freetype: fix for CVE-2017-8105

FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c. References: ========== https://security-tracker.debian.org/tracker/CVE-2017-8105 Upstream patch: https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com> Signed-off-by: Adrian Dudau <adrian.dudau@enea.com>
author: Sona Sarmadi <sona.sarmadi@enea.com> 2017-08-29 10:31:20 +0200
committer: Adrian Dudau <adrian.dudau@enea.com> 2017-08-29 13:46:30 +0200
commit: bf4d84df078cb19f1702f42a94c873026aa72e1d (patch)
tree: 82302440f550519538e8f0ab87f814f4089c7a07
parent: e3f32e1fc30aa34b0bfa73fc53231396220beb5b (diff)
download: meta-el-common-bf4d84df078cb19f1702f42a94c873026aa72e1d.tar.gz
2 files changed, 82 insertions, 0 deletions
diff --git a/recipes-graphics/freetype/freetype/CVE-2017-8105.patch b/recipes-graphics/freetype/freetype/CVE-2017-8105.patch
new file mode 100644
index 0000000..00c1d9d
--- /dev/null
+++ b/recipes-graphics/freetype/freetype/CVE-2017-8105.patch
@@ -0,0 +1,77 @@
+From 239ef121fed25aa478b740bf52dce4db1a00ba59 Mon Sep 17 00:00:00 2001
+From: Sona Sarmadi <sona.sarmadi@enea.com>
+Date: Mon, 28 Aug 2017 14:12:29 +0200
+Subject: [PATCH] freetype: fix for CVE-2017-8105
+[psaux] Better protect `flex' handling.
+Reported as
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
+* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+<callothersubr>: Since there is not a single flex operator but a
+series of subroutine calls, malformed fonts can call arbitrary other
+operators after the start of a flex, possibly adding points.  For
+this reason we have to check the available number of points before
+inserting a point.
+CVE: CVE-2017-8105
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791]
+Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
+---
+ ChangeLog            | 15 +++++++++++++++
+ src/psaux/t1decode.c |  9 +++++++++
+ 2 files changed, 24 insertions(+)
+diff --git a/ChangeLog b/ChangeLog
+index 23f5748..2f89909 100644
+--- a/ChangeLog
+++ b/ChangeLog
+@@ -1,3 +1,18 @@
+2017-03-23  Werner Lemberg  <wl@gnu.org>
+
+       [psaux] Better protect `flex' handling.
+
+       Reported as
+
+       https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
+
+       * src/psaux/t1decode.c (t1_decoder_parse_charstrings)
+       <callothersubr>: Since there is not a single flex operator but a
+       series of subroutine calls, malformed fonts can call arbitrary other
+       operators after the start of a flex, possibly adding points.  For
+       this reason we have to check the available number of points before
+       inserting a point.
+
+ 2016-09-08  Werner Lemberg  <wl@gnu.org>
+ 
+        * Version 2.7.1 released.
+diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
+index 1cd9d73..bc5e3d2 100644
+--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
+@@ -780,10 +780,19 @@
+             /* point without adding any point to the outline    */
+             idx = decoder->num_flex_vectors++;
+             if ( idx > 0 && idx < 7 )
+            {
+              /* in malformed fonts it is possible to have other */
+              /* opcodes in the middle of a flex (which don't    */
+              /* increase `num_flex_vectors'); we thus have to   */
+              /* check whether we can add a point                */
+              if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
+                goto Syntax_Error;
+
+               t1_builder_add_point( builder,
+                                     x,
+                                     y,
+                                     (FT_Byte)( idx == 3 || idx == 6 ) );
+            }
+           }
+           break;
+ 
+-- 
+1.9.1
diff --git a/recipes-graphics/freetype/freetype_%.bbappend b/recipes-graphics/freetype/freetype_%.bbappend
new file mode 100644
index 0000000..cd1be4b
--- /dev/null
+++ b/recipes-graphics/freetype/freetype_%.bbappend
@@ -0,0 +1,5 @@
+# look for files in the layer first
+FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
+SRC_URI += "file://CVE-2017-8105.patch \
+           "
author	Sona Sarmadi <sona.sarmadi@enea.com>	2017-08-29 10:31:20 +0200
committer	Adrian Dudau <adrian.dudau@enea.com>	2017-08-29 13:46:30 +0200
commit	bf4d84df078cb19f1702f42a94c873026aa72e1d (patch)
tree	82302440f550519538e8f0ab87f814f4089c7a07
parent	e3f32e1fc30aa34b0bfa73fc53231396220beb5b (diff)
download	meta-el-common-bf4d84df078cb19f1702f42a94c873026aa72e1d.tar.gz

diff --git a/recipes-graphics/freetype/freetype/CVE-2017-8105.patch b/recipes-graphics/freetype/freetype/CVE-2017-8105.patch new file mode 100644 index 0000000..00c1d9d --- /dev/null +++ b/recipes-graphics/freetype/freetype/CVE-2017-8105.patch
@@ -0,0 +1,77 @@
	1	From 239ef121fed25aa478b740bf52dce4db1a00ba59 Mon Sep 17 00:00:00 2001
	2	From: Sona Sarmadi <sona.sarmadi@enea.com>
	3	Date: Mon, 28 Aug 2017 14:12:29 +0200
	4	Subject: [PATCH] freetype: fix for CVE-2017-8105
	5
	6	[psaux] Better protect `flex' handling.
	7
	8	Reported as
	9
	10	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
	11
	12	* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
	13	<callothersubr>: Since there is not a single flex operator but a
	14	series of subroutine calls, malformed fonts can call arbitrary other
	15	operators after the start of a flex, possibly adding points. For
	16	this reason we have to check the available number of points before
	17	inserting a point.
	18
	19	CVE: CVE-2017-8105
	20	Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791]
	21
	22	Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
	23	---
	24	ChangeLog \| 15 +++++++++++++++
	25	src/psaux/t1decode.c \| 9 +++++++++
	26	2 files changed, 24 insertions(+)
	27
	28	diff --git a/ChangeLog b/ChangeLog
	29	index 23f5748..2f89909 100644
	30	--- a/ChangeLog
	31	+++ b/ChangeLog
	32	@@ -1,3 +1,18 @@
	33	+2017-03-23 Werner Lemberg <wl@gnu.org>
	34	+
	35	+ [psaux] Better protect `flex' handling.
	36	+
	37	+ Reported as
	38	+
	39	+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
	40	+
	41	+ * src/psaux/t1decode.c (t1_decoder_parse_charstrings)
	42	+ <callothersubr>: Since there is not a single flex operator but a
	43	+ series of subroutine calls, malformed fonts can call arbitrary other
	44	+ operators after the start of a flex, possibly adding points. For
	45	+ this reason we have to check the available number of points before
	46	+ inserting a point.
	47	+
	48	2016-09-08 Werner Lemberg <wl@gnu.org>
	49
	50	* Version 2.7.1 released.
	51	diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
	52	index 1cd9d73..bc5e3d2 100644
	53	--- a/src/psaux/t1decode.c
	54	+++ b/src/psaux/t1decode.c
	55	@@ -780,10 +780,19 @@
	56	/* point without adding any point to the outline */
	57	idx = decoder->num_flex_vectors++;
	58	if ( idx > 0 && idx < 7 )
	59	+ {
	60	+ /* in malformed fonts it is possible to have other */
	61	+ /* opcodes in the middle of a flex (which don't */
	62	+ /* increase `num_flex_vectors'); we thus have to */
	63	+ /* check whether we can add a point */
	64	+ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
	65	+ goto Syntax_Error;
	66	+
	67	t1_builder_add_point( builder,
	68	x,
	69	y,
	70	(FT_Byte)( idx == 3 \|\| idx == 6 ) );
	71	+ }
	72	}
	73	break;
	74
	75	--
	76	1.9.1
	77


diff --git a/recipes-graphics/freetype/freetype_%.bbappend b/recipes-graphics/freetype/freetype_%.bbappend new file mode 100644 index 0000000..cd1be4b --- /dev/null +++ b/recipes-graphics/freetype/freetype_%.bbappend
@@ -0,0 +1,5 @@
	1	# look for files in the layer first
	2	FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
	3
	4	SRC_URI += "file://CVE-2017-8105.patch \
	5	"