From bf4d84df078cb19f1702f42a94c873026aa72e1d Mon Sep 17 00:00:00 2001 From: Sona Sarmadi Date: Tue, 29 Aug 2017 10:31:20 +0200 Subject: freetype: fix for CVE-2017-8105 FreeType 2 before 2017-03-24 has an out-of-bounds write caused by a heap-based buffer overflow related to the t1_decoder_parse_charstrings function in psaux/t1decode.c. References: ========== https://security-tracker.debian.org/tracker/CVE-2017-8105 Upstream patch: https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Signed-off-by: Sona Sarmadi Signed-off-by: Adrian Dudau --- .../freetype/freetype/CVE-2017-8105.patch | 77 ++++++++++++++++++++++ recipes-graphics/freetype/freetype_%.bbappend | 5 ++ 2 files changed, 82 insertions(+) create mode 100644 recipes-graphics/freetype/freetype/CVE-2017-8105.patch create mode 100644 recipes-graphics/freetype/freetype_%.bbappend (limited to 'recipes-graphics') diff --git a/recipes-graphics/freetype/freetype/CVE-2017-8105.patch b/recipes-graphics/freetype/freetype/CVE-2017-8105.patch new file mode 100644 index 0000000..00c1d9d --- /dev/null +++ b/recipes-graphics/freetype/freetype/CVE-2017-8105.patch @@ -0,0 +1,77 @@ +From 239ef121fed25aa478b740bf52dce4db1a00ba59 Mon Sep 17 00:00:00 2001 +From: Sona Sarmadi +Date: Mon, 28 Aug 2017 14:12:29 +0200 +Subject: [PATCH] freetype: fix for CVE-2017-8105 + +[psaux] Better protect `flex' handling. + +Reported as + + https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935 + +* src/psaux/t1decode.c (t1_decoder_parse_charstrings) +: Since there is not a single flex operator but a +series of subroutine calls, malformed fonts can call arbitrary other +operators after the start of a flex, possibly adding points. For +this reason we have to check the available number of points before +inserting a point. + +CVE: CVE-2017-8105 +Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee431bef8d4d466b40c9cb2d4dbcb7791] + +Signed-off-by: Sona Sarmadi +--- + ChangeLog | 15 +++++++++++++++ + src/psaux/t1decode.c | 9 +++++++++ + 2 files changed, 24 insertions(+) + +diff --git a/ChangeLog b/ChangeLog +index 23f5748..2f89909 100644 +--- a/ChangeLog ++++ b/ChangeLog +@@ -1,3 +1,18 @@ ++2017-03-23 Werner Lemberg ++ ++ [psaux] Better protect `flex' handling. ++ ++ Reported as ++ ++ https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935 ++ ++ * src/psaux/t1decode.c (t1_decoder_parse_charstrings) ++ : Since there is not a single flex operator but a ++ series of subroutine calls, malformed fonts can call arbitrary other ++ operators after the start of a flex, possibly adding points. For ++ this reason we have to check the available number of points before ++ inserting a point. ++ + 2016-09-08 Werner Lemberg + + * Version 2.7.1 released. +diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c +index 1cd9d73..bc5e3d2 100644 +--- a/src/psaux/t1decode.c ++++ b/src/psaux/t1decode.c +@@ -780,10 +780,19 @@ + /* point without adding any point to the outline */ + idx = decoder->num_flex_vectors++; + if ( idx > 0 && idx < 7 ) ++ { ++ /* in malformed fonts it is possible to have other */ ++ /* opcodes in the middle of a flex (which don't */ ++ /* increase `num_flex_vectors'); we thus have to */ ++ /* check whether we can add a point */ ++ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) ) ++ goto Syntax_Error; ++ + t1_builder_add_point( builder, + x, + y, + (FT_Byte)( idx == 3 || idx == 6 ) ); ++ } + } + break; + +-- +1.9.1 + diff --git a/recipes-graphics/freetype/freetype_%.bbappend b/recipes-graphics/freetype/freetype_%.bbappend new file mode 100644 index 0000000..cd1be4b --- /dev/null +++ b/recipes-graphics/freetype/freetype_%.bbappend @@ -0,0 +1,5 @@ +# look for files in the layer first +FILESEXTRAPATHS_prepend := "${THISDIR}/${PN}:" + +SRC_URI += "file://CVE-2017-8105.patch \ + " -- cgit v1.2.3-54-g00ecf