summaryrefslogtreecommitdiffstats
path: root/recipes-graphics
diff options
context:
space:
mode:
Diffstat (limited to 'recipes-graphics')
-rw-r--r--recipes-graphics/freetype/freetype/CVE-2017-8105.patch77
-rw-r--r--recipes-graphics/freetype/freetype_%.bbappend5
2 files changed, 0 insertions, 82 deletions
diff --git a/recipes-graphics/freetype/freetype/CVE-2017-8105.patch b/recipes-graphics/freetype/freetype/CVE-2017-8105.patch
deleted file mode 100644
index 00c1d9d..0000000
--- a/recipes-graphics/freetype/freetype/CVE-2017-8105.patch
+++ /dev/null
@@ -1,77 +0,0 @@
1From 239ef121fed25aa478b740bf52dce4db1a00ba59 Mon Sep 17 00:00:00 2001
2From: Sona Sarmadi <sona.sarmadi@enea.com>
3Date: Mon, 28 Aug 2017 14:12:29 +0200
4Subject: [PATCH] freetype: fix for CVE-2017-8105
5
6[psaux] Better protect `flex' handling.
7
8Reported as
9
10 https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
11
12* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
13<callothersubr>: Since there is not a single flex operator but a
14series of subroutine calls, malformed fonts can call arbitrary other
15operators after the start of a flex, possibly adding points. For
16this reason we have to check the available number of points before
17inserting a point.
18
19CVE: CVE-2017-8105
20Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791]
21
22Signed-off-by: Sona Sarmadi <sona.sarmadi@enea.com>
23---
24 ChangeLog | 15 +++++++++++++++
25 src/psaux/t1decode.c | 9 +++++++++
26 2 files changed, 24 insertions(+)
27
28diff --git a/ChangeLog b/ChangeLog
29index 23f5748..2f89909 100644
30--- a/ChangeLog
31+++ b/ChangeLog
32@@ -1,3 +1,18 @@
33+2017-03-23 Werner Lemberg <wl@gnu.org>
34+
35+ [psaux] Better protect `flex' handling.
36+
37+ Reported as
38+
39+ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
40+
41+ * src/psaux/t1decode.c (t1_decoder_parse_charstrings)
42+ <callothersubr>: Since there is not a single flex operator but a
43+ series of subroutine calls, malformed fonts can call arbitrary other
44+ operators after the start of a flex, possibly adding points. For
45+ this reason we have to check the available number of points before
46+ inserting a point.
47+
48 2016-09-08 Werner Lemberg <wl@gnu.org>
49
50 * Version 2.7.1 released.
51diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
52index 1cd9d73..bc5e3d2 100644
53--- a/src/psaux/t1decode.c
54+++ b/src/psaux/t1decode.c
55@@ -780,10 +780,19 @@
56 /* point without adding any point to the outline */
57 idx = decoder->num_flex_vectors++;
58 if ( idx > 0 && idx < 7 )
59+ {
60+ /* in malformed fonts it is possible to have other */
61+ /* opcodes in the middle of a flex (which don't */
62+ /* increase `num_flex_vectors'); we thus have to */
63+ /* check whether we can add a point */
64+ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
65+ goto Syntax_Error;
66+
67 t1_builder_add_point( builder,
68 x,
69 y,
70 (FT_Byte)( idx == 3 || idx == 6 ) );
71+ }
72 }
73 break;
74
75--
761.9.1
77
diff --git a/recipes-graphics/freetype/freetype_%.bbappend b/recipes-graphics/freetype/freetype_%.bbappend
deleted file mode 100644
index cd1be4b..0000000
--- a/recipes-graphics/freetype/freetype_%.bbappend
+++ /dev/null
@@ -1,5 +0,0 @@
1# look for files in the layer first
2FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:"
3
4SRC_URI += "file://CVE-2017-8105.patch \
5 "