authorRyan Hill <dirtyepic@gentoo.org>2009-05-03 18:37:40 +0000
committerRyan Hill <dirtyepic@gentoo.org>2009-05-03 18:37:40 +0000
commitaa761b6b4b166ceb52694fc4d7d1c6f298638265 (patch)
tree2e928271e0eb73edcb78e424f00185ab62232361 /media-libs/freetype
parentStable on alpha, bug #248905 (diff)
CVE-2009-0946 (bug #263032).
(Portage version: 2.2_rc32/cvs/Linux x86_64)
Diffstat (limited to 'media-libs/freetype')
-rw-r--r--media-libs/freetype/ChangeLog8
-rw-r--r--media-libs/freetype/files/freetype-2.3.9-CVE-2009-0946.patch136
-rw-r--r--media-libs/freetype/freetype-2.3.9-r1.ebuild (renamed from media-libs/freetype/freetype-2.3.9.ebuild)3
3 files changed, 145 insertions, 2 deletions
diff --git a/media-libs/freetype/ChangeLog b/media-libs/freetype/ChangeLog
index 9fbbddf6092e..7205260b8d8b 100644
--- a/media-libs/freetype/ChangeLog
+++ b/media-libs/freetype/ChangeLog
@@ -1,6 +1,12 @@
# ChangeLog for media-libs/freetype
# Copyright 1999-2009 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/freetype/ChangeLog,v 1.224 2009/03/23 14:51:28 pva Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/freetype/ChangeLog,v 1.225 2009/05/03 18:37:39 dirtyepic Exp $
+
+*freetype-2.3.9-r1 (03 May 2009)
+
+ 03 May 2009; Ryan Hill <dirtyepic@gentoo.org> -freetype-2.3.9.ebuild,
+ +freetype-2.3.9-r1.ebuild, +files/freetype-2.3.9-CVE-2009-0946.patch:
+ CVE-2009-0946 (bug #263032).
23 Mar 2009; Peter Volkov <pva@gentoo.org>
+files/freetype-1.4_pre20080316-LDLFAGS.patch,
diff --git a/media-libs/freetype/files/freetype-2.3.9-CVE-2009-0946.patch b/media-libs/freetype/files/freetype-2.3.9-CVE-2009-0946.patch
new file mode 100644
index 000000000000..fac642547633
--- /dev/null
+++ b/media-libs/freetype/files/freetype-2.3.9-CVE-2009-0946.patch
@@ -0,0 +1,136 @@
+http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2009-0946
+https://bugzilla.redhat.com/show_bug.cgi?id=491384
+https://bugs.gentoo.org/show_bug.cgi?id=263032
+
+--- freetype-2.3.9-orig/src/cff/cffload.c
++++ freetype-2.3.9/src/cff/cffload.c
+@@ -842,7 +842,20 @@
+ goto Exit;
+
+ for ( j = 1; j < num_glyphs; j++ )
+- charset->sids[j] = FT_GET_USHORT();
++ {
++ FT_UShort sid = FT_GET_USHORT();
++
++
++ /* this constant is given in the CFF specification */
++ if ( sid < 65000 )
++ charset->sids[j] = sid;
++ else
++ {
++ FT_ERROR(( "cff_charset_load:"
++ " invalid SID value %d set to zero\n", sid ));
++ charset->sids[j] = 0;
++ }
++ }
+
+ FT_FRAME_EXIT();
+ }
+@@ -875,6 +888,20 @@
+ goto Exit;
+ }
+
++ /* check whether the range contains at least one valid glyph; */
++ /* the constant is given in the CFF specification */
++ if ( glyph_sid >= 65000 ) {
++ FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
++ error = CFF_Err_Invalid_File_Format;
++ goto Exit;
++ }
++
++ /* try to rescue some of the SIDs if `nleft' is too large */
++ if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
++ FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
++ nleft = 65000 - 1 - glyph_sid;
++ }
++
+ /* Fill in the range of sids -- `nleft + 1' glyphs. */
+ for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
+ charset->sids[j] = glyph_sid;
+--- freetype-2.3.9-orig/src/lzw/ftzopen.c
++++ freetype-2.3.9/src/lzw/ftzopen.c
+@@ -332,6 +332,9 @@
+
+ while ( code >= 256U )
+ {
++ if ( !state->prefix )
++ goto Eof;
++
+ FTLZW_STACK_PUSH( state->suffix[code - 256] );
+ code = state->prefix[code - 256];
+ }
+--- freetype-2.3.9-orig/src/sfnt/ttcmap.c
++++ freetype-2.3.9/src/sfnt/ttcmap.c
+@@ -1635,7 +1635,7 @@
+ FT_INVALID_TOO_SHORT;
+
+ length = TT_NEXT_ULONG( p );
+- if ( table + length > valid->limit || length < 8208 )
++ if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
+ FT_INVALID_TOO_SHORT;
+
+ is32 = table + 12;
+@@ -1863,7 +1863,8 @@
+ p = table + 16;
+ count = TT_NEXT_ULONG( p );
+
+- if ( table + length > valid->limit || length < 20 + count * 2 )
++ if ( length > (FT_ULong)( valid->limit - table ) ||
++ length < 20 + count * 2 )
+ FT_INVALID_TOO_SHORT;
+
+ /* check glyph indices */
+@@ -2048,7 +2049,8 @@
+ p = table + 12;
+ num_groups = TT_NEXT_ULONG( p );
+
+- if ( table + length > valid->limit || length < 16 + 12 * num_groups )
++ if ( length > (FT_ULong)( valid->limit - table ) ||
++ length < 16 + 12 * num_groups )
+ FT_INVALID_TOO_SHORT;
+
+ /* check groups, they must be in increasing order */
+@@ -2429,7 +2431,8 @@
+ FT_ULong num_selectors = TT_NEXT_ULONG( p );
+
+
+- if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
++ if ( length > (FT_ULong)( valid->limit - table ) ||
++ length < 10 + 11 * num_selectors )
+ FT_INVALID_TOO_SHORT;
+
+ /* check selectors, they must be in increasing order */
+@@ -2491,7 +2494,7 @@
+ FT_ULong i, lastUni = 0;
+
+
+- if ( ndp + numMappings * 4 > valid->limit )
++ if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
+ FT_INVALID_TOO_SHORT;
+
+ for ( i = 0; i < numMappings; ++i )
+--- freetype-2.3.9-orig/src/smooth/ftsmooth.c
++++ freetype-2.3.9/src/smooth/ftsmooth.c
+@@ -153,7 +153,7 @@
+ slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
+ }
+
+- /* allocate new one, depends on pixel format */
++ /* allocate new one */
+ pitch = width;
+ if ( hmul )
+ {
+@@ -194,6 +194,13 @@
+
+ #endif
+
++ if ( pitch > 0xFFFF || height > 0xFFFF )
++ {
++ FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
++ width, height ));
++ return Smooth_Err_Raster_Overflow;
++ }
++
+ bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
+ bitmap->num_grays = 256;
+ bitmap->width = width;
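Review bot: The rewritten ttcmap.c checks still build their lower bound by multiplying a count read from the font, so `20 + count * 2`, `16 + 12 * num_groups`, `10 + 11 * num_selectors` and `numMappings * 4` can wrap where FT_ULong is 32 bits wide and let an oversized count pass validation. The patch removes the pointer-side overflow (`table + length`) but not this one. The division form avoids it: `length < 20 || ( length - 20 ) / 2 < count` for the `count` check, `numMappings > (FT_ULong)( valid->limit - ndp ) / 4` for the mappings check, and the two remaining checks rewritten the same way. The 8192 + 16 check casts to `FT_UInt32` while the others cast to `FT_ULong`; using one type throughout would make the comparisons easier to audit. All of these functions extend beyond the embedded hunks, and in ftzopen.c the added `!state->prefix` test only covers a missing table, so it is worth confirming outside the visible lines that `code - 256` is bounded against the table size.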
diff --git a/media-libs/freetype/freetype-2.3.9.ebuild b/media-libs/freetype/freetype-2.3.9-r1.ebuild
index 13cb7749d316..73bef3019daf 100644
--- a/media-libs/freetype/freetype-2.3.9.ebuild
+++ b/media-libs/freetype/freetype-2.3.9-r1.ebuild
@@ -1,6 +1,6 @@
# Copyright 1999-2009 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
-# $Header: /var/cvsroot/gentoo-x86/media-libs/freetype/freetype-2.3.9.ebuild,v 1.1 2009/03/13 18:33:06 pva Exp $
+# $Header: /var/cvsroot/gentoo-x86/media-libs/freetype/freetype-2.3.9-r1.ebuild,v 1.1 2009/05/03 18:37:39 dirtyepic Exp $
inherit eutils flag-o-matic libtool
@@ -60,6 +60,7 @@ src_unpack() {
disable_option FT_CONFIG_OPTION_OLD_INTERNALS
epatch "${FILESDIR}"/${PN}-2.3.2-enable-valid.patch
+ epatch "${FILESDIR}"/${P}-CVE-2009-0946.patch # 263032
if use utils; then
cd "${WORKDIR}"/ft2demos-${PV}