
Bug#779656: marked as done (unblock: freetype/2.5.2-3)



Your message dated Thu, 5 Mar 2015 12:04:42 +0100
with message-id <20150305110442.GA1940@betterave.cristau.org>
and subject line Re: Bug#779656: unblock: freetype/2.5.2-3
has caused the Debian Bug report #779656,
regarding unblock: freetype/2.5.2-3
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
779656: http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=779656
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock

Please unblock package freetype. It fixes multiple security issues.

unblock freetype/2.5.2-3

Debdiff:

diff -u freetype-2.5.2/debian/changelog freetype-2.5.2/debian/changelog
--- freetype-2.5.2/debian/changelog
+++ freetype-2.5.2/debian/changelog
@@ -1,3 +1,40 @@
+freetype (2.5.2-3) unstable; urgency=medium
+
+  * Fix Savannah bug #43535. CVE-2014-9675
+  * [bdf] Fix Savannah bug #41692. CVE-2014-9675-fixup-1
+  * src/base/ftobj.c (Mac_Read_POST_Resource): Additional overflow check
+    in the summation of POST fragment lengths. CVE-2014-0674-part-2
+  * src/base/ftobjs.c (Mac_Read_POST_Resource): Insert comments and fold
+    too long tracing messages. CVS-2014-9674-fixup-2
+  * src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long variables to read the lengths in POST fragments. CVE-2014-9674-fixup-1
+  * Fix Savannah bug #43538. CVE-2014-9674-part-1
+  * Fix Savannah bug #43539. CVE-2014-9673
+  * src/base/ftobjs.c (Mac_Read_POST_Resource): Avoid memory leak by
+    a broken POST table in resource-fork. CVE-2014-9673-fixup
+  * Fix Savannah bug #43540. CVE-2014-9672
+  * Fix Savannah bug #43547. CVE-2014-9671
+  * Fix Savannah bug #43548. CVE-2014-9670
+  * [sfnt] Fix Savannah bug #43588. CVE-2014-9669
+  * [sfnt] Fix Savannah bug #43589. CVE-2014-9668
+  * [sfnt] Fix Savannah bug #43590. CVE-2014-9667
+  * [sfnt] Fix Savannah bug #43591. CVE-2014-9666
+  * Change some fields in `FT_Bitmap' to unsigned type. CVE-2014-9665
+  * Fix uninitialized variable warning. CVE-2014-9665-fixup-2
+  * Make `FT_Bitmap_Convert' correctly handle negative `pitch' values.
+    CVE-2014-9665-fixup
+  * [type1, type42] Fix Savannah bug #43655. CVE-2014-9664
+  * [sfnt] Fix Savannah bug #43656. CVE-2014-9663
+  * [cff] Fix Savannah bug #43658. CVE-2014-9662
+  * [type42] Allow only embedded TrueType fonts. CVE-2014-9661
+  * [bdf] Fix Savannah bug #43660. CVE-2014-9660
+  * [cff] Fix Savannah bug #43661. CVE-2014-9659
+  * [sfnt] Fix Savannah bug #43672. CVE-2014-9658
+  * [truetype] Fix Savannah bug #43679. CVE-2014-9657
+  * [sfnt] Fix Savannah bug #43680. CVE-2014-9656
+  * All CVEs patched. Closes: #777656.
+
+ -- Keith Packard <keithp@keithp.com>  Mon, 23 Feb 2015 22:04:36 -0800
+
 freetype (2.5.2-2) unstable; urgency=medium
 
   * Acknowledge security NMU; thanks to Michael Gilbert.
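Review bot: the CVE identifiers in this changelog entry are inconsistent with each other and with the patch series: the entry for the additional overflow check in `Mac_Read_POST_Resource` reads `CVE-2014-0674-part-2` and names `src/base/ftobj.c`, while the neighbouring entries use `CVE-2014-9674` and `src/base/ftobjs.c`, and the next entry reads `CVS-2014-9674-fixup-2`. Security trackers grep changelogs for CVE ids, so fix these to `CVE-2014-9674-part-2` and `CVE-2014-9674-fixup-2` (and `ftobjs.c`). The `Use unsigned long variables to read the lengths in POST fragments` entry is also a single unwrapped line; wrap it at the same width as the rest of the entry.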
diff -u freetype-2.5.2/debian/patches-freetype/series freetype-2.5.2/debian/patches-freetype/series
--- freetype-2.5.2/debian/patches-freetype/series
+++ freetype-2.5.2/debian/patches-freetype/series
@@ -10,0 +11,27 @@
+0003-sfnt-Fix-Savannah-bug-43680.-CVE-2014-9656.patch
+0004-truetype-Fix-Savannah-bug-43679.-CVE-2014-9657.patch
+0005-sfnt-Fix-Savannah-bug-43672.-CVE-2014-9658.patch
+0006-cff-Fix-Savannah-bug-43661.-CVE-2014-9659.patch
+0007-bdf-Fix-Savannah-bug-43660.-CVE-2014-9660.patch
+0008-type42-Allow-only-embedded-TrueType-fonts.-CVE-2014-.patch
+0009-cff-Fix-Savannah-bug-43658.-CVE-2014-9662.patch
+0010-sfnt-Fix-Savannah-bug-43656.-CVE-2014-9663.patch
+0011-type1-type42-Fix-Savannah-bug-43655.-CVE-2014-9664.patch
+0012-Make-FT_Bitmap_Convert-correctly-handle-negative-pit.patch
+0013-Fix-uninitialized-variable-warning.-CVE-2014-9665-fi.patch
+0014-Change-some-fields-in-FT_Bitmap-to-unsigned-type.-CV.patch
+0015-sfnt-Fix-Savannah-bug-43591.-CVE-2014-9666.patch
+0016-sfnt-Fix-Savannah-bug-43590.-CVE-2014-9667.patch
+0017-sfnt-Fix-Savannah-bug-43589.-CVE-2014-9668.patch
+0018-sfnt-Fix-Savannah-bug-43588.-CVE-2014-9669.patch
+0019-Fix-Savannah-bug-43548.-CVE-2014-9670.patch
+0020-Fix-Savannah-bug-43547.-CVE-2014-9671.patch
+0021-Fix-Savannah-bug-43540.-CVE-2014-9672.patch
+0022-src-base-ftobjs.c-Mac_Read_POST_Resource-Avoid-memor.patch
+0023-Fix-Savannah-bug-43539.-CVE-2014-9673.patch
+0024-Fix-Savannah-bug-43538.-CVE-2014-9674-part-1.patch
+0025-src-base-ftobjs.c-Mac_Read_POST_Resource-Use-unsigne.patch
+0026-src-base-ftobjs.c-Mac_Read_POST_Resource-Insert-comm.patch
+0027-src-base-ftobj.c-Mac_Read_POST_Resource-Additional-C.patch
+0028-bdf-Fix-Savannah-bug-41692.-CVE-2014-9675-fixup-1.patch
+0029-Fix-Savannah-bug-43535.-CVE-2014-9675.patch
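Review bot: `0027-src-base-ftobj.c-Mac_Read_POST_Resource-Additional-C.patch` carries the `ftobj.c` spelling from its commit subject, while `0022`, `0025` and `0026` say `ftobjs.c`. The file names come from `git format-patch`, so either leave them as generated or regenerate the patch after correcting the subject; don't rename only the series entry, since each entry must match the file on disk.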
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0003-sfnt-Fix-Savannah-bug-43680.-CVE-2014-9656.patch
+++ freetype-2.5.2/debian/patches-freetype/0003-sfnt-Fix-Savannah-bug-43680.-CVE-2014-9656.patch
@@ -0,0 +1,33 @@
+From 6de5eb9ffbbad7065ce34b3c267f2f95e4f45ea1 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 24 Nov 2014 10:51:21 +0100
+Subject: [sfnt] Fix Savannah bug #43680. CVE-2014-9656
+
+This adds an additional constraint to make the fix from 2013-01-25
+really work.
+
+* src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) <index_format==4>:
+Check `p' before `num_glyphs'.
+
+(cherry picked from commit f0292bb9920aa1dbfed5f53861e7c7a89b35833a)
+---
+ freetype-2.5.2/src/sfnt/ttsbit.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git freetype-2.5.2/src/sfnt/ttsbit.c freetype-2.5.2/src/sfnt/ttsbit.c
+index 7469ff1..38c680e 100644
+--- freetype-2.5.2/src/sfnt/ttsbit.c
++++ freetype-2.5.2/src/sfnt/ttsbit.c
+@@ -1143,7 +1143,8 @@
+         num_glyphs = FT_NEXT_ULONG( p );
+ 
+         /* overflow check for p + ( num_glyphs + 1 ) * 4 */
+-        if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
++        if ( p + 4 > p_limit                                         ||
++             num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) )
+           goto NoBitmap;
+ 
+         for ( mm = 0; mm < num_glyphs; mm++ )
+-- 
+2.1.4
+
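Review bot: the order of the two clauses in the new condition is load-bearing: `p + 4 > p_limit` must be evaluated first, because otherwise `( p_limit - p ) >> 2` is computed on a negative pointer difference once `FT_NEXT_ULONG( p )` has already moved `p` past `p_limit`, and the cast `(FT_ULong)( ... - 1 )` turns that into a huge bound that any `num_glyphs` passes. The existing comment `overflow check for p + ( num_glyphs + 1 ) * 4` doesn't say this; add a sentence so a later reformat doesn't swap the operands.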
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0004-truetype-Fix-Savannah-bug-43679.-CVE-2014-9657.patch
+++ freetype-2.5.2/debian/patches-freetype/0004-truetype-Fix-Savannah-bug-43679.-CVE-2014-9657.patch
@@ -0,0 +1,46 @@
+From aa9ce85c823ad7e26db3106df0a1bfa4cfd03b01 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 24 Nov 2014 10:22:08 +0100
+Subject: [truetype] Fix Savannah bug #43679. CVE-2014-9657
+
+* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of
+`record_size'.
+
+(cherry picked from commit eca0f067068020870a429fe91f6329e499390d55)
+---
+ freetype-2.5.2/src/truetype/ttpload.c | 12 +++++++-----
+ 1 file changed, 7 insertions(+), 5 deletions(-)
+
+diff --git freetype-2.5.2/src/truetype/ttpload.c freetype-2.5.2/src/truetype/ttpload.c
+index 9723a51..9991925 100644
+--- freetype-2.5.2/src/truetype/ttpload.c
++++ freetype-2.5.2/src/truetype/ttpload.c
+@@ -508,9 +508,9 @@
+     record_size = FT_NEXT_ULONG( p );
+ 
+     /* The maximum number of bytes in an hdmx device record is the */
+-    /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is   */
+-    /* the reason why `record_size' is a long (which we read as    */
+-    /* unsigned long for convenience).  In practice, two bytes     */
++    /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus      */
++    /* explaining why `record_size' is a long (which we read as    */
++    /* unsigned long for convenience).  In practice, two bytes are */
+     /* sufficient to hold the size value.                          */
+     /*                                                             */
+     /* There are at least two fonts, HANNOM-A and HANNOM-B version */
+@@ -522,8 +522,10 @@
+       record_size &= 0xFFFFU;
+ 
+     /* The limit for `num_records' is a heuristic value. */
+-
+-    if ( version != 0 || num_records > 255 || record_size > 0x10001L )
++    if ( version != 0           ||
++         num_records > 255      ||
++         record_size > 0x10001L ||
++         record_size < 4        )
+     {
+       error = FT_THROW( Invalid_File_Format );
+       goto Fail;
+-- 
+2.1.4
+
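Review bot: the comment directly above the reworked condition still reads `The limit for num_records is a heuristic value`, but the condition now also imposes a lower bound, `record_size < 4`, which is not a heuristic. Extend the comment to say what the four bytes account for (the minimum an hdmx device record must hold) so the next reader doesn't treat it as tunable alongside the `255` and `0x10001L` limits.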
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0005-sfnt-Fix-Savannah-bug-43672.-CVE-2014-9658.patch
+++ freetype-2.5.2/debian/patches-freetype/0005-sfnt-Fix-Savannah-bug-43672.-CVE-2014-9658.patch
@@ -0,0 +1,29 @@
+From 19389867e134b069bb4462c0a930461a3dc6c2b9 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 24 Nov 2014 09:31:32 +0100
+Subject: [sfnt] Fix Savannah bug #43672. CVE-2014-9658
+
+* src/sfnt/ttkern.c (tt_face_load_kern): Use correct value for
+minimum table length test.
+
+(cherry picked from commit f70d9342e65cd2cb44e9f26b6d7edeedf191fc6c)
+---
+ freetype-2.5.2/src/sfnt/ttkern.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git freetype-2.5.2/src/sfnt/ttkern.c freetype-2.5.2/src/sfnt/ttkern.c
+index 32c4008..455e7b5 100644
+--- freetype-2.5.2/src/sfnt/ttkern.c
++++ freetype-2.5.2/src/sfnt/ttkern.c
+@@ -99,7 +99,7 @@
+       length   = FT_NEXT_USHORT( p );
+       coverage = FT_NEXT_USHORT( p );
+ 
+-      if ( length <= 6 )
++      if ( length <= 6 + 8 )
+         break;
+ 
+       p_next += length;
+-- 
+2.1.4
+
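Review bot: `length <= 6 + 8` encodes two layout constants without naming them: the `6` is the subtable header just read (`version`, `length`, `coverage`, three 16-bit fields) and the `8` is the format 0 header that follows (`nPairs`, `searchRange`, `entrySelector`, `rangeShift`). A comment or two named constants would make the bound self-explanatory and make it obvious that the test deliberately rejects a subtable that is exactly large enough for the headers but holds no pairs.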
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0006-cff-Fix-Savannah-bug-43661.-CVE-2014-9659.patch
+++ freetype-2.5.2/debian/patches-freetype/0006-cff-Fix-Savannah-bug-43661.-CVE-2014-9659.patch
@@ -0,0 +1,99 @@
+From 2c67877c034f28520d4daabf2d24ac94b2d47df0 Mon Sep 17 00:00:00 2001
+From: Dave Arnold <darnold@adobe.com>
+Date: Thu, 4 Dec 2014 06:10:16 +0100
+Subject: [cff] Fix Savannah bug #43661. CVE-2014-9659
+
+* src/cff/cf2intrp.c (cf2_interpT2CharString) <cf2_cmdHSTEM,
+cf2_cmdVSTEM, cf2_cmdHINTMASK>: Don't append to stem arrays after
+hintmask is constructed.
+
+* src/cff/cf2hints.c (cf2_hintmap_build): Add defensive code to
+avoid reading past end of hintmask.
+
+(cherry picked from commit 2cdc4562f873237f1c77d43540537c7a721d3fd8)
+---
+ freetype-2.5.2/src/cff/cf2hints.c |  5 ++++-
+ freetype-2.5.2/src/cff/cf2intrp.c | 21 ++++++++++++++-------
+ 2 files changed, 18 insertions(+), 8 deletions(-)
+
+diff --git freetype-2.5.2/src/cff/cf2hints.c freetype-2.5.2/src/cff/cf2hints.c
+index 5f44161..ba28e0c 100644
+--- freetype-2.5.2/src/cff/cf2hints.c
++++ freetype-2.5.2/src/cff/cf2hints.c
+@@ -792,9 +792,12 @@
+     maskPtr      = cf2_hintmask_getMaskPtr( &tempHintMask );
+ 
+     /* use the hStem hints only, which are first in the mask */
+-    /* TODO: compare this to cffhintmaskGetBitCount */
+     bitCount = cf2_arrstack_size( hStemHintArray );
+ 
++    /* Defense-in-depth.  Should never return here. */
++    if ( bitCount > hintMask->bitCount )
++        return;
++
+     /* synthetic embox hints get highest priority */
+     if ( font->blues.doEmBoxHints )
+     {
+diff --git freetype-2.5.2/src/cff/cf2intrp.c freetype-2.5.2/src/cff/cf2intrp.c
+index 5610917..a269606 100644
+--- freetype-2.5.2/src/cff/cf2intrp.c
++++ freetype-2.5.2/src/cff/cf2intrp.c
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    Adobe's CFF Interpreter (body).                                      */
+ /*                                                                         */
+-/*  Copyright 2007-2013 Adobe Systems Incorporated.                        */
++/*  Copyright 2007-2014 Adobe Systems Incorporated.                        */
+ /*                                                                         */
+ /*  This software, and all works of authorship, whether in source or       */
+ /*  object code form as indicated by the copyright notice(s) included      */
+@@ -593,8 +593,11 @@
+ 
+         /* never add hints after the mask is computed */
+         if ( cf2_hintmask_isValid( &hintMask ) )
++        {
+           FT_TRACE4(( "cf2_interpT2CharString:"
+                       " invalid horizontal hint mask\n" ));
++          break;
++        }
+ 
+         cf2_doStems( font,
+                      opStack,
+@@ -614,8 +617,11 @@
+ 
+         /* never add hints after the mask is computed */
+         if ( cf2_hintmask_isValid( &hintMask ) )
++        {
+           FT_TRACE4(( "cf2_interpT2CharString:"
+                       " invalid vertical hint mask\n" ));
++          break;
++        }
+ 
+         cf2_doStems( font,
+                      opStack,
+@@ -1141,15 +1147,16 @@
+         /* `cf2_hintmask_read' (which also traces the mask bytes) */
+         FT_TRACE4(( op1 == cf2_cmdCNTRMASK ? " cntrmask" : " hintmask" ));
+ 
+-        /* if there are arguments on the stack, there this is an */
+-        /* implied cf2_cmdVSTEMHM                                */
+-        if ( cf2_stack_count( opStack ) != 0 )
++        /* never add hints after the mask is computed */
++        if ( cf2_stack_count( opStack ) > 1    &&
++             cf2_hintmask_isValid( &hintMask ) )
+         {
+-          /* never add hints after the mask is computed */
+-          if ( cf2_hintmask_isValid( &hintMask ) )
+-            FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" ));
++          FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" ));
++          break;
+         }
+ 
++        /* if there are arguments on the stack, there this is an */
++        /* implied cf2_cmdVSTEMHM                                */
+         cf2_doStems( font,
+                      opStack,
+                      &vStemHintArray,
+-- 
+2.1.4
+
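Review bot: in the `cf2_cmdHINTMASK` hunk the guard changed from `cf2_stack_count( opStack ) != 0` to `cf2_stack_count( opStack ) > 1` while being combined with `cf2_hintmask_isValid`, so a stack holding exactly one argument with a valid mask no longer hits the `break` and falls through to `cf2_doStems`; if that is deliberate (a single value can't form a stem pair, so nothing is appended) say so in the comment, otherwise keep `!= 0`. Two style points: the `return;` added in `cf2_hintmap_build` is indented eight spaces where the surrounding code uses a two-space step, and the moved comment `there this is an implied cf2_cmdVSTEMHM` carries a pre-existing typo that could be fixed while it is being moved.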
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0007-bdf-Fix-Savannah-bug-43660.-CVE-2014-9660.patch
+++ freetype-2.5.2/debian/patches-freetype/0007-bdf-Fix-Savannah-bug-43660.-CVE-2014-9660.patch
@@ -0,0 +1,35 @@
+From beec79fa289f8cd246b985d9925dd60964ae5491 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 22 Nov 2014 13:29:10 +0100
+Subject: [bdf] Fix Savannah bug #43660. CVE-2014-9660
+
+* src/bdf/bdflib.c (_bdf_parse_glyphs) <"ENDFONT">: Check
+`_BDF_GLYPH_BITS'.
+
+(cherry picked from commit af8346172a7b573715134f7a51e6c5c60fa7f2ab)
+---
+ freetype-2.5.2/src/bdf/bdflib.c | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git freetype-2.5.2/src/bdf/bdflib.c freetype-2.5.2/src/bdf/bdflib.c
+index 0b8412d..d613159 100644
+--- freetype-2.5.2/src/bdf/bdflib.c
++++ freetype-2.5.2/src/bdf/bdflib.c
+@@ -1544,6 +1544,14 @@
+     /* Check for the ENDFONT field. */
+     if ( ft_memcmp( line, "ENDFONT", 7 ) == 0 )
+     {
++      if ( p->flags & _BDF_GLYPH_BITS )
++      {
++        /* Missing ENDCHAR field. */
++        FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENDCHAR" ));
++        error = FT_THROW( Corrupted_Font_Glyphs );
++        goto Exit;
++      }
++
+       /* Sort the glyphs by encoding. */
+       ft_qsort( (char *)font->glyphs,
+                 font->glyphs_used,
+-- 
+2.1.4
+
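Review bot: this is a behaviour change, not only a bounds fix: a BDF font whose last glyph lacks `ENDCHAR` before `ENDFONT` previously went on to the `ft_qsort` and loaded, and now fails with `Corrupted_Font_Glyphs`. That is the right call for a malformed file, but the Debian changelog line `[bdf] Fix Savannah bug #43660` gives no hint that some previously accepted fonts are now rejected; worth a word there for users who see a font stop loading after the update.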
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0008-type42-Allow-only-embedded-TrueType-fonts.-CVE-2014-.patch
+++ freetype-2.5.2/debian/patches-freetype/0008-type42-Allow-only-embedded-TrueType-fonts.-CVE-2014-.patch
@@ -0,0 +1,34 @@
+From f81e0823c5bbf7692b20819328a2dd78bfa196b8 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 22 Nov 2014 12:44:33 +0100
+Subject: [type42] Allow only embedded TrueType fonts. CVE-2014-9661
+
+This is a follow-up to Savannah bug #43659.
+
+* src/type42/t42objs.c (T42_Face_Init): Exclusively use the
+`truetype' font driver for loading the font contained in the `sfnts'
+array.
+
+(cherry picked from commit 42fcd6693ec7bd6ffc65ddc63e74287a65dda669)
+---
+ freetype-2.5.2/src/type42/t42objs.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git freetype-2.5.2/src/type42/t42objs.c freetype-2.5.2/src/type42/t42objs.c
+index f5aa2ca..af64bf7 100644
+--- freetype-2.5.2/src/type42/t42objs.c
++++ freetype-2.5.2/src/type42/t42objs.c
+@@ -286,7 +286,9 @@
+       FT_Open_Args  args;
+ 
+ 
+-      args.flags       = FT_OPEN_MEMORY;
++      args.flags       = FT_OPEN_MEMORY | FT_OPEN_DRIVER;
++      args.driver      = FT_Get_Module( FT_FACE_LIBRARY( face ),
++                                        "truetype" );
+       args.memory_base = face->ttf_data;
+       args.memory_size = face->ttf_size;
+ 
+-- 
+2.1.4
+
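Review bot: `FT_Get_Module( ..., "truetype" )` returns NULL when the truetype module is not registered in the library, and `FT_Open_Face` only honours `FT_OPEN_DRIVER` when `args.driver` is non-NULL, so in that configuration the open silently falls back to scanning every driver and the restriction this patch introduces is lost. Check the return value and fail `T42_Face_Init` with an error instead (a Type42 wrapper can't be loaded without a TrueType driver anyway), rather than falling through.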
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0009-cff-Fix-Savannah-bug-43658.-CVE-2014-9662.patch
+++ freetype-2.5.2/debian/patches-freetype/0009-cff-Fix-Savannah-bug-43658.-CVE-2014-9662.patch
@@ -0,0 +1,102 @@
+From 5b1379de7cd336cde51a3fc45cfe5da8f70ebe89 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 22 Nov 2014 09:16:39 +0100
+Subject: [cff] Fix Savannah bug #43658. CVE-2014-9662
+
+* src/cff/cf2ft.c (cf2_builder_lineTo, cf2_builder_cubeTo): Handle
+return values of point allocation routines.
+
+(cherry picked from commit 5f201ab5c24cb69bc96b724fd66e739928d6c5e2)
+---
+ freetype-2.5.2/src/cff/cf2ft.c | 48 +++++++++++++++++++++++++++++++++---------
+ 1 file changed, 38 insertions(+), 10 deletions(-)
+
+diff --git freetype-2.5.2/src/cff/cf2ft.c freetype-2.5.2/src/cff/cf2ft.c
+index 4abbc9d..f8bf1b4 100644
+--- freetype-2.5.2/src/cff/cf2ft.c
++++ freetype-2.5.2/src/cff/cf2ft.c
+@@ -140,6 +140,8 @@
+   cf2_builder_lineTo( CF2_OutlineCallbacks      callbacks,
+                       const CF2_CallbackParams  params )
+   {
++    FT_Error  error;
++
+     /* downcast the object pointer */
+     CF2_Outline   outline = (CF2_Outline)callbacks;
+     CFF_Builder*  builder;
+@@ -154,15 +156,27 @@
+     {
+       /* record the move before the line; also check points and set */
+       /* `path_begun'                                               */
+-      cff_builder_start_point( builder,
+-                               params->pt0.x,
+-                               params->pt0.y );
++      error = cff_builder_start_point( builder,
++                                       params->pt0.x,
++                                       params->pt0.y );
++      if ( error )
++      {
++        if ( !*callbacks->error )
++          *callbacks->error =  error;
++        return;
++      }
+     }
+ 
+     /* `cff_builder_add_point1' includes a check_points call for one point */
+-    cff_builder_add_point1( builder,
+-                            params->pt1.x,
+-                            params->pt1.y );
++    error = cff_builder_add_point1( builder,
++                                    params->pt1.x,
++                                    params->pt1.y );
++    if ( error )
++    {
++      if ( !*callbacks->error )
++        *callbacks->error =  error;
++      return;
++    }
+   }
+ 
+ 
+@@ -170,6 +184,8 @@
+   cf2_builder_cubeTo( CF2_OutlineCallbacks      callbacks,
+                       const CF2_CallbackParams  params )
+   {
++    FT_Error  error;
++
+     /* downcast the object pointer */
+     CF2_Outline   outline = (CF2_Outline)callbacks;
+     CFF_Builder*  builder;
+@@ -184,13 +200,25 @@
+     {
+       /* record the move before the line; also check points and set */
+       /* `path_begun'                                               */
+-      cff_builder_start_point( builder,
+-                               params->pt0.x,
+-                               params->pt0.y );
++      error = cff_builder_start_point( builder,
++                                       params->pt0.x,
++                                       params->pt0.y );
++      if ( error )
++      {
++        if ( !*callbacks->error )
++          *callbacks->error =  error;
++        return;
++      }
+     }
+ 
+     /* prepare room for 3 points: 2 off-curve, 1 on-curve */
+-    cff_check_points( builder, 3 );
++    error = cff_check_points( builder, 3 );
++    if ( error )
++    {
++      if ( !*callbacks->error )
++        *callbacks->error =  error;
++      return;
++    }
+ 
+     cff_builder_add_point( builder,
+                            params->pt1.x,
+-- 
+2.1.4
+
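Review bot: the five-line propagation block `if ( error ) { if ( !*callbacks->error ) *callbacks->error = error; return; }` is now pasted four times across `cf2_builder_lineTo` and `cf2_builder_cubeTo`; a small static helper or macro would keep the copies from drifting. Two smaller points: `*callbacks->error =  error;` has a doubled space before `error` in every copy, and the new `FT_Error error;` is declared above the `/* downcast the object pointer */` comment, separating it from the other locals it belongs with. The `cff_builder_add_point` calls that follow the now-checked `cff_check_points( builder, 3 )` are fine left unchecked, since room for the three points has already been reserved.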
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0010-sfnt-Fix-Savannah-bug-43656.-CVE-2014-9663.patch
+++ freetype-2.5.2/debian/patches-freetype/0010-sfnt-Fix-Savannah-bug-43656.-CVE-2014-9663.patch
@@ -0,0 +1,40 @@
+From 82c605d68a03166c21a974b58155f78bce031cd1 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 22 Nov 2014 06:24:45 +0100
+Subject: [sfnt] Fix Savannah bug #43656. CVE-2014-9663
+
+* src/sfnt/ttcmap.c (tt_cmap4_validate): Fix order of validity
+tests.
+
+(cherry picked from commit 9bd20b7304aae61de5d50ac359cf27132bafd4c1)
+---
+ freetype-2.5.2/src/sfnt/ttcmap.c | 6 +++---
+ 1 file changed, 3 insertions(+), 3 deletions(-)
+
+diff --git freetype-2.5.2/src/sfnt/ttcmap.c freetype-2.5.2/src/sfnt/ttcmap.c
+index 9b7856b..c6ed872 100644
+--- freetype-2.5.2/src/sfnt/ttcmap.c
++++ freetype-2.5.2/src/sfnt/ttcmap.c
+@@ -825,9 +825,6 @@
+     FT_Error  error = FT_Err_Ok;
+ 
+ 
+-    if ( length < 16 )
+-      FT_INVALID_TOO_SHORT;
+-
+     /* in certain fonts, the `length' field is invalid and goes */
+     /* out of bound.  We try to correct this here...            */
+     if ( table + length > valid->limit )
+@@ -838,6 +835,9 @@
+       length = (FT_UInt)( valid->limit - table );
+     }
+ 
++    if ( length < 16 )
++      FT_INVALID_TOO_SHORT;
++
+     p        = table + 6;
+     num_segs = TT_NEXT_USHORT( p );   /* read segCountX2 */
+ 
+-- 
+2.1.4
+
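Review bot: the `length < 16` test now runs after the clamp `length = (FT_UInt)( valid->limit - table )`, which is the whole fix: a declared `length` large enough to pass the old early test but overrunning `valid->limit` was clamped to a value that could be below 16, leaving too few bytes for the header reads that follow (`p = table + 6`, `TT_NEXT_USHORT( p )`). Put a one-line comment on the moved check saying it must stay after the clamp, since to a later reader the reorder looks cosmetic.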
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0011-type1-type42-Fix-Savannah-bug-43655.-CVE-2014-9664.patch
+++ freetype-2.5.2/debian/patches-freetype/0011-type1-type42-Fix-Savannah-bug-43655.-CVE-2014-9664.patch
@@ -0,0 +1,43 @@
+From 31fddea8aa48f4c3fed12ff985da0a24b5561f46 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Fri, 21 Nov 2014 22:19:28 +0100
+Subject: [type1, type42] Fix Savannah bug #43655. CVE-2014-9664
+
+* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c
+(t42_parse_charstrings): Fix boundary testing.
+
+(cherry picked from commit dd89710f0f643eb0f99a3830e0712d26c7642acd)
+---
+ freetype-2.5.2/src/type1/t1load.c    | 2 +-
+ freetype-2.5.2/src/type42/t42parse.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git freetype-2.5.2/src/type1/t1load.c freetype-2.5.2/src/type1/t1load.c
+index 4b5026b..fca3279 100644
+--- freetype-2.5.2/src/type1/t1load.c
++++ freetype-2.5.2/src/type1/t1load.c
+@@ -1599,7 +1599,7 @@
+         FT_PtrDist  len;
+ 
+ 
+-        if ( cur + 1 >= limit )
++        if ( cur + 2 >= limit )
+         {
+           error = FT_THROW( Invalid_File_Format );
+           goto Fail;
+diff --git freetype-2.5.2/src/type42/t42parse.c freetype-2.5.2/src/type42/t42parse.c
+index 3cdd8a1..0b3e0c6 100644
+--- freetype-2.5.2/src/type42/t42parse.c
++++ freetype-2.5.2/src/type42/t42parse.c
+@@ -832,7 +832,7 @@
+         FT_PtrDist  len;
+ 
+ 
+-        if ( cur + 1 >= limit )
++        if ( cur + 2 >= limit )
+         {
+           FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
+           error = FT_THROW( Invalid_File_Format );
+-- 
+2.1.4
+
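Review bot: `cur + 1 >= limit` becoming `cur + 2 >= limit` is the same off-by-one at the same spot in both parsers, which suggests the bound should be expressed in terms of how many bytes the code below actually reads rather than as a literal. At minimum, add a comment at each site naming the three bytes the check now guarantees, so the two copies can be audited together. The `t42parse.c` copy logs `out of bounds` while the `t1load.c` copy is silent, a third small inconsistency worth smoothing.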
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0012-Make-FT_Bitmap_Convert-correctly-handle-negative-pit.patch
+++ freetype-2.5.2/debian/patches-freetype/0012-Make-FT_Bitmap_Convert-correctly-handle-negative-pit.patch
@@ -0,0 +1,169 @@
+From 91c554119a126f4476b2675a3729e8890a2b2e4a Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 19 Nov 2014 21:21:23 +0100
+Subject: Make `FT_Bitmap_Convert' correctly handle negative `pitch' values.
+ CVE-2014-9665-fixup
+
+* src/base/ftbitmap.c (FT_Bitmap_Convert): Always use positive value
+for the pitch while copying data.
+Correctly set pitch sign in target bitmap.
+
+(cherry picked from commit df485774fbbc7fd7dc9d3b278846f454654ad5df)
+---
+ freetype-2.5.2/src/base/ftbitmap.c | 63 +++++++++++++++++++++-----------------
+ 1 file changed, 35 insertions(+), 28 deletions(-)
+
+diff --git freetype-2.5.2/src/base/ftbitmap.c freetype-2.5.2/src/base/ftbitmap.c
+index 182b1cc..9223007 100644
+--- freetype-2.5.2/src/base/ftbitmap.c
++++ freetype-2.5.2/src/base/ftbitmap.c
+@@ -443,6 +443,8 @@
+     FT_Error   error = FT_Err_Ok;
+     FT_Memory  memory;
+ 
++    FT_Int  source_pitch, target_pitch;
++
+ 
+     if ( !library )
+       return FT_THROW( Invalid_Library_Handle );
+@@ -459,13 +461,15 @@
+     case FT_PIXEL_MODE_LCD_V:
+     case FT_PIXEL_MODE_BGRA:
+       {
+-        FT_Int   pad;
++        FT_Int   pad, old_target_pitch;
+         FT_Long  old_size;
+ 
+ 
+-        old_size = target->rows * target->pitch;
+-        if ( old_size < 0 )
+-          old_size = -old_size;
++        old_target_pitch = target->pitch;
++        if ( old_target_pitch < 0 )
++          old_target_pitch = -old_target_pitch;
++
++        old_size = target->rows * old_target_pitch;
+ 
+         target->pixel_mode = FT_PIXEL_MODE_GRAY;
+         target->rows       = source->rows;
+@@ -479,16 +483,18 @@
+             pad = alignment - pad;
+         }
+ 
+-        target->pitch = source->width + pad;
++        target_pitch = source->width + pad;
+ 
+-        if ( target->pitch > 0                                     &&
+-             (FT_ULong)target->rows > FT_ULONG_MAX / target->pitch )
++        if ( target_pitch > 0                                     &&
++             (FT_ULong)target->rows > FT_ULONG_MAX / target_pitch )
+           return FT_THROW( Invalid_Argument );
+ 
+-        if ( target->rows * target->pitch > old_size             &&
++        if ( target->rows * target_pitch > old_size               &&
+              FT_QREALLOC( target->buffer,
+-                          old_size, target->rows * target->pitch ) )
++                          old_size, target->rows * target_pitch ) )
+           return error;
++
++        target->pitch = target->pitch < 0 ? -target_pitch : target_pitch;
+       }
+       break;
+ 
+@@ -496,6 +502,10 @@
+       error = FT_THROW( Invalid_Argument );
+     }
+ 
++    source_pitch = source->pitch;
++    if ( source_pitch < 0 )
++      source_pitch = -source_pitch;
++
+     switch ( source->pixel_mode )
+     {
+     case FT_PIXEL_MODE_MONO:
+@@ -548,8 +558,8 @@
+             }
+           }
+ 
+-          s += source->pitch;
+-          t += target->pitch;
++          s += source_pitch;
++          t += target_pitch;
+         }
+       }
+       break;
+@@ -559,11 +569,9 @@
+     case FT_PIXEL_MODE_LCD:
+     case FT_PIXEL_MODE_LCD_V:
+       {
+-        FT_Int    width   = source->width;
+-        FT_Byte*  s       = source->buffer;
+-        FT_Byte*  t       = target->buffer;
+-        FT_Int    s_pitch = source->pitch;
+-        FT_Int    t_pitch = target->pitch;
++        FT_Int    width = source->width;
++        FT_Byte*  s     = source->buffer;
++        FT_Byte*  t     = target->buffer;
+         FT_Int    i;
+ 
+ 
+@@ -573,8 +581,8 @@
+         {
+           FT_ARRAY_COPY( t, s, width );
+ 
+-          s += s_pitch;
+-          t += t_pitch;
++          s += source_pitch;
++          t += target_pitch;
+         }
+       }
+       break;
+@@ -625,8 +633,8 @@
+             }
+           }
+ 
+-          s += source->pitch;
+-          t += target->pitch;
++          s += source_pitch;
++          t += target_pitch;
+         }
+       }
+       break;
+@@ -664,18 +672,17 @@
+           if ( source->width & 1 )
+             tt[0] = (FT_Byte)( ( ss[0] & 0xF0 ) >> 4 );
+ 
+-          s += source->pitch;
+-          t += target->pitch;
++          s += source_pitch;
++          t += target_pitch;
+         }
+       }
+       break;
+ 
++
+     case FT_PIXEL_MODE_BGRA:
+       {
+-        FT_Byte*  s       = source->buffer;
+-        FT_Byte*  t       = target->buffer;
+-        FT_Int    s_pitch = source->pitch;
+-        FT_Int    t_pitch = target->pitch;
++        FT_Byte*  s = source->buffer;
++        FT_Byte*  t = target->buffer;
+         FT_Int    i;
+ 
+ 
+@@ -696,8 +703,8 @@
+             tt += 1;
+           }
+ 
+-          s += s_pitch;
+-          t += t_pitch;
++          s += source_pitch;
++          t += target_pitch;
+         }
+       }
+       break;
+-- 
+2.1.4
+
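Review bot: `target_pitch` is declared at the top (`FT_Int  source_pitch, target_pitch;`) but only assigned inside the `case` block of the first `switch`; the `default:` branch sets `error` and falls out of that switch, so the second `switch` is reached with `target_pitch` indeterminate. Initialize it at the declaration, or return `error` right after the first switch, and note in a comment that every case of the second switch assumes the first one set it. Also, `target->pitch = target->pitch < 0 ? -target_pitch : target_pitch;` keeps the sign of the old target pitch, whereas the commit message's `Correctly set pitch sign in target bitmap` reads as if the sign came from the source; clarify which is intended.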
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0013-Fix-uninitialized-variable-warning.-CVE-2014-9665-fi.patch
+++ freetype-2.5.2/debian/patches-freetype/0013-Fix-uninitialized-variable-warning.-CVE-2014-9665-fi.patch
@@ -0,0 +1,31 @@
+From 3c8cb26b672f02272604a66fd5af0f53cab1c872 Mon Sep 17 00:00:00 2001
+From: Keith Packard <keithp@keithp.com>
+Date: Mon, 23 Feb 2015 20:47:24 -0800
+Subject: Fix uninitialized variable warning. CVE-2014-9665-fixup-2
+
+The 'target_pitch' value is computed in one switch and used in
+another; every use case is covered by the computation above, but the
+compiler  can't figure that out, leaving a warning which we turn into
+an error.
+
+Signed-off-by: Keith Packard <keithp@keithp.com>
+---
+ freetype-2.5.2/src/base/ftbitmap.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git freetype-2.5.2/src/base/ftbitmap.c freetype-2.5.2/src/base/ftbitmap.c
+index 9223007..b9c2ef4 100644
+--- freetype-2.5.2/src/base/ftbitmap.c
++++ freetype-2.5.2/src/base/ftbitmap.c
+@@ -443,7 +443,7 @@
+     FT_Error   error = FT_Err_Ok;
+     FT_Memory  memory;
+ 
+-    FT_Int  source_pitch, target_pitch;
++    FT_Int  source_pitch, target_pitch = 0;
+ 
+ 
+     if ( !library )
+-- 
+2.1.4
+
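Review bot: `target_pitch = 0` silences the warning, but zero is not a valid pitch, so if the first switch's `default:` path is ever followed by a copy loop, `t += target_pitch` would write every source row over the same target row instead of failing loudly. The safer fix is to return `error` right after the first switch; the commit message's own reasoning, that `every use case is covered by the computation above`, is exactly the invariant an early return would enforce rather than assume. Minor: doubled space in the commit message, `compiler  can't`.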
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0014-Change-some-fields-in-FT_Bitmap-to-unsigned-type.-CV.patch
+++ freetype-2.5.2/debian/patches-freetype/0014-Change-some-fields-in-FT_Bitmap-to-unsigned-type.-CV.patch
@@ -0,0 +1,237 @@
+From 6dfb8afb2f8e7018ab20ad4ec001633edda3a96c Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 19 Nov 2014 21:28:21 +0100
+Subject: Change some fields in `FT_Bitmap' to unsigned type. CVE-2014-9665
+
+This doesn't break ABI.
+
+* include/ftimage.h (FT_Bitmap): Make `rows', `width', `num_grays',
+`pixel_mode', and `palette_mode' unsigned types.
+
+* src/base/ftbitmap.c: Updated.
+(FT_Bitmap_Copy): Fix casts.
+
+* src/cache/ftcsbits.c, src/raster/ftraster.c, src/sfnt/pngshim.c:
+Updated.
+
+(cherry picked from commit b3500af717010137046ec4076d1e1c0641e33727)
+---
+ freetype-2.5.2/include/ftimage.h     | 10 +++++-----
+ freetype-2.5.2/src/base/ftbitmap.c   | 25 +++++++++++++------------
+ freetype-2.5.2/src/cache/ftcsbits.c  |  8 ++++----
+ freetype-2.5.2/src/raster/ftraster.c | 12 ++++++------
+ freetype-2.5.2/src/sfnt/pngshim.c    | 10 +++++-----
+ 5 files changed, 33 insertions(+), 32 deletions(-)
+
+diff --git freetype-2.5.2/include/ftimage.h freetype-2.5.2/include/ftimage.h
+index ea71a78..b66f036 100644
+--- freetype-2.5.2/include/ftimage.h
++++ freetype-2.5.2/include/ftimage.h
+@@ -318,13 +318,13 @@ FT_BEGIN_HEADER
+   /*                                                                       */
+   typedef struct  FT_Bitmap_
+   {
+-    int             rows;
+-    int             width;
++    unsigned int    rows;
++    unsigned int    width;
+     int             pitch;
+     unsigned char*  buffer;
+-    short           num_grays;
+-    char            pixel_mode;
+-    char            palette_mode;
++    unsigned short  num_grays;
++    unsigned char   pixel_mode;
++    unsigned char   palette_mode;
+     void*           palette;
+ 
+   } FT_Bitmap;
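Review bot: the changelog entry for this upload should say that this is a public-header change, not only an internal one: the new unsigned `rows`, `width`, `num_grays`, `pixel_mode` and `palette_mode` keep their sizes (so the "doesn't break ABI" claim in the commit message holds), but every reverse dependency that compares an `int` loop index against `bitmap->rows` or `bitmap->width` will pick up new -Wsign-compare warnings when rebuilt, and `pitch` is now the only signed field left in the struct, which is easy to trip over in client code.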
+diff --git freetype-2.5.2/src/base/ftbitmap.c freetype-2.5.2/src/base/ftbitmap.c
+index b9c2ef4..127bfc5 100644
+--- freetype-2.5.2/src/base/ftbitmap.c
++++ freetype-2.5.2/src/base/ftbitmap.c
+@@ -62,7 +62,7 @@
+ 
+     if ( pitch < 0 )
+       pitch = -pitch;
+-    size = (FT_ULong)( pitch * source->rows );
++    size = (FT_ULong)pitch * source->rows;
+ 
+     if ( target->buffer )
+     {
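Review bot: `size = (FT_ULong)pitch * source->rows;` is the actual fix here: casting the operand makes the multiplication happen in FT_ULong, whereas the old `(FT_ULong)( pitch * source->rows )` only cast the already-overflowed `int` product. The same change is made for `target_size` in the next hunk. Since `pitch` was just negated if negative, the conversion is well-defined; a one-line comment saying the cast must stay on the operand would stop a later tidy-up from reintroducing the overflow.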
+@@ -72,7 +72,7 @@
+ 
+       if ( target_pitch < 0  )
+         target_pitch = -target_pitch;
+-      target_size = (FT_ULong)( target_pitch * target->rows );
++      target_size = (FT_ULong)target_pitch * target->rows;
+ 
+       if ( target_size != size )
+         (void)FT_QREALLOC( target->buffer, target_size, size );
+@@ -106,7 +106,7 @@
+     int             pitch;
+     int             new_pitch;
+     FT_UInt         bpp;
+-    FT_Int          i, width, height;
++    FT_UInt         i, width, height;
+     unsigned char*  buffer = NULL;
+ 
+ 
+@@ -144,17 +144,17 @@
+     if ( ypixels == 0 && new_pitch <= pitch )
+     {
+       /* zero the padding */
+-      FT_Int  bit_width = pitch * 8;
+-      FT_Int  bit_last  = ( width + xpixels ) * bpp;
++      FT_UInt  bit_width = pitch * 8;
++      FT_UInt  bit_last  = ( width + xpixels ) * bpp;
+ 
+ 
+       if ( bit_last < bit_width )
+       {
+         FT_Byte*  line  = bitmap->buffer + ( bit_last >> 3 );
+         FT_Byte*  end   = bitmap->buffer + pitch;
+-        FT_Int    shift = bit_last & 7;
++        FT_UInt   shift = bit_last & 7;
+         FT_UInt   mask  = 0xFF00U >> shift;
+-        FT_Int    count = height;
++        FT_UInt   count = height;
+ 
+ 
+         for ( ; count > 0; count--, line += pitch, end += pitch )
+@@ -180,7 +180,7 @@
+ 
+     if ( bitmap->pitch > 0 )
+     {
+-      FT_Int  len = ( width * bpp + 7 ) >> 3;
++      FT_UInt  len = ( width * bpp + 7 ) >> 3;
+ 
+ 
+       for ( i = 0; i < bitmap->rows; i++ )
+@@ -189,7 +189,7 @@
+     }
+     else
+     {
+-      FT_Int  len = ( width * bpp + 7 ) >> 3;
++      FT_UInt  len = ( width * bpp + 7 ) >> 3;
+ 
+ 
+       for ( i = 0; i < bitmap->rows; i++ )
+@@ -220,7 +220,8 @@
+   {
+     FT_Error        error;
+     unsigned char*  p;
+-    FT_Int          i, x, y, pitch;
++    FT_Int          i, x, pitch;
++    FT_UInt         y;
+     FT_Int          xstr, ystr;
+ 
+ 
+@@ -461,8 +462,8 @@
+     case FT_PIXEL_MODE_LCD_V:
+     case FT_PIXEL_MODE_BGRA:
+       {
+-        FT_Int   pad, old_target_pitch;
+-        FT_Long  old_size;
++        FT_Int    pad, old_target_pitch;
++        FT_ULong  old_size;
+ 
+ 
+         old_target_pitch = target->pitch;
+diff --git freetype-2.5.2/src/cache/ftcsbits.c freetype-2.5.2/src/cache/ftcsbits.c
+index 6df1c19..59727d1 100644
+--- freetype-2.5.2/src/cache/ftcsbits.c
++++ freetype-2.5.2/src/cache/ftcsbits.c
+@@ -4,7 +4,7 @@
+ /*                                                                         */
+ /*    FreeType sbits manager (body).                                       */
+ /*                                                                         */
+-/*  Copyright 2000-2006, 2009-2011, 2013 by                                */
++/*  Copyright 2000-2006, 2009-2011, 2013, 2014 by                          */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -142,12 +142,12 @@
+         goto BadGlyph;
+       }
+ 
+-      /* Check that our values fit into 8-bit containers!       */
++      /* Check whether our values fit into 8-bit containers!    */
+       /* If this is not the case, our bitmap is too large       */
+       /* and we will leave it as `missing' with sbit.buffer = 0 */
+ 
+-#define CHECK_CHAR( d )  ( temp = (FT_Char)d, temp == d )
+-#define CHECK_BYTE( d )  ( temp = (FT_Byte)d, temp == d )
++#define CHECK_CHAR( d )  ( temp = (FT_Char)d, (FT_Int) temp == (FT_Int) d )
++#define CHECK_BYTE( d )  ( temp = (FT_Byte)d, (FT_UInt)temp == (FT_UInt)d )
+ 
+       /* horizontal advance in pixels */
+       xadvance = ( slot->advance.x + 32 ) >> 6;
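Review bot: the new CHECK_CHAR/CHECK_BYTE bodies compare through explicit FT_Int/FT_UInt casts so the round-trip test is not affected by the integer promotion in `temp == d` now that `width` and `rows` are unsigned; that is correct, but both macros still depend on a `temp` variable of the right type in the enclosing scope and on `d` being an expression without side effects, since it is evaluated twice. A short comment above the `#define`s stating both would save the next reader a trip.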
+diff --git freetype-2.5.2/src/raster/ftraster.c freetype-2.5.2/src/raster/ftraster.c
+index 8aa1113..6415d66 100644
+--- freetype-2.5.2/src/raster/ftraster.c
++++ freetype-2.5.2/src/raster/ftraster.c
+@@ -2550,7 +2550,7 @@
+ 
+         e1 = TRUNC( e1 );
+ 
+-        if ( e1 >= 0 && e1 < ras.target.rows )
++        if ( e1 >= 0 && (ULong)e1 < ras.target.rows )
+         {
+           PByte  p;
+ 
+@@ -2644,7 +2644,7 @@
+         /* bounding box instead                                           */
+         if ( pxl < 0 )
+           pxl = e1;
+-        else if ( TRUNC( pxl ) >= ras.target.rows )
++        else if ( (ULong)( TRUNC( pxl ) ) >= ras.target.rows )
+           pxl = e2;
+ 
+         /* check that the other pixel isn't set */
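Review bot: unlike the other three hunks in this file, `(ULong)( TRUNC( pxl ) ) >= ras.target.rows` has no `>= 0` test in front of the cast; it is safe only because the `if ( pxl < 0 )` branch immediately above takes every negative `pxl` first, so `TRUNC( pxl )` is non-negative in the `else if`. Worth a comment on that line, since a later reorder of the two branches would silently turn a negative value into a huge unsigned one and skip the clamp.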
+@@ -2659,9 +2659,9 @@
+         if ( ras.target.pitch > 0 )
+           bits += ( ras.target.rows - 1 ) * ras.target.pitch;
+ 
+-        if ( e1 >= 0              &&
+-             e1 < ras.target.rows &&
+-             *bits & f1           )
++        if ( e1 >= 0                     &&
++             (ULong)e1 < ras.target.rows &&
++             *bits & f1                  )
+           return;
+       }
+       else
+@@ -2673,7 +2673,7 @@
+ 
+     e1 = TRUNC( pxl );
+ 
+-    if ( e1 >= 0 && e1 < ras.target.rows )
++    if ( e1 >= 0 && (ULong)e1 < ras.target.rows )
+     {
+       bits -= e1 * ras.target.pitch;
+       if ( ras.target.pitch > 0 )
+diff --git freetype-2.5.2/src/sfnt/pngshim.c freetype-2.5.2/src/sfnt/pngshim.c
+index 878de1f..79374b7 100644
+--- freetype-2.5.2/src/sfnt/pngshim.c
++++ freetype-2.5.2/src/sfnt/pngshim.c
+@@ -205,11 +205,11 @@
+       goto Exit;
+     }
+ 
+-    if ( !populate_map_and_metrics                   &&
+-         ( x_offset + metrics->width  > map->width ||
+-           y_offset + metrics->height > map->rows  ||
+-           pix_bits != 32                          ||
+-           map->pixel_mode != FT_PIXEL_MODE_BGRA   ) )
++    if ( !populate_map_and_metrics                            &&
++         ( (FT_UInt)x_offset + metrics->width  > map->width ||
++           (FT_UInt)y_offset + metrics->height > map->rows  ||
++           pix_bits != 32                                   ||
++           map->pixel_mode != FT_PIXEL_MODE_BGRA            ) )
+     {
+       error = FT_THROW( Invalid_Argument );
+       goto Exit;
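Review bot: after the `(FT_UInt)` casts a negative `x_offset` or `y_offset` wraps to a large value, fails the bounds test and is rejected with Invalid_Argument. That is the safe direction, but it is a behavioural change from the signed comparison if negative offsets were ever accepted for these bitmaps. If they are invalid by definition, an explicit `x_offset < 0 || y_offset < 0` clause would state that; if they are not, the cast needs a separate check rather than relying on the wrap.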
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0015-sfnt-Fix-Savannah-bug-43591.-CVE-2014-9666.patch
+++ freetype-2.5.2/debian/patches-freetype/0015-sfnt-Fix-Savannah-bug-43591.-CVE-2014-9666.patch
@@ -0,0 +1,35 @@
+From 4ebd46e114fb98084d937d09e003c9fd8f6f5939 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 12 Nov 2014 21:42:13 +0100
+Subject: [sfnt] Fix Savannah bug #43591. CVE-2014-9666
+
+* src/sfnt/ttsbit.c (tt_sbit_decoder_init): Protect against addition
+and multiplication overflow.
+
+(cherry picked from commit 257c270bd25e15890190a28a1456e7623bba4439)
+---
+ freetype-2.5.2/src/sfnt/ttsbit.c | 8 +++++---
+ 1 file changed, 5 insertions(+), 3 deletions(-)
+
+diff --git freetype-2.5.2/src/sfnt/ttsbit.c freetype-2.5.2/src/sfnt/ttsbit.c
+index 38c680e..f223c5a 100644
+--- freetype-2.5.2/src/sfnt/ttsbit.c
++++ freetype-2.5.2/src/sfnt/ttsbit.c
+@@ -380,9 +380,11 @@
+       p                          += 34;
+       decoder->bit_depth          = *p;
+ 
+-      if ( decoder->strike_index_array > face->sbit_table_size             ||
+-           decoder->strike_index_array + 8 * decoder->strike_index_count >
+-             face->sbit_table_size                                         )
++      /* decoder->strike_index_array +                               */
++      /*   8 * decoder->strike_index_count > face->sbit_table_size ? */
++      if ( decoder->strike_index_array > face->sbit_table_size           ||
++           decoder->strike_index_count >
++             ( face->sbit_table_size - decoder->strike_index_array ) / 8 )
+         error = FT_THROW( Invalid_File_Format );
+     }
+ 
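Review bot: the comment above the condition restates the old expression but not why the first clause must stay: `decoder->strike_index_array > face->sbit_table_size` is what keeps `face->sbit_table_size - decoder->strike_index_array` from wrapping, and the `/ 8` quotient only means anything after that. With that guard in place, `count > ( size - array ) / 8` with truncating division is exactly equivalent to `array + 8 * count > size`, so the rewrite is correct; add the dependency to the comment.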
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0016-sfnt-Fix-Savannah-bug-43590.-CVE-2014-9667.patch
+++ freetype-2.5.2/debian/patches-freetype/0016-sfnt-Fix-Savannah-bug-43590.-CVE-2014-9667.patch
@@ -0,0 +1,53 @@
+From f4e4eb6ba541c32bbad8a1d8db68e5a4cb9ba423 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 12 Nov 2014 21:26:44 +0100
+Subject: [sfnt] Fix Savannah bug #43590. CVE-2014-9667
+
+* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
+Protect against addition overflow.
+
+(cherry picked from commit 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891)
+---
+ freetype-2.5.2/src/sfnt/ttload.c | 12 +++++++++---
+ 1 file changed, 9 insertions(+), 3 deletions(-)
+
+diff --git freetype-2.5.2/src/sfnt/ttload.c freetype-2.5.2/src/sfnt/ttload.c
+index 0a3cd29..8338150 100644
+--- freetype-2.5.2/src/sfnt/ttload.c
++++ freetype-2.5.2/src/sfnt/ttload.c
+@@ -5,7 +5,7 @@
+ /*    Load the basic TrueType tables, i.e., tables that can be either in   */
+ /*    TTF or OTF fonts (body).                                             */
+ /*                                                                         */
+-/*  Copyright 1996-2010, 2012, 2013 by                                     */
++/*  Copyright 1996-2010, 2012-2014 by                                      */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -207,7 +207,10 @@
+       }
+ 
+       /* we ignore invalid tables */
+-      if ( table.Offset + table.Length > stream->size )
++
++      /* table.Offset + table.Length > stream->size ? */
++      if ( table.Length > stream->size                ||
++           table.Offset > stream->size - table.Length )
+       {
+         FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
+         continue;
+@@ -395,7 +398,10 @@
+       entry->Length   = FT_GET_ULONG();
+ 
+       /* ignore invalid tables */
+-      if ( entry->Offset + entry->Length > stream->size )
++
++      /* entry->Offset + entry->Length > stream->size ? */
++      if ( entry->Length > stream->size                 ||
++           entry->Offset > stream->size - entry->Length )
+         continue;
+       else
+       {
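Review bot: the same two-clause test (`Length > stream->size || Offset > stream->size - Length`) now appears in both check_table_dir and tt_face_load_font_dir, and the identical idiom is repeated in sfobjs.c and pcfread.c later in this series. A small static helper (say `ft_range_fits( offset, length, size )`, a name used here only for illustration) would keep the clause order, which is what prevents the underflow, from diverging between the copies.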
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0017-sfnt-Fix-Savannah-bug-43589.-CVE-2014-9668.patch
+++ freetype-2.5.2/debian/patches-freetype/0017-sfnt-Fix-Savannah-bug-43589.-CVE-2014-9668.patch
@@ -0,0 +1,33 @@
+From eae341fbe8a57e4d30050b71f2956f1da053eb4b Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 12 Nov 2014 21:06:08 +0100
+Subject: [sfnt] Fix Savannah bug #43589. CVE-2014-9668
+
+* src/sfnt/sfobjs.c (woff_open_font): Protect against addition
+overflow.
+
+(cherry picked from commit f46add13895337ece929b18bb8f036431b3fb538)
+---
+ freetype-2.5.2/src/sfnt/sfobjs.c | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git freetype-2.5.2/src/sfnt/sfobjs.c freetype-2.5.2/src/sfnt/sfobjs.c
+index a31c77c..d202ca0 100644
+--- freetype-2.5.2/src/sfnt/sfobjs.c
++++ freetype-2.5.2/src/sfnt/sfobjs.c
+@@ -574,8 +574,10 @@
+ 
+ 
+       if ( table->Offset != woff_offset                         ||
+-           table->Offset + table->CompLength > woff.length      ||
+-           sfnt_offset + table->OrigLength > woff.totalSfntSize ||
++           table->CompLength > woff.length                      ||
++           table->Offset > woff.length - table->CompLength      ||
++           table->OrigLength > woff.totalSfntSize               ||
++           sfnt_offset > woff.totalSfntSize - table->OrigLength ||
+            table->CompLength > table->OrigLength                )
+       {
+         error = FT_THROW( Invalid_Table );
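Review bot: the ordering of the new clauses is load-bearing and deserves a comment: `table->CompLength > woff.length` must be evaluated before `table->Offset > woff.length - table->CompLength`, and `table->OrigLength > woff.totalSfntSize` before `sfnt_offset > woff.totalSfntSize - table->OrigLength`, because each first clause is what keeps the subtraction in the second from wrapping. The `/* a + b > c ? */` comment style used in ttload.c would document that here as well.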
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0018-sfnt-Fix-Savannah-bug-43588.-CVE-2014-9669.patch
+++ freetype-2.5.2/debian/patches-freetype/0018-sfnt-Fix-Savannah-bug-43588.-CVE-2014-9669.patch
@@ -0,0 +1,123 @@
+From 3cba76af29963f3fd1925ed6128cdf95bf8d4823 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 12 Nov 2014 20:51:20 +0100
+Subject: [sfnt] Fix Savannah bug #43588. CVE-2014-9669
+
+* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
+tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect
+against overflow in additions and multiplications.
+
+(cherry picked from commit 602040b1112c9f94d68e200be59ea7ac3d104565)
+---
+ freetype-2.5.2/src/sfnt/ttcmap.c | 39 ++++++++++++++++++++++++++++++---------
+ 1 file changed, 30 insertions(+), 9 deletions(-)
+
+diff --git freetype-2.5.2/src/sfnt/ttcmap.c freetype-2.5.2/src/sfnt/ttcmap.c
+index c6ed872..9050ebf 100644
+--- freetype-2.5.2/src/sfnt/ttcmap.c
++++ freetype-2.5.2/src/sfnt/ttcmap.c
+@@ -1649,7 +1649,8 @@
+     p          = is32  + 8192;          /* skip `is32' array */
+     num_groups = TT_NEXT_ULONG( p );
+ 
+-    if ( p + num_groups * 12 > valid->limit )
++    /* p + num_groups * 12 > valid->limit ? */
++    if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check groups, they must be in increasing order */
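Review bot: `num_groups > (FT_UInt32)( valid->limit - p ) / 12` is only a valid bound if `p`, which was just advanced past the 8192-byte `is32` array, is already known to be at or below `valid->limit`; otherwise the negative difference becomes a large unsigned quotient and the test passes. The earlier length test for `table + 16 + 8192` is outside this hunk, so please confirm it precedes this line and mention it in the comment.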
+@@ -1674,7 +1675,12 @@
+ 
+         if ( valid->level >= FT_VALIDATE_TIGHT )
+         {
+-          if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
++          FT_UInt32  d = end - start;
++
++
++          /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
++          if ( d > TT_VALID_GLYPH_COUNT( valid )             ||
++               start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
+             FT_INVALID_GLYPH_ID;
+ 
+           count = (FT_UInt32)( end - start + 1 );
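Review bot: `FT_UInt32 d = end - start;` wraps if `start > end`; the loop comment says groups must be increasing and that ordering check presumably rejects such input earlier, but it is outside the hunk and this block only runs at FT_VALIDATE_TIGHT, so the guarantee is not visible here. Either note the dependency in the comment or compute `d` under the same ordering test. The block is duplicated verbatim in tt_cmap12_validate further down; one static helper would keep the two identical.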
+@@ -1872,7 +1878,9 @@
+     count  = TT_NEXT_ULONG( p );
+ 
+     if ( length > (FT_ULong)( valid->limit - table ) ||
+-         length < 20 + count * 2                     )
++         /* length < 20 + count * 2 ? */
++         length < 20                                 ||
++         ( length - 20 ) / 2 < count                 )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check glyph indices */
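Review bot: placing `/* length < 20 + count * 2 ? */` between the `||` operands of a multi-line condition reads awkwardly and breaks the column alignment FreeType uses for these conditions; the other hunks in this series put the restated expression on its own line above the `if`. The same layout is used in the `length < 16 + 12 * num_groups` and `length < 10 + 11 * num_selectors` hunks below. The rewrite itself is exactly equivalent with truncating division, so only the placement needs changing.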
+@@ -2059,7 +2067,9 @@
+     num_groups = TT_NEXT_ULONG( p );
+ 
+     if ( length > (FT_ULong)( valid->limit - table ) ||
+-         length < 16 + 12 * num_groups               )
++         /* length < 16 + 12 * num_groups ? */
++         length < 16                                 ||
++         ( length - 16 ) / 12 < num_groups           )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check groups, they must be in increasing order */
+@@ -2081,7 +2091,12 @@
+ 
+         if ( valid->level >= FT_VALIDATE_TIGHT )
+         {
+-          if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
++          FT_UInt32  d = end - start;
++
++
++          /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
++          if ( d > TT_VALID_GLYPH_COUNT( valid )             ||
++               start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
+             FT_INVALID_GLYPH_ID;
+         }
+ 
+@@ -2383,7 +2398,9 @@
+     num_groups = TT_NEXT_ULONG( p );
+ 
+     if ( length > (FT_ULong)( valid->limit - table ) ||
+-         length < 16 + 12 * num_groups               )
++         /* length < 16 + 12 * num_groups ? */
++         length < 16                                 ||
++         ( length - 16 ) / 12 < num_groups           )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check groups, they must be in increasing order */
+@@ -2764,7 +2781,9 @@
+ 
+ 
+     if ( length > (FT_ULong)( valid->limit - table ) ||
+-         length < 10 + 11 * num_selectors            )
++         /* length < 10 + 11 * num_selectors ? */
++         length < 10                                 ||
++         ( length - 10 ) / 11 < num_selectors        )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check selectors, they must be in increasing order */
+@@ -2800,7 +2819,8 @@
+           FT_ULong  lastBase  = 0;
+ 
+ 
+-          if ( defp + numRanges * 4 > valid->limit )
++          /* defp + numRanges * 4 > valid->limit ? */
++          if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 )
+             FT_INVALID_TOO_SHORT;
+ 
+           for ( i = 0; i < numRanges; ++i )
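Review bot: as with the cmap8 hunk at the top of this patch, `numRanges > (FT_ULong)( valid->limit - defp ) / 4` depends on `defp <= valid->limit` having been established before `numRanges` was read from `defp`; if `defp` came from an unchecked table offset, the cast hides a negative difference. Confirm the bounds test on `defp` that precedes this block and say so in the comment, since the same pattern is used for `numMappings` and `ndp` in the next hunk.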
+@@ -2827,7 +2847,8 @@
+           FT_ULong  i, lastUni  = 0;
+ 
+ 
+-          if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
++          /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */
++          if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 )
+             FT_INVALID_TOO_SHORT;
+ 
+           for ( i = 0; i < numMappings; ++i )
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0019-Fix-Savannah-bug-43548.-CVE-2014-9670.patch
+++ freetype-2.5.2/debian/patches-freetype/0019-Fix-Savannah-bug-43548.-CVE-2014-9670.patch
@@ -0,0 +1,36 @@
+From e92ff3eeb7981a88a85f2c0a7f1f4be9a28c57d9 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 6 Nov 2014 23:25:05 +0100
+Subject: Fix Savannah bug #43548. CVE-2014-9670
+
+* src/pcf/pcfread (pcf_get_encodings): Add sanity checks for row and
+column values.
+
+(cherry picked from commit ef1eba75187adfac750f326b563fe543dd5ff4e6)
+---
+ freetype-2.5.2/src/pcf/pcfread.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git freetype-2.5.2/src/pcf/pcfread.c freetype-2.5.2/src/pcf/pcfread.c
+index ee41c5d..c7d38e1 100644
+--- freetype-2.5.2/src/pcf/pcfread.c
++++ freetype-2.5.2/src/pcf/pcfread.c
+@@ -812,6 +812,15 @@ THE SOFTWARE.
+     if ( !PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) )
+       return FT_THROW( Invalid_File_Format );
+ 
++    /* sanity checks */
++    if ( firstCol < 0       ||
++         firstCol > lastCol ||
++         lastCol  > 0xFF    ||
++         firstRow < 0       ||
++         firstRow > lastRow ||
++         lastRow  > 0xFF    )
++      return FT_THROW( Invalid_Table );
++
+     FT_TRACE4(( "pdf_get_encodings:\n" ));
+ 
+     FT_TRACE4(( "  firstCol %d, lastCol %d, firstRow %d, lastRow %d\n",
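Review bot: the `> 0xFF` bounds on `lastCol` and `lastRow` come from the byte-sized row/column encoding of the PCF encoding table; a comment saying so would explain the magic number. While touching this function, the trace string two lines below the new checks says `pdf_get_encodings` where the function is `pcf_get_encodings`.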
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0020-Fix-Savannah-bug-43547.-CVE-2014-9671.patch
+++ freetype-2.5.2/debian/patches-freetype/0020-Fix-Savannah-bug-43547.-CVE-2014-9671.patch
@@ -0,0 +1,42 @@
+From 8d2acf52b8f956338f7b381817d3fdb06b64f756 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 6 Nov 2014 22:32:46 +0100
+Subject: Fix Savannah bug #43547. CVE-2014-9671
+
+* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset'
+values.
+
+(cherry picked from commit 0e2f5d518c60e2978f26400d110eff178fa7e3c3)
+---
+ freetype-2.5.2/src/pcf/pcfread.c | 15 +++++++++++++++
+ 1 file changed, 15 insertions(+)
+
+diff --git freetype-2.5.2/src/pcf/pcfread.c freetype-2.5.2/src/pcf/pcfread.c
+index c7d38e1..f487faa 100644
+--- freetype-2.5.2/src/pcf/pcfread.c
++++ freetype-2.5.2/src/pcf/pcfread.c
+@@ -151,6 +151,21 @@ THE SOFTWARE.
+         break;
+     }
+ 
++    /* we now check whether the `size' and `offset' values are reasonable: */
++    /* `offset' + `size' must not exceed the stream size                   */
++    tables = face->toc.tables;
++    for ( n = 0; n < toc->count; n++ )
++    {
++      /* we need two checks to avoid overflow */
++      if ( ( tables->size   > stream->size                ) ||
++           ( tables->offset > stream->size - tables->size ) )
++      {
++        error = FT_THROW( Invalid_Table );
++        goto Exit;
++      }
++      tables++;
++    }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+ 
+     {
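Review bot: the new loop reuses `tables` and `n`, which must be declared earlier in pcf_read_TOC; that works, but validating `size` and `offset` inside the loop that reads and byte-swaps the entries would keep the check next to the values it protects and avoid a second pass over the table. The two-clause form (`size > stream->size || offset > stream->size - size`) and the comment explaining why two checks are needed are correct and clear.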
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0021-Fix-Savannah-bug-43540.-CVE-2014-9672.patch
+++ freetype-2.5.2/debian/patches-freetype/0021-Fix-Savannah-bug-43540.-CVE-2014-9672.patch
@@ -0,0 +1,42 @@
+From fd240e4f474a3d1006b3467fb9a891d94770fdf4 Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Wed, 26 Nov 2014 16:11:38 +0900
+Subject: Fix Savannah bug #43540. CVE-2014-9672
+
+* src/base/ftmac.c (parse_fond): Prevent a buffer overrun
+caused by a font including too many (> 63) strings to store
+names[] table.
+
+(cherry picked from commit 18a8f0d9943369449bc4de92d411c78fb08d616c)
+---
+ freetype-2.5.2/src/base/ftmac.c | 5 +++--
+ 1 file changed, 3 insertions(+), 2 deletions(-)
+
+diff --git freetype-2.5.2/src/base/ftmac.c freetype-2.5.2/src/base/ftmac.c
+index 9b49da8..184a2e1 100644
+--- freetype-2.5.2/src/base/ftmac.c
++++ freetype-2.5.2/src/base/ftmac.c
+@@ -440,9 +440,10 @@
+       style = (StyleTable*)p;
+       p += sizeof ( StyleTable );
+       string_count = EndianS16_BtoN( *(short*)(p) );
++      string_count = FT_MIN( 64, string_count );
+       p += sizeof ( short );
+ 
+-      for ( i = 0; i < string_count && i < 64; i++ )
++      for ( i = 0; i < string_count; i++ )
+       {
+         names[i] = p;
+         p       += names[i][0];
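Review bot: `string_count` is the result of `EndianS16_BtoN( *(short*)(p) )`, so it is signed and a negative value passes `FT_MIN( 64, string_count )` unchanged. Both consumers tolerate that (the `for` loop does not run, and `indexes[face_index] > 1 && indexes[face_index] <= string_count` is false), but clamping to the range 0..64 in one place would make the intent explicit. Separately, nothing in this hunk bounds `p` against the end of the resource while `p += names[i][0]` walks the Pascal strings; that is outside CVE-2014-9672 but worth a follow-up check.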
+@@ -459,7 +460,7 @@
+           ps_name[ps_name_len] = 0;
+         }
+         if ( style->indexes[face_index] > 1 &&
+-             style->indexes[face_index] <= FT_MIN( string_count, 64 ) )
++             style->indexes[face_index] <= string_count )
+         {
+           unsigned char*  suffixes = names[style->indexes[face_index] - 1];
+ 
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0022-src-base-ftobjs.c-Mac_Read_POST_Resource-Avoid-memor.patch
+++ freetype-2.5.2/debian/patches-freetype/0022-src-base-ftobjs.c-Mac_Read_POST_Resource-Avoid-memor.patch
@@ -0,0 +1,33 @@
+From 9c29f8a914862850a8e5c9fdf35d226ac7be30b8 Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Wed, 26 Nov 2014 14:36:12 +0900
+Subject: =?UTF-8?q?*=20src/base/ftobjs.c=20(Mac=5FRead=5FPOST=5FResource):?=
+ =?UTF-8?q?=20Avoid=20memory=20leak=20CVE-2014-9673-fixup=0Aby=20a=20broke?=
+ =?UTF-8?q?n=20POST=20table=20in=20resource-fork.=20=20Return=20after=20fr?=
+ =?UTF-8?q?eeing=0Athe=20buffered=20POST=20table=20when=20it=20is=20found?=
+ =?UTF-8?q?=20to=20be=20broken.?=
+
+(cherry picked from commit 5aff85301bdce7677766fa1367c82ff41a739637)
+---
+ freetype-2.5.2/src/base/ftobjs.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c
+index bd0c66e..6014a93 100644
+--- freetype-2.5.2/src/base/ftobjs.c
++++ freetype-2.5.2/src/base/ftobjs.c
+@@ -1626,9 +1626,9 @@
+       if ( error )
+         goto Exit2;
+       if ( FT_READ_LONG( rlen ) )
+-        goto Exit;
++        goto Exit2;
+       if ( FT_READ_USHORT( flags ) )
+-        goto Exit;
++        goto Exit2;
+       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+                    i, offsets[i], rlen, flags ));
+ 
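Review bot: redirecting these two short-read exits to `Exit2` routes them through the `FT_FREE( pfb_data )` at that label (visible in the last hunk of patch 0025), so the buffer allocated before the loop is no longer leaked. Only these two `goto Exit` sites are shown; any other early exit between the FT_ALLOC and `Exit2` would have the same leak, so the function deserves one more grep for `goto Exit;`.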
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0023-Fix-Savannah-bug-43539.-CVE-2014-9673.patch
+++ freetype-2.5.2/debian/patches-freetype/0023-Fix-Savannah-bug-43539.-CVE-2014-9673.patch
@@ -0,0 +1,59 @@
+From 9dab65dee316318b89f3dd83515509b64bb3f17d Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Wed, 26 Nov 2014 15:52:23 +0900
+Subject: Fix Savannah bug #43539. CVE-2014-9673
+
+* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
+by a broken POST table in resource-fork.
+
+(cherry picked from commit 35252ae9aa1dd9343e9f4884e9ddb1fee10ef415)
+---
+ freetype-2.5.2/src/base/ftobjs.c | 17 +++++++++++++++++
+ 1 file changed, 17 insertions(+)
+
+diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c
+index 6014a93..e860413 100644
+--- freetype-2.5.2/src/base/ftobjs.c
++++ freetype-2.5.2/src/base/ftobjs.c
+@@ -1627,6 +1627,11 @@
+         goto Exit2;
+       if ( FT_READ_LONG( rlen ) )
+         goto Exit2;
++      if ( rlen < 0 )
++      {
++        error = FT_THROW( Invalid_Offset );
++        goto Exit2;
++      }
+       if ( FT_READ_USHORT( flags ) )
+         goto Exit2;
+       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+@@ -1644,7 +1649,14 @@
+         rlen = 0;
+ 
+       if ( ( flags >> 8 ) == type )
++      {
++        if ( 0x7FFFFFFFL - rlen < len )
++        {
++          error = FT_THROW( Array_Too_Large );
++          goto Exit2;
++        }
+         len += rlen;
++      }
+       else
+       {
+         if ( pfb_lenpos + 3 > pfb_len + 2 )
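Review bot: `0x7FFFFFFFL - rlen < len` is a correct pre-addition overflow test only while both operands are non-negative; `rlen >= 0` is guaranteed by the new `if ( rlen < 0 )` test in the previous hunk, and `len >= 0` holds as long as `len` only ever accumulates checked values, which a comment should state. Note that patch 0025 in this same debdiff changes these variables to FT_ULong and deletes this guard again, so the review should consider the end state after 0025 and 0026 rather than this hunk alone.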
+@@ -1673,6 +1685,11 @@
+       }
+ 
+       error = FT_ERR( Cannot_Open_Resource );
++      if ( rlen > 0x7FFFFFFFL - pfb_pos )
++      {
++        error = FT_THROW( Array_Too_Large );
++        goto Exit2;
++      }
+       if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
+         goto Exit2;
+ 
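Review bot: the new `rlen > 0x7FFFFFFFL - pfb_pos` guard makes the existing `pfb_pos + rlen > pfb_len` test on the following line safe from signed overflow, but the two paths report different codes for the same class of malformed input: the guard throws Array_Too_Large while the bounds failure falls through with the Cannot_Open_Resource set just above. Patch 0025 later folds everything to Cannot_Open_Resource at `Exit2`, which resolves the inconsistency; until then a comment would help.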
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0024-Fix-Savannah-bug-43538.-CVE-2014-9674-part-1.patch
+++ freetype-2.5.2/debian/patches-freetype/0024-Fix-Savannah-bug-43538.-CVE-2014-9674-part-1.patch
@@ -0,0 +1,45 @@
+From 6dc3fe8132e53773c2d48c7c07caf65bc020aa3d Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Wed, 26 Nov 2014 15:43:29 +0900
+Subject: Fix Savannah bug #43538. CVE-2014-9674-part-1
+
+* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
+by a broken POST table in resource-fork.
+
+(cherry picked from commit 240c94a185cd8dae7d03059abec8a5662c35ecd3)
+---
+ freetype-2.5.2/src/base/ftobjs.c | 15 ++++++++++++++-
+ 1 file changed, 14 insertions(+), 1 deletion(-)
+
+diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c
+index e860413..6be07ca 100644
+--- freetype-2.5.2/src/base/ftobjs.c
++++ freetype-2.5.2/src/base/ftobjs.c
+@@ -1603,10 +1603,23 @@
+         goto Exit;
+       if ( FT_READ_LONG( temp ) )
+         goto Exit;
++      if ( 0 > temp )
++        error = FT_THROW( Invalid_Offset );
++      else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
++        error = FT_THROW( Array_Too_Large );
++
++      if ( error )
++        goto Exit;
++
+       pfb_len += temp + 6;
+     }
+ 
+-    if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
++    if ( 0x7FFFFFFFL - 2 < pfb_len )
++      error = FT_THROW( Array_Too_Large );
++    else
++      error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
++
++    if ( error )
+       goto Exit;
+ 
+     pfb_data[0] = 0x80;
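Review bot: `error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );` loses the allocator's error code: in FreeType, FT_ALLOC is FT_MEM_SET_ERROR wrapped around FT_MEM_ALLOC and evaluates to `error != 0`, so on failure this assignment replaces Out_Of_Memory with 1. The original `if ( FT_ALLOC( ... ) ) goto Exit;` form was right, and patch 0025 restores it; anyone cherry-picking this patch alone for a backport needs that part of 0025 too. Minor: `0 > temp` would read better as `temp < 0`, matching the `rlen < 0` test in patch 0023.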
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0025-src-base-ftobjs.c-Mac_Read_POST_Resource-Use-unsigne.patch
+++ freetype-2.5.2/debian/patches-freetype/0025-src-base-ftobjs.c-Mac_Read_POST_Resource-Use-unsigne.patch
@@ -0,0 +1,165 @@
+From f50779191264fd754d76fbf9b0703a930902ae50 Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Wed, 26 Nov 2014 16:02:17 +0900
+Subject: =?UTF-8?q?*=20src/base/ftobjs.c=20(Mac=5FRead=5FPOST=5FResource):?=
+ =?UTF-8?q?=20Use=20unsigned=20long=20CVE-2014-9674-fixup-1=0Avariables=20?=
+ =?UTF-8?q?to=20read=20the=20lengths=20in=20POST=20fragments.=20=20Suggest?=
+ =?UTF-8?q?ed=20by=0AMateusz=20Jurczyk=20<mjurczyk@google.com>.?=
+
+(cherry picked from commit 453316792fee912cfced48e9e270e9eb19892e64)
+---
+ freetype-2.5.2/src/base/ftobjs.c | 63 ++++++++++++++++++++++------------------
+ 1 file changed, 34 insertions(+), 29 deletions(-)
+
+diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c
+index 6be07ca..2ec2ed8 100644
+--- freetype-2.5.2/src/base/ftobjs.c
++++ freetype-2.5.2/src/base/ftobjs.c
+@@ -1583,9 +1583,9 @@
+     FT_Memory  memory = library->memory;
+     FT_Byte*   pfb_data = NULL;
+     int        i, type, flags;
+-    FT_Long    len;
+-    FT_Long    pfb_len, pfb_pos, pfb_lenpos;
+-    FT_Long    rlen, temp;
++    FT_ULong   len;
++    FT_ULong   pfb_len, pfb_pos, pfb_lenpos;
++    FT_ULong   rlen, temp;
+ 
+ 
+     if ( face_index == -1 )
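Review bot: moving `len`, `pfb_len`, `pfb_pos`, `pfb_lenpos`, `rlen` and `temp` to FT_ULong removes the signed-overflow undefined behaviour, but it also turns every `a + b > c` test in this function into modular arithmetic, so each addition now needs its own explicit upper bound instead of relying on the old signed checks; the later hunks of this patch remove several of those checks, which is where the review effort should go.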
+@@ -1601,25 +1601,27 @@
+       error = FT_Stream_Seek( stream, offsets[i] );
+       if ( error )
+         goto Exit;
+-      if ( FT_READ_LONG( temp ) )
++      if ( FT_READ_ULONG( temp ) )
+         goto Exit;
+-      if ( 0 > temp )
++#if 0
++      FT_TRACE4(( "                 POST fragment #%d: length=0x%08x\n", i, temp));
++      if ( 0x7FFFFFFFUL < temp )
++      {
+         error = FT_THROW( Invalid_Offset );
+-      else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
+-        error = FT_THROW( Array_Too_Large );
+-
+-      if ( error )
+         goto Exit;
++      }
++#endif
+ 
+       pfb_len += temp + 6;
+     }
+ 
+-    if ( 0x7FFFFFFFL - 2 < pfb_len )
++    FT_TRACE2(( "             total buffer size to concatenate %d POST fragments: 0x%08x\n",
++                 resource_cnt, pfb_len + 2));
++    if ( pfb_len + 2 < 6 ) {
+       error = FT_THROW( Array_Too_Large );
+-    else
+-      error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
+-
+-    if ( error )
++      goto Exit;
++    }
++    if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
+       goto Exit;
+ 
+     pfb_data[0] = 0x80;
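Review bot: wrapping the `0x7FFFFFFFUL < temp` test in `#if 0` leaves `pfb_len += temp + 6` free to wrap in FT_ULong; the only remaining guard, `pfb_len + 2 < 6`, catches a wrap to a tiny value but not to a large positive one, after which `(FT_Long)pfb_len + 2` passed to FT_ALLOC relies on the allocator rejecting a negative size. Patch 0026 re-enables the test, so the series end state is fine, but 0025 must not be applied without it. Style: `if ( pfb_len + 2 < 6 ) {` puts the brace on the `if` line unlike the rest of the file, and the FT_TRACE2 format uses `%08x` for `pfb_len + 2`, which is now FT_ULong (`%08lx`).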
+@@ -1638,21 +1640,27 @@
+       error = FT_Stream_Seek( stream, offsets[i] );
+       if ( error )
+         goto Exit2;
+-      if ( FT_READ_LONG( rlen ) )
++      if ( FT_READ_ULONG( rlen ) )
+         goto Exit2;
+-      if ( rlen < 0 )
++#if 0
++      if ( 0x7FFFFFFFUL < rlen )
+       {
+         error = FT_THROW( Invalid_Offset );
+         goto Exit2;
+       }
++#endif
+       if ( FT_READ_USHORT( flags ) )
+         goto Exit2;
+       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+                    i, offsets[i], rlen, flags ));
+ 
++      error = FT_ERR( Array_Too_Large );
+       /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
+       if ( ( flags >> 8 ) == 0 )        /* Comment, should not be loaded */
++      {
++        FT_TRACE3(( "    Skip POST fragment #%d because it is a comment\n", i ));
+         continue;
++      }
+ 
+       /* the flags are part of the resource, so rlen >= 2.  */
+       /* but some fonts declare rlen = 0 for empty fragment */
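Review bot: `error = FT_ERR( Array_Too_Large );` is assigned before the comment-skip `continue`, so a trailing comment fragment leaves `error` set when the loop ends; the code after the loop reassigns it before anything returns, so the value is not leaked, but setting it only on the paths that actually `goto Exit2` would be clearer. The `#if 0` around `0x7FFFFFFFUL < rlen` is the same concern as the `temp` check in the previous hunk: with FT_ULong arithmetic an oversized `rlen` makes the later `pfb_pos + rlen` test wrap. The part of patch 0026 that would re-enable this block is not visible in this debdiff excerpt, so please confirm it does.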
+@@ -1662,16 +1670,10 @@
+         rlen = 0;
+ 
+       if ( ( flags >> 8 ) == type )
+-      {
+-        if ( 0x7FFFFFFFL - rlen < len )
+-        {
+-          error = FT_THROW( Array_Too_Large );
+-          goto Exit2;
+-        }
+         len += rlen;
+-      }
+       else
+       {
++        FT_TRACE3(( "    Write POST fragment #%d header (4-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos ));
+         if ( pfb_lenpos + 3 > pfb_len + 2 )
+           goto Exit2;
+         pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
+@@ -1682,6 +1684,7 @@
+         if ( ( flags >> 8 ) == 5 )      /* End of font mark */
+           break;
+ 
++        FT_TRACE3(( "    Write POST fragment #%d header (6-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_pos ));
+         if ( pfb_pos + 6 > pfb_len + 2 )
+           goto Exit2;
+         pfb_data[pfb_pos++] = 0x80;
+@@ -1697,21 +1700,17 @@
+         pfb_data[pfb_pos++] = 0;
+       }
+ 
+-      error = FT_ERR( Cannot_Open_Resource );
+-      if ( rlen > 0x7FFFFFFFL - pfb_pos )
+-      {
+-        error = FT_THROW( Array_Too_Large );
+-        goto Exit2;
+-      }
+       if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
+         goto Exit2;
+ 
++      FT_TRACE3(( "    Load POST fragment #%d (%d byte) to buffer 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos ));
+       error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
+       if ( error )
+         goto Exit2;
+       pfb_pos += rlen;
+     }
+ 
++    error = FT_ERR( Array_Too_Large );
+     if ( pfb_pos + 2 > pfb_len + 2 )
+       goto Exit2;
+     pfb_data[pfb_pos++] = 0x80;
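Review bot: deleting the `rlen > 0x7FFFFFFFL - pfb_pos` guard leaves `pfb_pos + rlen > pfb_len` as the only size test before FT_Stream_Read, and with both operands now FT_ULong that sum can wrap for a large `rlen`. The comment earlier in the loop says the check is deferred to FT_Stream_Read, but that bounds the read against the stream, not against `pfb_data`. Keep an explicit `rlen > pfb_len - pfb_pos` test instead (safe once the first clause has excluded `pfb_pos > pfb_len`) so the destination bound does not depend on the stream size. Also `%d` for `rlen` in the new FT_TRACE3 should be `%lu` now.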
+@@ -1732,6 +1731,12 @@
+                                   aface );
+ 
+   Exit2:
++    if ( error == FT_ERR( Array_Too_Large ) )
++      FT_TRACE2(( "  Abort due to too-short buffer to store all POST fragments\n" ));
++    else if ( error == FT_ERR( Invalid_Offset ) )
++      FT_TRACE2(( "  Abort due to invalid offset in a POST fragment\n" ));
++    if ( error )
++      error = FT_ERR( Cannot_Open_Resource );
+     FT_FREE( pfb_data );
+ 
+   Exit:
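Review bot: the new `error = FT_ERR( Cannot_Open_Resource );` at Exit2 uses the bare error code where the rest of this function raises errors with FT_THROW (Array_Too_Large, Invalid_Offset); use FT_THROW here too so the remapping is visible in error tracing. Folding every failure, stream read errors included, into Cannot_Open_Resource also hides the cause from callers; if that is intended for the resource-fork probe, say so in a comment.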
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0026-src-base-ftobjs.c-Mac_Read_POST_Resource-Insert-comm.patch
+++ freetype-2.5.2/debian/patches-freetype/0026-src-base-ftobjs.c-Mac_Read_POST_Resource-Insert-comm.patch
@@ -0,0 +1,111 @@
+From 02dd014303d7a151398321cfc7001426306b6e3b Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Wed, 26 Nov 2014 16:39:00 +0900
+Subject: =?UTF-8?q?*=20src/base/ftobjs.c=20(Mac=5FRead=5FPOST=5FResource):?=
+ =?UTF-8?q?=20Insert=20comments=20CVS-2014-9674-fixup-2=0Aand=20fold=20too?=
+ =?UTF-8?q?=20long=20tracing=20messages.?=
+
+(cherry picked from commit 1720e81e3ecc7c266e54fe40175cc39c47117bf5)
+---
+ freetype-2.5.2/src/base/ftobjs.c | 34 ++++++++++++++++++++++++----------
+ 1 file changed, 24 insertions(+), 10 deletions(-)
+
+diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c
+index 2ec2ed8..4a9eb7f 100644
+--- freetype-2.5.2/src/base/ftobjs.c
++++ freetype-2.5.2/src/base/ftobjs.c
+@@ -1603,21 +1603,28 @@
+         goto Exit;
+       if ( FT_READ_ULONG( temp ) )
+         goto Exit;
+-#if 0
+-      FT_TRACE4(( "                 POST fragment #%d: length=0x%08x\n", i, temp));
++
++      /* FT2 allocator takes signed long buffer length,
++       * too large value causing overflow should be checked
++       */
++      FT_TRACE4(( "                 POST fragment #%d: length=0x%08x\n",
++                  i, temp));
+       if ( 0x7FFFFFFFUL < temp )
+       {
+         error = FT_THROW( Invalid_Offset );
+         goto Exit;
+       }
+-#endif
+ 
+       pfb_len += temp + 6;
+     }
+ 
+-    FT_TRACE2(( "             total buffer size to concatenate %d POST fragments: 0x%08x\n",
++    FT_TRACE2(( "             total buffer size to concatenate %d"
++                " POST fragments: 0x%08x\n",
+                  resource_cnt, pfb_len + 2));
+     if ( pfb_len + 2 < 6 ) {
++      FT_TRACE2(( "             too long fragment length makes"
++                  " pfb_len confused: 0x%08x\n",
++                  pfb_len ));
+       error = FT_THROW( Array_Too_Large );
+       goto Exit;
+     }
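Review bot: the re-enabled `0x7FFFFFFFUL < temp` test caps each fragment, but `pfb_len += temp + 6` still accumulates unchecked, so with enough fragments the running total can wrap on a 32-bit FT_ULong; the `pfb_len + 2 < 6` test below only catches a wrap that lands below 4. Check that `pfb_len + temp + 6` does not fall below `pfb_len` before adding (patch 0027 below adds exactly this), and note in the comment that the cap alone does not protect the sum.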
+@@ -1642,13 +1649,16 @@
+         goto Exit2;
+       if ( FT_READ_ULONG( rlen ) )
+         goto Exit2;
+-#if 0
++
++      /* FT2 allocator takes signed long buffer length,
++       * too large fragment length causing overflow should be checked
++       */
+       if ( 0x7FFFFFFFUL < rlen )
+       {
+         error = FT_THROW( Invalid_Offset );
+         goto Exit2;
+       }
+-#endif
++
+       if ( FT_READ_USHORT( flags ) )
+         goto Exit2;
+       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+@@ -1673,7 +1683,8 @@
+         len += rlen;
+       else
+       {
+-        FT_TRACE3(( "    Write POST fragment #%d header (4-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos ));
++        FT_TRACE3(( "    Write POST fragment #%d header (4-byte) to buffer"
++                    " 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos ));
+         if ( pfb_lenpos + 3 > pfb_len + 2 )
+           goto Exit2;
+         pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
+@@ -1684,7 +1695,8 @@
+         if ( ( flags >> 8 ) == 5 )      /* End of font mark */
+           break;
+ 
+-        FT_TRACE3(( "    Write POST fragment #%d header (6-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_pos ));
++        FT_TRACE3(( "    Write POST fragment #%d header (6-byte) to buffer"
++                    " 0x%p + 0x%08x\n", i, pfb_data, pfb_pos ));
+         if ( pfb_pos + 6 > pfb_len + 2 )
+           goto Exit2;
+         pfb_data[pfb_pos++] = 0x80;
+@@ -1703,7 +1715,8 @@
+       if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
+         goto Exit2;
+ 
+-      FT_TRACE3(( "    Load POST fragment #%d (%d byte) to buffer 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos ));
++      FT_TRACE3(( "    Load POST fragment #%d (%d byte) to buffer"
++                  " 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos ));
+       error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
+       if ( error )
+         goto Exit2;
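Review bot: the folded FT_TRACE3 prints `rlen` with `%d`, but `rlen` is read with `FT_READ_ULONG` above, so the conversion does not match the argument type; use `%lu` for rlen so the tracing does not rely on undefined vararg behaviour when long is wider than int.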
+@@ -1732,7 +1745,8 @@
+ 
+   Exit2:
+     if ( error == FT_ERR( Array_Too_Large ) )
+-      FT_TRACE2(( "  Abort due to too-short buffer to store all POST fragments\n" ));
++      FT_TRACE2(( "  Abort due to too-short buffer to store"
++                  " all POST fragments\n" ));
+     else if ( error == FT_ERR( Invalid_Offset ) )
+       FT_TRACE2(( "  Abort due to invalid offset in a POST fragment\n" ));
+     if ( error )
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0027-src-base-ftobj.c-Mac_Read_POST_Resource-Additional-C.patch
+++ freetype-2.5.2/debian/patches-freetype/0027-src-base-ftobj.c-Mac_Read_POST_Resource-Additional-C.patch
@@ -0,0 +1,42 @@
+From 227701e7a216e77f97fc170702d70f9c1a84992a Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Thu, 27 Nov 2014 00:20:48 +0900
+Subject: =?UTF-8?q?*=20src/base/ftobj.c=20(Mac=5FRead=5FPOST=5FResource):?=
+ =?UTF-8?q?=20Additional=20CVE-2014-0674-part-2=0Aoverflow=20check=20in=20?=
+ =?UTF-8?q?the=20summation=20of=20POST=20fragment=20lengths,=0Asuggested?=
+ =?UTF-8?q?=20by=20Mateusz=20Jurczyk=20<mjurczyk@google.com>.?=
+
+(cherry picked from commit cd4a5a26e591d01494567df9dec7f72d59551f6e)
+---
+ freetype-2.5.2/src/base/ftobjs.c | 7 ++++---
+ 1 file changed, 4 insertions(+), 3 deletions(-)
+
+diff --git freetype-2.5.2/src/base/ftobjs.c freetype-2.5.2/src/base/ftobjs.c
+index 4a9eb7f..038a0f8 100644
+--- freetype-2.5.2/src/base/ftobjs.c
++++ freetype-2.5.2/src/base/ftobjs.c
+@@ -1609,8 +1609,10 @@
+        */
+       FT_TRACE4(( "                 POST fragment #%d: length=0x%08x\n",
+                   i, temp));
+-      if ( 0x7FFFFFFFUL < temp )
++      if ( 0x7FFFFFFFUL < temp || pfb_len + temp + 6 < pfb_len )
+       {
++        FT_TRACE2(( "             too long fragment length makes"
++                    " pfb_len confused: temp=0x%08x\n", temp ));
+         error = FT_THROW( Invalid_Offset );
+         goto Exit;
+       }
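Review bot: the added `pfb_len + temp + 6 < pfb_len` wrap test is sound with unsigned operands, but it raises Invalid_Offset while its trace text describes a confused pfb_len, the same condition the next hunk reports as Array_Too_Large; use one error for both so the Exit2 tracing and callers treat the overflow consistently.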
+@@ -1623,8 +1625,7 @@
+                  resource_cnt, pfb_len + 2));
+     if ( pfb_len + 2 < 6 ) {
+       FT_TRACE2(( "             too long fragment length makes"
+-                  " pfb_len confused: 0x%08x\n",
+-                  pfb_len ));
++                  " pfb_len confused: pfb_len=0x%08x\n", pfb_len ));
+       error = FT_THROW( Array_Too_Large );
+       goto Exit;
+     }
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0028-bdf-Fix-Savannah-bug-41692.-CVE-2014-9675-fixup-1.patch
+++ freetype-2.5.2/debian/patches-freetype/0028-bdf-Fix-Savannah-bug-41692.-CVE-2014-9675-fixup-1.patch
@@ -0,0 +1,235 @@
+From 37be20dfb7ceec9bb2c10ac19f339043a8e20229 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 26 Feb 2014 13:08:07 +0100
+Subject: [bdf] Fix Savannah bug #41692. CVE-2014-9675-fixup-1
+
+bdflib puts data from the input stream into a buffer in chunks of
+1024 bytes.  The data itself gets then parsed line by line, simply
+increasing the current pointer into the buffer; if the search for
+the final newline character exceeds the buffer size, more data gets
+read.
+
+However, in case the current line's end is very near to the buffer
+end, and the keyword to compare with is longer than the current
+line's length, an out-of-bounds read might happen since `memcmp'
+doesn't stop properly at the string end.
+
+* src/bdf/bdflib.c: s/ft_memcmp/ft_strncmp/ to make comparisons
+stop at string ends.
+
+(cherry picked from commit 9a56764037dfc01a89fe61f5c67971bf50343d00)
+---
+ freetype-2.5.2/src/bdf/bdflib.c | 50 ++++++++++++++++++++---------------------
+ 1 file changed, 25 insertions(+), 25 deletions(-)
+
+diff --git freetype-2.5.2/src/bdf/bdflib.c freetype-2.5.2/src/bdf/bdflib.c
+index d613159..4192139 100644
+--- freetype-2.5.2/src/bdf/bdflib.c
++++ freetype-2.5.2/src/bdf/bdflib.c
+@@ -1409,7 +1409,7 @@
+ 
+     /* If the property happens to be a comment, then it doesn't need */
+     /* to be added to the internal hash table.                       */
+-    if ( ft_memcmp( name, "COMMENT", 7 ) != 0 )
++    if ( ft_strncmp( name, "COMMENT", 7 ) != 0 )
+     {
+       /* Add the property to the font property table. */
+       error = hash_insert( fp->name,
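Review bot: switching to ft_strncmp stops the comparison at the line terminator, but with `n` equal to the keyword length it still reports a match for any line that merely starts with the keyword (a `FONTBOUNDINGBOX` line against `"FONT", 4`, for instance), so the checks keep depending on their ordering; a whole-word match needs a test of the byte after the keyword, which is what the `_bdf_strncmp` macro in patch 0029 below adds. Mention that limitation in the commit message so the two patches are read together.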
+@@ -1427,13 +1427,13 @@
+     /* FONT_ASCENT and FONT_DESCENT need to be assigned if they are        */
+     /* present, and the SPACING property should override the default       */
+     /* spacing.                                                            */
+-    if ( ft_memcmp( name, "DEFAULT_CHAR", 12 ) == 0 )
++    if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
+       font->default_char = fp->value.l;
+-    else if ( ft_memcmp( name, "FONT_ASCENT", 11 ) == 0 )
++    else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
+       font->font_ascent = fp->value.l;
+-    else if ( ft_memcmp( name, "FONT_DESCENT", 12 ) == 0 )
++    else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
+       font->font_descent = fp->value.l;
+-    else if ( ft_memcmp( name, "SPACING", 7 ) == 0 )
++    else if ( ft_strncmp( name, "SPACING", 7 ) == 0 )
+     {
+       if ( !fp->value.atom )
+       {
+@@ -1491,7 +1491,7 @@
+     memory = font->memory;
+ 
+     /* Check for a comment. */
+-    if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
++    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       linelen -= 7;
+ 
+@@ -1508,7 +1508,7 @@
+     /* The very first thing expected is the number of glyphs. */
+     if ( !( p->flags & _BDF_GLYPHS ) )
+     {
+-      if ( ft_memcmp( line, "CHARS", 5 ) != 0 )
++      if ( ft_strncmp( line, "CHARS", 5 ) != 0 )
+       {
+         FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" ));
+         error = FT_THROW( Missing_Chars_Field );
+@@ -1542,7 +1542,7 @@
+     }
+ 
+     /* Check for the ENDFONT field. */
+-    if ( ft_memcmp( line, "ENDFONT", 7 ) == 0 )
++    if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 )
+     {
+       if ( p->flags & _BDF_GLYPH_BITS )
+       {
+@@ -1564,7 +1564,7 @@
+     }
+ 
+     /* Check for the ENDCHAR field. */
+-    if ( ft_memcmp( line, "ENDCHAR", 7 ) == 0 )
++    if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 )
+     {
+       p->glyph_enc = 0;
+       p->flags    &= ~_BDF_GLYPH_BITS;
+@@ -1580,7 +1580,7 @@
+       goto Exit;
+ 
+     /* Check for the STARTCHAR field. */
+-    if ( ft_memcmp( line, "STARTCHAR", 9 ) == 0 )
++    if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 )
+     {
+       /* Set the character name in the parse info first until the */
+       /* encoding can be checked for an unencoded character.      */
+@@ -1614,7 +1614,7 @@
+     }
+ 
+     /* Check for the ENCODING field. */
+-    if ( ft_memcmp( line, "ENCODING", 8 ) == 0 )
++    if ( ft_strncmp( line, "ENCODING", 8 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_GLYPH ) )
+       {
+@@ -1800,7 +1800,7 @@
+     }
+ 
+     /* Expect the SWIDTH (scalable width) field next. */
+-    if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 )
++    if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1816,7 +1816,7 @@
+     }
+ 
+     /* Expect the DWIDTH (scalable width) field next. */
+-    if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 )
++    if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1844,7 +1844,7 @@
+     }
+ 
+     /* Expect the BBX field next. */
+-    if ( ft_memcmp( line, "BBX", 3 ) == 0 )
++    if ( ft_strncmp( line, "BBX", 3 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1912,7 +1912,7 @@
+     }
+ 
+     /* And finally, gather up the bitmap. */
+-    if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
++    if ( ft_strncmp( line, "BITMAP", 6 ) == 0 )
+     {
+       unsigned long  bitmap_size;
+ 
+@@ -1987,7 +1987,7 @@
+     p    = (_bdf_parse_t *)    client_data;
+ 
+     /* Check for the end of the properties. */
+-    if ( ft_memcmp( line, "ENDPROPERTIES", 13 ) == 0 )
++    if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
+     {
+       /* If the FONT_ASCENT or FONT_DESCENT properties have not been      */
+       /* encountered yet, then make sure they are added as properties and */
+@@ -2028,12 +2028,12 @@
+     }
+ 
+     /* Ignore the _XFREE86_GLYPH_RANGES properties. */
+-    if ( ft_memcmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
++    if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
+       goto Exit;
+ 
+     /* Handle COMMENT fields and properties in a special way to preserve */
+     /* the spacing.                                                      */
+-    if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
++    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       name = value = line;
+       value += 7;
+@@ -2097,7 +2097,7 @@
+ 
+     /* Check for a comment.  This is done to handle those fonts that have */
+     /* comments before the STARTFONT line for some reason.                */
+-    if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
++    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       if ( p->opts->keep_comments != 0 && p->font != 0 )
+       {
+@@ -2123,7 +2123,7 @@
+     {
+       memory = p->memory;
+ 
+-      if ( ft_memcmp( line, "STARTFONT", 9 ) != 0 )
++      if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 )
+       {
+         /* we don't emit an error message since this code gets */
+         /* explicitly caught one level higher                  */
+@@ -2171,7 +2171,7 @@
+     }
+ 
+     /* Check for the start of the properties. */
+-    if ( ft_memcmp( line, "STARTPROPERTIES", 15 ) == 0 )
++    if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_FONT_BBX ) )
+       {
+@@ -2200,7 +2200,7 @@
+     }
+ 
+     /* Check for the FONTBOUNDINGBOX field. */
+-    if ( ft_memcmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
++    if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_SIZE ) )
+       {
+@@ -2231,7 +2231,7 @@
+     }
+ 
+     /* The next thing to check for is the FONT field. */
+-    if ( ft_memcmp( line, "FONT", 4 ) == 0 )
++    if ( ft_strncmp( line, "FONT", 4 ) == 0 )
+     {
+       error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
+       if ( error )
+@@ -2266,7 +2266,7 @@
+     }
+ 
+     /* Check for the SIZE field. */
+-    if ( ft_memcmp( line, "SIZE", 4 ) == 0 )
++    if ( ft_strncmp( line, "SIZE", 4 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_FONT_NAME ) )
+       {
+@@ -2320,7 +2320,7 @@
+     }
+ 
+     /* Check for the CHARS field -- font properties are optional */
+-    if ( ft_memcmp( line, "CHARS", 5 ) == 0 )
++    if ( ft_strncmp( line, "CHARS", 5 ) == 0 )
+     {
+       char  nbuf[128];
+ 
+-- 
+2.1.4
+
only in patch2:
unchanged:
--- freetype-2.5.2.orig/debian/patches-freetype/0029-Fix-Savannah-bug-43535.-CVE-2014-9675.patch
+++ freetype-2.5.2/debian/patches-freetype/0029-Fix-Savannah-bug-43535.-CVE-2014-9675.patch
@@ -0,0 +1,244 @@
+From d9ed3044b65fb901c6c3a36b815a40932b450c1c Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Fri, 7 Nov 2014 07:42:33 +0100
+Subject: Fix Savannah bug #43535. CVE-2014-9675
+
+* src/bdf/bdflib.c (_bdf_strncmp): New macro that checks one
+character more than `strncmp'.
+s/ft_strncmp/_bdf_strncmp/ everywhere.
+
+(cherry picked from commit 2c4832d30939b45c05757f0a05128ce64c4cacc7)
+---
+ freetype-2.5.2/src/bdf/bdflib.c | 62 ++++++++++++++++++++++++-----------------
+ 1 file changed, 37 insertions(+), 25 deletions(-)
+
+diff --git freetype-2.5.2/src/bdf/bdflib.c freetype-2.5.2/src/bdf/bdflib.c
+index 4192139..42de23d 100644
+--- freetype-2.5.2/src/bdf/bdflib.c
++++ freetype-2.5.2/src/bdf/bdflib.c
+@@ -169,6 +169,18 @@
+                         sizeof ( _bdf_properties[0] );
+ 
+ 
++  /* An auxiliary macro to parse properties, to be used in conditionals. */
++  /* It behaves like `strncmp' but also tests the following character    */
++  /* whether it is a whitespace or NULL.                                 */
++  /* `property' is a constant string of length `n' to compare with.      */
++#define _bdf_strncmp( name, property, n )      \
++          ( ft_strncmp( name, property, n ) || \
++            !( name[n] == ' '  ||              \
++               name[n] == '\0' ||              \
++               name[n] == '\n' ||              \
++               name[n] == '\r' ||              \
++               name[n] == '\t' )            )
++
+   /* Auto correction messages. */
+ #define ACMSG1   "FONT_ASCENT property missing.  " \
+                  "Added `FONT_ASCENT %hd'.\n"
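Review bot: `_bdf_strncmp` evaluates `name` up to six times and `n` five times, so it must never be called with arguments that have side effects; parenthesise `name` and `n` in the expansion and state the restriction in the comment. The comment should also say that `name[n]` is safe only because `||` short-circuits: it is read only after ft_strncmp matched n non-NUL bytes, so it is at most the terminator. The macro yields 0 on match and 1 otherwise, which suits the `== 0` / `!= 0` uses in this patch but is not a drop-in for strncmp's ordering result, so the strncmp-like name deserves a note.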
+@@ -1409,7 +1421,7 @@
+ 
+     /* If the property happens to be a comment, then it doesn't need */
+     /* to be added to the internal hash table.                       */
+-    if ( ft_strncmp( name, "COMMENT", 7 ) != 0 )
++    if ( _bdf_strncmp( name, "COMMENT", 7 ) != 0 )
+     {
+       /* Add the property to the font property table. */
+       error = hash_insert( fp->name,
+@@ -1427,13 +1439,13 @@
+     /* FONT_ASCENT and FONT_DESCENT need to be assigned if they are        */
+     /* present, and the SPACING property should override the default       */
+     /* spacing.                                                            */
+-    if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
++    if ( _bdf_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
+       font->default_char = fp->value.l;
+-    else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
++    else if ( _bdf_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
+       font->font_ascent = fp->value.l;
+-    else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
++    else if ( _bdf_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
+       font->font_descent = fp->value.l;
+-    else if ( ft_strncmp( name, "SPACING", 7 ) == 0 )
++    else if ( _bdf_strncmp( name, "SPACING", 7 ) == 0 )
+     {
+       if ( !fp->value.atom )
+       {
+@@ -1491,7 +1503,7 @@
+     memory = font->memory;
+ 
+     /* Check for a comment. */
+-    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
++    if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       linelen -= 7;
+ 
+@@ -1508,7 +1520,7 @@
+     /* The very first thing expected is the number of glyphs. */
+     if ( !( p->flags & _BDF_GLYPHS ) )
+     {
+-      if ( ft_strncmp( line, "CHARS", 5 ) != 0 )
++      if ( _bdf_strncmp( line, "CHARS", 5 ) != 0 )
+       {
+         FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" ));
+         error = FT_THROW( Missing_Chars_Field );
+@@ -1542,7 +1554,7 @@
+     }
+ 
+     /* Check for the ENDFONT field. */
+-    if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 )
++    if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 )
+     {
+       if ( p->flags & _BDF_GLYPH_BITS )
+       {
+@@ -1564,7 +1576,7 @@
+     }
+ 
+     /* Check for the ENDCHAR field. */
+-    if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 )
++    if ( _bdf_strncmp( line, "ENDCHAR", 7 ) == 0 )
+     {
+       p->glyph_enc = 0;
+       p->flags    &= ~_BDF_GLYPH_BITS;
+@@ -1580,7 +1592,7 @@
+       goto Exit;
+ 
+     /* Check for the STARTCHAR field. */
+-    if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 )
++    if ( _bdf_strncmp( line, "STARTCHAR", 9 ) == 0 )
+     {
+       /* Set the character name in the parse info first until the */
+       /* encoding can be checked for an unencoded character.      */
+@@ -1614,7 +1626,7 @@
+     }
+ 
+     /* Check for the ENCODING field. */
+-    if ( ft_strncmp( line, "ENCODING", 8 ) == 0 )
++    if ( _bdf_strncmp( line, "ENCODING", 8 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_GLYPH ) )
+       {
+@@ -1800,7 +1812,7 @@
+     }
+ 
+     /* Expect the SWIDTH (scalable width) field next. */
+-    if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 )
++    if ( _bdf_strncmp( line, "SWIDTH", 6 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1816,7 +1828,7 @@
+     }
+ 
+     /* Expect the DWIDTH (scalable width) field next. */
+-    if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 )
++    if ( _bdf_strncmp( line, "DWIDTH", 6 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1844,7 +1856,7 @@
+     }
+ 
+     /* Expect the BBX field next. */
+-    if ( ft_strncmp( line, "BBX", 3 ) == 0 )
++    if ( _bdf_strncmp( line, "BBX", 3 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1912,7 +1924,7 @@
+     }
+ 
+     /* And finally, gather up the bitmap. */
+-    if ( ft_strncmp( line, "BITMAP", 6 ) == 0 )
++    if ( _bdf_strncmp( line, "BITMAP", 6 ) == 0 )
+     {
+       unsigned long  bitmap_size;
+ 
+@@ -1987,7 +1999,7 @@
+     p    = (_bdf_parse_t *)    client_data;
+ 
+     /* Check for the end of the properties. */
+-    if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
++    if ( _bdf_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
+     {
+       /* If the FONT_ASCENT or FONT_DESCENT properties have not been      */
+       /* encountered yet, then make sure they are added as properties and */
+@@ -2028,12 +2040,12 @@
+     }
+ 
+     /* Ignore the _XFREE86_GLYPH_RANGES properties. */
+-    if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
++    if ( _bdf_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
+       goto Exit;
+ 
+     /* Handle COMMENT fields and properties in a special way to preserve */
+     /* the spacing.                                                      */
+-    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
++    if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       name = value = line;
+       value += 7;
+@@ -2097,7 +2109,7 @@
+ 
+     /* Check for a comment.  This is done to handle those fonts that have */
+     /* comments before the STARTFONT line for some reason.                */
+-    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
++    if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       if ( p->opts->keep_comments != 0 && p->font != 0 )
+       {
+@@ -2123,7 +2135,7 @@
+     {
+       memory = p->memory;
+ 
+-      if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 )
++      if ( _bdf_strncmp( line, "STARTFONT", 9 ) != 0 )
+       {
+         /* we don't emit an error message since this code gets */
+         /* explicitly caught one level higher                  */
+@@ -2171,7 +2183,7 @@
+     }
+ 
+     /* Check for the start of the properties. */
+-    if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
++    if ( _bdf_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_FONT_BBX ) )
+       {
+@@ -2200,7 +2212,7 @@
+     }
+ 
+     /* Check for the FONTBOUNDINGBOX field. */
+-    if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
++    if ( _bdf_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_SIZE ) )
+       {
+@@ -2231,7 +2243,7 @@
+     }
+ 
+     /* The next thing to check for is the FONT field. */
+-    if ( ft_strncmp( line, "FONT", 4 ) == 0 )
++    if ( _bdf_strncmp( line, "FONT", 4 ) == 0 )
+     {
+       error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
+       if ( error )
+@@ -2266,7 +2278,7 @@
+     }
+ 
+     /* Check for the SIZE field. */
+-    if ( ft_strncmp( line, "SIZE", 4 ) == 0 )
++    if ( _bdf_strncmp( line, "SIZE", 4 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_FONT_NAME ) )
+       {
+@@ -2320,7 +2332,7 @@
+     }
+ 
+     /* Check for the CHARS field -- font properties are optional */
+-    if ( ft_strncmp( line, "CHARS", 5 ) == 0 )
++    if ( _bdf_strncmp( line, "CHARS", 5 ) == 0 )
+     {
+       char  nbuf[128];
+ 
+-- 
+2.1.4
+


-- System Information:
Debian Release: 8.0
  APT prefers unstable
  APT policy: (500, 'unstable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores)
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)

--- End Message ---
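The three keyword-matching strategies seen in the two bdflib patches above, run over constructed BDF-style lines as an added example (not FreeType's code and not part of the bug report): ft_memcmp compares n bytes regardless of where the line ends, ft_strncmp stops at the terminator but accepts any line that starts with the keyword, and the `_bdf_strncmp` macro (copied from patch 0029, with ft_strncmp replaced by the libc strncmp it wraps) also requires the following byte to be whitespace or NUL. The `match_keyword` helper, its result struct and the sample lines are assumptions made here.

```c
#include <stdio.h>
#include <string.h>

/* Macro copied from the CVE-2014-9675 patch (0029): like strncmp, but it
 * also requires the byte right after the n compared bytes to be whitespace
 * or NUL, so a keyword only matches as a whole word.  Because `||'
 * short-circuits, name[n] is read only after the first n bytes all matched
 * a non-NUL property string, so it never goes past the terminator. */
#define _bdf_strncmp( name, property, n )      \
          ( strncmp( name, property, n ) ||    \
            !( name[n] == ' '  ||              \
               name[n] == '\0' ||              \
               name[n] == '\n' ||              \
               name[n] == '\r' ||              \
               name[n] == '\t' )            )

/* Outcome of matching one keyword at the head of one line under the three
 * comparison strategies of the patch series (hypothetical type). */
typedef struct
{
  int memcmp_in_bounds;  /* 1: memcmp( line, kw, n ) stays inside the line  */
                         /* 0: it would read past the line's terminator     */
  int strncmp_match;     /* ft_strncmp( line, kw, n ) == 0   (patch 0028)   */
  int bdf_match;         /* _bdf_strncmp( line, kw, n ) == 0 (patch 0029)   */
} match_result;

/* Hypothetical helper, not part of bdflib.  memcmp itself is deliberately
 * not called: comparing n bytes of a line shorter than n is exactly the
 * out-of-bounds read patch 0028 removes, so we only report whether it
 * would happen, from the line length. */
match_result
match_keyword( const char *line, const char *kw )
{
  size_t        n = strlen( kw );
  match_result  r;

  r.memcmp_in_bounds = ( strlen( line ) >= n );
  r.strncmp_match    = ( strncmp( line, kw, n ) == 0 );
  r.bdf_match        = ( _bdf_strncmp( line, kw, n ) == 0 );

  return r;
}

int
main( void )
{
  /* Constructed BDF-style lines for illustration, not from a real font. */
  static const struct { const char *line; const char *kw; } cases[] =
  {
    { "FONT -misc-fixed-medium",        "FONT"    },  /* whole-word match   */
    { "FONTBOUNDINGBOX 6 13 0 -2",      "FONT"    },  /* prefix only        */
    { "CHARSET_REGISTRY \"ISO10646\"",  "CHARS"   },  /* prefix only        */
    { "ENDCHAR\t",                      "ENDCHAR" },  /* tab-terminated     */
    { "BBX",                            "BITMAP"  },  /* line shorter than kw */
  };
  size_t  i;

  printf( "%-32s %-8s %-10s %-8s %-4s\n",
          "line", "keyword", "memcmp-ok", "strncmp", "bdf" );
  for ( i = 0; i < sizeof ( cases ) / sizeof ( cases[0] ); i++ )
  {
    match_result  r = match_keyword( cases[i].line, cases[i].kw );

    printf( "%-32s %-8s %-10d %-8d %-4d\n",
            cases[i].line, cases[i].kw,
            r.memcmp_in_bounds, r.strncmp_match, r.bdf_match );
  }

  return 0;
}
```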
--- Begin Message ---
On Thu, Mar  5, 2015 at 04:59:12 +0100, Cyril Brulebois wrote:

> Control: tag -1 confirmed
> 
> Julien Cristau <jcristau@debian.org> (2015-03-03):
> > Control: tag -1 + kibi
> > Control: tag -1 + d-i
> 
> Unfunny BTS is no fun :(
> 
> > On Tue, Mar  3, 2015 at 18:11:19 +0100, Moritz Muehlenhoff wrote:
> > 
> > > Package: release.debian.org
> > > Severity: normal
> > > User: release.debian.org@packages.debian.org
> > > Usertags: unblock
> > > 
> > > Please unblock package freetype. It fixes multiple security issues.
> > > 
> > > unblock freetype/2.5.2-3
> > > 
> > unblocked, but needs kibi-ack for the udeb.
> 
> I haven't seen any obvious regressions while toying around with
> various languages/fonts within d-i, so no objections.
> 
added unblock-udeb

Cheers,
Julien



--- End Message ---
