From 371abe9a1d7a784f1499e924527b6fb493749144 Mon Sep 17 00:00:00 2001 From: Nicolas Thill Date: Mon, 27 Apr 2009 22:21:26 +0000 Subject: [PATCH] [packages] freetype: update to v2.3.9, merge r15288 from 8.09, delete empty patch SVN-Revision: 15457 --- libs/freetype/Makefile | 6 +- .../patches/001-fix_broken_unix_cross.patch | 0 libs/freetype/patches/901-cve-2009-0946.patch | 147 ++++++++++++++++++ 3 files changed, 150 insertions(+), 3 deletions(-) delete mode 100644 libs/freetype/patches/001-fix_broken_unix_cross.patch create mode 100644 libs/freetype/patches/901-cve-2009-0946.patch diff --git a/libs/freetype/Makefile b/libs/freetype/Makefile index f40375f5f6..23d5e01d31 100644 --- a/libs/freetype/Makefile +++ b/libs/freetype/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2006 OpenWrt.org +# Copyright (C) 2006-2009 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -8,12 +8,12 @@ include $(TOPDIR)/rules.mk PKG_NAME:=freetype -PKG_VERSION:=2.3.7 +PKG_VERSION:=2.3.9 PKG_RELEASE:=1 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=@SF/freetype -PKG_MD5SUM:=83306194817ebdea554133b4232a34aa +PKG_MD5SUM:=d76233108aca9c9606cdbd341562ad9a PKG_FIXUP = libtool diff --git a/libs/freetype/patches/001-fix_broken_unix_cross.patch b/libs/freetype/patches/001-fix_broken_unix_cross.patch deleted file mode 100644 index e69de29bb2..0000000000 diff --git a/libs/freetype/patches/901-cve-2009-0946.patch b/libs/freetype/patches/901-cve-2009-0946.patch new file mode 100644 index 0000000000..6505703687 --- /dev/null +++ b/libs/freetype/patches/901-cve-2009-0946.patch @@ -0,0 +1,147 @@ +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0946 + +Protect against malformed compressed data. +http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0a05ba257b6ddd87dacf8d54b626e4b360e0a596 + +Protect against invalid SID values in CFFs. +http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0545ec1ca36b27cb928128870a83e5f668980bc5 + +Fix validation for various cmap table formats. +http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a18788b14db60ae3673f932249cd02d33a227c4e + +Protect against too large glyphs. +http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=79972af4f0485a11dcb19551356c45245749fc5b + + +--- a/src/cff/cffload.c ++++ b/src/cff/cffload.c +@@ -842,7 +842,20 @@ + goto Exit; + + for ( j = 1; j < num_glyphs; j++ ) +- charset->sids[j] = FT_GET_USHORT(); ++ { ++ FT_UShort sid = FT_GET_USHORT(); ++ ++ ++ /* this constant is given in the CFF specification */ ++ if ( sid < 65000 ) ++ charset->sids[j] = sid; ++ else ++ { ++ FT_ERROR(( "cff_charset_load:" ++ " invalid SID value %d set to zero\n", sid )); ++ charset->sids[j] = 0; ++ } ++ } + + FT_FRAME_EXIT(); + } +@@ -875,6 +888,20 @@ + goto Exit; + } + ++ /* check whether the range contains at least one valid glyph; */ ++ /* the constant is given in the CFF specification */ ++ if ( glyph_sid >= 65000 ) { ++ FT_ERROR(( "cff_charset_load: invalid SID range\n" )); ++ error = CFF_Err_Invalid_File_Format; ++ goto Exit; ++ } ++ ++ /* try to rescue some of the SIDs if `nleft' is too large */ ++ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) { ++ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" )); ++ nleft = 65000 - 1 - glyph_sid; ++ } ++ + /* Fill in the range of sids -- `nleft + 1' glyphs. */ + for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ ) + charset->sids[j] = glyph_sid; +--- a/src/lzw/ftzopen.c ++++ b/src/lzw/ftzopen.c +@@ -332,6 +332,9 @@ + + while ( code >= 256U ) + { ++ if ( !state->prefix ) ++ goto Eof; ++ + FTLZW_STACK_PUSH( state->suffix[code - 256] ); + code = state->prefix[code - 256]; + } +--- a/src/smooth/ftsmooth.c ++++ b/src/smooth/ftsmooth.c +@@ -153,7 +153,7 @@ + slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP; + } + +- /* allocate new one, depends on pixel format */ ++ /* allocate new one */ + pitch = width; + if ( hmul ) + { +@@ -194,6 +194,13 @@ + + #endif + ++ if ( pitch > 0xFFFF || height > 0xFFFF ) ++ { ++ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n", ++ width, height )); ++ return Smooth_Err_Raster_Overflow; ++ } ++ + bitmap->pixel_mode = FT_PIXEL_MODE_GRAY; + bitmap->num_grays = 256; + bitmap->width = width; +--- a/src/sfnt/ttcmap.c ++++ b/src/sfnt/ttcmap.c +@@ -1635,7 +1635,7 @@ + FT_INVALID_TOO_SHORT; + + length = TT_NEXT_ULONG( p ); +- if ( table + length > valid->limit || length < 8208 ) ++ if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 ) + FT_INVALID_TOO_SHORT; + + is32 = table + 12; +@@ -1863,7 +1863,8 @@ + p = table + 16; + count = TT_NEXT_ULONG( p ); + +- if ( table + length > valid->limit || length < 20 + count * 2 ) ++ if ( length > (FT_ULong)( valid->limit - table ) || ++ length < 20 + count * 2 ) + FT_INVALID_TOO_SHORT; + + /* check glyph indices */ +@@ -2048,7 +2049,8 @@ + p = table + 12; + num_groups = TT_NEXT_ULONG( p ); + +- if ( table + length > valid->limit || length < 16 + 12 * num_groups ) ++ if ( length > (FT_ULong)( valid->limit - table ) || ++ length < 16 + 12 * num_groups ) + FT_INVALID_TOO_SHORT; + + /* check groups, they must be in increasing order */ +@@ -2429,7 +2431,8 @@ + FT_ULong num_selectors = TT_NEXT_ULONG( p ); + + +- if ( table + length > valid->limit || length < 10 + 11 * num_selectors ) ++ if ( length > (FT_ULong)( valid->limit - table ) || ++ length < 10 + 11 * num_selectors ) + FT_INVALID_TOO_SHORT; + + /* check selectors, they must be in increasing order */ +@@ -2491,7 +2494,7 @@ + FT_ULong i, lastUni = 0; + + +- if ( ndp + numMappings * 4 > valid->limit ) ++ if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ) + FT_INVALID_TOO_SHORT; + + for ( i = 0; i < numMappings; ++i ) -- 2.30.2