From d73eb4cc7e858caab10b781ab59aa0084b2ba651 Mon Sep 17 00:00:00 2001 From: Nicolas Thill Date: Sun, 19 Apr 2009 21:24:52 +0000 Subject: [PATCH] [CVE-2009-0946] fix multiple integer overflows in FreeType library, bump release number SVN-Revision: 15288 --- libs/freetype/Makefile | 4 +- libs/freetype/patches/901-cve-2009-0946.patch | 147 ++++++++++++++++++ 2 files changed, 149 insertions(+), 2 deletions(-) create mode 100644 libs/freetype/patches/901-cve-2009-0946.patch diff --git a/libs/freetype/Makefile b/libs/freetype/Makefile index dd67a7b7da..b590d84014 100644 --- a/libs/freetype/Makefile +++ b/libs/freetype/Makefile @@ -1,5 +1,5 @@ # -# Copyright (C) 2006 OpenWrt.org +# Copyright (C) 2006-2009 OpenWrt.org # # This is free software, licensed under the GNU General Public License v2. # See /LICENSE for more information. @@ -10,7 +10,7 @@ include $(TOPDIR)/rules.mk PKG_NAME:=freetype PKG_VERSION:=2.3.7 -PKG_RELEASE:=1 +PKG_RELEASE:=2 PKG_SOURCE:=$(PKG_NAME)-$(PKG_VERSION).tar.bz2 PKG_SOURCE_URL:=@SF/freetype diff --git a/libs/freetype/patches/901-cve-2009-0946.patch b/libs/freetype/patches/901-cve-2009-0946.patch new file mode 100644 index 0000000000..609d257a98 --- /dev/null +++ b/libs/freetype/patches/901-cve-2009-0946.patch @@ -0,0 +1,147 @@ +http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0946 + +Protect against malformed compressed data. +http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0a05ba257b6ddd87dacf8d54b626e4b360e0a596 + +Protect against invalid SID values in CFFs. +http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=0545ec1ca36b27cb928128870a83e5f668980bc5 + +Fix validation for various cmap table formats. +http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a18788b14db60ae3673f932249cd02d33a227c4e + +Protect against too large glyphs. +http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=79972af4f0485a11dcb19551356c45245749fc5b + + +--- a/src/cff/cffload.c ++++ b/src/cff/cffload.c +@@ -841,7 +841,20 @@ + goto Exit; + + for ( j = 1; j < num_glyphs; j++ ) +- charset->sids[j] = FT_GET_USHORT(); ++ { ++ FT_UShort sid = FT_GET_USHORT(); ++ ++ ++ /* this constant is given in the CFF specification */ ++ if ( sid < 65000 ) ++ charset->sids[j] = sid; ++ else ++ { ++ FT_ERROR(( "cff_charset_load:" ++ " invalid SID value %d set to zero\n", sid )); ++ charset->sids[j] = 0; ++ } ++ } + + FT_FRAME_EXIT(); + } +@@ -874,6 +887,20 @@ + goto Exit; + } + ++ /* check whether the range contains at least one valid glyph; */ ++ /* the constant is given in the CFF specification */ ++ if ( glyph_sid >= 65000 ) { ++ FT_ERROR(( "cff_charset_load: invalid SID range\n" )); ++ error = CFF_Err_Invalid_File_Format; ++ goto Exit; ++ } ++ ++ /* try to rescue some of the SIDs if `nleft' is too large */ ++ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) { ++ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" )); ++ nleft = 65000 - 1 - glyph_sid; ++ } ++ + /* Fill in the range of sids -- `nleft + 1' glyphs. */ + for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ ) + charset->sids[j] = glyph_sid; +--- a/src/lzw/ftzopen.c ++++ b/src/lzw/ftzopen.c +@@ -332,6 +332,9 @@ + + while ( code >= 256U ) + { ++ if ( !state->prefix ) ++ goto Eof; ++ + FTLZW_STACK_PUSH( state->suffix[code - 256] ); + code = state->prefix[code - 256]; + } +--- a/src/smooth/ftsmooth.c ++++ b/src/smooth/ftsmooth.c +@@ -153,7 +153,7 @@ + slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP; + } + +- /* allocate new one, depends on pixel format */ ++ /* allocate new one */ + pitch = width; + if ( hmul ) + { +@@ -194,6 +194,13 @@ + + #endif + ++ if ( pitch > 0xFFFF || height > 0xFFFF ) ++ { ++ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n", ++ width, height )); ++ return Smooth_Err_Raster_Overflow; ++ } ++ + bitmap->pixel_mode = FT_PIXEL_MODE_GRAY; + bitmap->num_grays = 256; + bitmap->width = width; +--- a/src/sfnt/ttcmap.c ++++ b/src/sfnt/ttcmap.c +@@ -1571,7 +1571,7 @@ + FT_INVALID_TOO_SHORT; + + length = TT_NEXT_ULONG( p ); +- if ( table + length > valid->limit || length < 8208 ) ++ if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 ) + FT_INVALID_TOO_SHORT; + + is32 = table + 12; +@@ -1799,7 +1799,8 @@ + p = table + 16; + count = TT_NEXT_ULONG( p ); + +- if ( table + length > valid->limit || length < 20 + count * 2 ) ++ if ( length > (FT_ULong)( valid->limit - table ) || ++ length < 20 + count * 2 ) + FT_INVALID_TOO_SHORT; + + /* check glyph indices */ +@@ -1984,7 +1985,8 @@ + p = table + 12; + num_groups = TT_NEXT_ULONG( p ); + +- if ( table + length > valid->limit || length < 16 + 12 * num_groups ) ++ if ( length > (FT_ULong)( valid->limit - table ) || ++ length < 16 + 12 * num_groups ) + FT_INVALID_TOO_SHORT; + + /* check groups, they must be in increasing order */ +@@ -2365,7 +2367,8 @@ + FT_ULong num_selectors = TT_NEXT_ULONG( p ); + + +- if ( table + length > valid->limit || length < 10 + 11 * num_selectors ) ++ if ( length > (FT_ULong)( valid->limit - table ) || ++ length < 10 + 11 * num_selectors ) + FT_INVALID_TOO_SHORT; + + /* check selectors, they must be in increasing order */ +@@ -2427,7 +2430,7 @@ + FT_ULong i, lastUni = 0; + + +- if ( ndp + numMappings * 4 > valid->limit ) ++ if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ) + FT_INVALID_TOO_SHORT; + + for ( i = 0; i < numMappings; ++i ) -- 2.30.2