Accepting request 76760 from home:keichwa:branches:M17N

bnc704612_othersubr OBS-URL: https://build.opensuse.org/request/show/76760 OBS-URL: https://build.opensuse.org/package/show/M17N/freetype2?expand=0&rev=48
2011-07-23 14:32:06 +00:00 · 2011-07-23 14:32:06 +00:00 · f2264bc497
commit f2264bc497
parent 1a464d6189
5 changed files with 113 additions and 0 deletions
--- a/bnc704612_othersubr.diff
+++ b/bnc704612_othersubr.diff
@ -0,0 +1,99 @@
+--- freetype-2.4.4/src/psaux/t1decode.c.orig	2011-07-21 16:44:40.000000000 +0000
+++ freetype-2.4.4/src/psaux/t1decode.c	2011-07-21 17:00:05.000000000 +0000
+@@ -28,6 +28,8 @@
+ 
+ #include "psauxerr.h"
+ 
+/* ensure proper sign extension */
+#define Fix2Int( f )  ( (FT_Int)(FT_Short)( (f) >> 16 ) )
+ 
+   /*************************************************************************/
+   /*                                                                       */
+@@ -662,7 +664,7 @@
+         if ( large_int )
+           FT_TRACE4(( " %ld", value ));
+         else
+-          FT_TRACE4(( " %ld", (FT_Int32)( value >> 16 ) ));
+          FT_TRACE4(( " %ld", Fix2Int( value ) ));
+ #endif
+ 
+         *top++       = value;
+@@ -684,8 +686,8 @@
+ 
+         top -= 2;
+ 
+-        subr_no = (FT_Int)( top[1] >> 16 );
+-        arg_cnt = (FT_Int)( top[0] >> 16 );
+        subr_no = Fix2Int( top[1] );
+        arg_cnt = Fix2Int( top[0] );
+ 
+         /***********************************************************/
+         /*                                                         */
+@@ -862,7 +864,7 @@
+             if ( arg_cnt != 1 || blend == NULL )
+               goto Unexpected_OtherSubr;
+ 
+-            idx = (FT_Int)( top[0] >> 16 );
+            idx = Fix2Int( top[0] );
+ 
+             if ( idx < 0                                           ||
+                  idx + blend->num_designs > decoder->len_buildchar )
+@@ -930,7 +932,7 @@
+             if ( arg_cnt != 2 || blend == NULL )
+               goto Unexpected_OtherSubr;
+ 
+-            idx = (FT_Int)( top[1] >> 16 );
+            idx = Fix2Int( top[1] );
+ 
+             if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar )
+               goto Unexpected_OtherSubr;
+@@ -951,7 +953,7 @@
+             if ( arg_cnt != 1 || blend == NULL )
+               goto Unexpected_OtherSubr;
+ 
+-            idx = (FT_Int)( top[0] >> 16 );
+            idx = Fix2Int( top[0] );
+ 
+             if ( idx < 0 || (FT_UInt) idx >= decoder->len_buildchar )
+               goto Unexpected_OtherSubr;
+@@ -1009,11 +1011,15 @@
+           break;
+ 
+         default:
+-          FT_ERROR(( "t1_decoder_parse_charstrings:"
+-                     " unknown othersubr [%d %d], wish me luck\n",
+-                     arg_cnt, subr_no ));
+-          unknown_othersubr_result_cnt = arg_cnt;
+-          break;
+          if ( arg_cnt >= 0 && subr_no >= 0 )
+          {
+            FT_ERROR(( "t1_decoder_parse_charstrings:"
+                       " unknown othersubr [%d %d], wish me luck\n",
+                       arg_cnt, subr_no ));
+            unknown_othersubr_result_cnt = arg_cnt;
+            break;
+          }
+          /* fall through */
+ 
+         Unexpected_OtherSubr:
+           FT_ERROR(( "t1_decoder_parse_charstrings:"
+@@ -1139,8 +1145,8 @@
+                                   top[0],
+                                   top[1],
+                                   top[2],
+-                                  (FT_Int)( top[3] >> 16 ),
+-                                  (FT_Int)( top[4] >> 16 ) );
+                                  Fix2Int( top[3] ),
+                                  Fix2Int( top[4] ) );
+ 
+         case op_sbw:
+           FT_TRACE4(( " sbw" ));
+@@ -1324,7 +1330,7 @@
+ 
+             FT_TRACE4(( " callsubr" ));
+ 
+-            idx = (FT_Int)( top[0] >> 16 );
+            idx = Fix2Int( top[0] );
+             if ( idx < 0 || idx >= (FT_Int)decoder->num_subrs )
+             {
+               FT_ERROR(( "t1_decoder_parse_charstrings:"
--- a/freetype2.changes
+++ b/freetype2.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Jul 22 13:41:02 CEST 2011 - ke@suse.de
+
+- added bnc704612_othersubr.diff, CVE-2011-0226, bnc#704612.
+
 -------------------------------------------------------------------
 Thu Jul  7 13:16:05 UTC 2011 - idonmez@novell.com

--- a/freetype2.spec
+++ b/freetype2.spec
@ -39,6 +39,7 @@ Patch9:         fix-build.patch
 Patch10:        freetype2-no_rpath.patch
 Patch308961:    bugzilla-308961-cmex-workaround.patch
 Patch200:       freetype2-subpixel.patch
+Patch1018:      bnc704612_othersubr.diff
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

 %description
@ -86,6 +87,7 @@ It also contains a small tutorial for using that library.
 %if %{enable_subpixel_rendering}
 %patch200 -p 1 -b .subpixel
 %endif
+%patch1018 -p 1 -b .othersubr

 rm docs/reference/.gitignore

--- a/ft2demos.changes
+++ b/ft2demos.changes
@ -1,3 +1,8 @@
+-------------------------------------------------------------------
+Fri Jul 22 13:41:52 CEST 2011 - ke@suse.de
+
+- added bnc704612_othersubr.diff, CVE-2011-0226, bnc#704612.
+
 -------------------------------------------------------------------
 Thu Jul  7 13:20:45 UTC 2011 - idonmez@novell.com

--- a/ft2demos.spec
+++ b/ft2demos.spec
@ -39,6 +39,7 @@ Source1004:     bnc629447_sigsegv31.ttf
 Source1013:     bnc633938_badbdf.0
 Source1015:     bug-641580_CVE-2010-3311.cff
 Source1016:     bug-647375_tt2.ttf
+Patch1018:      bnc704612_othersubr.diff

 BuildRoot:      %{_tmppath}/%{name}-%{version}-build

@ -56,6 +57,7 @@ popd
 %if %{enable_subpixel_rendering}
 %patch200 -p 1 -b .subpixel
 %endif
+%patch1018 -p 1 -b .othersubr

 %build
 %configure --without-bzip2