[CVE-2009-0946] fix multiple integer overflows in FreeType library, bump release...
authorNicolas Thill <nico@openwrt.org>
Sun, 19 Apr 2009 21:24:52 +0000 (21:24 +0000)
committerNicolas Thill <nico@openwrt.org>
Sun, 19 Apr 2009 21:24:52 +0000 (21:24 +0000)
SVN-Revision: 15288

libs/freetype/Makefile
libs/freetype/patches/901-cve-2009-0946.patch [new file with mode: 0644]

index dd67a7b..b590d84 100644 (file)
@@ -1,5 +1,5 @@
 # 
-# Copyright (C) 2006 OpenWrt.org
+# Copyright (C) 2006-2009 OpenWrt.org
 #
 # This is free software, licensed under the GNU General Public License v2.
 # See /LICENSE for more information.
@@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk
 
 PKG_NAME:=freetype
 PKG_VERSION:=2.3.7
-PKG_RELEASE:=1
+PKG_RELEASE:=2
 
 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2
 PKG_SOURCE_URL:=@SF/freetype
diff --git a/libs/freetype/patches/901-cve-2009-0946.patch b/libs/freetype/patches/901-cve-2009-0946.patch
new file mode 100644 (file)
index 0000000..609d257
--- /dev/null
@@ -0,0 +1,147 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0946
+
+Protect against malformed compressed data.
+http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0a05ba257b6ddd87dacf8d54b626e4b360e0a596
+
+Protect against invalid SID values in CFFs.
+http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0545ec1ca36b27cb928128870a83e5f668980bc5
+
+Fix validation for various cmap table formats.
+http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a18788b14db60ae3673f932249cd02d33a227c4e
+
+Protect against too large glyphs.
+http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=79972af4f0485a11dcb19551356c45245749fc5b
+
+
+--- a/src/cff/cffload.c
++++ b/src/cff/cffload.c
+@@ -841,7 +841,20 @@
+             goto Exit;
+           for ( j = 1; j < num_glyphs; j++ )
+-            charset->sids[j] = FT_GET_USHORT();
++          {
++            FT_UShort sid = FT_GET_USHORT();
++
++
++            /* this constant is given in the CFF specification */
++            if ( sid < 65000 )
++              charset->sids[j] = sid;
++            else
++            {
++              FT_ERROR(( "cff_charset_load:"
++                         " invalid SID value %d set to zero\n", sid ));
++              charset->sids[j] = 0;
++            }
++          }
+           FT_FRAME_EXIT();
+         }
+@@ -874,6 +887,20 @@
+                 goto Exit;
+             }
++            /* check whether the range contains at least one valid glyph; */
++            /* the constant is given in the CFF specification             */
++            if ( glyph_sid >= 65000 ) {
++              FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
++              error = CFF_Err_Invalid_File_Format;
++              goto Exit;
++            }
++
++            /* try to rescue some of the SIDs if `nleft' is too large */
++            if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
++              FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
++              nleft = 65000 - 1 - glyph_sid;
++            }
++
+             /* Fill in the range of sids -- `nleft + 1' glyphs. */
+             for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
+               charset->sids[j] = glyph_sid;
+--- a/src/lzw/ftzopen.c
++++ b/src/lzw/ftzopen.c
+@@ -332,6 +332,9 @@
+           while ( code >= 256U )
+           {
++            if ( !state->prefix )
++              goto Eof;
++
+             FTLZW_STACK_PUSH( state->suffix[code - 256] );
+             code = state->prefix[code - 256];
+           }
+--- a/src/smooth/ftsmooth.c
++++ b/src/smooth/ftsmooth.c
+@@ -153,7 +153,7 @@
+       slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
+     }
+-    /* allocate new one, depends on pixel format */
++    /* allocate new one */
+     pitch = width;
+     if ( hmul )
+     {
+@@ -194,6 +194,13 @@
+ #endif
++    if ( pitch > 0xFFFF || height > 0xFFFF )
++    {
++      FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
++                 width, height ));
++      return Smooth_Err_Raster_Overflow;
++    }
++
+     bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
+     bitmap->num_grays  = 256;
+     bitmap->width      = width;
+--- a/src/sfnt/ttcmap.c
++++ b/src/sfnt/ttcmap.c
+@@ -1571,7 +1571,7 @@
+       FT_INVALID_TOO_SHORT;
+     length = TT_NEXT_ULONG( p );
+-    if ( table + length > valid->limit || length < 8208 )
++    if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
+       FT_INVALID_TOO_SHORT;
+     is32       = table + 12;
+@@ -1799,7 +1799,8 @@
+     p      = table + 16;
+     count  = TT_NEXT_ULONG( p );
+-    if ( table + length > valid->limit || length < 20 + count * 2 )
++    if ( length > (FT_ULong)( valid->limit - table ) ||
++         length < 20 + count * 2                     )
+       FT_INVALID_TOO_SHORT;
+     /* check glyph indices */
+@@ -1984,7 +1985,8 @@
+     p          = table + 12;
+     num_groups = TT_NEXT_ULONG( p );
+-    if ( table + length > valid->limit || length < 16 + 12 * num_groups )
++    if ( length > (FT_ULong)( valid->limit - table ) ||
++         length < 16 + 12 * num_groups               )
+       FT_INVALID_TOO_SHORT;
+     /* check groups, they must be in increasing order */
+@@ -2365,7 +2367,8 @@
+     FT_ULong  num_selectors = TT_NEXT_ULONG( p );
+-    if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
++    if ( length > (FT_ULong)( valid->limit - table ) ||
++         length < 10 + 11 * num_selectors            )
+       FT_INVALID_TOO_SHORT;
+     /* check selectors, they must be in increasing order */
+@@ -2427,7 +2430,7 @@
+           FT_ULong  i, lastUni = 0;
+-          if ( ndp + numMappings * 4 > valid->limit )
++          if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
+             FT_INVALID_TOO_SHORT;
+           for ( i = 0; i < numMappings; ++i )