summaryrefslogtreecommitdiff
path: root/gnu/packages/patches/freetype-CVE-2017-8105.patch
diff options
context:
space:
mode:
authorLeo Famulari <leo@famulari.name>2017-04-29 11:55:33 -0400
committerLeo Famulari <leo@famulari.name>2017-04-29 12:14:03 -0400
commit86f48a8dbff4528d1351676f429fa6a3d0afefd5 (patch)
treeac666c84c45aac84390df9dcd1444af40e4e8513 /gnu/packages/patches/freetype-CVE-2017-8105.patch
parente24d52713140f339e3ac366f31d27dd413edd557 (diff)
gnu: freetype: Fix CVE-2017-{8105,8287}.
* gnu/packages/patches/freetype-CVE-2017-8105.patch, gnu/packages/patches/freetype-CVE-2017-8287.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. * gnu/packages/fontutils.scm (freetype)[replacement]: New field. (freetype/fixed): New variable.
Diffstat (limited to 'gnu/packages/patches/freetype-CVE-2017-8105.patch')
-rw-r--r--gnu/packages/patches/freetype-CVE-2017-8105.patch56
1 files changed, 56 insertions, 0 deletions
diff --git a/gnu/packages/patches/freetype-CVE-2017-8105.patch b/gnu/packages/patches/freetype-CVE-2017-8105.patch
new file mode 100644
index 0000000000..1891c4ab5f
--- /dev/null
+++ b/gnu/packages/patches/freetype-CVE-2017-8105.patch
@@ -0,0 +1,56 @@
+Fix CVE-2017-8105:
+
+https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2017-8105
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
+
+Patch copied from upstream source repository:
+
+https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791
+
+From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Fri, 24 Mar 2017 09:15:10 +0100
+Subject: [PATCH] [psaux] Better protect `flex' handling.
+
+Reported as
+
+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
+
+* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+<callothersubr>: Since there is not a single flex operator but a
+series of subroutine calls, malformed fonts can call arbitrary other
+operators after the start of a flex, possibly adding points. For
+this reason we have to check the available number of points before
+inserting a point.
+---
+ ChangeLog | 15 +++++++++++++++
+ src/psaux/t1decode.c | 9 +++++++++
+ 2 files changed, 24 insertions(+)
+
+diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
+index af7b465e..7dd45135 100644
+--- a/src/psaux/t1decode.c
++++ b/src/psaux/t1decode.c
+@@ -780,10 +780,19 @@
+ /* point without adding any point to the outline */
+ idx = decoder->num_flex_vectors++;
+ if ( idx > 0 && idx < 7 )
++ {
++ /* in malformed fonts it is possible to have other */
++ /* opcodes in the middle of a flex (which don't */
++ /* increase `num_flex_vectors'); we thus have to */
++ /* check whether we can add a point */
++ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
++ goto Syntax_Error;
++
+ t1_builder_add_point( builder,
+ x,
+ y,
+ (FT_Byte)( idx == 3 || idx == 6 ) );
++ }
+ }
+ break;
+
+--
+2.12.2
+