author | Vivek Kumbhar <vkumbhar@mvista.com> | 2023-05-03 07:40:24 +0530 |
---|---|---|
committer | Steve Sakoman <steve@sakoman.com> | 2023-05-16 06:18:21 -1000 |
commit | f668b3ab565180698bc9338baa246b3164ccf5af (patch) | |
tree | 440ffac60fcf921f6b9b8778778fe85e6ae014d3 /meta/recipes-graphics | |
parent | 79dcce4413fc4c785c7ed562dd2e7ca91fe9d68c (diff) | |
download | poky-f668b3ab565180698bc9338baa246b3164ccf5af.tar.gz |
freetype: fix CVE-2023-2004 integer overflowin in tt_hvadvance_adjust() in src/truetype/ttgxvar.c
Fix an integer overflow vulnerability discovered in FreeType in the tt_hvadvance_adjust() function in src/truetype/ttgxvar.c
(From OE-Core rev: 24c87e674db9c1d4a8922c3af78a0004c061e70f)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta/recipes-graphics')
-rw-r--r-- | meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch | 40 | ||||
-rw-r--r-- | meta/recipes-graphics/freetype/freetype_2.10.1.bb | 1 |
2 files changed, 41 insertions, 0 deletions
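--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
@@ -0,0 +1,40 @@
+From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 14 Nov 2022 19:18:19 +0100
+Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer
+overflow.
+
+Reported as
+
+https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
+
+Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611]
+CVE: CVE-2023-2004
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+src/truetype/ttgxvar.c | 3 ++-
+1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 78d87dc..258d701 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -43,6 +43,7 @@
+#include FT_INTERNAL_DEBUG_H
+#include FT_CONFIG_CONFIG_H
+#include FT_INTERNAL_STREAM_H
++#include <freetype/internal/ftcalc.h>
+#include FT_INTERNAL_SFNT_H
+#include FT_TRUETYPE_TAGS_H
+#include FT_TRUETYPE_IDS_H
+@@ -1065,7 +1066,7 @@
+delta == 1 ? "" : "s",
+vertical ? "VVAR" : "HVAR" ));
+
+- *avalue += delta;
++ *avalue = ADD_INT( *avalue, delta );
+
+Exit:
+return error;
+--
+2.17.1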
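Review bot: The added `#include <freetype/internal/ftcalc.h>` (patch line 26) uses a direct path while every neighbouring include in this 2.10.1 source uses the `FT_INTERNAL_*_H` macro form, so the backport would read consistently as `#include FT_INTERNAL_CALC_H`, the macro earlier FreeType releases define for that same header. The direct path presumably still resolves because the include directory is on the search path, so this is style rather than correctness. The `*avalue = ADD_INT( *avalue, delta );` replacement is the actual fix for the signed-overflow undefined behaviour; it relies on 2.10.1's ftcalc.h already providing `ADD_INT`, which the patch does not state and is worth confirming at build time since a missing macro would only surface as a compile error. The body of tt_hvadvance_adjust lies outside the hunk.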
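--- a/meta/recipes-graphics/freetype/freetype_2.10.1.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.10.1.bb
@@ -18,6 +18,7 @@ SRC_URI = "${SAVANNAH_NONGNU_MIRROR}/${BPN}/${BP}.tar.xz \
 file://CVE-2022-27404.patch \
 file://CVE-2022-27405.patch \
 file://CVE-2022-27406.patch \
+file://CVE-2023-2004.patch \
 "
 SRC_URI[md5sum] = "bd42e75127f8431923679480efb5ba8f"
 SRC_URI[sha256sum] = "16dbfa488a21fe827dc27eaf708f42f7aa3bb997d745d31a19781628c36ba26f"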