patch-[a-d]: Upstream patches for CVE-2009-0946.

Bump PKGREVISION.
tnn 2009-05-02 19:44:51 +00:00
parent 1b9cde1ca2
commit 01943c4380
6 changed files with 171 additions and 2 deletions


@ -1,7 +1,8 @@
# $NetBSD: Makefile,v 1.68 2009/04/16 20:26:25 drochner Exp $
# $NetBSD: Makefile,v 1.69 2009/05/02 19:44:51 tnn Exp $
DISTNAME= freetype-2.3.9
PKGNAME= ${DISTNAME:S/-/2-/}
PKGREVISION= 1
CATEGORIES= graphics
MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=freetype/} \
ftp://ring.aist.go.jp/pub/graphics/freetype/freetype2/


@ -1,5 +1,9 @@
$NetBSD: distinfo,v 1.30 2009/04/16 20:26:25 drochner Exp $
$NetBSD: distinfo,v 1.31 2009/05/02 19:44:51 tnn Exp $
SHA1 (freetype-2.3.9.tar.bz2) = db08969cb5053879ff9e973fe6dd2c52c7ea2d4e
RMD160 (freetype-2.3.9.tar.bz2) = c0351c2a3f43e64d26d2a964b1131a3dbf2fa162
Size (freetype-2.3.9.tar.bz2) = 1363190 bytes
SHA1 (patch-aa) = a203699d1734eaa97aea6898bb527cf5ee6a09b1
SHA1 (patch-ab) = da1c8894476fd6d7123e8718d2b36072c98e5e72
SHA1 (patch-ac) = 9ec38f8b41652737a9474cc358d44ba1e2a4a54a
SHA1 (patch-ad) = 556c116b7e80fc0633cca50d8923d183ac1762c3


@ -0,0 +1,33 @@
$NetBSD: patch-aa,v 1.17 2009/05/02 19:44:51 tnn Exp $
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=79972af4f0485a11dcb19551356c45245749fc5b
diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
index a6db504..cacc490 100644
--- src/smooth/ftsmooth.c
+++ src/smooth/ftsmooth.c
@@ -153,7 +153,7 @@
slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
}
- /* allocate new one, depends on pixel format */
+ /* allocate new one */
pitch = width;
if ( hmul )
{
@@ -194,6 +194,13 @@
#endif
+ if ( pitch > 0xFFFF || height > 0xFFFF )
+ {
+ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
+ width, height ));
+ return Smooth_Err_Raster_Overflow;
+ }
+
bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
bitmap->num_grays = 256;
bitmap->width = width;
--
cgit v0.8.2.1
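Review bot: The new size guard in the second hunk tests `pitch` but its FT_ERROR message prints `width`, so whenever the two differ the log can report a width under the limit for a glyph that was rejected (the `hmul` branch that could make them differ is cut off after the first hunk, so this is inferred). Logging the value that was tested, `FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n", pitch, height ));`, keeps the rejection traceable. The limit `0xFFFF` also has no comment saying which downstream field or size computation it protects; one line stating that reason would let a later reader judge whether the bound is still sufficient. The enclosing function starts and ends outside both hunks.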


@ -0,0 +1,58 @@
$NetBSD: patch-ab,v 1.12 2009/05/02 19:44:51 tnn Exp $
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a18788b14db60ae3673f932249cd02d33a227c4e
diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
index 6830391..1bd2ce7 100644
--- src/sfnt/ttcmap.c
+++ src/sfnt/ttcmap.c
@@ -1635,7 +1635,7 @@
FT_INVALID_TOO_SHORT;
length = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 8208 )
+ if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
FT_INVALID_TOO_SHORT;
is32 = table + 12;
@@ -1863,7 +1863,8 @@
p = table + 16;
count = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 20 + count * 2 )
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+ length < 20 + count * 2 )
FT_INVALID_TOO_SHORT;
/* check glyph indices */
@@ -2048,7 +2049,8 @@
p = table + 12;
num_groups = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 16 + 12 * num_groups )
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+ length < 16 + 12 * num_groups )
FT_INVALID_TOO_SHORT;
/* check groups, they must be in increasing order */
@@ -2429,7 +2431,8 @@
FT_ULong num_selectors = TT_NEXT_ULONG( p );
- if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
+ if ( length > (FT_ULong)( valid->limit - table ) ||
+ length < 10 + 11 * num_selectors )
FT_INVALID_TOO_SHORT;
/* check selectors, they must be in increasing order */
@@ -2491,7 +2494,7 @@
FT_ULong i, lastUni = 0;
- if ( ndp + numMappings * 4 > valid->limit )
+ if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
FT_INVALID_TOO_SHORT;
for ( i = 0; i < numMappings; ++i )
--
cgit v0.8.2.1
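Review bot: The lower-bound half of the rewritten checks still multiplies a count taken from the table before comparing, so `20 + count * 2`, `16 + 12 * num_groups`, `10 + 11 * num_selectors` and `numMappings * 4` can wrap wherever FT_ULong is 32 bits wide, and a very large count would then pass validation. The commit removes the pointer-side overflow in `table + length` but leaves this arithmetic as it was. Comparing by division avoids the multiplication, for example `length < 16 || ( length - 16 ) / 12 < num_groups` in the @@ -2048 hunk, and the same shape fits the @@ -1863, @@ -2429 and @@ -2491 hunks. Separately, the first hunk casts the remaining size to `FT_UInt32` while the other four use `FT_ULong`; one cast type throughout would be easier to audit. All five functions start and end outside their hunks.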


@ -0,0 +1,20 @@
$NetBSD: patch-ac,v 1.4 2009/05/02 19:44:51 tnn Exp $
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0a05ba257b6ddd87dacf8d54b626e4b360e0a596
diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c
index fc78315..c0483de 100644
--- src/lzw/ftzopen.c
+++ src/lzw/ftzopen.c
@@ -332,6 +332,9 @@
while ( code >= 256U )
{
+ if ( !state->prefix )
+ goto Eof;
+
FTLZW_STACK_PUSH( state->suffix[code - 256] );
code = state->prefix[code - 256];
}
--
cgit v0.8.2.1
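Review bot: The added guard rejects a NULL `state->prefix`, but the two lines after it still index `state->suffix[code - 256]` and `state->prefix[code - 256]` with no visible check that `code - 256` is below the number of entries the tables currently hold. If that bound is not enforced before the loop, which lies outside the hunk, a corrupt stream would still read past the tables; comparing `code - 256` with the current entry count ahead of the `while` and taking the same `goto Eof` path would close it. The NULL test also appears loop-invariant, so it could sit once before `while ( code >= 256U )`. The enclosing function starts and ends outside the hunk.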


@ -0,0 +1,53 @@
$NetBSD: patch-ad,v 1.2 2009/05/02 19:44:51 tnn Exp $
http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0545ec1ca36b27cb928128870a83e5f668980bc5
diff --git a/src/cff/cffload.c b/src/cff/cffload.c
index 22163fb..24b899d 100644
--- src/cff/cffload.c
+++ src/cff/cffload.c
@@ -842,7 +842,20 @@
goto Exit;
for ( j = 1; j < num_glyphs; j++ )
- charset->sids[j] = FT_GET_USHORT();
+ {
+ FT_UShort sid = FT_GET_USHORT();
+
+
+ /* this constant is given in the CFF specification */
+ if ( sid < 65000 )
+ charset->sids[j] = sid;
+ else
+ {
+ FT_ERROR(( "cff_charset_load:"
+ " invalid SID value %d set to zero\n", sid ));
+ charset->sids[j] = 0;
+ }
+ }
FT_FRAME_EXIT();
}
@@ -875,6 +888,20 @@
goto Exit;
}
+ /* check whether the range contains at least one valid glyph; */
+ /* the constant is given in the CFF specification */
+ if ( glyph_sid >= 65000 ) {
+ FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
+ error = CFF_Err_Invalid_File_Format;
+ goto Exit;
+ }
+
+ /* try to rescue some of the SIDs if `nleft' is too large */
+ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
+ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
+ nleft = 65000 - 1 - glyph_sid;
+ }
+
/* Fill in the range of sids -- `nleft + 1' glyphs. */
for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
charset->sids[j] = glyph_sid;
--
cgit v0.8.2.1
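Review bot: The SID limit is written as the bare literal `65000` in five places across the two hunks, including the derived forms `65000 - 1` and `65000 - nleft`; a single named constant, for example `#define CFF_SID_LIMIT 65000` (name suggested here, not taken from the source), would keep the checks in step. The two hunks also treat bad data differently: the first maps an out-of-range SID to 0 and continues, while the second fails the load with `CFF_Err_Invalid_File_Format` when the range start is out of range and trims only when the range end overshoots, and a comment stating why the formats differ would help the next reader. The new `if ( ... ) {` lines in the second hunk put the brace on the condition line, unlike the first hunk. cff_charset_load's body extends outside both hunks.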