freetype: fix CVE-2023-2004 integer overflowin in tt_hvadvance_adjust() in src/truetype/ttgxvar.c

Fix An integer overflow vulnerability was discovered in Freetype in tt_hvadvance_adjust() function in src/truetype/ttgxvar.c (From OE-Core rev: 6a07e1524746bd3cfa5aec090a882f4a7f954dad) Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> Signed-off-by: Steve Sakoman <steve@sakoman.com>
author: Vivek Kumbhar <vkumbhar@mvista.com> 2023-04-29 11:06:24 +0530
committer: Steve Sakoman <steve@sakoman.com> 2023-05-10 04:19:56 -1000
commit: f90eb43a15929b7fe42eaff160bf674b7d117e76 (patch)
tree: fc0245577a3920e0230c3e83452ba9439014d000 /meta/recipes-graphics
parent: 7aac01a2a723e3093744ab598296395e78296f5e (diff)
download: poky-f90eb43a15929b7fe42eaff160bf674b7d117e76.tar.gz
2 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
new file mode 100644
index 0000000000..f600309d3e
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
@@ -0,0 +1,41 @@
+From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 14 Nov 2022 19:18:19 +0100
+Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer
+ overflow.
+Reported as
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
+Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611]
+CVE: CVE-2023-2004
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/truetype/ttgxvar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 7f2db0c..8968111 100644
+--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
+@@ -42,6 +42,7 @@
+ #include <ft2build.h>
+ #include <freetype/internal/ftdebug.h>
+ #include FT_CONFIG_CONFIG_H
+#include <freetype/internal/ftcalc.h>
+ #include <freetype/internal/ftstream.h>
+ #include <freetype/internal/sfnt.h>
+ #include <freetype/tttags.h>
+@@ -1147,7 +1148,7 @@
+                 delta == 1 ? "" : "s",
+                 vertical ? "VVAR" : "HVAR" ));
+ 
+-    *avalue += delta;
+    *avalue = ADD_INT( *avalue, delta );
+ 
+   Exit:
+     return error;
+-- 
+2.25.1
diff --git a/meta/recipes-graphics/freetype/freetype_2.11.1.bb b/meta/recipes-graphics/freetype/freetype_2.11.1.bb
index d425e162bc..29f4d8dfb7 100644
--- a/meta/recipes-graphics/freetype/freetype_2.11.1.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.11.1.bb
@@ -16,6 +16,7 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/${BPN}/${BP}.tar.xz \
           file://CVE-2022-27404.patch \
           file://CVE-2022-27405.patch \
           file://CVE-2022-27406.patch \
+           file://CVE-2023-2004.patch \
           "
 SRC_URI[sha256sum] = "3333ae7cfda88429c97a7ae63b7d01ab398076c3b67182e960e5684050f2c5c8"
author	Vivek Kumbhar <vkumbhar@mvista.com>	2023-04-29 11:06:24 +0530
committer	Steve Sakoman <steve@sakoman.com>	2023-05-10 04:19:56 -1000
commit	f90eb43a15929b7fe42eaff160bf674b7d117e76 (patch)
tree	fc0245577a3920e0230c3e83452ba9439014d000 /meta/recipes-graphics
parent	7aac01a2a723e3093744ab598296395e78296f5e (diff)
download	poky-f90eb43a15929b7fe42eaff160bf674b7d117e76.tar.gz

diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch new file mode 100644 index 0000000000..f600309d3e --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
@@ -0,0 +1,41 @@
		1	From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001
		2	From: Werner Lemberg <wl@gnu.org>
		3	Date: Mon, 14 Nov 2022 19:18:19 +0100
		4	Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer
		5	overflow.
		6
		7	Reported as
		8
		9	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
		10
		11	Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611]
		12	CVE: CVE-2023-2004
		13	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		14	---
		15	src/truetype/ttgxvar.c \| 3 ++-
		16	1 file changed, 2 insertions(+), 1 deletion(-)
		17
		18	diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
		19	index 7f2db0c..8968111 100644
		20	--- a/src/truetype/ttgxvar.c
		21	+++ b/src/truetype/ttgxvar.c
		22	@@ -42,6 +42,7 @@
		23	#include <ft2build.h>
		24	#include <freetype/internal/ftdebug.h>
		25	#include FT_CONFIG_CONFIG_H
		26	+#include <freetype/internal/ftcalc.h>
		27	#include <freetype/internal/ftstream.h>
		28	#include <freetype/internal/sfnt.h>
		29	#include <freetype/tttags.h>
		30	@@ -1147,7 +1148,7 @@
		31	delta == 1 ? "" : "s",
		32	vertical ? "VVAR" : "HVAR" ));
		33
		34	- *avalue += delta;
		35	+ avalue = ADD_INT( avalue, delta );
		36
		37	Exit:
		38	return error;
		39	--
		40	2.25.1
		41


diff --git a/meta/recipes-graphics/freetype/freetype_2.11.1.bb b/meta/recipes-graphics/freetype/freetype_2.11.1.bb index d425e162bc..29f4d8dfb7 100644 --- a/meta/recipes-graphics/freetype/freetype_2.11.1.bb +++ b/meta/recipes-graphics/freetype/freetype_2.11.1.bb
@@ -16,6 +16,7 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/${BPN}/${BP}.tar.xz \
16	file://CVE-2022-27404.patch \	16	file://CVE-2022-27404.patch \
17	file://CVE-2022-27405.patch \	17	file://CVE-2022-27405.patch \
18	file://CVE-2022-27406.patch \	18	file://CVE-2022-27406.patch \
		19	file://CVE-2023-2004.patch \
19	"	20	"
20	SRC_URI[sha256sum] = "3333ae7cfda88429c97a7ae63b7d01ab398076c3b67182e960e5684050f2c5c8"	21	SRC_URI[sha256sum] = "3333ae7cfda88429c97a7ae63b7d01ab398076c3b67182e960e5684050f2c5c8"
21		22