
Bug#779656: unblock: freetype/2.5.2-3



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package freetype. It fixes multiple security issues.

unblock freetype/2.5.2-3

Debdiff:

diff -u freetype-2.5.2/debian/changelog freetype-2.5.2/debian/changelog
--- freetype-2.5.2/debian/changelog
+++ freetype-2.5.2/debian/changelog
@@ -1,3 +1,40 @@
+freetype (2.5.2-3) unstable; urgency=medium
+
+  * Fix Savannah bug #43535. CVE-2014-9675
+  * [bdf] Fix Savannah bug #41692. CVE-2014-9675-fixup-1
+  * src/base/ftobj.c (Mac_Read_POST_Resource): Additional overflow check
+    in the summation of POST fragment lengths. CVE-2014-0674-part-2
+  * src/base/ftobjs.c (Mac_Read_POST_Resource): Insert comments and fold
+    too long tracing messages. CVS-2014-9674-fixup-2
+  * src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long variables to read the lengths in POST fragments. CVE-2014-9674-fixup-1
+  * Fix Savannah bug #43538. CVE-2014-9674-part-1
+  * Fix Savannah bug #43539. CVE-2014-9673
+  * src/base/ftobjs.c (Mac_Read_POST_Resource): Avoid memory leak by
+    a broken POST table in resource-fork. CVE-2014-9673-fixup
+  * Fix Savannah bug #43540. CVE-2014-9672
+  * Fix Savannah bug #43547. CVE-2014-9671
+  * Fix Savannah bug #43548. CVE-2014-9670
+  * [sfnt] Fix Savannah bug #43588. CVE-2014-9669
+  * [sfnt] Fix Savannah bug #43589. CVE-2014-9668
+  * [sfnt] Fix Savannah bug #43590. CVE-2014-9667
+  * [sfnt] Fix Savannah bug #43591. CVE-2014-9666
+  * Change some fields in `FT_Bitmap' to unsigned type. CVE-2014-9665
+  * Fix uninitialized variable warning. CVE-2014-9665-fixup-2
+  * Make `FT_Bitmap_Convert' correctly handle negative `pitch' values.
+    CVE-2014-9665-fixup
+  * [type1, type42] Fix Savannah bug #43655. CVE-2014-9664
+  * [sfnt] Fix Savannah bug #43656. CVE-2014-9663
+  * [cff] Fix Savannah bug #43658. CVE-2014-9662
+  * [type42] Allow only embedded TrueType fonts. CVE-2014-9661
+  * [bdf] Fix Savannah bug #43660. CVE-2014-9660
+  * [cff] Fix Savannah bug #43661. CVE-2014-9659
+  * [sfnt] Fix Savannah bug #43672. CVE-2014-9658
+  * [truetype] Fix Savannah bug #43679. CVE-2014-9657
+  * [sfnt] Fix Savannah bug #43680. CVE-2014-9656
+  * All CVEs patched. Closes: #777656.
+
+ -- Keith Packard <keithp@keithp.com>  Mon, 23 Feb 2015 22:04:36 -0800
+
 freetype (2.5.2-2) unstable; urgency=medium
 
   * Acknowledge security NMU; thanks to Michael Gilbert.
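Review bot: two of the CVE tags in the new changelog entry are typos and will not match the security tracker or a grep: `in the summation of POST fragment lengths. CVE-2014-0674-part-2` should read CVE-2014-9674-part-2, and `too long tracing messages. CVS-2014-9674-fixup-2` should read CVE-2014-9674-fixup-2. The same entry names `src/base/ftobj.c` while every other POST-resource line says `src/base/ftobjs.c` (the mismatch is mirrored in the 0027 patch file name in the series). Fix the tags and the path before upload so the entry is searchable by CVE id.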
diff -u freetype-2.5.2/debian/patches-freetype/series freetype-2.5.2/debian/patches-freetype/series
--- freetype-2.5.2/debian/patches-freetype/series
+++ freetype-2.5.2/debian/patches-freetype/series
@@ -10,0 +11,27 @@
+0003-sfnt-Fix-Savannah-bug-43680.-CVE-2014-9656.patch
+0004-truetype-Fix-Savannah-bug-43679.-CVE-2014-9657.patch
+0005-sfnt-Fix-Savannah-bug-43672.-CVE-2014-9658.patch
+0006-cff-Fix-Savannah-bug-43661.-CVE-2014-9659.patch
+0007-bdf-Fix-Savannah-bug-43660.-CVE-2014-9660.patch
+0008-type42-Allow-only-embedded-TrueType-fonts.-CVE-2014-.patch
+0009-cff-Fix-Savannah-bug-43658.-CVE-2014-9662.patch
+0010-sfnt-Fix-Savannah-bug-43656.-CVE-2014-9663.patch
+0011-type1-type42-Fix-Savannah-bug-43655.-CVE-2014-9664.patch
+0012-Make-FT_Bitmap_Convert-correctly-handle-negative-pit.patch
+0013-Fix-uninitialized-variable-warning.-CVE-2014-9665-fi.patch
+0014-Change-some-fields-in-FT_Bitmap-to-unsigned-type.-CV.patch
+0015-sfnt-Fix-Savannah-bug-43591.-CVE-2014-9666.patch
+0016-sfnt-Fix-Savannah-bug-43590.-CVE-2014-9667.patch
+0017-sfnt-Fix-Savannah-bug-43589.-CVE-2014-9668.patch
+0018-sfnt-Fix-Savannah-bug-43588.-CVE-2014-9669.patch
+0019-Fix-Savannah-bug-43548.-CVE-2014-9670.patch
+0020-Fix-Savannah-bug-43547.-CVE-2014-9671.patch
+0021-Fix-Savannah-bug-43540.-CVE-2014-9672.patch
+0022-src-base-ftobjs.c-Mac_Read_POST_Resource-Avoid-memor.patch
+0023-Fix-Savannah-bug-43539.-CVE-2014-9673.patch
+0024-Fix-Savannah-bug-43538.-CVE-2014-9674-part-1.patch
+0025-src-base-ftobjs.c-Mac_Read_POST_Resource-Use-unsigne.patch
+0026-src-base-ftobjs.c-Mac_Read_POST_Resource-Insert-comm.patch
+0027-src-base-ftobj.c-Mac_Read_POST_Resource-Additional-C.patch
+0028-bdf-Fix-Savannah-bug-41692.-CVE-2014-9675-fixup-1.patch
+0029-Fix-Savannah-bug-43535.-CVE-2014-9675.patch
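Review bot: the series applies the patches in descending CVE order, which is roughly the reverse of upstream chronology, and for src/base/ftbitmap.c that means the original CVE-2014-9665 commit (0014, upstream b3500af7) lands after its own fixup (0012, upstream df485774) and after the local warning fix (0013). The `index` lines in those three patches (182b1cc..9223007, 9223007..b9c2ef4, b9c2ef4..127bfc5) show they were regenerated as a chain in this order, so they apply, but a short note in the changelog or at the top of the series saying the upstream order was deliberately inverted would save the next uploader from trying to "restore" it.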
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0003-sfnt-Fix-Savannah-bug-43680.-CVE-2014-9656.patch
+++ freetype-2.5.2/debian/patches-freetype/0003-sfnt-Fix-Savannah-bug-43680.-CVE-2014-9656.patch
@@ -0,0 +1,33 @@
+From 6de5eb9ffbbad7065ce34b3c267f2f95e4f45ea1 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 24 Nov 2014 10:51:21 +0100
+Subject: [sfnt] Fix Savannah bug #43680. CVE-2014-9656
+
+This adds an additional constraint to make the fix from 2013-01-25
+really work.
+
+* src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) <index_format==4>:
+Check `p' before `num_glyphs'.
+
+(cherry picked from commit f0292bb9920aa1dbfed5f53861e7c7a89b35833a)
+---
+ freetype-2.5.2/src/sfnt/ttsbit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git freetype-2.5.2/src/sfnt/ttsbit.c freetype-2.5.2/src/sfnt/ttsbit.c
+index 7469ff1..38c680e 100644
+--- freetype-2.5.2/src/sfnt/ttsbit.c
++++ freetype-2.5.2/src/sfnt/ttsbit.c
+@@ -1143,7 +1143,8 @@
+         num_glyphs = FT_NEXT_ULONG( p );
+ 
+         /* overflow check for p + ( num_glyphs + 1 ) * 4 */
+-        if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
++        if ( p + 4 > p_limit                                         ||
++             num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
+           goto NoBitmap;
+ 
+         for ( mm = 0; mm < num_glyphs; mm++ )
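Review bot: the new `p + 4 > p_limit` guard is what stops `( ( p_limit - p ) >> 2 ) - 1` from evaluating to -1 and wrapping to the FT_ULong maximum when fewer than four bytes remain, which made the old test accept any `num_glyphs`; the comment above still only mentions the `p + ( num_glyphs + 1 ) * 4` overflow, so add a sentence about that wrap. Writing the guard as `p_limit - p < 4` says the same thing without forming a pointer past the end of the buffer. Note also that `num_glyphs` has already been read with `FT_NEXT_ULONG( p )` before this check, so the bound for that read must be established earlier in the function (not visible in this hunk).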
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0004-truetype-Fix-Savannah-bug-43679.-CVE-2014-9657.patch
+++ freetype-2.5.2/debian/patches-freetype/0004-truetype-Fix-Savannah-bug-43679.-CVE-2014-9657.patch
@@ -0,0 +1,46 @@
+From aa9ce85c823ad7e26db3106df0a1bfa4cfd03b01 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 24 Nov 2014 10:22:08 +0100
+Subject: [truetype] Fix Savannah bug #43679. CVE-2014-9657
+
+* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of
+`record_size'.
+
+(cherry picked from commit eca0f067068020870a429fe91f6329e499390d55)
+---
+ freetype-2.5.2/src/truetype/ttpload.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git freetype-2.5.2/src/truetype/ttpload.c freetype-2.5.2/src/truetype/ttpload.c
+index 9723a51..9991925 100644
+--- freetype-2.5.2/src/truetype/ttpload.c
++++ freetype-2.5.2/src/truetype/ttpload.c
+@@ -508,9 +508,9 @@
+     record_size = FT_NEXT_ULONG( p );
+ 
+     /* The maximum number of bytes in an hdmx device record is the */
+-    /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is   */
+-    /* the reason why `record_size' is a long (which we read as    */
+-    /* unsigned long for convenience).  In practice, two bytes     */
++    /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus      */
++    /* explaining why `record_size' is a long (which we read as    */
++    /* unsigned long for convenience).  In practice, two bytes are */
+     /* sufficient to hold the size value.                          */
+     /*                                                             */
+     /* There are at least two fonts, HANNOM-A and HANNOM-B version */
+@@ -522,8 +522,10 @@
+       record_size &= 0xFFFFU;
+ 
+     /* The limit for `num_records' is a heuristic value. */
+-
+-    if ( version != 0 || num_records > 255 || record_size > 0x10001L )
++    if ( version != 0           ||
++         num_records > 255      ||
++         record_size > 0x10001L ||
++         record_size < 4        )
+     {
+       error = FT_THROW( Invalid_File_Format );
+       goto Fail;
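Review bot: the `record_size < 4` lower bound now sits directly under the comment `The limit for `num_records' is a heuristic value.`, and the long comment block in the previous hunk only justifies the 0x10001L upper bound, so a reader will take 4 for another heuristic. State what the loader reads unconditionally from each device record that makes 4 the minimum, since that is the actual out-of-bounds read being closed here.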
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0005-sfnt-Fix-Savannah-bug-43672.-CVE-2014-9658.patch
+++ freetype-2.5.2/debian/patches-freetype/0005-sfnt-Fix-Savannah-bug-43672.-CVE-2014-9658.patch
@@ -0,0 +1,29 @@
+From 19389867e134b069bb4462c0a930461a3dc6c2b9 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 24 Nov 2014 09:31:32 +0100
+Subject: [sfnt] Fix Savannah bug #43672. CVE-2014-9658
+
+* src/sfnt/ttkern.c (tt_face_load_kern): Use correct value for
+minimum table length test.
+
+(cherry picked from commit f70d9342e65cd2cb44e9f26b6d7edeedf191fc6c)
+---
+ freetype-2.5.2/src/sfnt/ttkern.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git freetype-2.5.2/src/sfnt/ttkern.c freetype-2.5.2/src/sfnt/ttkern.c
+index 32c4008..455e7b5 100644
+--- freetype-2.5.2/src/sfnt/ttkern.c
++++ freetype-2.5.2/src/sfnt/ttkern.c
+@@ -99,7 +99,7 @@
+       length   = FT_NEXT_USHORT( p );
+       coverage = FT_NEXT_USHORT( p );
+ 
+-      if ( length <= 6 )
++      if ( length <= 6 + 8 )
+         break;
+ 
+       p_next += length;
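Review bot: the bare `6 + 8` needs a comment naming its parts: 6 is the subtable header (version, length, coverage) read just above, and the 8 is presumably the subtable-format header the loader consumes next before it trusts `length`; without that, the next person will fold it back into `14`. Separately, the `break` quietly ends the subtable loop, dropping this and every following subtable instead of flagging the table; that matches the existing `length <= 6` handling, but an FT_TRACE message here would make malformed kern tables visible when debugging.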
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0006-cff-Fix-Savannah-bug-43661.-CVE-2014-9659.patch
+++ freetype-2.5.2/debian/patches-freetype/0006-cff-Fix-Savannah-bug-43661.-CVE-2014-9659.patch
@@ -0,0 +1,99 @@
+From 2c67877c034f28520d4daabf2d24ac94b2d47df0 Mon Sep 17 00:00:00 2001
+From: Dave Arnold <darnold@adobe.com>
+Date: Thu, 4 Dec 2014 06:10:16 +0100
+Subject: [cff] Fix Savannah bug #43661. CVE-2014-9659
+
+* src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdHSTEM,
+cf2_cmdVSTEM, cf2_cmdHINTMASK>: Don't append to stem arrays after
+hintmask is constructed.
+
+* src/cff/cf2hints.c (cf2_hintmap_build): Add defensive code to
+avoid reading past end of hintmask.
+
+(cherry picked from commit 2cdc4562f873237f1c77d43540537c7a721d3fd8)
+---
+ freetype-2.5.2/src/cff/cf2hints.c |  5 ++++-
+ freetype-2.5.2/src/cff/cf2intrp.c | 21 ++++++++++++++-------
+ 2 files changed, 18 insertions(+), 8 deletions(-)
+
+diff --git freetype-2.5.2/src/cff/cf2hints.c freetype-2.5.2/src/cff/cf2hints.c
+index 5f44161..ba28e0c 100644
+--- freetype-2.5.2/src/cff/cf2hints.c
++++ freetype-2.5.2/src/cff/cf2hints.c
+@@ -792,9 +792,12 @@
+     maskPtr      = cf2_hintmask_getMaskPtr( &tempHintMask );
+ 
+     /* use the hStem hints only, which are first in the mask */
+-    /* TODO: compare this to cffhintmaskGetBitCount */
+     bitCount = cf2_arrstack_size( hStemHintArray );
+ 
++    /* Defense-in-depth.  Should never return here. */
++    if ( bitCount > hintMask->bitCount )
++        return;
++
+     /* synthetic embox hints get highest priority */
+     if ( font->blues.doEmBoxHints )
+     {
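Review bot: the defensive `return` when `bitCount > hintMask->bitCount` leaves the hint map in whatever state it was in, with no error and no trace, even though the comment says `Should never return here.`; an FT_TRACE4 line (as used elsewhere in this patch) would make it visible when a fuzzed font trips it. Style nit: `return;` is indented four columns under the `if` where the surrounding code uses two.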
+diff --git freetype-2.5.2/src/cff/cf2intrp.c freetype-2.5.2/src/cff/cf2intrp.c
+index 5610917..a269606 100644
+--- freetype-2.5.2/src/cff/cf2intrp.c
++++ freetype-2.5.2/src/cff/cf2intrp.c
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    Adobe's CFF Interpreter (body).                                      */
+ /*                                                                         */
+-/*  Copyright 2007-2013 Adobe Systems Incorporated.                        */
++/*  Copyright 2007-2014 Adobe Systems Incorporated.                        */
+ /*                                                                         */
+ /*  This software, and all works of authorship, whether in source or       */
+ /*  object code form as indicated by the copyright notice(s) included      */
+@@ -593,8 +593,11 @@
+ 
+         /* never add hints after the mask is computed */
+         if ( cf2_hintmask_isValid( &hintMask ) )
++        {
+           FT_TRACE4(( "cf2_interpT2CharString:"
+                       " invalid horizontal hint mask\n" ));
++          break;
++        }
+ 
+         cf2_doStems( font,
+                      opStack,
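Review bot: the new `break` exits the operator handler with the stem arguments still on `opStack`; confirm that the interpreter loop clears the stack after every operator (not visible here), otherwise the stale arguments are consumed by the next operator. The same applies to the identical VSTEM hunk that follows.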
+@@ -614,8 +617,11 @@
+ 
+         /* never add hints after the mask is computed */
+         if ( cf2_hintmask_isValid( &hintMask ) )
++        {
+           FT_TRACE4(( "cf2_interpT2CharString:"
+                       " invalid vertical hint mask\n" ));
++          break;
++        }
+ 
+         cf2_doStems( font,
+                      opStack,
+@@ -1141,15 +1147,16 @@
+         /* `cf2_hintmask_read' (which also traces the mask bytes) */
+         FT_TRACE4(( op1 == cf2_cmdCNTRMASK ? " cntrmask" : " hintmask" ));
+ 
+-        /* if there are arguments on the stack, there this is an */
+-        /* implied cf2_cmdVSTEMHM                                */
+-        if ( cf2_stack_count( opStack ) != 0 )
++        /* never add hints after the mask is computed */
++        if ( cf2_stack_count( opStack ) > 1    &&
++             cf2_hintmask_isValid( &hintMask ) )
+         {
+-          /* never add hints after the mask is computed */
+-          if ( cf2_hintmask_isValid( &hintMask ) )
+-            FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" ));
++          FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" ));
++          break;
+         }
+ 
++        /* if there are arguments on the stack, there this is an */
++        /* implied cf2_cmdVSTEMHM                                */
+         cf2_doStems( font,
+                      opStack,
+                      &vStemHintArray,
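Review bot: the threshold moves from `cf2_stack_count( opStack ) != 0` to `> 1`, so a single remaining argument (presumably the advance width, which `cf2_doStems` consumes without adding a stem) is now allowed through after the mask is valid; say that in the comment, because `!= 0` was the natural reading and someone will "fix" it back. The moved comment also carries over the typo `there this is an implied cf2_cmdVSTEMHM` (should be `then this is`).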
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0007-bdf-Fix-Savannah-bug-43660.-CVE-2014-9660.patch
+++ freetype-2.5.2/debian/patches-freetype/0007-bdf-Fix-Savannah-bug-43660.-CVE-2014-9660.patch
@@ -0,0 +1,35 @@
+From beec79fa289f8cd246b985d9925dd60964ae5491 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 22 Nov 2014 13:29:10 +0100
+Subject: [bdf] Fix Savannah bug #43660. CVE-2014-9660
+
+* src/bdf/bdflib.c (_bdf_parse_glyphs) <"ENDFONT">: Check
+`_BDF_GLYPH_BITS'.
+
+(cherry picked from commit af8346172a7b573715134f7a51e6c5c60fa7f2ab)
+---
+ freetype-2.5.2/src/bdf/bdflib.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git freetype-2.5.2/src/bdf/bdflib.c freetype-2.5.2/src/bdf/bdflib.c
+index 0b8412d..d613159 100644
+--- freetype-2.5.2/src/bdf/bdflib.c
++++ freetype-2.5.2/src/bdf/bdflib.c
+@@ -1544,6 +1544,14 @@
+     /* Check for the ENDFONT field. */
+     if ( ft_memcmp( line, "ENDFONT", 7 ) == 0 )
+     {
++      if ( p->flags & _BDF_GLYPH_BITS )
++      {
++        /* Missing ENDCHAR field. */
++        FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENDCHAR" ));
++        error = FT_THROW( Corrupted_Font_Glyphs );
++        goto Exit;
++      }
++
+       /* Sort the glyphs by encoding. */
+       ft_qsort( (char *)font->glyphs,
+                 font->glyphs_used,
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0008-type42-Allow-only-embedded-TrueType-fonts.-CVE-2014-.patch
+++ freetype-2.5.2/debian/patches-freetype/0008-type42-Allow-only-embedded-TrueType-fonts.-CVE-2014-.patch
@@ -0,0 +1,34 @@
+From f81e0823c5bbf7692b20819328a2dd78bfa196b8 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 22 Nov 2014 12:44:33 +0100
+Subject: [type42] Allow only embedded TrueType fonts. CVE-2014-9661
+
+This is a follow-up to Savannah bug #43659.
+
+* src/type42/t42objs.c (T42_Face_Init): Exclusively use the
+`truetype' font driver for loading the font contained in the `sfnts'
+array.
+
+(cherry picked from commit 42fcd6693ec7bd6ffc65ddc63e74287a65dda669)
+---
+ freetype-2.5.2/src/type42/t42objs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git freetype-2.5.2/src/type42/t42objs.c freetype-2.5.2/src/type42/t42objs.c
+index f5aa2ca..af64bf7 100644
+--- freetype-2.5.2/src/type42/t42objs.c
++++ freetype-2.5.2/src/type42/t42objs.c
+@@ -286,7 +286,9 @@
+       FT_Open_Args  args;
+ 
+ 
+-      args.flags       = FT_OPEN_MEMORY;
++      args.flags       = FT_OPEN_MEMORY | FT_OPEN_DRIVER;
++      args.driver      = FT_Get_Module( FT_FACE_LIBRARY( face ),
++                                        "truetype" );
+       args.memory_base = face->ttf_data;
+       args.memory_size = face->ttf_size;
+ 
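Review bot: `FT_Get_Module( ..., "truetype" )` returns NULL when the truetype module is not compiled in (it is optional in modules.cfg); with `FT_OPEN_DRIVER` set and `args.driver == NULL`, the behaviour of the subsequent open call needs checking, and an explicit NULL test that fails the Type42 load with a clear error would be safer than relying on it. The restriction itself is the point of the fix: previously any driver that recognised the `sfnts` bytes could be selected, which the commit message ties to Savannah bug #43659.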
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0009-cff-Fix-Savannah-bug-43658.-CVE-2014-9662.patch
+++ freetype-2.5.2/debian/patches-freetype/0009-cff-Fix-Savannah-bug-43658.-CVE-2014-9662.patch
@@ -0,0 +1,102 @@
+From 5b1379de7cd336cde51a3fc45cfe5da8f70ebe89 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 22 Nov 2014 09:16:39 +0100
+Subject: [cff] Fix Savannah bug #43658. CVE-2014-9662
+
+* src/cff/cf2ft.c (cf2_builder_lineTo, cf2_builder_cubeTo): Handle
+return values of point allocation routines.
+
+(cherry picked from commit 5f201ab5c24cb69bc96b724fd66e739928d6c5e2)
+---
+ freetype-2.5.2/src/cff/cf2ft.c | 48 +++++++++++++++++++++++++++++++++---------
+ 1 file changed, 38 insertions(+), 10 deletions(-)
+
+diff --git freetype-2.5.2/src/cff/cf2ft.c freetype-2.5.2/src/cff/cf2ft.c
+index 4abbc9d..f8bf1b4 100644
+--- freetype-2.5.2/src/cff/cf2ft.c
++++ freetype-2.5.2/src/cff/cf2ft.c
+@@ -140,6 +140,8 @@
+   cf2_builder_lineTo( CF2_OutlineCallbacks      callbacks,
+                       const CF2_CallbackParams  params )
+   {
++    FT_Error  error;
++
+     /* downcast the object pointer */
+     CF2_Outline   outline = (CF2_Outline)callbacks;
+     CFF_Builder*  builder;
+@@ -154,15 +156,27 @@
+     {
+       /* record the move before the line; also check points and set */
+       /* `path_begun'                                               */
+-      cff_builder_start_point( builder,
+-                               params->pt0.x,
+-                               params->pt0.y );
++      error = cff_builder_start_point( builder,
++                                       params->pt0.x,
++                                       params->pt0.y );
++      if ( error )
++      {
++        if ( !*callbacks->error )
++          *callbacks->error =  error;
++        return;
++      }
+     }
+ 
+     /* `cff_builder_add_point1' includes a check_points call for one point */
+-    cff_builder_add_point1( builder,
+-                            params->pt1.x,
+-                            params->pt1.y );
++    error = cff_builder_add_point1( builder,
++                                    params->pt1.x,
++                                    params->pt1.y );
++    if ( error )
++    {
++      if ( !*callbacks->error )
++        *callbacks->error =  error;
++      return;
++    }
+   }
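Review bot: the error-propagation block (`if ( !*callbacks->error ) *callbacks->error = error; return;`) is repeated four times across this hunk and the cubeTo one below; a small static helper would keep the first-error-wins rule in one place. Since `cf2_builder_lineTo` and `cf2_builder_cubeTo` return void, the error only reaches the caller through `callbacks->error`, so make sure the interpreter loop checks it and stops rather than continuing to emit points into an outline that failed to grow. Formatting nit: double space in `*callbacks->error =  error;`.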
+ 
+ 
+@@ -170,6 +184,8 @@
+   cf2_builder_cubeTo( CF2_OutlineCallbacks      callbacks,
+                       const CF2_CallbackParams  params )
+   {
++    FT_Error  error;
++
+     /* downcast the object pointer */
+     CF2_Outline   outline = (CF2_Outline)callbacks;
+     CFF_Builder*  builder;
+@@ -184,13 +200,25 @@
+     {
+       /* record the move before the line; also check points and set */
+       /* `path_begun'                                               */
+-      cff_builder_start_point( builder,
+-                               params->pt0.x,
+-                               params->pt0.y );
++      error = cff_builder_start_point( builder,
++                                       params->pt0.x,
++                                       params->pt0.y );
++      if ( error )
++      {
++        if ( !*callbacks->error )
++          *callbacks->error =  error;
++        return;
++      }
+     }
+ 
+     /* prepare room for 3 points: 2 off-curve, 1 on-curve */
+-    cff_check_points( builder, 3 );
++    error = cff_check_points( builder, 3 );
++    if ( error )
++    {
++      if ( !*callbacks->error )
++        *callbacks->error =  error;
++      return;
++    }
+ 
+     cff_builder_add_point( builder,
+                            params->pt1.x,
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0010-sfnt-Fix-Savannah-bug-43656.-CVE-2014-9663.patch
+++ freetype-2.5.2/debian/patches-freetype/0010-sfnt-Fix-Savannah-bug-43656.-CVE-2014-9663.patch
@@ -0,0 +1,40 @@
+From 82c605d68a03166c21a974b58155f78bce031cd1 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 22 Nov 2014 06:24:45 +0100
+Subject: [sfnt] Fix Savannah bug #43656. CVE-2014-9663
+
+* src/sfnt/ttcmap.c (tt_cmap4_validate): Fix order of validity
+tests.
+
+(cherry picked from commit 9bd20b7304aae61de5d50ac359cf27132bafd4c1)
+---
+ freetype-2.5.2/src/sfnt/ttcmap.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git freetype-2.5.2/src/sfnt/ttcmap.c freetype-2.5.2/src/sfnt/ttcmap.c
+index 9b7856b..c6ed872 100644
+--- freetype-2.5.2/src/sfnt/ttcmap.c
++++ freetype-2.5.2/src/sfnt/ttcmap.c
+@@ -825,9 +825,6 @@
+     FT_Error  error = FT_Err_Ok;
+ 
+ 
+-    if ( length < 16 )
+-      FT_INVALID_TOO_SHORT;
+-
+     /* in certain fonts, the `length' field is invalid and goes */
+     /* out of bound.  We try to correct this here...            */
+     if ( table + length > valid->limit )
+@@ -838,6 +835,9 @@
+       length = (FT_UInt)( valid->limit - table );
+     }
+ 
++    if ( length < 16 )
++      FT_INVALID_TOO_SHORT;
++
+     p        = table + 6;
+     num_segs = TT_NEXT_USHORT( p );   /* read segCountX2 */
+ 
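Review bot: the order now matters: the clamp `length = (FT_UInt)( valid->limit - table )` can shrink `length` below 16, and moving `if ( length < 16 )` after it is the whole fix. Extend the comment `We try to correct this here...` to say that the minimum-size test deliberately follows the clamp, otherwise the original order looks like the tidier one and could be restored as a cleanup.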
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0011-type1-type42-Fix-Savannah-bug-43655.-CVE-2014-9664.patch
+++ freetype-2.5.2/debian/patches-freetype/0011-type1-type42-Fix-Savannah-bug-43655.-CVE-2014-9664.patch
@@ -0,0 +1,43 @@
+From 31fddea8aa48f4c3fed12ff985da0a24b5561f46 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Fri, 21 Nov 2014 22:19:28 +0100
+Subject: [type1, type42] Fix Savannah bug #43655. CVE-2014-9664
+
+* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c
+(t42_parse_charstrings): Fix boundary testing.
+
+(cherry picked from commit dd89710f0f643eb0f99a3830e0712d26c7642acd)
+---
+ freetype-2.5.2/src/type1/t1load.c    | 2 +-
+ freetype-2.5.2/src/type42/t42parse.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git freetype-2.5.2/src/type1/t1load.c freetype-2.5.2/src/type1/t1load.c
+index 4b5026b..fca3279 100644
+--- freetype-2.5.2/src/type1/t1load.c
++++ freetype-2.5.2/src/type1/t1load.c
+@@ -1599,7 +1599,7 @@
+         FT_PtrDist  len;
+ 
+ 
+-        if ( cur + 1 >= limit )
++        if ( cur + 2 >= limit )
+         {
+           error = FT_THROW( Invalid_File_Format );
+           goto Fail;
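Review bot: `cur + 1 >= limit` becoming `cur + 2 >= limit` is an off-by-one in a boundary test, but the hunk does not show how many bytes are read after the check, so add a comment stating that; the pointer-difference form `limit - cur <= 2` expresses the same bound without forming a pointer past `limit`. The t42parse.c hunk below makes the identical change and should carry the same comment.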
+diff --git freetype-2.5.2/src/type42/t42parse.c freetype-2.5.2/src/type42/t42parse.c
+index 3cdd8a1..0b3e0c6 100644
+--- freetype-2.5.2/src/type42/t42parse.c
++++ freetype-2.5.2/src/type42/t42parse.c
+@@ -832,7 +832,7 @@
+         FT_PtrDist  len;
+ 
+ 
+-        if ( cur + 1 >= limit )
++        if ( cur + 2 >= limit )
+         {
+           FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
+           error = FT_THROW( Invalid_File_Format );
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0012-Make-FT_Bitmap_Convert-correctly-handle-negative-pit.patch
+++ freetype-2.5.2/debian/patches-freetype/0012-Make-FT_Bitmap_Convert-correctly-handle-negative-pit.patch
@@ -0,0 +1,169 @@
+From 91c554119a126f4476b2675a3729e8890a2b2e4a Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 19 Nov 2014 21:21:23 +0100
+Subject: Make `FT_Bitmap_Convert' correctly handle negative `pitch' values.
+ CVE-2014-9665-fixup
+
+* src/base/ftbitmap.c (FT_Bitmap_Convert): Always use positive value
+for the pitch while copying data.
+Correctly set pitch sign in target bitmap.
+
+(cherry picked from commit df485774fbbc7fd7dc9d3b278846f454654ad5df)
+---
+ freetype-2.5.2/src/base/ftbitmap.c | 63 +++++++++++++++++++++-----------------
+ 1 file changed, 35 insertions(+), 28 deletions(-)
+
+diff --git freetype-2.5.2/src/base/ftbitmap.c freetype-2.5.2/src/base/ftbitmap.c
+index 182b1cc..9223007 100644
+--- freetype-2.5.2/src/base/ftbitmap.c
++++ freetype-2.5.2/src/base/ftbitmap.c
+@@ -443,6 +443,8 @@
+     FT_Error   error = FT_Err_Ok;
+     FT_Memory  memory;
+ 
++    FT_Int  source_pitch, target_pitch;
++
+ 
+     if ( !library )
+       return FT_THROW( Invalid_Library_Handle );
+@@ -459,13 +461,15 @@
+     case FT_PIXEL_MODE_LCD_V:
+     case FT_PIXEL_MODE_BGRA:
+       {
+-        FT_Int   pad;
++        FT_Int   pad, old_target_pitch;
+         FT_Long  old_size;
+ 
+ 
+-        old_size = target->rows * target->pitch;
+-        if ( old_size < 0 )
+-          old_size = -old_size;
++        old_target_pitch = target->pitch;
++        if ( old_target_pitch < 0 )
++          old_target_pitch = -old_target_pitch;
++
++        old_size = target->rows * old_target_pitch;
+ 
+         target->pixel_mode = FT_PIXEL_MODE_GRAY;
+         target->rows       = source->rows;
+@@ -479,16 +483,18 @@
+             pad = alignment - pad;
+         }
+ 
+-        target->pitch = source->width + pad;
++        target_pitch = source->width + pad;
+ 
+-        if ( target->pitch > 0                                     &&
+-             (FT_ULong)target->rows > FT_ULONG_MAX / target->pitch )
++        if ( target_pitch > 0                                     &&
++             (FT_ULong)target->rows > FT_ULONG_MAX / target_pitch )
+           return FT_THROW( Invalid_Argument );
+ 
+-        if ( target->rows * target->pitch > old_size             &&
++        if ( target->rows * target_pitch > old_size               &&
+              FT_QREALLOC( target->buffer,
+-                          old_size, target->rows * target->pitch ) )
++                          old_size, target->rows * target_pitch ) )
+           return error;
++
++        target->pitch = target->pitch < 0 ? -target_pitch : target_pitch;
+       }
+       break;
+ 
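Review bot: `target->pitch = target->pitch < 0 ? -target_pitch : target_pitch;` takes the sign from the caller's old target bitmap, while the copy loops in the later hunks step both buffers by the positive `source_pitch` / `target_pitch` from the start of each buffer; when the source and target signs differ the rows are copied in memory order, so the image ends up vertically flipped. If keeping the target's orientation is the intended contract, document it in the function comment; otherwise the sign should come from `source->pitch`. Also, `target_pitch` is assigned only inside this case block but read in every case of the second switch below, which is what the separate warning fix (patch 0013) has to paper over.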
+@@ -496,6 +502,10 @@
+       error = FT_THROW( Invalid_Argument );
+     }
+ 
++    source_pitch = source->pitch;
++    if ( source_pitch < 0 )
++      source_pitch = -source_pitch;
++
+     switch ( source->pixel_mode )
+     {
+     case FT_PIXEL_MODE_MONO:
+@@ -548,8 +558,8 @@
+             }
+           }
+ 
+-          s += source->pitch;
+-          t += target->pitch;
++          s += source_pitch;
++          t += target_pitch;
+         }
+       }
+       break;
+@@ -559,11 +569,9 @@
+     case FT_PIXEL_MODE_LCD:
+     case FT_PIXEL_MODE_LCD_V:
+       {
+-        FT_Int    width   = source->width;
+-        FT_Byte*  s       = source->buffer;
+-        FT_Byte*  t       = target->buffer;
+-        FT_Int    s_pitch = source->pitch;
+-        FT_Int    t_pitch = target->pitch;
++        FT_Int    width = source->width;
++        FT_Byte*  s     = source->buffer;
++        FT_Byte*  t     = target->buffer;
+         FT_Int    i;
+ 
+ 
+@@ -573,8 +581,8 @@
+         {
+           FT_ARRAY_COPY( t, s, width );
+ 
+-          s += s_pitch;
+-          t += t_pitch;
++          s += source_pitch;
++          t += target_pitch;
+         }
+       }
+       break;
+@@ -625,8 +633,8 @@
+             }
+           }
+ 
+-          s += source->pitch;
+-          t += target->pitch;
++          s += source_pitch;
++          t += target_pitch;
+         }
+       }
+       break;
+@@ -664,18 +672,17 @@
+           if ( source->width & 1 )
+             tt[0] = (FT_Byte)( ( ss[0] & 0xF0 ) >> 4 );
+ 
+-          s += source->pitch;
+-          t += target->pitch;
++          s += source_pitch;
++          t += target_pitch;
+         }
+       }
+       break;
+ 
++
+     case FT_PIXEL_MODE_BGRA:
+       {
+-        FT_Byte*  s       = source->buffer;
+-        FT_Byte*  t       = target->buffer;
+-        FT_Int    s_pitch = source->pitch;
+-        FT_Int    t_pitch = target->pitch;
++        FT_Byte*  s = source->buffer;
++        FT_Byte*  t = target->buffer;
+         FT_Int    i;
+ 
+ 
+@@ -696,8 +703,8 @@
+             tt += 1;
+           }
+ 
+-          s += s_pitch;
+-          t += t_pitch;
++          s += source_pitch;
++          t += target_pitch;
+         }
+       }
+       break;
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0013-Fix-uninitialized-variable-warning.-CVE-2014-9665-fi.patch
+++ freetype-2.5.2/debian/patches-freetype/0013-Fix-uninitialized-variable-warning.-CVE-2014-9665-fi.patch
@@ -0,0 +1,31 @@
+From 3c8cb26b672f02272604a66fd5af0f53cab1c872 Mon Sep 17 00:00:00 2001
+From: Keith Packard <keithp@keithp.com>
+Date: Mon, 23 Feb 2015 20:47:24 -0800
+Subject: Fix uninitialized variable warning. CVE-2014-9665-fixup-2
+
+The 'target_pitch' value is computed in one switch and used in
+another; every use case is covered by the computation above, but the
+compiler  can't figure that out, leaving a warning which we turn into
+an error.
+
+Signed-off-by: Keith Packard <keithp@keithp.com>
+---
+ freetype-2.5.2/src/base/ftbitmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git freetype-2.5.2/src/base/ftbitmap.c freetype-2.5.2/src/base/ftbitmap.c
+index 9223007..b9c2ef4 100644
+--- freetype-2.5.2/src/base/ftbitmap.c
++++ freetype-2.5.2/src/base/ftbitmap.c
+@@ -443,7 +443,7 @@
+     FT_Error   error = FT_Err_Ok;
+     FT_Memory  memory;
+ 
+-    FT_Int  source_pitch, target_pitch;
++    FT_Int  source_pitch, target_pitch = 0;
+ 
+ 
+     if ( !library )
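Review bot: the `= 0` initializer only silences the compiler; a comment saying that the second switch reaches a copy loop only for pixel modes the first switch has assigned `target_pitch` for (anything else falls into the `Invalid_Argument` default) would stop a reader from taking 0 as a legitimate pitch. Initialising one of the two variables in `FT_Int  source_pitch, target_pitch = 0;` also reads oddly; give each its own declaration line.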
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0014-Change-some-fields-in-FT_Bitmap-to-unsigned-type.-CV.patch
+++ freetype-2.5.2/debian/patches-freetype/0014-Change-some-fields-in-FT_Bitmap-to-unsigned-type.-CV.patch
@@ -0,0 +1,237 @@
+From 6dfb8afb2f8e7018ab20ad4ec001633edda3a96c Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 19 Nov 2014 21:28:21 +0100
+Subject: Change some fields in `FT_Bitmap' to unsigned type. CVE-2014-9665
+
+This doesn't break ABI.
+
+* include/ftimage.h (FT_Bitmap): Make `rows', `width', `num_grays',
+`pixel_mode', and `palette_mode' unsigned types.
+
+* src/base/ftbitmap.c: Updated.
+(FT_Bitmap_Copy): Fix casts.
+
+* src/cache/ftcsbits.c, src/raster/ftraster.c, src/sfnt/pngshim.c:
+Updated.
+
+(cherry picked from commit b3500af717010137046ec4076d1e1c0641e33727)
+---
+ freetype-2.5.2/include/ftimage.h     | 10 +++++-----
+ freetype-2.5.2/src/base/ftbitmap.c   | 25 +++++++++++++------------
+ freetype-2.5.2/src/cache/ftcsbits.c  |  8 ++++----
+ freetype-2.5.2/src/raster/ftraster.c | 12 ++++++------
+ freetype-2.5.2/src/sfnt/pngshim.c    | 10 +++++-----
+ 5 files changed, 33 insertions(+), 32 deletions(-)
+
+diff --git freetype-2.5.2/include/ftimage.h freetype-2.5.2/include/ftimage.h
+index ea71a78..b66f036 100644
+--- freetype-2.5.2/include/ftimage.h
++++ freetype-2.5.2/include/ftimage.h
+@@ -318,13 +318,13 @@ FT_BEGIN_HEADER
+   /*                                                                       */
+   typedef struct  FT_Bitmap_
+   {
+-    int             rows;
+-    int             width;
++    unsigned int    rows;
++    unsigned int    width;
+     int             pitch;
+     unsigned char*  buffer;
+-    short           num_grays;
+-    char            pixel_mode;
+-    char            palette_mode;
++    unsigned short  num_grays;
++    unsigned char   pixel_mode;
++    unsigned char   palette_mode;
+     void*           palette;
+ 
+   } FT_Bitmap;
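Review bot: the struct layout is unchanged because every field keeps its size, so the ABI claim holds, but API semantics shift for clients: arithmetic such as `bitmap->rows - 1` or a comparison of `width` with a signed int is now done in unsigned, and a value that used to go negative silently wraps. That deserves a NEWS entry in the Debian package. Inside FreeType, `pitch` stays signed, so every `rows * pitch` style expression needs a look; the ftbitmap.c hunks below do that, the other files listed in the stat should get the same audit.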
+diff --git freetype-2.5.2/src/base/ftbitmap.c freetype-2.5.2/src/base/ftbitmap.c
+index b9c2ef4..127bfc5 100644
+--- freetype-2.5.2/src/base/ftbitmap.c
++++ freetype-2.5.2/src/base/ftbitmap.c
+@@ -62,7 +62,7 @@
+ 
+     if ( pitch < 0 )
+       pitch = -pitch;
+-    size = (FT_ULong)( pitch * source->rows );
++    size = (FT_ULong)pitch * source->rows;
+ 
+     if ( target->buffer )
+     {
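Review bot: moving the cast so it reads `(FT_ULong)pitch * source->rows` makes the product evaluate in FT_ULong instead of int, which is the overflow being closed; it is only correct because `pitch` was negated to non-negative two lines above. A one-line comment to that effect would keep the cast from being "simplified" back onto the parenthesised product.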
+@@ -72,7 +72,7 @@
+ 
+       if ( target_pitch < 0  )
+         target_pitch = -target_pitch;
+-      target_size = (FT_ULong)( target_pitch * target->rows );
++      target_size = (FT_ULong)target_pitch * target->rows;
+ 
+       if ( target_size != size )
+         (void)FT_QREALLOC( target->buffer, target_size, size );
+@@ -106,7 +106,7 @@
+     int             pitch;
+     int             new_pitch;
+     FT_UInt         bpp;
+-    FT_Int          i, width, height;
++    FT_UInt         i, width, height;
+     unsigned char*  buffer = NULL;
+ 
+ 
+@@ -144,17 +144,17 @@
+     if ( ypixels == 0 && new_pitch <= pitch )
+     {
+       /* zero the padding */
+-      FT_Int  bit_width = pitch * 8;
+-      FT_Int  bit_last  = ( width + xpixels ) * bpp;
++      FT_UInt  bit_width = pitch * 8;
++      FT_UInt  bit_last  = ( width + xpixels ) * bpp;
+ 
+ 
+       if ( bit_last < bit_width )
+       {
+         FT_Byte*  line  = bitmap->buffer + ( bit_last >> 3 );
+         FT_Byte*  end   = bitmap->buffer + pitch;
+-        FT_Int    shift = bit_last & 7;
++        FT_UInt   shift = bit_last & 7;
+         FT_UInt   mask  = 0xFF00U >> shift;
+-        FT_Int    count = height;
++        FT_UInt   count = height;
+ 
+ 
+         for ( ; count > 0; count--, line += pitch, end += pitch )
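Review bot: `bit_width = pitch * 8` is still computed in `int` from the `int pitch` declared in the previous hunk and only then stored in `FT_UInt`; unless `pitch` has already been made non-negative above (not visible in this hunk), a negative value converts to a huge unsigned and `bit_last < bit_width` is decided by wraparound rather than by geometry. Either guard `pitch >= 0` here or cast before multiplying (`(FT_UInt)pitch * 8`) so the arithmetic is deliberately unsigned.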
+@@ -180,7 +180,7 @@
+ 
+     if ( bitmap->pitch > 0 )
+     {
+-      FT_Int  len = ( width * bpp + 7 ) >> 3;
++      FT_UInt  len = ( width * bpp + 7 ) >> 3;
+ 
+ 
+       for ( i = 0; i < bitmap->rows; i++ )
+@@ -189,7 +189,7 @@
+     }
+     else
+     {
+-      FT_Int  len = ( width * bpp + 7 ) >> 3;
++      FT_UInt  len = ( width * bpp + 7 ) >> 3;
+ 
+ 
+       for ( i = 0; i < bitmap->rows; i++ )
+@@ -220,7 +220,8 @@
+   {
+     FT_Error        error;
+     unsigned char*  p;
+-    FT_Int          i, x, y, pitch;
++    FT_Int          i, x, pitch;
++    FT_UInt         y;
+     FT_Int          xstr, ystr;
+ 
+ 
+@@ -461,8 +462,8 @@
+     case FT_PIXEL_MODE_LCD_V:
+     case FT_PIXEL_MODE_BGRA:
+       {
+-        FT_Int   pad, old_target_pitch;
+-        FT_Long  old_size;
++        FT_Int    pad, old_target_pitch;
++        FT_ULong  old_size;
+ 
+ 
+         old_target_pitch = target->pitch;
+diff --git freetype-2.5.2/src/cache/ftcsbits.c freetype-2.5.2/src/cache/ftcsbits.c
+index 6df1c19..59727d1 100644
+--- freetype-2.5.2/src/cache/ftcsbits.c
++++ freetype-2.5.2/src/cache/ftcsbits.c
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    FreeType sbits manager (body).                                       */
+ /*                                                                         */
+-/*  Copyright 2000-2006, 2009-2011, 2013 by                                */
++/*  Copyright 2000-2006, 2009-2011, 2013, 2014 by                          */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -142,12 +142,12 @@
+         goto BadGlyph;
+       }
+ 
+-      /* Check that our values fit into 8-bit containers!       */
++      /* Check whether our values fit into 8-bit containers!    */
+       /* If this is not the case, our bitmap is too large       */
+       /* and we will leave it as `missing' with sbit.buffer = 0 */
+ 
+-#define CHECK_CHAR( d )  ( temp = (FT_Char)d, temp == d )
+-#define CHECK_BYTE( d )  ( temp = (FT_Byte)d, temp == d )
++#define CHECK_CHAR( d )  ( temp = (FT_Char)d, (FT_Int) temp == (FT_Int) d )
++#define CHECK_BYTE( d )  ( temp = (FT_Byte)d, (FT_UInt)temp == (FT_UInt)d )
+ 
+       /* horizontal advance in pixels */
+       xadvance = ( slot->advance.x + 32 ) >> 6;
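Review bot: the explicit `(FT_Int)` / `(FT_UInt)` casts in `CHECK_CHAR` and `CHECK_BYTE` make the round-trip comparison well defined now that the bitmap fields are unsigned, and `CHECK_BYTE` still rejects a negative `d` because `(FT_UInt)d` becomes a large value that cannot equal the truncated `temp`. Both macros evaluate `d` twice, so they must never be given an expression with side effects; parenthesising `d` in the expansion and stating that contract in the comment above would make it explicit.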
+diff --git freetype-2.5.2/src/raster/ftraster.c freetype-2.5.2/src/raster/ftraster.c
+index 8aa1113..6415d66 100644
+--- freetype-2.5.2/src/raster/ftraster.c
++++ freetype-2.5.2/src/raster/ftraster.c
+@@ -2550,7 +2550,7 @@
+ 
+         e1 = TRUNC( e1 );
+ 
+-        if ( e1 >= 0 && e1 < ras.target.rows )
++        if ( e1 >= 0 && (ULong)e1 < ras.target.rows )
+         {
+           PByte  p;
+ 
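Review bot: the `e1 >= 0 &&` test must stay in front of `(ULong)e1 < ras.target.rows`: the cast alone would turn a negative `e1` into a large unsigned value and let an out-of-range row through, so the operand order is load-bearing and deserves a one-line comment. The same holds for the three other `(ULong)e1` comparisons in this file.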
+@@ -2644,7 +2644,7 @@
+         /* bounding box instead                                           */
+         if ( pxl < 0 )
+           pxl = e1;
+-        else if ( TRUNC( pxl ) >= ras.target.rows )
++        else if ( (ULong)( TRUNC( pxl ) ) >= ras.target.rows )
+           pxl = e2;
+ 
+         /* check that the other pixel isn't set */
+@@ -2659,9 +2659,9 @@
+         if ( ras.target.pitch > 0 )
+           bits += ( ras.target.rows - 1 ) * ras.target.pitch;
+ 
+-        if ( e1 >= 0              &&
+-             e1 < ras.target.rows &&
+-             *bits & f1           )
++        if ( e1 >= 0                     &&
++             (ULong)e1 < ras.target.rows &&
++             *bits & f1                  )
+           return;
+       }
+       else
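Review bot: with `rows` now `unsigned int`, the unchanged context line `bits += ( ras.target.rows - 1 ) * ras.target.pitch;` is evaluated in unsigned arithmetic; for `rows == 0` it no longer yields `-pitch` but a value near `UINT_MAX`, so if a zero-row target can reach this code the pointer offset is wrong. Confirm `rows > 0` is guaranteed before this point or add a guard, since the header change altered the semantics of a line this hunk does not touch.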
+@@ -2673,7 +2673,7 @@
+ 
+     e1 = TRUNC( pxl );
+ 
+-    if ( e1 >= 0 && e1 < ras.target.rows )
++    if ( e1 >= 0 && (ULong)e1 < ras.target.rows )
+     {
+       bits -= e1 * ras.target.pitch;
+       if ( ras.target.pitch > 0 )
+diff --git freetype-2.5.2/src/sfnt/pngshim.c freetype-2.5.2/src/sfnt/pngshim.c
+index 878de1f..79374b7 100644
+--- freetype-2.5.2/src/sfnt/pngshim.c
++++ freetype-2.5.2/src/sfnt/pngshim.c
+@@ -205,11 +205,11 @@
+       goto Exit;
+     }
+ 
+-    if ( !populate_map_and_metrics                   &&
+-         ( x_offset + metrics->width  > map->width ||
+-           y_offset + metrics->height > map->rows  ||
+-           pix_bits != 32                          ||
+-           map->pixel_mode != FT_PIXEL_MODE_BGRA   ) )
++    if ( !populate_map_and_metrics                            &&
++         ( (FT_UInt)x_offset + metrics->width  > map->width ||
++           (FT_UInt)y_offset + metrics->height > map->rows  ||
++           pix_bits != 32                                   ||
++           map->pixel_mode != FT_PIXEL_MODE_BGRA            ) )
+     {
+       error = FT_THROW( Invalid_Argument );
+       goto Exit;
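Review bot: `(FT_UInt)x_offset + metrics->width > map->width` still performs the addition before the comparison, so if `x_offset` and `metrics->width` are both large the sum can wrap in 32 bits and the check passes. The subtraction form used elsewhere in this series (`metrics->width > map->width || (FT_UInt)x_offset > map->width - metrics->width`) is overflow-free; the same applies to the `y_offset` / `map->rows` line. A negative `x_offset` is rejected by the cast, which is correct but non-obvious and worth a comment.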
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0015-sfnt-Fix-Savannah-bug-43591.-CVE-2014-9666.patch
+++ freetype-2.5.2/debian/patches-freetype/0015-sfnt-Fix-Savannah-bug-43591.-CVE-2014-9666.patch
@@ -0,0 +1,35 @@
+From 4ebd46e114fb98084d937d09e003c9fd8f6f5939 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 12 Nov 2014 21:42:13 +0100
+Subject: [sfnt] Fix Savannah bug #43591. CVE-2014-9666
+
+* src/sfnt/ttsbit.c (tt_sbit_decoder_init): Protect against addition
+and multiplication overflow.
+
+(cherry picked from commit 257c270bd25e15890190a28a1456e7623bba4439)
+---
+ freetype-2.5.2/src/sfnt/ttsbit.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git freetype-2.5.2/src/sfnt/ttsbit.c freetype-2.5.2/src/sfnt/ttsbit.c
+index 38c680e..f223c5a 100644
+--- freetype-2.5.2/src/sfnt/ttsbit.c
++++ freetype-2.5.2/src/sfnt/ttsbit.c
+@@ -380,9 +380,11 @@
+       p                          += 34;
+       decoder->bit_depth          = *p;
+ 
+-      if ( decoder->strike_index_array > face->sbit_table_size             ||
+-           decoder->strike_index_array + 8 * decoder->strike_index_count >
+-             face->sbit_table_size                                         )
++      /* decoder->strike_index_array +                               */
++      /*   8 * decoder->strike_index_count > face->sbit_table_size ? */
++      if ( decoder->strike_index_array > face->sbit_table_size           ||
++           decoder->strike_index_count >
++             ( face->sbit_table_size - decoder->strike_index_array ) / 8 )
+         error = FT_THROW( Invalid_File_Format );
+     }
+ 
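Review bot: `strike_index_count > ( sbit_table_size - strike_index_array ) / 8` is exactly equivalent to the old `strike_index_array + 8 * strike_index_count > sbit_table_size` in integer arithmetic, and the preceding `strike_index_array > sbit_table_size` test is what keeps the subtraction from underflowing; that dependency on `||` short-circuit order should be stated in the comment above the `if` so a later reorder does not reintroduce the bug.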
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0016-sfnt-Fix-Savannah-bug-43590.-CVE-2014-9667.patch
+++ freetype-2.5.2/debian/patches-freetype/0016-sfnt-Fix-Savannah-bug-43590.-CVE-2014-9667.patch
@@ -0,0 +1,53 @@
+From f4e4eb6ba541c32bbad8a1d8db68e5a4cb9ba423 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 12 Nov 2014 21:26:44 +0100
+Subject: [sfnt] Fix Savannah bug #43590. CVE-2014-9667
+
+* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
+Protect against addition overflow.
+
+(cherry picked from commit 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891)
+---
+ freetype-2.5.2/src/sfnt/ttload.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git freetype-2.5.2/src/sfnt/ttload.c freetype-2.5.2/src/sfnt/ttload.c
+index 0a3cd29..8338150 100644
+--- freetype-2.5.2/src/sfnt/ttload.c
++++ freetype-2.5.2/src/sfnt/ttload.c
+@@ -5,7 +5,7 @@
+ /*    Load the basic TrueType tables, i.e., tables that can be either in   */
+ /*    TTF or OTF fonts (body).                                             */
+ /*                                                                         */
+-/*  Copyright 1996-2010, 2012, 2013 by                                     */
++/*  Copyright 1996-2010, 2012-2014 by                                      */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -207,7 +207,10 @@
+       }
+ 
+       /* we ignore invalid tables */
+-      if ( table.Offset + table.Length > stream->size )
++
++      /* table.Offset + table.Length > stream->size ? */
++      if ( table.Length > stream->size                ||
++           table.Offset > stream->size - table.Length )
+       {
+         FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
+         continue;
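Review bot: the new blank line separates `/* we ignore invalid tables */` from the `if` it describes; fold the two comments into one block (`/* we ignore invalid tables: table.Offset + table.Length > stream->size ? */`). The rewritten test itself is correct: `table.Length > stream->size` is checked first, so `stream->size - table.Length` cannot underflow. The same layout nit applies to the `tt_face_load_font_dir` hunk below.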
+@@ -395,7 +398,10 @@
+       entry->Length   = FT_GET_ULONG();
+ 
+       /* ignore invalid tables */
+-      if ( entry->Offset + entry->Length > stream->size )
++
++      /* entry->Offset + entry->Length > stream->size ? */
++      if ( entry->Length > stream->size                 ||
++           entry->Offset > stream->size - entry->Length )
+         continue;
+       else
+       {
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0017-sfnt-Fix-Savannah-bug-43589.-CVE-2014-9668.patch
+++ freetype-2.5.2/debian/patches-freetype/0017-sfnt-Fix-Savannah-bug-43589.-CVE-2014-9668.patch
@@ -0,0 +1,33 @@
+From eae341fbe8a57e4d30050b71f2956f1da053eb4b Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 12 Nov 2014 21:06:08 +0100
+Subject: [sfnt] Fix Savannah bug #43589. CVE-2014-9668
+
+* src/sfnt/sfobjs.c (woff_open_font): Protect against addition
+overflow.
+
+(cherry picked from commit f46add13895337ece929b18bb8f036431b3fb538)
+---
+ freetype-2.5.2/src/sfnt/sfobjs.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git freetype-2.5.2/src/sfnt/sfobjs.c freetype-2.5.2/src/sfnt/sfobjs.c
+index a31c77c..d202ca0 100644
+--- freetype-2.5.2/src/sfnt/sfobjs.c
++++ freetype-2.5.2/src/sfnt/sfobjs.c
+@@ -574,8 +574,10 @@
+ 
+ 
+       if ( table->Offset != woff_offset                         ||
+-           table->Offset + table->CompLength > woff.length      ||
+-           sfnt_offset + table->OrigLength > woff.totalSfntSize ||
++           table->CompLength > woff.length                      ||
++           table->Offset > woff.length - table->CompLength      ||
++           table->OrigLength > woff.totalSfntSize               ||
++           sfnt_offset > woff.totalSfntSize - table->OrigLength ||
+            table->CompLength > table->OrigLength                )
+       {
+         error = FT_THROW( Invalid_Table );
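Review bot: each new subtraction (`woff.length - table->CompLength`, `woff.totalSfntSize - table->OrigLength`) is only safe because the `>` test on the same operand immediately precedes it in the `||` chain; a comment saying that these pairs must stay in this order would protect the fix from a well-meaning reformat.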
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0018-sfnt-Fix-Savannah-bug-43588.-CVE-2014-9669.patch
+++ freetype-2.5.2/debian/patches-freetype/0018-sfnt-Fix-Savannah-bug-43588.-CVE-2014-9669.patch
@@ -0,0 +1,123 @@
+From 3cba76af29963f3fd1925ed6128cdf95bf8d4823 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 12 Nov 2014 20:51:20 +0100
+Subject: [sfnt] Fix Savannah bug #43588. CVE-2014-9669
+
+* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
+tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect
+against overflow in additions and multiplications.
+
+(cherry picked from commit 602040b1112c9f94d68e200be59ea7ac3d104565)
+---
+ freetype-2.5.2/src/sfnt/ttcmap.c | 39 ++++++++++++++++++++++++++++++---------
+ 1 file changed, 30 insertions(+), 9 deletions(-)
+
+diff --git freetype-2.5.2/src/sfnt/ttcmap.c freetype-2.5.2/src/sfnt/ttcmap.c
+index c6ed872..9050ebf 100644
+--- freetype-2.5.2/src/sfnt/ttcmap.c
++++ freetype-2.5.2/src/sfnt/ttcmap.c
+@@ -1649,7 +1649,8 @@
+     p          = is32  + 8192;          /* skip `is32' array */
+     num_groups = TT_NEXT_ULONG( p );
+ 
+-    if ( p + num_groups * 12 > valid->limit )
++    /* p + num_groups * 12 > valid->limit ? */
++    if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check groups, they must be in increasing order */
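Review bot: `(FT_UInt32)( valid->limit - p )` assumes `p <= valid->limit` already; `p` was just advanced by 8192 past `is32`, and if no earlier bound check covers that, the negative difference becomes a huge unsigned divisor that lets any `num_groups` through. The hunk does not show such a check, so please confirm it exists or add `p > valid->limit ||` to the condition. The same applies to the `defp` hunk in `tt_cmap14_validate` further down.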
+@@ -1674,7 +1675,12 @@
+ 
+         if ( valid->level >= FT_VALIDATE_TIGHT )
+         {
+-          if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
++          FT_UInt32  d = end - start;
++
++
++          /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
++          if ( d > TT_VALID_GLYPH_COUNT( valid )             ||
++               start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
+             FT_INVALID_GLYPH_ID;
+ 
+           count = (FT_UInt32)( end - start + 1 );
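Review bot: `d = end - start` is computed without checking `end >= start`; for an inverted group `d` wraps to a large value, which `d > TT_VALID_GLYPH_COUNT( valid )` then rejects, so the outcome is safe but for the wrong reason. If `start > end` is not already rejected above the hunk, an explicit test would make the intent clear. This block is repeated verbatim in the `tt_cmap12_validate` hunk below; a small static helper would avoid maintaining it twice.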
+@@ -1872,7 +1878,9 @@
+     count  = TT_NEXT_ULONG( p );
+ 
+     if ( length > (FT_ULong)( valid->limit - table ) ||
+-         length < 20 + count * 2                     )
++         /* length < 20 + count * 2 ? */
++         length < 20                                 ||
++         ( length - 20 ) / 2 < count                 )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check glyph indices */
+@@ -2059,7 +2067,9 @@
+     num_groups = TT_NEXT_ULONG( p );
+ 
+     if ( length > (FT_ULong)( valid->limit - table ) ||
+-         length < 16 + 12 * num_groups               )
++         /* length < 16 + 12 * num_groups ? */
++         length < 16                                 ||
++         ( length - 16 ) / 12 < num_groups           )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check groups, they must be in increasing order */
+@@ -2081,7 +2091,12 @@
+ 
+         if ( valid->level >= FT_VALIDATE_TIGHT )
+         {
+-          if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
++          FT_UInt32  d = end - start;
++
++
++          /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
++          if ( d > TT_VALID_GLYPH_COUNT( valid )             ||
++               start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
+             FT_INVALID_GLYPH_ID;
+         }
+ 
+@@ -2383,7 +2398,9 @@
+     num_groups = TT_NEXT_ULONG( p );
+ 
+     if ( length > (FT_ULong)( valid->limit - table ) ||
+-         length < 16 + 12 * num_groups               )
++         /* length < 16 + 12 * num_groups ? */
++         length < 16                                 ||
++         ( length - 16 ) / 12 < num_groups           )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check groups, they must be in increasing order */
+@@ -2764,7 +2781,9 @@
+ 
+ 
+     if ( length > (FT_ULong)( valid->limit - table ) ||
+-         length < 10 + 11 * num_selectors            )
++         /* length < 10 + 11 * num_selectors ? */
++         length < 10                                 ||
++         ( length - 10 ) / 11 < num_selectors        )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check selectors, they must be in increasing order */
+@@ -2800,7 +2819,8 @@
+           FT_ULong  lastBase  = 0;
+ 
+ 
+-          if ( defp + numRanges * 4 > valid->limit )
++          /* defp + numRanges * 4 > valid->limit ? */
++          if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 )
+             FT_INVALID_TOO_SHORT;
+ 
+           for ( i = 0; i < numRanges; ++i )
+@@ -2827,7 +2847,8 @@
+           FT_ULong  i, lastUni  = 0;
+ 
+ 
+-          if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
++          /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */
++          if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 )
+             FT_INVALID_TOO_SHORT;
+ 
+           for ( i = 0; i < numMappings; ++i )
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0019-Fix-Savannah-bug-43548.-CVE-2014-9670.patch
+++ freetype-2.5.2/debian/patches-freetype/0019-Fix-Savannah-bug-43548.-CVE-2014-9670.patch
@@ -0,0 +1,36 @@
+From e92ff3eeb7981a88a85f2c0a7f1f4be9a28c57d9 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 6 Nov 2014 23:25:05 +0100
+Subject: Fix Savannah bug #43548. CVE-2014-9670
+
+* src/pcf/pcfread (pcf_get_encodings): Add sanity checks for row and
+column values.
+
+(cherry picked from commit ef1eba75187adfac750f326b563fe543dd5ff4e6)
+---
+ freetype-2.5.2/src/pcf/pcfread.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git freetype-2.5.2/src/pcf/pcfread.c freetype-2.5.2/src/pcf/pcfread.c
+index ee41c5d..c7d38e1 100644
+--- freetype-2.5.2/src/pcf/pcfread.c
++++ freetype-2.5.2/src/pcf/pcfread.c
+@@ -812,6 +812,15 @@ THE SOFTWARE.
+     if ( !PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) )
+       return FT_THROW( Invalid_File_Format );
+ 
++    /* sanity checks */
++    if ( firstCol < 0       ||
++         firstCol > lastCol ||
++         lastCol  > 0xFF    ||
++         firstRow < 0       ||
++         firstRow > lastRow ||
++         lastRow  > 0xFF    )
++      return FT_THROW( Invalid_Table );
++
+     FT_TRACE4(( "pdf_get_encodings:\n" ));
+ 
+     FT_TRACE4(( "  firstCol %d, lastCol %d, firstRow %d, lastRow %d\n",
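Review bot: the `/* sanity checks */` comment should say why `0xFF` is the limit (PCF stores the column and row bytes of an encoding in one byte each) so the constants are not mistaken for arbitrary caps. Unrelated nit in the context line: the trace string reads `pdf_get_encodings:` where `pcf_get_encodings:` is meant.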
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0020-Fix-Savannah-bug-43547.-CVE-2014-9671.patch
+++ freetype-2.5.2/debian/patches-freetype/0020-Fix-Savannah-bug-43547.-CVE-2014-9671.patch
@@ -0,0 +1,42 @@
+From 8d2acf52b8f956338f7b381817d3fdb06b64f756 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 6 Nov 2014 22:32:46 +0100
+Subject: Fix Savannah bug #43547. CVE-2014-9671
+
+* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset'
+values.
+
+(cherry picked from commit 0e2f5d518c60e2978f26400d110eff178fa7e3c3)
+---
+ freetype-2.5.2/src/pcf/pcfread.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git freetype-2.5.2/src/pcf/pcfread.c freetype-2.5.2/src/pcf/pcfread.c
+index c7d38e1..f487faa 100644
+--- freetype-2.5.2/src/pcf/pcfread.c
++++ freetype-2.5.2/src/pcf/pcfread.c
+@@ -151,6 +151,21 @@ THE SOFTWARE.
+         break;
+     }
+ 
++    /* we now check whether the `size' and `offset' values are reasonable: */
++    /* `offset' + `size' must not exceed the stream size                   */
++    tables = face->toc.tables;
++    for ( n = 0; n < toc->count; n++ )
++    {
++      /* we need two checks to avoid overflow */
++      if ( ( tables->size   > stream->size                ) ||
++           ( tables->offset > stream->size - tables->size ) )
++      {
++        error = FT_THROW( Invalid_Table );
++        goto Exit;
++      }
++      tables++;
++    }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+ 
+     {
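Review bot: the new loop leaves via `goto Exit` when a table's `offset` / `size` pair lies outside the stream; confirm that the `Exit` path releases whatever `face->toc.tables` points to, since the hunk does not show it. A `FT_TRACE` line naming the rejected table index `n` would also help when diagnosing fonts that now fail to load.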
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0021-Fix-Savannah-bug-43540.-CVE-2014-9672.patch
+++ freetype-2.5.2/debian/patches-freetype/0021-Fix-Savannah-bug-43540.-CVE-2014-9672.patch
@@ -0,0 +1,42 @@
+From fd240e4f474a3d1006b3467fb9a891d94770fdf4 Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Wed, 26 Nov 2014 16:11:38 +0900
+Subject: Fix Savannah bug #43540. CVE-2014-9672
+
+* src/base/ftmac.c (parse_fond): Prevent a buffer overrun
+caused by a font including too many (> 63) strings to store
+names[] table.
+
+(cherry picked from commit 18a8f0d9943369449bc4de92d411c78fb08d616c)
+---
+ freetype-2.5.2/src/base/ftmac.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git freetype-2.5.2/src/base/ftmac.c freetype-2.5.2/src/base/ftmac.c
+index 9b49da8..184a2e1 100644
+--- freetype-2.5.2/src/base/ftmac.c
++++ freetype-2.5.2/src/base/ftmac.c
+@@ -440,9 +440,10 @@
+       style = (StyleTable*)p;
+       p += sizeof ( StyleTable );
+       string_count = EndianS16_BtoN( *(short*)(p) );
++      string_count = FT_MIN( 64, string_count );
+       p += sizeof ( short );
+ 
+-      for ( i = 0; i < string_count && i < 64; i++ )
++      for ( i = 0; i < string_count; i++ )
+       {
+         names[i] = p;
+         p       += names[i][0];
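Review bot: `string_count` comes from `EndianS16_BtoN( *(short*)(p) )`, so it can be negative; `FT_MIN( 64, string_count )` keeps a negative value, the loop runs zero times and the `<= string_count` test in the next hunk rejects every index, which is safe but silent. Clamping to `0` as well, or reading the count as unsigned, would make the bound explicit. Note also that with more than 64 strings `p` stops advancing after the 64th, so any code after the loop that expects `p` to point past the whole string table now sees a truncated position; confirm nothing downstream relies on it.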
+@@ -459,7 +460,7 @@
+           ps_name[ps_name_len] = 0;
+         }
+         if ( style->indexes[face_index] > 1 &&
+-             style->indexes[face_index] <= FT_MIN( string_count, 64 ) )
++             style->indexes[face_index] <= string_count )
+         {
+           unsigned char*  suffixes = names[style->indexes[face_index] - 1];
+ 
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0022-src-base-ftobjs.c-Mac_Read_POST_Resource-Avoid-memor.patch
+++ freetype-2.5.2/debian/patches-freetype/0022-src-base-ftobjs.c-Mac_Read_POST_Resource-Avoid-memor.patch
@@ -0,0 +1,33 @@
+From 9c29f8a914862850a8e5c9fdf35d226ac7be30b8 Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Wed, 26 Nov 2014 14:36:12 +0900
+Subject: =?UTF-8?q?*=20src/base/ftobjs.c=20(Mac=5FRead=5FPOST=5FResource):?=
+ =?UTF-8?q?=20Avoid=20memory=20leak=20CVE-2014-9673-fixup=0Aby=20a=20broke?=
+ =?UTF-8?q?n=20POST=20table=20in=20resource-fork.=20=20Return=20after=20fr?=
+ =?UTF-8?q?eeing=0Athe=20buffered=20POST=20table=20when=20it=20is=20found?=
+ =?UTF-8?q?=20to=20be=20broken.?=
+
+(cherry picked from commit 5aff85301bdce7677766fa1367c82ff41a739637)
+---
+ freetype-2.5.2/src/base/ftobjs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c
+index bd0c66e..6014a93 100644
+--- freetype-2.5.2/src/base/ftobjs.c
++++ freetype-2.5.2/src/base/ftobjs.c
+@@ -1626,9 +1626,9 @@
+       if ( error )
+         goto Exit2;
+       if ( FT_READ_LONG( rlen ) )
+-        goto Exit;
++        goto Exit2;
+       if ( FT_READ_USHORT( flags ) )
+-        goto Exit;
++        goto Exit2;
+       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+                    i, offsets[i], rlen, flags ));
+ 
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0023-Fix-Savannah-bug-43539.-CVE-2014-9673.patch
+++ freetype-2.5.2/debian/patches-freetype/0023-Fix-Savannah-bug-43539.-CVE-2014-9673.patch
@@ -0,0 +1,59 @@
+From 9dab65dee316318b89f3dd83515509b64bb3f17d Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Wed, 26 Nov 2014 15:52:23 +0900
+Subject: Fix Savannah bug #43539. CVE-2014-9673
+
+* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
+by a broken POST table in resource-fork.
+
+(cherry picked from commit 35252ae9aa1dd9343e9f4884e9ddb1fee10ef415)
+---
+ freetype-2.5.2/src/base/ftobjs.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c
+index 6014a93..e860413 100644
+--- freetype-2.5.2/src/base/ftobjs.c
++++ freetype-2.5.2/src/base/ftobjs.c
+@@ -1627,6 +1627,11 @@
+         goto Exit2;
+       if ( FT_READ_LONG( rlen ) )
+         goto Exit2;
++      if ( rlen < 0 )
++      {
++        error = FT_THROW( Invalid_Offset );
++        goto Exit2;
++      }
+       if ( FT_READ_USHORT( flags ) )
+         goto Exit2;
+       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+@@ -1644,7 +1649,14 @@
+         rlen = 0;
+ 
+       if ( ( flags >> 8 ) == type )
++      {
++        if ( 0x7FFFFFFFL - rlen < len )
++        {
++          error = FT_THROW( Array_Too_Large );
++          goto Exit2;
++        }
+         len += rlen;
++      }
+       else
+       {
+         if ( pfb_lenpos + 3 > pfb_len + 2 )
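Review bot: `0x7FFFFFFFL - rlen < len` guards the signed `len += rlen` correctly given that `rlen >= 0` is enforced in the previous hunk, but the constant should be expressed through the type (`LONG_MAX`) rather than hard-coded. Patch 0025 below replaces these signed guards with `FT_ULong` arithmetic, so the two patches could be squashed to avoid shipping an intermediate state that is immediately rewritten.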
+@@ -1673,6 +1685,11 @@
+       }
+ 
+       error = FT_ERR( Cannot_Open_Resource );
++      if ( rlen > 0x7FFFFFFFL - pfb_pos )
++      {
++        error = FT_THROW( Array_Too_Large );
++        goto Exit2;
++      }
+       if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
+         goto Exit2;
+ 
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0024-Fix-Savannah-bug-43538.-CVE-2014-9674-part-1.patch
+++ freetype-2.5.2/debian/patches-freetype/0024-Fix-Savannah-bug-43538.-CVE-2014-9674-part-1.patch
@@ -0,0 +1,45 @@
+From 6dc3fe8132e53773c2d48c7c07caf65bc020aa3d Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Wed, 26 Nov 2014 15:43:29 +0900
+Subject: Fix Savannah bug #43538. CVE-2014-9674-part-1
+
+* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
+by a broken POST table in resource-fork.
+
+(cherry picked from commit 240c94a185cd8dae7d03059abec8a5662c35ecd3)
+---
+ freetype-2.5.2/src/base/ftobjs.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c
+index e860413..6be07ca 100644
+--- freetype-2.5.2/src/base/ftobjs.c
++++ freetype-2.5.2/src/base/ftobjs.c
+@@ -1603,10 +1603,23 @@
+         goto Exit;
+       if ( FT_READ_LONG( temp ) )
+         goto Exit;
++      if ( 0 > temp )
++        error = FT_THROW( Invalid_Offset );
++      else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
++        error = FT_THROW( Array_Too_Large );
++
++      if ( error )
++        goto Exit;
++
+       pfb_len += temp + 6;
+     }
+ 
+-    if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
++    if ( 0x7FFFFFFFL - 2 < pfb_len )
++      error = FT_THROW( Array_Too_Large );
++    else
++      error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
++
++    if ( error )
+       goto Exit;
+ 
+     pfb_data[0] = 0x80;
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0025-src-base-ftobjs.c-Mac_Read_POST_Resource-Use-unsigne.patch
+++ freetype-2.5.2/debian/patches-freetype/0025-src-base-ftobjs.c-Mac_Read_POST_Resource-Use-unsigne.patch
@@ -0,0 +1,165 @@
+From f50779191264fd754d76fbf9b0703a930902ae50 Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Wed, 26 Nov 2014 16:02:17 +0900
+Subject: =?UTF-8?q?*=20src/base/ftobjs.c=20(Mac=5FRead=5FPOST=5FResource):?=
+ =?UTF-8?q?=20Use=20unsigned=20long=20CVE-2014-9674-fixup-1=0Avariables=20?=
+ =?UTF-8?q?to=20read=20the=20lengths=20in=20POST=20fragments.=20=20Suggest?=
+ =?UTF-8?q?ed=20by=0AMateusz=20Jurczyk=20<mjurczyk@google.com>.?=
+
+(cherry picked from commit 453316792fee912cfced48e9e270e9eb19892e64)
+---
+ freetype-2.5.2/src/base/ftobjs.c | 63 ++++++++++++++++++++++------------------
+ 1 file changed, 34 insertions(+), 29 deletions(-)
+
+diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c
+index 6be07ca..2ec2ed8 100644
+--- freetype-2.5.2/src/base/ftobjs.c
++++ freetype-2.5.2/src/base/ftobjs.c
+@@ -1583,9 +1583,9 @@
+     FT_Memory  memory = library->memory;
+     FT_Byte*   pfb_data = NULL;
+     int        i, type, flags;
+-    FT_Long    len;
+-    FT_Long    pfb_len, pfb_pos, pfb_lenpos;
+-    FT_Long    rlen, temp;
++    FT_ULong   len;
++    FT_ULong   pfb_len, pfb_pos, pfb_lenpos;
++    FT_ULong   rlen, temp;
+ 
+ 
+     if ( face_index == -1 )
+@@ -1601,25 +1601,27 @@
+       error = FT_Stream_Seek( stream, offsets[i] );
+       if ( error )
+         goto Exit;
+-      if ( FT_READ_LONG( temp ) )
++      if ( FT_READ_ULONG( temp ) )
+         goto Exit;
+-      if ( 0 > temp )
++#if 0
++      FT_TRACE4(( "                 POST fragment #%d: length=0x%08x\n", i, temp));
++      if ( 0x7FFFFFFFUL < temp )
++      {
+         error = FT_THROW( Invalid_Offset );
+-      else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
+-        error = FT_THROW( Array_Too_Large );
+-
+-      if ( error )
+         goto Exit;
++      }
++#endif
+ 
+       pfb_len += temp + 6;
+     }
+ 
+-    if ( 0x7FFFFFFFL - 2 < pfb_len )
++    FT_TRACE2(( "             total buffer size to concatenate %d POST fragments: 0x%08x\n",
++                 resource_cnt, pfb_len + 2));
++    if ( pfb_len + 2 < 6 ) {
+       error = FT_THROW( Array_Too_Large );
+-    else
+-      error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
+-
+-    if ( error )
++      goto Exit;
++    }
++    if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
+       goto Exit;
+ 
+     pfb_data[0] = 0x80;
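Review bot: the `0x7FFFFFFFUL < temp` guard is wrapped in `#if 0`, so this hunk ships with the per-fragment length check disabled and `pfb_len += temp + 6` can wrap on a 32-bit `FT_ULong`; the only remaining defence is `pfb_len + 2 < 6`, which catches a wrapped sum only if it lands below 4, after which `(FT_Long)pfb_len + 2` relies on the allocator rejecting a negative size. Patch 0026 below removes the `#if 0` again, so fold the two together so the disabled revision is never built. Two smaller points: `%08x` is the wrong format for the `FT_ULong` values `temp` and `pfb_len + 2` (use `%08lx`), and `if ( pfb_len + 2 < 6 ) {` with the brace on the same line departs from the file's layout.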
+@@ -1638,21 +1640,27 @@
+       error = FT_Stream_Seek( stream, offsets[i] );
+       if ( error )
+         goto Exit2;
+-      if ( FT_READ_LONG( rlen ) )
++      if ( FT_READ_ULONG( rlen ) )
+         goto Exit2;
+-      if ( rlen < 0 )
++#if 0
++      if ( 0x7FFFFFFFUL < rlen )
+       {
+         error = FT_THROW( Invalid_Offset );
+         goto Exit2;
+       }
++#endif
+       if ( FT_READ_USHORT( flags ) )
+         goto Exit2;
+       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+                    i, offsets[i], rlen, flags ));
+ 
++      error = FT_ERR( Array_Too_Large );
+       /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
+       if ( ( flags >> 8 ) == 0 )        /* Comment, should not be loaded */
++      {
++        FT_TRACE3(( "    Skip POST fragment #%d because it is a comment\n", i ));
+         continue;
++      }
+ 
+       /* the flags are part of the resource, so rlen >= 2.  */
+       /* but some fonts declare rlen = 0 for empty fragment */
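Review bot: as with `temp`, the `0x7FFFFFFFUL < rlen` range check is disabled under `#if 0` here and only re-enabled in patch 0026. Separately, `error = FT_ERR( Array_Too_Large )` is set unconditionally before the comment-fragment `continue`, so `error` is non-zero while the loop advances; it is overwritten by the next `FT_Stream_Seek` so no harm results, but setting it only on the failing branches would read more clearly.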
+@@ -1662,16 +1670,10 @@
+         rlen = 0;
+ 
+       if ( ( flags >> 8 ) == type )
+-      {
+-        if ( 0x7FFFFFFFL - rlen < len )
+-        {
+-          error = FT_THROW( Array_Too_Large );
+-          goto Exit2;
+-        }
+         len += rlen;
+-      }
+       else
+       {
++        FT_TRACE3(( "    Write POST fragment #%d header (4-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos ));
+         if ( pfb_lenpos + 3 > pfb_len + 2 )
+           goto Exit2;
+         pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
+@@ -1682,6 +1684,7 @@
+         if ( ( flags >> 8 ) == 5 )      /* End of font mark */
+           break;
+ 
++        FT_TRACE3(( "    Write POST fragment #%d header (6-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_pos ));
+         if ( pfb_pos + 6 > pfb_len + 2 )
+           goto Exit2;
+         pfb_data[pfb_pos++] = 0x80;
+@@ -1697,21 +1700,17 @@
+         pfb_data[pfb_pos++] = 0;
+       }
+ 
+-      error = FT_ERR( Cannot_Open_Resource );
+-      if ( rlen > 0x7FFFFFFFL - pfb_pos )
+-      {
+-        error = FT_THROW( Array_Too_Large );
+-        goto Exit2;
+-      }
+       if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
+         goto Exit2;
+ 
++      FT_TRACE3(( "    Load POST fragment #%d (%d byte) to buffer 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos ));
+       error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
+       if ( error )
+         goto Exit2;
+       pfb_pos += rlen;
+     }
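Review bot: `pfb_pos + rlen > pfb_len` is now an unsigned addition and, with the `rlen` range check disabled in this revision, can wrap for a large `rlen` and pass, after which `FT_Stream_Read` is asked for `rlen` bytes. Write it as `pfb_pos > pfb_len || rlen > pfb_len - pfb_pos`, the overflow-free pattern used in the ttload.c and pcfread.c patches of this series. The new trace line also prints the `FT_ULong` `rlen` with `%d`.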
+ 
++    error = FT_ERR( Array_Too_Large );
+     if ( pfb_pos + 2 > pfb_len + 2 )
+       goto Exit2;
+     pfb_data[pfb_pos++] = 0x80;
+@@ -1732,6 +1731,12 @@
+                                   aface );
+ 
+   Exit2:
++    if ( error == FT_ERR( Array_Too_Large ) )
++      FT_TRACE2(( "  Abort due to too-short buffer to store all POST fragments\n" ));
++    else if ( error == FT_ERR( Invalid_Offset ) )
++      FT_TRACE2(( "  Abort due to invalid offset in a POST fragment\n" ));
++    if ( error )
++      error = FT_ERR( Cannot_Open_Resource );
+     FT_FREE( pfb_data );
+ 
+   Exit:
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0026-src-base-ftobjs.c-Mac_Read_POST_Resource-Insert-comm.patch
+++ freetype-2.5.2/debian/patches-freetype/0026-src-base-ftobjs.c-Mac_Read_POST_Resource-Insert-comm.patch
@@ -0,0 +1,111 @@
+From 02dd014303d7a151398321cfc7001426306b6e3b Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Wed, 26 Nov 2014 16:39:00 +0900
+Subject: =?UTF-8?q?*=20src/base/ftobjs.c=20(Mac=5FRead=5FPOST=5FResource):?=
+ =?UTF-8?q?=20Insert=20comments=20CVS-2014-9674-fixup-2=0Aand=20fold=20too?=
+ =?UTF-8?q?=20long=20tracing=20messages.?=
+
+(cherry picked from commit 1720e81e3ecc7c266e54fe40175cc39c47117bf5)
+---
+ freetype-2.5.2/src/base/ftobjs.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c
+index 2ec2ed8..4a9eb7f 100644
+--- freetype-2.5.2/src/base/ftobjs.c
++++ freetype-2.5.2/src/base/ftobjs.c
+@@ -1603,21 +1603,28 @@
+         goto Exit;
+       if ( FT_READ_ULONG( temp ) )
+         goto Exit;
+-#if 0
+-      FT_TRACE4(( "                 POST fragment #%d: length=0x%08x\n", i, temp));
++
++      /* FT2 allocator takes signed long buffer length,
++       * too large value causing overflow should be checked
++       */
++      FT_TRACE4(( "                 POST fragment #%d: length=0x%08x\n",
++                  i, temp));
+       if ( 0x7FFFFFFFUL < temp )
+       {
+         error = FT_THROW( Invalid_Offset );
+         goto Exit;
+       }
+-#endif
+ 
+       pfb_len += temp + 6;
+     }
+ 
+-    FT_TRACE2(( "             total buffer size to concatenate %d POST fragments: 0x%08x\n",
++    FT_TRACE2(( "             total buffer size to concatenate %d"
++                " POST fragments: 0x%08x\n",
+                  resource_cnt, pfb_len + 2));
+     if ( pfb_len + 2 < 6 ) {
++      FT_TRACE2(( "             too long fragment length makes"
++                  " pfb_len confused: 0x%08x\n",
++                  pfb_len ));
+       error = FT_THROW( Array_Too_Large );
+       goto Exit;
+     }
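Review bot: Re-enabling the `0x7FFFFFFFUL < temp` check bounds each fragment length individually, but `pfb_len += temp + 6` is still an unchecked running sum, so enough fragments that each stay under the cap can still wrap `pfb_len` in an `unsigned long` without ever tripping this check; the `pfb_len + 2 < 6` test below only catches a wrap that lands in the last few values. The sum itself needs checking, e.g. `if ( pfb_len + temp + 6 < pfb_len )`, which is what the follow-up patch 0027 in this debdiff adds.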
+@@ -1642,13 +1649,16 @@
+         goto Exit2;
+       if ( FT_READ_ULONG( rlen ) )
+         goto Exit2;
+-#if 0
++
++      /* FT2 allocator takes signed long buffer length,
++       * too large fragment length causing overflow should be checked
++       */
+       if ( 0x7FFFFFFFUL < rlen )
+       {
+         error = FT_THROW( Invalid_Offset );
+         goto Exit2;
+       }
+-#endif
++
+       if ( FT_READ_USHORT( flags ) )
+         goto Exit2;
+       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
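Review bot: The trace formats in this hunk and the previous one pass `rlen` and `temp`, which the changelog says are now `unsigned long`, to `%08x`, which expects `unsigned int`; on LP64 targets that is a mismatched vararg in debug builds even though the macro expands to nothing otherwise. Use `%08lx` for those arguments in the FT_TRACE calls.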
+@@ -1673,7 +1683,8 @@
+         len += rlen;
+       else
+       {
+-        FT_TRACE3(( "    Write POST fragment #%d header (4-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos ));
++        FT_TRACE3(( "    Write POST fragment #%d header (4-byte) to buffer"
++                    " 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos ));
+         if ( pfb_lenpos + 3 > pfb_len + 2 )
+           goto Exit2;
+         pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
+@@ -1684,7 +1695,8 @@
+         if ( ( flags >> 8 ) == 5 )      /* End of font mark */
+           break;
+ 
+-        FT_TRACE3(( "    Write POST fragment #%d header (6-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_pos ));
++        FT_TRACE3(( "    Write POST fragment #%d header (6-byte) to buffer"
++                    " 0x%p + 0x%08x\n", i, pfb_data, pfb_pos ));
+         if ( pfb_pos + 6 > pfb_len + 2 )
+           goto Exit2;
+         pfb_data[pfb_pos++] = 0x80;
+@@ -1703,7 +1715,8 @@
+       if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
+         goto Exit2;
+ 
+-      FT_TRACE3(( "    Load POST fragment #%d (%d byte) to buffer 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos ));
++      FT_TRACE3(( "    Load POST fragment #%d (%d byte) to buffer"
++                  " 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos ));
+       error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
+       if ( error )
+         goto Exit2;
+@@ -1732,7 +1745,8 @@
+ 
+   Exit2:
+     if ( error == FT_ERR( Array_Too_Large ) )
+-      FT_TRACE2(( "  Abort due to too-short buffer to store all POST fragments\n" ));
++      FT_TRACE2(( "  Abort due to too-short buffer to store"
++                  " all POST fragments\n" ));
+     else if ( error == FT_ERR( Invalid_Offset ) )
+       FT_TRACE2(( "  Abort due to invalid offset in a POST fragment\n" ));
+     if ( error )
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0027-src-base-ftobj.c-Mac_Read_POST_Resource-Additional-C.patch
+++ freetype-2.5.2/debian/patches-freetype/0027-src-base-ftobj.c-Mac_Read_POST_Resource-Additional-C.patch
@@ -0,0 +1,42 @@
+From 227701e7a216e77f97fc170702d70f9c1a84992a Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Thu, 27 Nov 2014 00:20:48 +0900
+Subject: =?UTF-8?q?*=20src/base/ftobj.c=20(Mac=5FRead=5FPOST=5FResource):?=
+ =?UTF-8?q?=20Additional=20CVE-2014-0674-part-2=0Aoverflow=20check=20in=20?=
+ =?UTF-8?q?the=20summation=20of=20POST=20fragment=20lengths,=0Asuggested?=
+ =?UTF-8?q?=20by=20Mateusz=20Jurczyk=20<mjurczyk@google.com>.?=
+
+(cherry picked from commit cd4a5a26e591d01494567df9dec7f72d59551f6e)
+---
+ freetype-2.5.2/src/base/ftobjs.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c
+index 4a9eb7f..038a0f8 100644
+--- freetype-2.5.2/src/base/ftobjs.c
++++ freetype-2.5.2/src/base/ftobjs.c
+@@ -1609,8 +1609,10 @@
+        */
+       FT_TRACE4(( "                 POST fragment #%d: length=0x%08x\n",
+                   i, temp));
+-      if ( 0x7FFFFFFFUL < temp )
++      if ( 0x7FFFFFFFUL < temp || pfb_len + temp + 6 < pfb_len )
+       {
++        FT_TRACE2(( "             too long fragment length makes"
++                    " pfb_len confused: temp=0x%08x\n", temp ));
+         error = FT_THROW( Invalid_Offset );
+         goto Exit;
+       }
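Review bot: The new `pfb_len + temp + 6 < pfb_len` operand correctly detects a wrap of the running sum (with `temp <= 0x7FFFFFFF` already enforced by the first operand, `temp + 6` cannot itself wrap), but reporting it as `FT_THROW( Invalid_Offset )` does not match the trace text beside it ("too long fragment length makes pfb_len confused"); `Array_Too_Large`, which the `pfb_len + 2 < 6` check in the next hunk throws for the same confused-length condition, would be the consistent choice, or the trace should name the error it actually raises.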
+@@ -1623,8 +1625,7 @@
+                  resource_cnt, pfb_len + 2));
+     if ( pfb_len + 2 < 6 ) {
+       FT_TRACE2(( "             too long fragment length makes"
+-                  " pfb_len confused: 0x%08x\n",
+-                  pfb_len ));
++                  " pfb_len confused: pfb_len=0x%08x\n", pfb_len ));
+       error = FT_THROW( Array_Too_Large );
+       goto Exit;
+     }
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0028-bdf-Fix-Savannah-bug-41692.-CVE-2014-9675-fixup-1.patch
+++ freetype-2.5.2/debian/patches-freetype/0028-bdf-Fix-Savannah-bug-41692.-CVE-2014-9675-fixup-1.patch
@@ -0,0 +1,235 @@
+From 37be20dfb7ceec9bb2c10ac19f339043a8e20229 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 26 Feb 2014 13:08:07 +0100
+Subject: [bdf] Fix Savannah bug #41692. CVE-2014-9675-fixup-1
+
+bdflib puts data from the input stream into a buffer in chunks of
+1024 bytes.  The data itself gets then parsed line by line, simply
+increasing the current pointer into the buffer; if the search for
+the final newline character exceeds the buffer size, more data gets
+read.
+
+However, in case the current line's end is very near to the buffer
+end, and the keyword to compare with is longer than the current
+line's length, an out-of-bounds read might happen since `memcmp'
+doesn't stop properly at the string end.
+
+* src/bdf/bdflib.c: s/ft_memcmp/ft_strncmp/ to make comparisons
+stop at string ends.
+
+(cherry picked from commit 9a56764037dfc01a89fe61f5c67971bf50343d00)
+---
+ freetype-2.5.2/src/bdf/bdflib.c | 50 ++++++++++++++++++++---------------------
+ 1 file changed, 25 insertions(+), 25 deletions(-)
+
+diff --git freetype-2.5.2/src/bdf/bdflib.c freetype-2.5.2/src/bdf/bdflib.c
+index d613159..4192139 100644
+--- freetype-2.5.2/src/bdf/bdflib.c
++++ freetype-2.5.2/src/bdf/bdflib.c
+@@ -1409,7 +1409,7 @@
+ 
+     /* If the property happens to be a comment, then it doesn't need */
+     /* to be added to the internal hash table.                       */
+-    if ( ft_memcmp( name, "COMMENT", 7 ) != 0 )
++    if ( ft_strncmp( name, "COMMENT", 7 ) != 0 )
+     {
+       /* Add the property to the font property table. */
+       error = hash_insert( fp->name,
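Review bot: Switching to `ft_strncmp` stops the comparison at the terminating NUL of `name`, which closes the over-read described in the commit message, but `ft_strncmp( name, "COMMENT", 7 ) == 0` still matches any keyword that merely begins with those seven characters, so the keyword dispatch throughout this patch stays prefix-based; an exact match additionally needs `name[7]` to be whitespace or NUL (this debdiff's patch 0029 adds that via `_bdf_strncmp`).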
+@@ -1427,13 +1427,13 @@
+     /* FONT_ASCENT and FONT_DESCENT need to be assigned if they are        */
+     /* present, and the SPACING property should override the default       */
+     /* spacing.                                                            */
+-    if ( ft_memcmp( name, "DEFAULT_CHAR", 12 ) == 0 )
++    if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
+       font->default_char = fp->value.l;
+-    else if ( ft_memcmp( name, "FONT_ASCENT", 11 ) == 0 )
++    else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
+       font->font_ascent = fp->value.l;
+-    else if ( ft_memcmp( name, "FONT_DESCENT", 12 ) == 0 )
++    else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
+       font->font_descent = fp->value.l;
+-    else if ( ft_memcmp( name, "SPACING", 7 ) == 0 )
++    else if ( ft_strncmp( name, "SPACING", 7 ) == 0 )
+     {
+       if ( !fp->value.atom )
+       {
+@@ -1491,7 +1491,7 @@
+     memory = font->memory;
+ 
+     /* Check for a comment. */
+-    if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
++    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       linelen -= 7;
+ 
+@@ -1508,7 +1508,7 @@
+     /* The very first thing expected is the number of glyphs. */
+     if ( !( p->flags & _BDF_GLYPHS ) )
+     {
+-      if ( ft_memcmp( line, "CHARS", 5 ) != 0 )
++      if ( ft_strncmp( line, "CHARS", 5 ) != 0 )
+       {
+         FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" ));
+         error = FT_THROW( Missing_Chars_Field );
+@@ -1542,7 +1542,7 @@
+     }
+ 
+     /* Check for the ENDFONT field. */
+-    if ( ft_memcmp( line, "ENDFONT", 7 ) == 0 )
++    if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 )
+     {
+       if ( p->flags & _BDF_GLYPH_BITS )
+       {
+@@ -1564,7 +1564,7 @@
+     }
+ 
+     /* Check for the ENDCHAR field. */
+-    if ( ft_memcmp( line, "ENDCHAR", 7 ) == 0 )
++    if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 )
+     {
+       p->glyph_enc = 0;
+       p->flags    &= ~_BDF_GLYPH_BITS;
+@@ -1580,7 +1580,7 @@
+       goto Exit;
+ 
+     /* Check for the STARTCHAR field. */
+-    if ( ft_memcmp( line, "STARTCHAR", 9 ) == 0 )
++    if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 )
+     {
+       /* Set the character name in the parse info first until the */
+       /* encoding can be checked for an unencoded character.      */
+@@ -1614,7 +1614,7 @@
+     }
+ 
+     /* Check for the ENCODING field. */
+-    if ( ft_memcmp( line, "ENCODING", 8 ) == 0 )
++    if ( ft_strncmp( line, "ENCODING", 8 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_GLYPH ) )
+       {
+@@ -1800,7 +1800,7 @@
+     }
+ 
+     /* Expect the SWIDTH (scalable width) field next. */
+-    if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 )
++    if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1816,7 +1816,7 @@
+     }
+ 
+     /* Expect the DWIDTH (scalable width) field next. */
+-    if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 )
++    if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1844,7 +1844,7 @@
+     }
+ 
+     /* Expect the BBX field next. */
+-    if ( ft_memcmp( line, "BBX", 3 ) == 0 )
++    if ( ft_strncmp( line, "BBX", 3 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1912,7 +1912,7 @@
+     }
+ 
+     /* And finally, gather up the bitmap. */
+-    if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
++    if ( ft_strncmp( line, "BITMAP", 6 ) == 0 )
+     {
+       unsigned long  bitmap_size;
+ 
+@@ -1987,7 +1987,7 @@
+     p    = (_bdf_parse_t *)    client_data;
+ 
+     /* Check for the end of the properties. */
+-    if ( ft_memcmp( line, "ENDPROPERTIES", 13 ) == 0 )
++    if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
+     {
+       /* If the FONT_ASCENT or FONT_DESCENT properties have not been      */
+       /* encountered yet, then make sure they are added as properties and */
+@@ -2028,12 +2028,12 @@
+     }
+ 
+     /* Ignore the _XFREE86_GLYPH_RANGES properties. */
+-    if ( ft_memcmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
++    if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
+       goto Exit;
+ 
+     /* Handle COMMENT fields and properties in a special way to preserve */
+     /* the spacing.                                                      */
+-    if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
++    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       name = value = line;
+       value += 7;
+@@ -2097,7 +2097,7 @@
+ 
+     /* Check for a comment.  This is done to handle those fonts that have */
+     /* comments before the STARTFONT line for some reason.                */
+-    if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
++    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       if ( p->opts->keep_comments != 0 && p->font != 0 )
+       {
+@@ -2123,7 +2123,7 @@
+     {
+       memory = p->memory;
+ 
+-      if ( ft_memcmp( line, "STARTFONT", 9 ) != 0 )
++      if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 )
+       {
+         /* we don't emit an error message since this code gets */
+         /* explicitly caught one level higher                  */
+@@ -2171,7 +2171,7 @@
+     }
+ 
+     /* Check for the start of the properties. */
+-    if ( ft_memcmp( line, "STARTPROPERTIES", 15 ) == 0 )
++    if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_FONT_BBX ) )
+       {
+@@ -2200,7 +2200,7 @@
+     }
+ 
+     /* Check for the FONTBOUNDINGBOX field. */
+-    if ( ft_memcmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
++    if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_SIZE ) )
+       {
+@@ -2231,7 +2231,7 @@
+     }
+ 
+     /* The next thing to check for is the FONT field. */
+-    if ( ft_memcmp( line, "FONT", 4 ) == 0 )
++    if ( ft_strncmp( line, "FONT", 4 ) == 0 )
+     {
+       error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
+       if ( error )
+@@ -2266,7 +2266,7 @@
+     }
+ 
+     /* Check for the SIZE field. */
+-    if ( ft_memcmp( line, "SIZE", 4 ) == 0 )
++    if ( ft_strncmp( line, "SIZE", 4 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_FONT_NAME ) )
+       {
+@@ -2320,7 +2320,7 @@
+     }
+ 
+     /* Check for the CHARS field -- font properties are optional */
+-    if ( ft_memcmp( line, "CHARS", 5 ) == 0 )
++    if ( ft_strncmp( line, "CHARS", 5 ) == 0 )
+     {
+       char  nbuf[128];
+ 
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0029-Fix-Savannah-bug-43535.-CVE-2014-9675.patch
+++ freetype-2.5.2/debian/patches-freetype/0029-Fix-Savannah-bug-43535.-CVE-2014-9675.patch
@@ -0,0 +1,244 @@
+From d9ed3044b65fb901c6c3a36b815a40932b450c1c Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Fri, 7 Nov 2014 07:42:33 +0100
+Subject: Fix Savannah bug #43535. CVE-2014-9675
+
+* src/bdf/bdflib.c (_bdf_strncmp): New macro that checks one
+character more than `strncmp'.
+s/ft_strncmp/_bdf_strncmp/ everywhere.
+
+(cherry picked from commit 2c4832d30939b45c05757f0a05128ce64c4cacc7)
+---
+ freetype-2.5.2/src/bdf/bdflib.c | 62 ++++++++++++++++++++++++-----------------
+ 1 file changed, 37 insertions(+), 25 deletions(-)
+
+diff --git freetype-2.5.2/src/bdf/bdflib.c freetype-2.5.2/src/bdf/bdflib.c
+index 4192139..42de23d 100644
+--- freetype-2.5.2/src/bdf/bdflib.c
++++ freetype-2.5.2/src/bdf/bdflib.c
+@@ -169,6 +169,18 @@
+                         sizeof ( _bdf_properties[0] );
+ 
+ 
++  /* An auxiliary macro to parse properties, to be used in conditionals. */
++  /* It behaves like `strncmp' but also tests the following character    */
++  /* whether it is a whitespace or NULL.                                 */
++  /* `property' is a constant string of length `n' to compare with.      */
++#define _bdf_strncmp( name, property, n )      \
++          ( ft_strncmp( name, property, n ) || \
++            !( name[n] == ' '  ||              \
++               name[n] == '\0' ||              \
++               name[n] == '\n' ||              \
++               name[n] == '\r' ||              \
++               name[n] == '\t' )            )
++
+   /* Auto correction messages. */
+ #define ACMSG1   "FONT_ASCENT property missing.  " \
+                  "Added `FONT_ASCENT %hd'.\n"
+@@ -1409,7 +1421,7 @@
+ 
+     /* If the property happens to be a comment, then it doesn't need */
+     /* to be added to the internal hash table.                       */
+-    if ( ft_strncmp( name, "COMMENT", 7 ) != 0 )
++    if ( _bdf_strncmp( name, "COMMENT", 7 ) != 0 )
+     {
+       /* Add the property to the font property table. */
+       error = hash_insert( fp->name,
+@@ -1427,13 +1439,13 @@
+     /* FONT_ASCENT and FONT_DESCENT need to be assigned if they are        */
+     /* present, and the SPACING property should override the default       */
+     /* spacing.                                                            */
+-    if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
++    if ( _bdf_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
+       font->default_char = fp->value.l;
+-    else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
++    else if ( _bdf_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
+       font->font_ascent = fp->value.l;
+-    else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
++    else if ( _bdf_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
+       font->font_descent = fp->value.l;
+-    else if ( ft_strncmp( name, "SPACING", 7 ) == 0 )
++    else if ( _bdf_strncmp( name, "SPACING", 7 ) == 0 )
+     {
+       if ( !fp->value.atom )
+       {
+@@ -1491,7 +1503,7 @@
+     memory = font->memory;
+ 
+     /* Check for a comment. */
+-    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
++    if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       linelen -= 7;
+ 
+@@ -1508,7 +1520,7 @@
+     /* The very first thing expected is the number of glyphs. */
+     if ( !( p->flags & _BDF_GLYPHS ) )
+     {
+-      if ( ft_strncmp( line, "CHARS", 5 ) != 0 )
++      if ( _bdf_strncmp( line, "CHARS", 5 ) != 0 )
+       {
+         FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" ));
+         error = FT_THROW( Missing_Chars_Field );
+@@ -1542,7 +1554,7 @@
+     }
+ 
+     /* Check for the ENDFONT field. */
+-    if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 )
++    if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 )
+     {
+       if ( p->flags & _BDF_GLYPH_BITS )
+       {
+@@ -1564,7 +1576,7 @@
+     }
+ 
+     /* Check for the ENDCHAR field. */
+-    if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 )
++    if ( _bdf_strncmp( line, "ENDCHAR", 7 ) == 0 )
+     {
+       p->glyph_enc = 0;
+       p->flags    &= ~_BDF_GLYPH_BITS;
+@@ -1580,7 +1592,7 @@
+       goto Exit;
+ 
+     /* Check for the STARTCHAR field. */
+-    if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 )
++    if ( _bdf_strncmp( line, "STARTCHAR", 9 ) == 0 )
+     {
+       /* Set the character name in the parse info first until the */
+       /* encoding can be checked for an unencoded character.      */
+@@ -1614,7 +1626,7 @@
+     }
+ 
+     /* Check for the ENCODING field. */
+-    if ( ft_strncmp( line, "ENCODING", 8 ) == 0 )
++    if ( _bdf_strncmp( line, "ENCODING", 8 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_GLYPH ) )
+       {
+@@ -1800,7 +1812,7 @@
+     }
+ 
+     /* Expect the SWIDTH (scalable width) field next. */
+-    if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 )
++    if ( _bdf_strncmp( line, "SWIDTH", 6 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1816,7 +1828,7 @@
+     }
+ 
+     /* Expect the DWIDTH (scalable width) field next. */
+-    if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 )
++    if ( _bdf_strncmp( line, "DWIDTH", 6 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1844,7 +1856,7 @@
+     }
+ 
+     /* Expect the BBX field next. */
+-    if ( ft_strncmp( line, "BBX", 3 ) == 0 )
++    if ( _bdf_strncmp( line, "BBX", 3 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1912,7 +1924,7 @@
+     }
+ 
+     /* And finally, gather up the bitmap. */
+-    if ( ft_strncmp( line, "BITMAP", 6 ) == 0 )
++    if ( _bdf_strncmp( line, "BITMAP", 6 ) == 0 )
+     {
+       unsigned long  bitmap_size;
+ 
+@@ -1987,7 +1999,7 @@
+     p    = (_bdf_parse_t *)    client_data;
+ 
+     /* Check for the end of the properties. */
+-    if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
++    if ( _bdf_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
+     {
+       /* If the FONT_ASCENT or FONT_DESCENT properties have not been      */
+       /* encountered yet, then make sure they are added as properties and */
+@@ -2028,12 +2040,12 @@
+     }
+ 
+     /* Ignore the _XFREE86_GLYPH_RANGES properties. */
+-    if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
++    if ( _bdf_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
+       goto Exit;
+ 
+     /* Handle COMMENT fields and properties in a special way to preserve */
+     /* the spacing.                                                      */
+-    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
++    if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       name = value = line;
+       value += 7;
+@@ -2097,7 +2109,7 @@
+ 
+     /* Check for a comment.  This is done to handle those fonts that have */
+     /* comments before the STARTFONT line for some reason.                */
+-    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
++    if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       if ( p->opts->keep_comments != 0 && p->font != 0 )
+       {
+@@ -2123,7 +2135,7 @@
+     {
+       memory = p->memory;
+ 
+-      if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 )
++      if ( _bdf_strncmp( line, "STARTFONT", 9 ) != 0 )
+       {
+         /* we don't emit an error message since this code gets */
+         /* explicitly caught one level higher                  */
+@@ -2171,7 +2183,7 @@
+     }
+ 
+     /* Check for the start of the properties. */
+-    if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
++    if ( _bdf_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_FONT_BBX ) )
+       {
+@@ -2200,7 +2212,7 @@
+     }
+ 
+     /* Check for the FONTBOUNDINGBOX field. */
+-    if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
++    if ( _bdf_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_SIZE ) )
+       {
+@@ -2231,7 +2243,7 @@
+     }
+ 
+     /* The next thing to check for is the FONT field. */
+-    if ( ft_strncmp( line, "FONT", 4 ) == 0 )
++    if ( _bdf_strncmp( line, "FONT", 4 ) == 0 )
+     {
+       error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
+       if ( error )
+@@ -2266,7 +2278,7 @@
+     }
+ 
+     /* Check for the SIZE field. */
+-    if ( ft_strncmp( line, "SIZE", 4 ) == 0 )
++    if ( _bdf_strncmp( line, "SIZE", 4 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_FONT_NAME ) )
+       {
+@@ -2320,7 +2332,7 @@
+     }
+ 
+     /* Check for the CHARS field -- font properties are optional */
+-    if ( ft_strncmp( line, "CHARS", 5 ) == 0 )
++    if ( _bdf_strncmp( line, "CHARS", 5 ) == 0 )
+     {
+       char  nbuf[128];
+ 
+-- 
+2.1.4
+


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

