2009-06-03 15:09:26 UTC (rev 18595)
+++ projects/haf/trunk/freetype/security-CVE-2009-0946.patch	2009-06-03 15:21:45 UTC (rev 18596)
@@ -0,0 +1,136 @@
+# Patch comes from Ubuntu jaunty-security
+diff -Naur freetype-2.3.9/src/cff/cffload.c freetype-2.3.9-CVE-2009-0946/src/cff/cffload.c
+--- freetype-2.3.9/src/cff/cffload.c	2009-03-12 10:04:17.000000000 +0200
++++ freetype-2.3.9-CVE-2009-0946/src/cff/cffload.c	2009-06-03 18:06:12.000000000 +0300
+@@ -842,7 +842,19 @@
+             goto Exit;
+ 
+           for ( j = 1; j < num_glyphs; j++ )
+-            charset->sids[j] = FT_GET_USHORT();
++          {
++            FT_UShort sid = FT_GET_USHORT();
++
++            /* this constant is given in the CFF specification */
++            if ( sid < 65000 )
++              charset->sids[j] = sid;
++            else
++            {
++              FT_ERROR(( "cff_charset_load:"
++                         " invalid SID value %d set to zero\n", sid ));
++              charset->sids[j] = 0;
++            }
++          }
+ 
+           FT_FRAME_EXIT();
+         }
+@@ -875,6 +887,20 @@
+                 goto Exit;
+             }
+ 
++            /* check whether the range contains at least one valid glyph; */
++            /* the constant is given in the CFF specification */
++            if ( glyph_sid >= 65000 ) {
++              FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
++              error = CFF_Err_Invalid_File_Format;
++              goto Exit;
++            }
++
++            /* try to rescue some of the SIDs if `nleft' is too large */
++            if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
++              FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
++              nleft = 65000 - 1 - glyph_sid;
++            }
++
+             /* Fill in the range of sids -- `nleft + 1' glyphs. */
+             for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
+               charset->sids[j] = glyph_sid;
+diff -Naur freetype-2.3.9/src/lzw/ftzopen.c freetype-2.3.9-CVE-2009-0946/src/lzw/ftzopen.c
+--- freetype-2.3.9/src/lzw/ftzopen.c	2007-05-25 09:36:29.000000000 +0300
++++ freetype-2.3.9-CVE-2009-0946/src/lzw/ftzopen.c	2009-06-03 18:06:12.000000000 +0300
+@@ -332,6 +332,9 @@
+ 
+           while ( code >= 256U )
+           {
++          if ( !state->prefix )
++            goto Eof;
++
+             FTLZW_STACK_PUSH( state->suffix[code - 256] );
+             code = state->prefix[code - 256];
+           }
+diff -Naur freetype-2.3.9/src/sfnt/ttcmap.c freetype-2.3.9-CVE-2009-0946/src/sfnt/ttcmap.c
+--- freetype-2.3.9/src/sfnt/ttcmap.c	2009-03-09 09:29:09.000000000 +0200
++++ freetype-2.3.9-CVE-2009-0946/src/sfnt/ttcmap.c	2009-06-03 18:06:12.000000000 +0300
+@@ -1635,7 +1635,7 @@
+       FT_INVALID_TOO_SHORT;
+ 
+     length = TT_NEXT_ULONG( p );
+-    if ( table + length > valid->limit || length < 8208 )
++    if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
+       FT_INVALID_TOO_SHORT;
+ 
+     is32       = table + 12;
+@@ -1863,7 +1863,8 @@
+     p      = table + 16;
+     count  = TT_NEXT_ULONG( p );
+ 
+-    if ( table + length > valid->limit || length < 20 + count * 2 )
++    if ( length > (FT_ULong)( valid->limit - table ) ||
++         length < 20 + count * 2                     )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check glyph indices */
+@@ -2048,7 +2049,8 @@
+     p          = table + 12;
+     num_groups = TT_NEXT_ULONG( p );
+ 
+-    if ( table + length > valid->limit || length < 16 + 12 * num_groups )
++    if ( length > (FT_ULong)( valid->limit - table ) ||
++         length < 16 + 12 * num_groups               )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check groups, they must be in increasing order */
+@@ -2429,7 +2431,8 @@
+     FT_ULong  num_selectors = TT_NEXT_ULONG( p );
+ 
+ 
+-    if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
++    if ( length > (FT_ULong)( valid->limit - table ) ||
++         length < 10 + 11 * num_selectors            )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check selectors, they must be in increasing order */
+@@ -2491,7 +2494,7 @@
+           FT_ULong  i, lastUni = 0;
+ 
+ 
+-          if ( ndp + numMappings * 4 > valid->limit )
++          if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
+             FT_INVALID_TOO_SHORT;
+ 
+           for ( i = 0; i < numMappings; ++i )
+diff -Naur freetype-2.3.9/src/smooth/ftsmooth.c freetype-2.3.9-CVE-2009-0946/src/smooth/ftsmooth.c
+--- freetype-2.3.9/src/smooth/ftsmooth.c	2009-01-12 21:12:35.000000000 +0200
++++ freetype-2.3.9-CVE-2009-0946/src/smooth/ftsmooth.c	2009-06-03 18:06:12.000000000 +0300
+@@ -153,7 +153,7 @@
+       slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
+     }
+ 
+-    /* allocate new one, depends on pixel format */
++    /* allocate new one */
+     pitch = width;
+     if ( hmul )
+     {
+@@ -194,6 +194,13 @@
+ 
+ #endif
+ 
++    if ( pitch > 0xFFFF || height > 0xFFFF )
++    {
++      FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
++                 width, height ));
++      return Smooth_Err_Raster_Overflow;
++    }
++
+     bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
+     bitmap->num_grays  = 256;
+     bitmap->width      = width;

