Mailinglist Archive: opensuse-commit (849 mails)

< Previous Next >
commit pango for openSUSE:11.4

Hello community,

here is the log from the commit of package pango for openSUSE:11.4
checked in at Tue Mar 1 12:52:24 CET 2011.



--------
--- old-versions/11.4/all/pango/pango.changes 2010-10-13 20:26:40.000000000
+0200
+++ /mounts/work_src_done/11.4/pango/pango.changes 2011-03-01
08:25:23.000000000 +0100
@@ -1,0 +2,8 @@
+Mon Feb 28 09:32:26 CET 2011 - vuntz@xxxxxxxxxxxx
+
+- Add pango-CVE-2011-0020.patch: fixes heap corruption in font
+ parsing with FreeType2 backend. Fix bnc#666101, CVE-2011-0020.
+- Add pango-CVE-2011-0064.patch: handle realloc failure in the
+ buffer to fix potential crashes. Fix bnc#672502, CVE-2011-0064.
+
+-------------------------------------------------------------------

calling whatdependson for 11.4-i586


New:
----
pango-CVE-2011-0020.patch
pango-CVE-2011-0064.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ pango.spec ++++++
--- /var/tmp/diff_new_pack.BtGxy9/_old 2011-03-01 12:51:46.000000000 +0100
+++ /var/tmp/diff_new_pack.BtGxy9/_new 2011-03-01 12:51:46.000000000 +0100
@@ -1,7 +1,7 @@
#
-# spec file for package pango (Version 1.28.3)
+# spec file for package pango
#
-# Copyright (c) 2010 SUSE LINUX Products GmbH, Nuernberg, Germany.
+# Copyright (c) 2011 SUSE LINUX Products GmbH, Nuernberg, Germany.
#
# All modifications and additions to the file contributed by third parties
# remain the property of their copyright owners, unless otherwise agreed
@@ -23,7 +23,7 @@
License: LGPLv2.1+
Group: System/Libraries
Version: 1.28.3
-Release: 1
+Release: 3.<RELEASE2>
# NOTE: on upgrade to a new upstream version, change the Obsoletes from <= to
< (here and in baselibs.conf)
Summary: Library for Layout and Rendering of Text
Source:
ftp://ftp.gnome.org/pub/GNOME/sources/pango/1.18/%{name}-%{version}.tar.bz2
@@ -32,6 +32,10 @@
Source99: baselibs.conf
# PATCH-FIX-UPSTREAM pango64.patch bgo129534 -- needed for biarch.
Unfortunately, this is not good enough for usptream.
Patch0: pango64.patch
+# PATCH-FIX-UPSTREAM pango-CVE-2011-0020.patch bnc#666101 CVE-2011-0020
vuntz@xxxxxxxxxxxx -- heap corruption in font parsing with FreeType2 backend
+Patch1: pango-CVE-2011-0020.patch
+# PATCH-FIX-UPSTREAM pango-CVE-2011-0064.patch bnc#672502 CVE-2011-0064.
vuntz@xxxxxxxxxxxx -- handle realloc failure in the buffer
+Patch2: pango-CVE-2011-0064.patch
BuildRequires: gcc-c++
BuildRequires: gtk-doc
BuildRequires: pkg-config
@@ -128,6 +132,8 @@
cp -a %{S:1} .
%patch0 -p0
%endif
+%patch1 -p1
+%patch2 -p1

%build
%configure --disable-static --with-pic

++++++ pango-CVE-2011-0020.patch ++++++
From 4e6248d76f55c6184f28afe614d7d76b6fa3d455 Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@xxxxxxxxxx>
Date: Thu, 17 Feb 2011 16:19:48 +0000
Subject: Bug 639882 - Heap corruption in font parsing with FreeType2 backend

---
diff --git a/pango/pangoft2-render.c b/pango/pangoft2-render.c
index bd3b7d4..42923f4 100644
--- a/pango/pangoft2-render.c
+++ b/pango/pangoft2-render.c
@@ -121,9 +121,14 @@ pango_ft2_font_render_box_glyph (int width,

box->bitmap.width = width;
box->bitmap.rows = height;
- box->bitmap.pitch = height;
+ box->bitmap.pitch = width;

- box->bitmap.buffer = g_malloc0 (box->bitmap.rows * box->bitmap.pitch);
+ box->bitmap.buffer = g_malloc0_n (box->bitmap.rows, box->bitmap.pitch);
+
+ if (G_UNLIKELY (!box->bitmap.buffer)) {
+ g_slice_free (PangoFT2RenderedGlyph, box);
+ return NULL;
+ }

/* draw the box */
for (j = 0; j < line_width; j++)
@@ -226,6 +231,11 @@ pango_ft2_font_render_glyph (PangoFont *font,
rendered->bitmap_left = face->glyph->bitmap_left;
rendered->bitmap_top = face->glyph->bitmap_top;

+ if (G_UNLIKELY (!rendered->bitmap.buffer)) {
+ g_slice_free (PangoFT2RenderedGlyph, rendered);
+ return NULL;
+ }
+
return rendered;
}
else
@@ -276,6 +286,8 @@ pango_ft2_renderer_draw_glyph (PangoRenderer *renderer,
if (rendered_glyph == NULL)
{
rendered_glyph = pango_ft2_font_render_glyph (font, glyph);
+ if (rendered_glyph == NULL)
+ return;
add_glyph_to_cache = TRUE;
}

--
cgit v0.8.3.4
++++++ pango-CVE-2011-0064.patch ++++++
From 3104961bc0ffaf847d2a1e116e6de4fdc1cd8ada Mon Sep 17 00:00:00 2001
From: Behdad Esfahbod <behdad@xxxxxxxxxx>
Date: Thu, 2 Dec 2010 16:00:46 +1300
Subject: [PATCH] Handle realloc failure in the buffer

Ported from http://cgit.freedesktop.org/harfbuzz/commit/?id=a6a79df5fe2e
by Karl Tomlinson <karlt+@xxxxxxxxx>
---
pango/opentype/hb-buffer-private.h | 1 +
pango/opentype/hb-buffer.c | 70 +++++++++++++++++++++---------------
pango/opentype/hb-buffer.h | 2 +-
3 files changed, 43 insertions(+), 30 deletions(-)

diff --git a/pango/opentype/hb-buffer-private.h
b/pango/opentype/hb-buffer-private.h
index 45cdc4d..f194786 100644
--- a/pango/opentype/hb-buffer-private.h
+++ b/pango/opentype/hb-buffer-private.h
@@ -72,6 +72,7 @@ struct _hb_buffer_t {
unsigned int allocated;

hb_bool_t have_output; /* weather we have an output buffer going on */
+ hb_bool_t in_error; /* Allocation failed */
unsigned int in_length;
unsigned int out_length;
unsigned int in_pos;
diff --git a/pango/opentype/hb-buffer.c b/pango/opentype/hb-buffer.c
index 93b51e5..e9788ad 100644
--- a/pango/opentype/hb-buffer.c
+++ b/pango/opentype/hb-buffer.c
@@ -52,23 +52,21 @@ static hb_buffer_t _hb_buffer_nil = {
* in_string and out_string.
*/

-/* XXX err handling */
-
/* Internal API */

-static void
+static hb_bool_t
hb_buffer_ensure_separate (hb_buffer_t *buffer, unsigned int size)
{
- hb_buffer_ensure (buffer, size);
+ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, size))) return FALSE;
if (buffer->out_string == buffer->in_string)
{
assert (buffer->have_output);
- if (!buffer->positions)
- buffer->positions = calloc (buffer->allocated, sizeof
(buffer->positions[0]));

buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
memcpy (buffer->out_string, buffer->in_string, buffer->out_length * sizeof
(buffer->out_string[0]));
}
+
+ return TRUE;
}

/* Public API */
@@ -114,6 +112,7 @@ void
hb_buffer_clear (hb_buffer_t *buffer)
{
buffer->have_output = FALSE;
+ buffer->in_error = FALSE;
buffer->in_length = 0;
buffer->out_length = 0;
buffer->in_pos = 0;
@@ -122,32 +121,42 @@ hb_buffer_clear (hb_buffer_t *buffer)
buffer->max_lig_id = 0;
}

-void
+hb_bool_t
hb_buffer_ensure (hb_buffer_t *buffer, unsigned int size)
{
- unsigned int new_allocated = buffer->allocated;
-
- if (size > new_allocated)
+ if (HB_UNLIKELY (size > buffer->allocated))
{
+ unsigned int new_allocated = buffer->allocated;
+ hb_internal_glyph_position_t *new_pos;
+ hb_internal_glyph_info_t *new_info;
+ hb_bool_t separate_out;
+
+ if (HB_UNLIKELY (buffer->in_error))
+ return FALSE;
+
+ separate_out = buffer->out_string != buffer->in_string;
+
while (size > new_allocated)
new_allocated += (new_allocated >> 1) + 8;

- if (buffer->positions)
- buffer->positions = realloc (buffer->positions, new_allocated * sizeof
(buffer->positions[0]));
+ new_pos = (hb_internal_glyph_position_t *) realloc (buffer->positions,
new_allocated * sizeof (buffer->positions[0]));
+ new_info = (hb_internal_glyph_info_t *) realloc (buffer->in_string,
new_allocated * sizeof (buffer->in_string[0]));

- if (buffer->out_string != buffer->in_string)
- {
- buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof
(buffer->in_string[0]));
- buffer->out_string = (hb_internal_glyph_info_t *) buffer->positions;
- }
- else
- {
- buffer->in_string = realloc (buffer->in_string, new_allocated * sizeof
(buffer->in_string[0]));
- buffer->out_string = buffer->in_string;
- }
+ if (HB_UNLIKELY (!new_pos || !new_info))
+ buffer->in_error = TRUE;
+
+ if (HB_LIKELY (new_pos))
+ buffer->positions = new_pos;

- buffer->allocated = new_allocated;
+ if (HB_LIKELY (new_info))
+ buffer->in_string = new_info;
+
+ buffer->out_string = separate_out ? (hb_internal_glyph_info_t *)
buffer->positions : buffer->in_string;
+ if (HB_LIKELY (!buffer->in_error))
+ buffer->allocated = new_allocated;
}
+
+ return HB_LIKELY (!buffer->in_error);
}

void
@@ -158,7 +167,7 @@ hb_buffer_add_glyph (hb_buffer_t *buffer,
{
hb_internal_glyph_info_t *glyph;

- hb_buffer_ensure (buffer, buffer->in_length + 1);
+ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->in_length + 1))) return;

glyph = &buffer->in_string[buffer->in_length];
glyph->codepoint = codepoint;
@@ -213,6 +222,8 @@ _hb_buffer_swap (hb_buffer_t *buffer)

assert (buffer->have_output);

+ if (HB_UNLIKELY (buffer->in_error)) return;
+
if (buffer->out_string != buffer->in_string)
{
hb_internal_glyph_info_t *tmp_string;
@@ -265,7 +276,8 @@ _hb_buffer_add_output_glyphs (hb_buffer_t *buffer,
if (buffer->out_string != buffer->in_string ||
buffer->out_pos + num_out > buffer->in_pos + num_in)
{
- hb_buffer_ensure_separate (buffer, buffer->out_pos + num_out);
+ if (HB_UNLIKELY (!hb_buffer_ensure_separate (buffer, buffer->out_pos +
num_out)))
+ return;
}

mask = buffer->in_string[buffer->in_pos].mask;
@@ -302,7 +314,7 @@ _hb_buffer_add_output_glyph (hb_buffer_t *buffer,

if (buffer->out_string != buffer->in_string)
{
- hb_buffer_ensure (buffer, buffer->out_pos + 1);
+ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
}
else if (buffer->out_pos != buffer->in_pos)
@@ -332,7 +344,7 @@ _hb_buffer_next_glyph (hb_buffer_t *buffer)

if (buffer->out_string != buffer->in_string)
{
- hb_buffer_ensure (buffer, buffer->out_pos + 1);
+ if (HB_UNLIKELY (!hb_buffer_ensure (buffer, buffer->out_pos + 1))) return;
buffer->out_string[buffer->out_pos] = buffer->in_string[buffer->in_pos];
}
else if (buffer->out_pos != buffer->in_pos)
diff --git a/pango/opentype/hb-buffer.h b/pango/opentype/hb-buffer.h
index b030ba9..aaf6694 100644
--- a/pango/opentype/hb-buffer.h
+++ b/pango/opentype/hb-buffer.h
@@ -94,7 +94,7 @@ hb_buffer_clear (hb_buffer_t *buffer);
void
hb_buffer_clear_positions (hb_buffer_t *buffer);

-void
+hb_bool_t
hb_buffer_ensure (hb_buffer_t *buffer,
unsigned int size);

--
1.7.2.2

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++



Remember to have fun...

--
To unsubscribe, e-mail: opensuse-commit+unsubscribe@xxxxxxxxxxxx
For additional commands, e-mail: opensuse-commit+help@xxxxxxxxxxxx

< Previous Next >
This Thread
  • No further messages