From 08853ad5af3ae0b4fadbf8992c41368795b58afbde802f72d5dd493af74463e3 Mon Sep 17 00:00:00 2001
From: Fridrich Strba
Date: Tue, 19 Apr 2022 15:30:30 +0000
Subject: [PATCH] Accepting request 970867 from home:dirkmueller:Factory

- add revert-ft212-subpixel-hinting-change.patch (bsc#1198536)
- add 079a22da037835daf5be2bd9eccf7bc1eaa2e783.patch to avoid an integer overflow occuring during fuzzing
OBS-URL: https://build.opensuse.org/request/show/970867
OBS-URL: https://build.opensuse.org/package/show/M17N/freetype2?expand=0&rev=174
---
 ...22da037835daf5be2bd9eccf7bc1eaa2e783.patch | 31 ++++++++
 freetype2.changes | 7 ++
 freetype2.spec | 2 +
 revert-ft212-subpixel-hinting-change.patch | 74 +++++++++++++++++++
 4 files changed, 114 insertions(+)
 create mode 100644 079a22da037835daf5be2bd9eccf7bc1eaa2e783.patch
 create mode 100644 revert-ft212-subpixel-hinting-change.patch

diff --git a/079a22da037835daf5be2bd9eccf7bc1eaa2e783.patch b/079a22da037835daf5be2bd9eccf7bc1eaa2e783.patch
new file mode 100644
index 0000000..6afd603
--- /dev/null
+++ b/079a22da037835daf5be2bd9eccf7bc1eaa2e783.patch
@@ -0,0 +1,31 @@
+From 079a22da037835daf5be2bd9eccf7bc1eaa2e783 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg
+Date: Tue, 19 Apr 2022 09:28:21 +0200
+Subject: [PATCH] * src/truetype/ttgload.c (TT_Process_Simple_Glyph): Integer
+ overflow.
+
+Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=46792
+---
+ src/truetype/ttgload.c | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
+index 0ecde22b7..2ca63d65a 100644
+--- a/src/truetype/ttgload.c
++++ b/src/truetype/ttgload.c
+@@ -1104,8 +1104,8 @@
+
+ for ( ; vec < limit; vec++, u++ )
+ {
+- vec->x = ( FT_MulFix( u->x, x_scale ) + 32 ) >> 6;
+- vec->y = ( FT_MulFix( u->y, y_scale ) + 32 ) >> 6;
++ vec->x = ADD_LONG( FT_MulFix( u->x, x_scale ), 32 ) >> 6;
++ vec->y = ADD_LONG( FT_MulFix( u->y, y_scale ), 32 ) >> 6;
+ }
+ }
+ else
+--
+GitLab
+
diff --git a/freetype2.changes b/freetype2.changes
index d90bf0c..aff43cd 100644
--- a/freetype2.changes
+++ b/freetype2.changes
@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Tue Apr 19 09:52:21 UTC 2022 - Dirk Müller
+
+- add revert-ft212-subpixel-hinting-change.patch (bsc#1198536)
+- add 079a22da037835daf5be2bd9eccf7bc1eaa2e783.patch to avoid
+ an integer overflow occuring during fuzzing
+
 -------------------------------------------------------------------
 Fri Apr 15 17:07:44 UTC 2022 - Andreas Stieger
 
diff --git a/freetype2.spec b/freetype2.spec
index cac2977..b8c97c4 100644
--- a/freetype2.spec
+++ b/freetype2.spec
@@ -38,6 +38,8 @@ Patch2: enable-long-family-names-by-default.patch
 Patch3: enable-subpixel-rendering.patch
 Patch4: enable-infinality-subpixel-hinting.patch
 Patch5: freetype-2.12.0-cff_slot_load-segfault.patch
+Patch6: https://gitlab.freedesktop.org/freetype/freetype/-/commit/079a22da037835daf5be2bd9eccf7bc1eaa2e783.patch
+Patch7: revert-ft212-subpixel-hinting-change.patch
 BuildRequires: gawk
 BuildRequires: libbz2-devel
 BuildRequires: libpng-devel
diff --git a/revert-ft212-subpixel-hinting-change.patch b/revert-ft212-subpixel-hinting-change.patch
new file mode 100644
index 0000000..ab01e45
--- /dev/null
+++ b/revert-ft212-subpixel-hinting-change.patch
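Review bot: Patch6 and Patch7 are declared in this hunk, but whether they are actually applied depends on %prep, which is outside the hunk; if the spec applies patches one by one with `%patchN -p1` rather than `%autosetup -p1`, matching `%patch6 -p1` and `%patch7 -p1` lines are needed, otherwise both definitions are dead. Both new patch files carry exactly one leading path component (`a/src/...` in 079a22da…patch, `freetype-2.12.0/src/...` in the revert patch), so `-p1` is the right strip level for each. Declaring Patch6 as a full URL is harmless because rpm uses only the basename, which matches the 079a22da037835daf5be2bd9eccf7bc1eaa2e783.patch file created in this commit; that means the committed local copy, not the URL, is what gets applied, so that file is the one to compare against the upstream commit it is named after.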
@@ -0,0 +1,74 @@
+temporary revert of
+
+https://gitlab.freedesktop.org/freetype/freetype/-/commit/7809007a5b88b15207d6c6680cd8a979b122eafa.patch
+due to https://gitlab.freedesktop.org/freetype/freetype/-/issues/1148
+
+--- freetype-2.12.0/src/truetype/ttgload.c 2022-03-30 13:17:39.000000000 +0200
++++ freetype-2.12.0/src/truetype/ttgload.c 2022-04-19 11:48:18.687226973 +0200
+@@ -2691,28 +2691,6 @@
+ exec->ignore_x_mode = FALSE;
+ #endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
+
+-#ifdef TT_SUPPORT_SUBPIXEL_HINTING_MINIMAL
+- /*
+- * Toggle backward compatibility according to what font wants, except
+- * when
+- *
+- * 1) we have a `tricky' font that heavily relies on the interpreter to
+- * render glyphs correctly, for example DFKai-SB, or
+- * 2) FT_RENDER_MODE_MONO (i.e, monochome rendering) is requested.
+- *
+- * In those cases, backward compatibility needs to be turned off to get
+- * correct rendering. The rendering is then completely up to the
+- * font's programming.
+- *
+- */
+- if ( driver->interpreter_version == TT_INTERPRETER_VERSION_40 &&
+- subpixel_hinting_lean &&
+- !FT_IS_TRICKY( glyph->face ) )
+- exec->backward_compatibility = !( exec->GS.instruct_control & 4 );
+- else
+- exec->backward_compatibility = FALSE;
+-#endif /* TT_SUPPORT_SUBPIXEL_HINTING_MINIMAL */
+-
+ exec->pedantic_hinting = FT_BOOL( load_flags & FT_LOAD_PEDANTIC );
+ loader->exec = exec;
+ loader->instructions = exec->glyphIns;
+--- freetype-2.12.0/src/truetype/ttinterp.c 2022-01-27 08:43:19.000000000 +0100
++++ freetype-2.12.0/src/truetype/ttinterp.c 2022-04-19 11:46:46.185783645 +0200
+@@ -7770,6 +7770,35 @@
+ #endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
+
+
++#ifdef TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY
++ exc->iup_called = FALSE;
++#endif /* TT_SUPPORT_SUBPIXEL_HINTING_INFINALITY */
++
++#ifdef TT_SUPPORT_SUBPIXEL_HINTING_MINIMAL
++ /*
++ * Toggle backward compatibility according to what font wants, except
++ * when
++ *
++ * 1) we have a `tricky' font that 
heavily relies on the interpreter to
++ * render glyphs correctly, for example DFKai-SB, or
++ * 2) FT_RENDER_MODE_MONO (i.e, monochome rendering) is requested.
++ *
++ * In those cases, backward compatibility needs to be turned off to get
++ * correct rendering. The rendering is then completely up to the
++ * font's programming.
++ *
++ */
++ if ( SUBPIXEL_HINTING_MINIMAL &&
++ exc->subpixel_hinting_lean &&
++ !FT_IS_TRICKY( &exc->face->root ) )
++ exc->backward_compatibility = !( exc->GS.instruct_control & 4 );
++ else
++ exc->backward_compatibility = FALSE;
++
++ exc->iupx_called = FALSE;
++ exc->iupy_called = FALSE;
++#endif
++
+ /* We restrict the number of twilight points to a reasonable, */
+ /* heuristic value to avoid slow execution of malformed bytecode. */
+ num_twilight_points = FT_MAX( 30,