gnu: t1lib: Fix CVE-2010-2642, CVE-2011-{0764, 1552, 1553, 1554}.
* gnu/packages/fontutils.scm (t1lib)[source]: Add patches. * gnu/packages/patches/t1lib-CVE-2010-2642.patch, gnu/packages/patches/t1lib-CVE-2011-0764.patch, gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch: New variables. * gnu/local.mk (dist_patch_DATA): Add them.
This commit is contained in:
parent
321dc4dfe4
commit
4f3e02f198
|
@ -741,6 +741,9 @@ dist_patch_DATA = \
|
|||
%D%/packages/patches/sudo-CVE-2015-5602.patch \
|
||||
%D%/packages/patches/superlu-dist-scotchmetis.patch \
|
||||
%D%/packages/patches/synfig-build-fix.patch \
|
||||
%D%/packages/patches/t1lib-CVE-2010-2642.patch \
|
||||
%D%/packages/patches/t1lib-CVE-2011-0764.patch \
|
||||
%D%/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch \
|
||||
%D%/packages/patches/tar-d_ino_in_dirent-fix.patch \
|
||||
%D%/packages/patches/tar-skip-unreliable-tests.patch \
|
||||
%D%/packages/patches/tcl-mkindex-deterministic.patch \
|
||||
|
|
|
@ -286,7 +286,11 @@ high quality, anti-aliased and subpixel rendered text on a display.")
|
|||
(string-append "https://fossies.org/linux/misc/old/"
|
||||
name "-" version ".tar.gz")))
|
||||
(sha256 (base32
|
||||
"0nbvjpnmcznib1nlgg8xckrmsw3haa154byds2h90y2g0nsjh4w2"))))
|
||||
"0nbvjpnmcznib1nlgg8xckrmsw3haa154byds2h90y2g0nsjh4w2"))
|
||||
(patches (search-patches
|
||||
"t1lib-CVE-2010-2642.patch"
|
||||
"t1lib-CVE-2011-0764.patch"
|
||||
"t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch"))))
|
||||
(build-system gnu-build-system)
|
||||
(arguments
|
||||
;; Making the documentation requires latex, but t1lib is also an input
|
||||
|
|
|
@ -0,0 +1,24 @@
|
|||
diff --git a/lib/t1lib/parseAFM.c b/lib/t1lib/parseAFM.c
|
||||
index 6a31d7f..ba64541 100644
|
||||
--- a/lib/t1lib/parseAFM.c
|
||||
+++ b/lib/t1lib/parseAFM.c
|
||||
@@ -199,7 +199,9 @@ static char *token(stream)
|
||||
idx = 0;
|
||||
|
||||
while (ch != EOF && ch != ' ' && ch != CR && ch != LF &&
|
||||
- ch != CTRL_Z && ch != '\t' && ch != ':' && ch != ';'){
|
||||
+ ch != CTRL_Z && ch != '\t' && ch != ':' && ch != ';'
|
||||
+ && idx < (MAX_NAME -1))
|
||||
+ {
|
||||
ident[idx++] = ch;
|
||||
ch = fgetc(stream);
|
||||
} /* while */
|
||||
@@ -235,7 +237,7 @@ static char *linetoken(stream)
|
||||
while ((ch = fgetc(stream)) == ' ' || ch == '\t' );
|
||||
|
||||
idx = 0;
|
||||
- while (ch != EOF && ch != CR && ch != LF && ch != CTRL_Z)
|
||||
+ while (ch != EOF && ch != CR && ch != LF && ch != CTRL_Z && idx < (MAX_NAME - 1))
|
||||
{
|
||||
ident[idx++] = ch;
|
||||
ch = fgetc(stream);
|
|
@ -0,0 +1,32 @@
|
|||
Description: Don't lookup previous point if there isn't any
|
||||
Author: Marc Deslauriers <marc.deslauriers@canonical.com>
|
||||
Forwarded: no
|
||||
|
||||
Index: t1lib-5.1.2/lib/type1/type1.c
|
||||
===================================================================
|
||||
--- t1lib-5.1.2.orig/lib/type1/type1.c 2011-12-13 14:24:14.280965637 -0600
|
||||
+++ t1lib-5.1.2/lib/type1/type1.c 2011-12-13 14:25:25.893320747 -0600
|
||||
@@ -1700,6 +1700,7 @@
|
||||
long pindex = 0;
|
||||
|
||||
/* compute hinting for previous segment! */
|
||||
+ if (ppoints == NULL) Error0i("RLineTo: No previous point!\n");
|
||||
FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
|
||||
|
||||
/* Allocate a new path point and pre-setup data */
|
||||
@@ -1728,6 +1729,7 @@
|
||||
long pindex = 0;
|
||||
|
||||
/* compute hinting for previous point! */
|
||||
+ if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n");
|
||||
FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
|
||||
|
||||
/* Allocate three new path points and pre-setup data */
|
||||
@@ -1903,6 +1905,7 @@
|
||||
FindStems( currx, curry, 0, 0, dx, dy);
|
||||
}
|
||||
else {
|
||||
+ if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n");
|
||||
FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy);
|
||||
}
|
||||
|
|
@ -0,0 +1,133 @@
|
|||
Author: Jaroslav Škarvada <jskarvad@redhat.com>
|
||||
Description: Fix more crashes on oversized fonts
|
||||
Bug-Redhat: http://bugzilla.redhat.com/show_bug.cgi?id=692909
|
||||
Index: t1lib-5.1.2/lib/type1/lines.c
|
||||
===================================================================
|
||||
--- t1lib-5.1.2.orig/lib/type1/lines.c 2007-12-23 09:49:42.000000000 -0600
|
||||
+++ t1lib-5.1.2/lib/type1/lines.c 2012-01-17 14:15:08.000000000 -0600
|
||||
@@ -67,6 +67,10 @@
|
||||
None.
|
||||
*/
|
||||
|
||||
+#define BITS (sizeof(LONG)*8)
|
||||
+#define HIGHTEST(p) (((p)>>(BITS-2)) != 0) /* includes sign bit */
|
||||
+#define TOOBIG(xy) ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy))
|
||||
+
|
||||
/*
|
||||
:h2.StepLine() - Produces Run Ends for a Line After Checks
|
||||
|
||||
@@ -84,6 +88,9 @@
|
||||
IfTrace4((LineDebug > 0), ".....StepLine: (%d,%d) to (%d,%d)\n",
|
||||
x1, y1, x2, y2);
|
||||
|
||||
+ if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2))
|
||||
+ abort("Lines this big not supported", 49);
|
||||
+
|
||||
dy = y2 - y1;
|
||||
|
||||
/*
|
||||
Index: t1lib-5.1.2/lib/type1/objects.c
|
||||
===================================================================
|
||||
--- t1lib-5.1.2.orig/lib/type1/objects.c 2007-12-23 09:49:42.000000000 -0600
|
||||
+++ t1lib-5.1.2/lib/type1/objects.c 2012-01-17 14:15:08.000000000 -0600
|
||||
@@ -1137,12 +1137,13 @@
|
||||
"Context: out of them", /* 46 */
|
||||
"MatrixInvert: can't", /* 47 */
|
||||
"xiStub called", /* 48 */
|
||||
- "Illegal access type1 abort() message" /* 49 */
|
||||
+ "Lines this big not supported", /* 49 */
|
||||
+ "Illegal access type1 abort() message" /* 50 */
|
||||
};
|
||||
|
||||
- /* no is valid from 1 to 48 */
|
||||
- if ( (number<1)||(number>48))
|
||||
- number=49;
|
||||
+ /* no is valid from 1 to 49 */
|
||||
+ if ( (number<1)||(number>49))
|
||||
+ number=50;
|
||||
return( err_msgs[number-1]);
|
||||
|
||||
}
|
||||
Index: t1lib-5.1.2/lib/type1/type1.c
|
||||
===================================================================
|
||||
--- t1lib-5.1.2.orig/lib/type1/type1.c 2012-01-17 14:13:28.000000000 -0600
|
||||
+++ t1lib-5.1.2/lib/type1/type1.c 2012-01-17 14:19:54.000000000 -0600
|
||||
@@ -1012,6 +1012,7 @@
|
||||
double nextdtana = 0.0; /* tangent of post-delta against horizontal line */
|
||||
double nextdtanb = 0.0; /* tangent of post-delta against vertical line */
|
||||
|
||||
+ if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n");
|
||||
|
||||
/* setup default hinted position */
|
||||
ppoints[numppoints-1].ax = ppoints[numppoints-1].x;
|
||||
@@ -1289,7 +1290,7 @@
|
||||
static int DoRead(CodeP)
|
||||
int *CodeP;
|
||||
{
|
||||
- if (strindex >= CharStringP->len) return(FALSE); /* end of string */
|
||||
+ if (!CharStringP || strindex >= CharStringP->len) return(FALSE); /* end of string */
|
||||
/* We handle the non-documented Adobe convention to use lenIV=-1 to
|
||||
suppress charstring encryption. */
|
||||
if (blues->lenIV==-1) {
|
||||
@@ -1700,7 +1701,7 @@
|
||||
long pindex = 0;
|
||||
|
||||
/* compute hinting for previous segment! */
|
||||
- if (ppoints == NULL) Error0i("RLineTo: No previous point!\n");
|
||||
+ if (ppoints == NULL || numppoints < 2) Error0i("RLineTo: No previous point!\n");
|
||||
FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy);
|
||||
|
||||
/* Allocate a new path point and pre-setup data */
|
||||
@@ -1729,7 +1730,7 @@
|
||||
long pindex = 0;
|
||||
|
||||
/* compute hinting for previous point! */
|
||||
- if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n");
|
||||
+ if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n");
|
||||
FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1);
|
||||
|
||||
/* Allocate three new path points and pre-setup data */
|
||||
@@ -1788,7 +1789,9 @@
|
||||
long tmpind;
|
||||
double deltax = 0.0;
|
||||
double deltay = 0.0;
|
||||
-
|
||||
+
|
||||
+ if (ppoints == NULL || numppoints < 1) Error0i("DoClosePath: No previous point!");
|
||||
+
|
||||
/* If this ClosePath command together with the starting point of this
|
||||
path completes to a segment aligned to a stem, we would miss
|
||||
hinting for this point. --> Check and explicitly care for this! */
|
||||
@@ -1803,6 +1806,7 @@
|
||||
deltax = ppoints[i].x - ppoints[numppoints-1].x;
|
||||
deltay = ppoints[i].y - ppoints[numppoints-1].y;
|
||||
|
||||
+ if (ppoints == NULL || numppoints <= i + 1) Error0i("DoClosePath: No previous point!");
|
||||
/* save nummppoints and reset to move point */
|
||||
tmpind = numppoints;
|
||||
numppoints = i + 1;
|
||||
@@ -1905,7 +1909,7 @@
|
||||
FindStems( currx, curry, 0, 0, dx, dy);
|
||||
}
|
||||
else {
|
||||
- if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n");
|
||||
+ if (ppoints == NULL || numppoints < 2) Error0i("RMoveTo: No previous point!\n");
|
||||
FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy);
|
||||
}
|
||||
|
||||
@@ -2155,6 +2159,7 @@
|
||||
DOUBLE cx, cy;
|
||||
DOUBLE ex, ey;
|
||||
|
||||
+ if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous point!");
|
||||
|
||||
/* Our PPOINT list now contains 7 moveto commands which
|
||||
are about to be consumed by the Flex mechanism. --> Remove these
|
||||
@@ -2324,6 +2329,7 @@
|
||||
/* Returns currentpoint on stack */
|
||||
static void FlxProc2()
|
||||
{
|
||||
+ if (ppoints == NULL || numppoints < 1) Error0v("FlxProc2: No previous point!");
|
||||
/* Push CurrentPoint on fake PostScript stack */
|
||||
PSFakePush( ppoints[numppoints-1].x);
|
||||
PSFakePush( ppoints[numppoints-1].y);
|
Loading…
Reference in New Issue