Hello community, here is the log from the commit of package freetype2 checked in at Fri Jun 2 01:50:25 CEST 2006. -------- --- freetype2/freetype2.changes 2006-03-21 14:04:21.000000000 +0100 +++ freetype2/freetype2.changes 2006-06-01 13:03:42.000000000 +0200 @@ -1,0 +2,11 @@ +Thu Jun 01 13:02:51 CEST 2006 - mfabian@suse.de + +- Bugzilla #154928: fix several integer overflows. + +------------------------------------------------------------------- +Mon Apr 24 17:27:36 CEST 2006 - mfabian@suse.de + +- Bugzilla #133086: enable kerning, see + http://lists.nongnu.org/archive/html/freetype-devel/2005-09/msg00027.html + +------------------------------------------------------------------- ft2demos.changes: same change New: ---- bugzilla-133086-enable-kerning.patch bugzilla-154928-integer-overflows.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ freetype2.spec ++++++ --- /var/tmp/diff_new_pack.e3cmgU/_old 2006-06-02 01:45:47.000000000 +0200 +++ /var/tmp/diff_new_pack.e3cmgU/_new 2006-06-02 01:45:47.000000000 +0200 @@ -15,7 +15,7 @@ Group: System/Libraries Autoreqprov: on Version: 2.1.10 -Release: 11 +Release: 18 URL: http://www.freetype.org Summary: A TrueType Font Library Source0: http://savannah.nongnu.org/download/freetype/freetype-2.1.10.tar.bz2 @@ -29,6 +29,8 @@ Patch6: bugzilla-158156-memory-leak.patch Patch7: bugzilla-158573-fix-orientation-detection.patch Patch8: bugzilla-159166-reduce-embolden-distance.patch +Patch9: bugzilla-133086-enable-kerning.patch +Patch10: bugzilla-154928-integer-overflows.patch Patch100: freetype2-bc.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -71,6 +73,8 @@ %patch6 -p 1 %patch7 -p 1 %patch8 -p 1 +%patch9 -p 1 +%patch10 -p 1 # The byte code interpreter is compiled in by default # because of the following patch ('%patch100'). # For most fonts it is disabled again by default in the 
@@ -118,6 +122,11 @@ /usr/share/aclocal/* %changelog -n freetype2 +* Thu Jun 01 2006 - mfabian@suse.de +- Bugzilla #154928: fix several integer overflows. +* Mon Apr 24 2006 - mfabian@suse.de +- Bugzilla #133086: enable kerning, see + http://lists.nongnu.org/archive/html/freetype-devel/2005-09/msg00027.html * Tue Mar 21 2006 - dmueller@suse.de - build parallel * Mon Mar 20 2006 - zsu@suse.de ++++++ ft2demos.spec ++++++ --- /var/tmp/diff_new_pack.e3cmgU/_old 2006-06-02 01:45:47.000000000 +0200 +++ /var/tmp/diff_new_pack.e3cmgU/_new 2006-06-02 01:45:47.000000000 +0200 @@ -16,7 +16,7 @@ Group: Productivity/Publishing/Other Autoreqprov: on Version: 2.1.10 -Release: 12 +Release: 19 %define freetype_version 2.1.10 URL: http://www.freetype.org Summary: Freetype2 Utilities and Demo Programs @@ -32,6 +32,8 @@ Patch6: bugzilla-158156-memory-leak.patch Patch7: bugzilla-158573-fix-orientation-detection.patch Patch8: bugzilla-159166-reduce-embolden-distance.patch +Patch9: bugzilla-133086-enable-kerning.patch +Patch10: bugzilla-154928-integer-overflows.patch Patch50: bugzilla-159304-fix-ftview-glyph-index.patch Patch100: freetype2-bc.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build @@ -57,6 +59,8 @@ %patch6 -p 1 %patch7 -p 1 %patch8 -p 1 +%patch9 -p 1 +%patch10 -p 1 pushd ../ft2demos-%{version} %patch50 -p 1 popd 
@@ -102,6 +106,11 @@ %{_bindir}/testname %changelog -n ft2demos +* Thu Jun 01 2006 - mfabian@suse.de +- Bugzilla #154928: fix several integer overflows. +* Mon Apr 24 2006 - mfabian@suse.de +- Bugzilla #133086: enable kerning, see + http://lists.nongnu.org/archive/html/freetype-devel/2005-09/msg00027.html * Tue Mar 21 2006 - dmueller@suse.de - build parallel * Mon Mar 20 2006 - zsu@suse.de ++++++ bugzilla-133086-enable-kerning.patch ++++++ diff -ru freetype-2.1.10.orig/src/sfnt/sfobjs.c freetype-2.1.10/src/sfnt/sfobjs.c --- freetype-2.1.10.orig/src/sfnt/sfobjs.c 2005-05-21 19:22:28.000000000 +0200 +++ freetype-2.1.10/src/sfnt/sfobjs.c 2006-04-24 17:24:53.000000000 +0200 @@ -555,7 +555,7 @@ if ( face->vertical_info ) flags |= FT_FACE_FLAG_VERTICAL; -#if 0 +#if 1 /* kerning available ? */ if ( TT_FACE_HAS_KERNING( face ) ) flags |= FT_FACE_FLAG_KERNING; ++++++ bugzilla-154928-integer-overflows.patch ++++++ diff -ru freetype-2.1.10.orig/include/freetype/fterrdef.h freetype-2.1.10/include/freetype/fterrdef.h --- freetype-2.1.10.orig/include/freetype/fterrdef.h 2004-02-12 09:33:20.000000000 +0100 +++ freetype-2.1.10/include/freetype/fterrdef.h 2006-05-31 13:14:36.000000000 +0200 @@ -4,7 +4,7 @@ /* */ /* FreeType error codes (specification). */ /* */ -/* Copyright 2002, 2004 by */ +/* Copyright 2002, 2004, 2006 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -226,6 +226,8 @@ "`ENCODING' field missing" ) FT_ERRORDEF_( Missing_Bbx_Field, 0xB6, \ "`BBX' field missing" ) + FT_ERRORDEF_( Bbx_Too_Big, 0xB7, \ + "`BBX' too big" ) /* END */ diff -ru freetype-2.1.10.orig/src/base/ftutil.c freetype-2.1.10/src/base/ftutil.c --- freetype-2.1.10.orig/src/base/ftutil.c 2005-03-03 23:59:06.000000000 +0100 +++ freetype-2.1.10/src/base/ftutil.c 2006-05-31 17:44:11.000000000 +0200 
@@ -67,6 +67,14 @@ } FT_MEM_ZERO( *P, size ); } + else if ( size < 0 ) + { + /* may help catch/prevent security issues */ + FT_ERROR(( "FT_QAlloc:" )); + FT_ERROR(( " Negative size requested. (%ld requested)\n", + size )); + return FT_Err_Invalid_Argument; + } else *P = NULL; @@ -99,6 +107,14 @@ return FT_Err_Out_Of_Memory; } } + else if ( size < 0 ) + { + /* may help catch/prevent security issues */ + FT_ERROR(( "FT_QAlloc:" )); + FT_ERROR(( " Negative size requested. (%ld requested)\n", + size )); + return FT_Err_Invalid_Argument; + } else *P = NULL; @@ -128,7 +144,11 @@ return FT_Alloc( memory, size, P ); /* if the new block if zero-sized, clear the current one */ - if ( size <= 0 ) + if ( size < 0 || current < 0 ) + { + return FT_Err_Invalid_Argument; + } + else if ( size == 0 ) { FT_Free( memory, P ); return FT_Err_Ok; @@ -170,7 +190,11 @@ return FT_QAlloc( memory, size, P ); /* if the new block if zero-sized, clear the current one */ - if ( size <= 0 ) + if ( size < 0 || current < 0 ) + { + return FT_Err_Invalid_Argument; + } + else if ( size == 0 ) { FT_Free( memory, P ); return FT_Err_Ok; diff -ru freetype-2.1.10.orig/src/bdf/bdflib.c freetype-2.1.10/src/bdf/bdflib.c --- freetype-2.1.10.orig/src/bdf/bdflib.c 2005-05-21 19:19:52.000000000 +0200 +++ freetype-2.1.10/src/bdf/bdflib.c 2006-05-31 13:14:36.000000000 +0200 @@ -1092,6 +1092,7 @@ #define ERRMSG1 "[line %ld] Missing \"%s\" line.\n" #define ERRMSG2 "[line %ld] Font header corrupted or missing fields.\n" #define ERRMSG3 "[line %ld] Font glyphs corrupted or missing fields.\n" +#define ERRMSG4 "[line %ld] BBX too big.\n" static FT_Error @@ -1805,6 +1806,9 @@ /* And finally, gather up the bitmap. */ if ( ft_memcmp( line, "BITMAP", 6 ) == 0 ) { + unsigned long bitmap_size; + + if ( !( p->flags & _BDF_BBX ) ) { /* Missing BBX field. */ 
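Review bot: In src/base/ftutil.c, the negative-size branch added at @@ -67,6 returns `FT_Err_Invalid_Argument` without touching `*P`, while the zero-size branch right after it sets `*P = NULL`; a caller that ignores the error code keeps whatever stale or uninitialised pointer it passed in. Adding `*P = NULL;` before the `return` would make every non-success path leave a null output, and the same applies to the identical branch at @@ -99,6. Both branches log "FT_QAlloc:", but the first hunk's context calls `FT_MEM_ZERO`, which suggests it sits in the zeroing allocator, so one of the two messages probably names the wrong function. The enclosing functions start outside both hunks, so this is read from the visible context only.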
@@ -1815,7 +1819,16 @@ /* Allocate enough space for the bitmap. */ glyph->bpr = ( glyph->bbx.width * p->font->bpp + 7 ) >> 3; - glyph->bytes = (unsigned short)( glyph->bpr * glyph->bbx.height ); + + bitmap_size = glyph->bpr * glyph->bbx.height; + if ( bitmap_size > 0xFFFFU ) + { + FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG4, lineno )); + error = BDF_Err_Bbx_Too_Big; + goto Exit; + } + else + glyph->bytes = (unsigned short)bitmap_size; if ( FT_NEW_ARRAY( glyph->bitmap, glyph->bytes ) ) goto Exit; freetype-2.1.10/src/bdfだけに発見: bdflib.c.orig diff -ru freetype-2.1.10.orig/src/cff/cffgload.c freetype-2.1.10/src/cff/cffgload.c --- freetype-2.1.10.orig/src/cff/cffgload.c 2005-04-18 06:53:05.000000000 +0200 +++ freetype-2.1.10/src/cff/cffgload.c 2006-05-31 13:16:29.000000000 +0200 @@ -2284,7 +2284,7 @@ FT_LOCAL_DEF( FT_Error ) cff_slot_load( CFF_GlyphSlot glyph, CFF_Size size, - FT_Int glyph_index, + FT_UInt glyph_index, FT_Int32 load_flags ) { FT_Error error; @@ -2330,7 +2330,7 @@ error = sfnt->load_sbit_image( face, (FT_ULong)size->strike_index, - (FT_UInt)glyph_index, + glyph_index, (FT_Int)load_flags, stream, &glyph->root.bitmap, @@ -2393,7 +2393,12 @@ /* subsetted font, glyph_indices and CIDs are identical, though */ if ( cff->top_font.font_dict.cid_registry != 0xFFFFU && cff->charset.cids ) - glyph_index = cff->charset.cids[glyph_index]; + { + if ( glyph_index < cff->charset.max_cid ) + glyph_index = cff->charset.cids[glyph_index]; + else + glyph_index = 0; + } cff_decoder_init( &decoder, face, size, glyph, hinting, FT_LOAD_TARGET_MODE( load_flags ) ); diff -ru freetype-2.1.10.orig/src/cff/cffgload.h freetype-2.1.10/src/cff/cffgload.h --- freetype-2.1.10.orig/src/cff/cffgload.h 2004-05-13 23:59:17.000000000 +0200 +++ freetype-2.1.10/src/cff/cffgload.h 2006-05-31 13:14:36.000000000 +0200 
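Review bot: In src/bdf/bdflib.c at @@ -1815,7, `bitmap_size = glyph->bpr * glyph->bbx.height;` multiplies in the operands' own (promoted) type and only then widens to `unsigned long`, so the new `> 0xFFFFU` test would see an already wrapped product if both fields are narrower than `unsigned long`. Their declarations are outside the hunk; if neither is `unsigned long`, cast one operand first: `bitmap_size = (unsigned long)glyph->bpr * glyph->bbx.height;`. The `else` after `goto Exit;` is redundant and could be dropped so the assignment to `glyph->bytes` reads as the normal path.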
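Review bot: In src/cff/cffgload.c at @@ -2393,7, the bound `glyph_index < cff->charset.max_cid` is only correct if it matches the number of entries `charset->cids` was allocated with, and that allocation is not visible in this patch (src/cff/cffload.c only shows `charset->max_cid = max_cid;` after the table is filled). If the array holds `max_cid + 1` entries the test rejects the highest valid CID; if it holds fewer than `max_cid` the indexed read is still not fully bounded. Documenting the contract on the new field in cfftypes.h, e.g. ``/* exclusive upper bound for indexing `cids' */``, would let the two sites be checked against each other. The fallback to glyph 0 is silent; a trace message there would help when triaging malformed fonts. cff_slot_load continues outside the hunk.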
@@ -4,7 +4,7 @@ /* */ /* OpenType Glyph Loader (specification). */ /* */ -/* Copyright 1996-2001, 2002, 2003, 2004 by */ +/* Copyright 1996-2001, 2002, 2003, 2004, 2006 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ @@ -196,7 +196,7 @@ FT_LOCAL( FT_Error ) cff_slot_load( CFF_GlyphSlot glyph, CFF_Size size, - FT_Int glyph_index, + FT_UInt glyph_index, FT_Int32 load_flags ); diff -ru freetype-2.1.10.orig/src/cff/cffload.c freetype-2.1.10/src/cff/cffload.c --- freetype-2.1.10.orig/src/cff/cffload.c 2005-05-06 07:49:46.000000000 +0200 +++ freetype-2.1.10/src/cff/cffload.c 2006-05-31 13:14:38.000000000 +0200 @@ -1235,7 +1235,7 @@ } /* access element */ - if ( off1 ) + if ( off1 && off2 > off1 ) { *pbyte_len = off2 - off1; @@ -1688,6 +1688,8 @@ for ( i = 0; i < num_glyphs; i++ ) charset->cids[charset->sids[i]] = (FT_UShort)i; + + charset->max_cid = max_cid; } Exit: @@ -2011,7 +2013,7 @@ if ( error ) goto Exit; - + /* if it is a CID font, we stop there */ if ( top->cid_registry != 0xFFFFU ) goto Exit; @@ -2040,6 +2042,9 @@ FT_FRAME_EXIT(); if ( error ) goto Exit; + + /* ensure that 'num_blue_values' is even */ + priv->num_blue_values &= ~1; } /* read the local subrs, if any */ freetype-2.1.10/src/cffだけに発見: cffload.c.orig diff -ru freetype-2.1.10.orig/src/cff/cfftypes.h freetype-2.1.10/src/cff/cfftypes.h --- freetype-2.1.10.orig/src/cff/cfftypes.h 2003-12-20 08:30:05.000000000 +0100 +++ freetype-2.1.10/src/cff/cfftypes.h 2006-05-31 13:14:36.000000000 +0200 @@ -5,7 +5,7 @@ /* Basic OpenType/CFF type definitions and interface (specification */ /* only). */ /* */ -/* Copyright 1996-2001, 2002, 2003 by */ +/* Copyright 1996-2001, 2002, 2003, 2006 by */ /* David Turner, Robert Wilhelm, and Werner Lemberg. */ /* */ /* This file is part of the FreeType project, and may only be used, */ 
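Review bot: In src/cff/cffload.c at @@ -1235,7, `if ( off1 && off2 > off1 )` only orders the two offsets; nothing in the visible lines compares `off2` with the size of the index data before `*pbyte_len = off2 - off1` is handed back. If the rest of the function (outside the hunk) does not already bound it, the guard should also check `off2` against the size the index data was loaded with. A short comment such as `/* reject empty or reversed offset pairs from malformed fonts */` would record why the extra test exists.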
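Review bot: In src/cff/cffload.c at @@ -2040,6, only `num_blue_values` is forced even, and the same line is added in src/type1/t1load.c at @@ -1989,6; any other count in the private dictionary that is consumed as pairs stays exactly as parsed from the font. The loop change in src/pshinter/pshglob.c (`read_count > 1`) covers that one consumer, so the masking is defence in depth, but other code that walks these tables pairwise would still see odd counts. Consider normalising all pair counts in one place, or extend the comment to say why only this field needs it, e.g. `/* blue values come in pairs; drop an unpaired trailing entry */`.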
@@ -84,6 +84,7 @@ FT_UShort* sids; FT_UShort* cids; /* the inverse mapping of `sids'; only needed */ /* for CID-keyed fonts */ + FT_UInt max_cid; } CFF_CharsetRec, *CFF_Charset; diff -ru freetype-2.1.10.orig/src/pshinter/pshglob.c freetype-2.1.10/src/pshinter/pshglob.c --- freetype-2.1.10.orig/src/pshinter/pshglob.c 2004-04-02 09:13:53.000000000 +0200 +++ freetype-2.1.10/src/pshinter/pshglob.c 2006-05-31 13:14:38.000000000 +0200 @@ -150,7 +150,7 @@ FT_UNUSED( target ); - for ( ; read_count > 0; read_count -= 2 ) + for ( ; read_count > 1; read_count -= 2 ) { FT_Int reference, delta; FT_UInt count; diff -ru freetype-2.1.10.orig/src/sfnt/ttcmap.c freetype-2.1.10/src/sfnt/ttcmap.c --- freetype-2.1.10.orig/src/sfnt/ttcmap.c 2005-05-11 16:37:40.000000000 +0200 +++ freetype-2.1.10/src/sfnt/ttcmap.c 2006-05-31 15:51:55.000000000 +0200 @@ -2145,13 +2145,12 @@ offset = TT_NEXT_ULONG( p ); if ( offset && - table + offset + 2 < limit && - table + offset >= table ) + offset <= face->cmap_size -2 ) { FT_Byte* cmap = table + offset; volatile FT_UInt format = TT_PEEK_USHORT( cmap ); const TT_CMap_Class* volatile pclazz = tt_cmap_classes; - TT_CMap_Class clazz; + TT_CMap_Class volatile clazz; for ( ; *pclazz; pclazz++ ) diff -ru freetype-2.1.10.orig/src/type1/t1load.c freetype-2.1.10/src/type1/t1load.c --- freetype-2.1.10.orig/src/type1/t1load.c 2005-04-14 13:39:28.000000000 +0200 +++ freetype-2.1.10/src/type1/t1load.c 2006-05-31 13:14:38.000000000 +0200 @@ -1989,6 +1989,9 @@ keyword_flags ); if ( error ) goto Exit; + + /* ensure even-ness of 'num_blue_values' */ + priv->num_blue_values &= ~1; #ifndef T1_CONFIG_OPTION_NO_MM_SUPPORT ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Remember to have fun... --------------------------------------------------------------------- To unsubscribe, e-mail: opensuse-commit-unsubscribe@opensuse.org For additional commands, e-mail: opensuse-commit-help@opensuse.org
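Review bot: In src/sfnt/ttcmap.c at @@ -2145,13, `offset <= face->cmap_size -2` wraps around if `cmap_size` is an unsigned value of 0 or 1, and the test then accepts any offset. Unless a check outside the hunk already guarantees a minimum table size, write it as `face->cmap_size >= 2 && offset <= face->cmap_size - 2`. The change of `clazz` to `volatile` is unexplained; a one-line comment saying what it is needed for (presumably the same reason `format` and `pclazz` are volatile) would help the next reader.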