Accepting request 970868 from M17N

OBS-URL: https://build.opensuse.org/request/show/970868 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/freetype2?expand=0&rev=94
2022-04-22 19:52:56 +00:00 · 2022-04-22 19:52:56 +00:00 · 337445f45e
commit 337445f45e
parent aa543e5883 08853ad5af
4 changed files with 114 additions and 0 deletions
--- a/079a22da037835daf5be2bd9eccf7bc1eaa2e783.patch
+++ b/079a22da037835daf5be2bd9eccf7bc1eaa2e783.patch
@ -0,0 +1,31 @@
+From 079a22da037835daf5be2bd9eccf7bc1eaa2e783 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Tue, 19 Apr 2022 09:28:21 +0200
+Subject: [PATCH] * src/truetype/ttgload.c (TT_Process_Simple_Glyph): Integer
+ overflow.
+
+Reported as
+
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46792
+---
+ src/truetype/ttgload.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
+index 0ecde22b7..2ca63d65a 100644
+--- a/src/truetype/ttgload.c
+++ b/src/truetype/ttgload.c
+@@ -1104,8 +1104,8 @@
+ 
+           for ( ; vec < limit; vec++, u++ )
+           {
+-            vec->x = ( FT_MulFix( u->x, x_scale ) + 32 ) >> 6;
+-            vec->y = ( FT_MulFix( u->y, y_scale ) + 32 ) >> 6;
+            vec->x = ADD_LONG( FT_MulFix( u->x, x_scale ), 32 ) >> 6;
+            vec->y = ADD_LONG( FT_MulFix( u->y, y_scale ), 32 ) >> 6;
+           }
+         }
+         else
+-- 
+GitLab
+
--- a/freetype2.changes
+++ b/freetype2.changes
@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Apr 19 09:52:21 UTC 2022 - Dirk Müller <dmueller@suse.com>
+
+- add revert-ft212-subpixel-hinting-change.patch (bsc#1198536)
+- add 079a22da037835daf5be2bd9eccf7bc1eaa2e783.patch to avoid
+  an integer overflow occuring during fuzzing
+
 -------------------------------------------------------------------
 Fri Apr 15 17:07:44 UTC 2022 - Andreas Stieger <andreas.stieger@gmx.de>

--- a/freetype2.spec
+++ b/freetype2.spec
@ -38,6 +38,8 @@ Patch2:         enable-long-family-names-by-default.patch
 Patch3:         enable-subpixel-rendering.patch
 Patch4:         enable-infinality-subpixel-hinting.patch
 Patch5:         freetype-2.12.0-cff_slot_load-segfault.patch
+Patch6:         https://gitlab.freedesktop.org/freetype/freetype/-/commit/079a22da037835daf5be2bd9eccf7bc1eaa2e783.patch
+Patch7:         revert-ft212-subpixel-hinting-change.patch
 BuildRequires:  gawk
 BuildRequires:  libbz2-devel
 BuildRequires:  libpng-devel
--- a/revert-ft212-subpixel-hinting-change.patch
+++ b/revert-ft212-subpixel-hinting-change.patch
@ -0,0 +1,74 @@
+temporary revert of 
+
+https://gitlab.freedesktop.org/freetype/freetype/-/commit/7809007a5b88b15207d6c6680cd8a979b122eafa.patch
+due to https://gitlab.freedesktop.org/freetype/freetype/-/issues/1148
+
+--- freetype-2.12.0/src/truetype/ttgload.c	2022-03-30 13:17:39.000000000 +0200
+++ freetype-2.12.0/src/truetype/ttgload.c	2022-04-19 11:48:18.687226973 +0200
+@@ -2691,28 +2691,6 @@
+         exec->ignore_x_mode = FALSE;
+ #endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
+ 
+-#ifdef TT_SUPPORT_SUBPIXEL_HINTING_MINIMAL
+-      /*
+-       * Toggle backward compatibility according to what font wants, except
+-       * when
+-       *
+-       * 1) we have a `tricky' font that heavily relies on the interpreter to
+-       *    render glyphs correctly, for example DFKai-SB, or
+-       * 2) FT_RENDER_MODE_MONO (i.e, monochome rendering) is requested.
+-       *
+-       * In those cases, backward compatibility needs to be turned off to get
+-       * correct rendering.  The rendering is then completely up to the
+-       * font's programming.
+-       *
+-       */
+-      if ( driver->interpreter_version == TT_INTERPRETER_VERSION_40 &&
+-           subpixel_hinting_lean                                    &&
+-           !FT_IS_TRICKY( glyph->face )                             )
+-        exec->backward_compatibility = !( exec->GS.instruct_control & 4 );
+-      else
+-        exec->backward_compatibility = FALSE;
+-#endif /* TT_SUPPORT_SUBPIXEL_HINTING_MINIMAL */
+-
+       exec->pedantic_hinting = FT_BOOL( load_flags & FT_LOAD_PEDANTIC );
+       loader->exec = exec;
+       loader->instructions = exec->glyphIns;
+--- freetype-2.12.0/src/truetype/ttinterp.c	2022-01-27 08:43:19.000000000 +0100
+++ freetype-2.12.0/src/truetype/ttinterp.c	2022-04-19 11:46:46.185783645 +0200
+@@ -7770,6 +7770,35 @@
+ #endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
+ 
+ 
+#ifdef TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY
+    exc->iup_called = FALSE;
+#endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
+
+#ifdef TT_SUPPORT_SUBPIXEL_HINTING_MINIMAL
+    /*
+     * Toggle backward compatibility according to what font wants, except
+     * when
+     *
+     * 1) we have a `tricky' font that heavily relies on the interpreter to
+     *    render glyphs correctly, for example DFKai-SB, or
+     * 2) FT_RENDER_MODE_MONO (i.e, monochome rendering) is requested.
+     *
+     * In those cases, backward compatibility needs to be turned off to get
+     * correct rendering.  The rendering is then completely up to the
+     * font's programming.
+     *
+     */
+    if ( SUBPIXEL_HINTING_MINIMAL          &&
+         exc->subpixel_hinting_lean        &&
+         !FT_IS_TRICKY( &exc->face->root ) )
+      exc->backward_compatibility = !( exc->GS.instruct_control & 4 );
+    else
+      exc->backward_compatibility = FALSE;
+
+    exc->iupx_called = FALSE;
+    exc->iupy_called = FALSE;
+#endif
+
+     /* We restrict the number of twilight points to a reasonable,     */
+     /* heuristic value to avoid slow execution of malformed bytecode. */
+     num_twilight_points = FT_MAX( 30,