diff options
| author | Vivek Kumbhar <vkumbhar@mvista.com> | 2023-04-29 11:06:24 +0530 |
|---|---|---|
| committer | Steve Sakoman <steve@sakoman.com> | 2023-05-10 04:19:56 -1000 |
| commit | f90eb43a15929b7fe42eaff160bf674b7d117e76 (patch) | |
| tree | fc0245577a3920e0230c3e83452ba9439014d000 /meta | |
| parent | 7aac01a2a723e3093744ab598296395e78296f5e (diff) | |
| download | poky-f90eb43a15929b7fe42eaff160bf674b7d117e76.tar.gz | |
freetype: fix CVE-2023-2004 integer overflowin in tt_hvadvance_adjust() in src/truetype/ttgxvar.c
Fix An integer overflow vulnerability was discovered in Freetype in tt_hvadvance_adjust() function in src/truetype/ttgxvar.c
(From OE-Core rev: 6a07e1524746bd3cfa5aec090a882f4a7f954dad)
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Steve Sakoman <steve@sakoman.com>
Diffstat (limited to 'meta')
| -rw-r--r-- | meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch | 41 | ||||
| -rw-r--r-- | meta/recipes-graphics/freetype/freetype_2.11.1.bb | 1 |
2 files changed, 42 insertions, 0 deletions
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch new file mode 100644 index 0000000000..f600309d3e --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch | |||
| @@ -0,0 +1,41 @@ | |||
| 1 | From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001 | ||
| 2 | From: Werner Lemberg <wl@gnu.org> | ||
| 3 | Date: Mon, 14 Nov 2022 19:18:19 +0100 | ||
| 4 | Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer | ||
| 5 | overflow. | ||
| 6 | |||
| 7 | Reported as | ||
| 8 | |||
| 9 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462 | ||
| 10 | |||
| 11 | Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611] | ||
| 12 | CVE: CVE-2023-2004 | ||
| 13 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
| 14 | --- | ||
| 15 | src/truetype/ttgxvar.c | 3 ++- | ||
| 16 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
| 17 | |||
| 18 | diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c | ||
| 19 | index 7f2db0c..8968111 100644 | ||
| 20 | --- a/src/truetype/ttgxvar.c | ||
| 21 | +++ b/src/truetype/ttgxvar.c | ||
| 22 | @@ -42,6 +42,7 @@ | ||
| 23 | #include <ft2build.h> | ||
| 24 | #include <freetype/internal/ftdebug.h> | ||
| 25 | #include FT_CONFIG_CONFIG_H | ||
| 26 | +#include <freetype/internal/ftcalc.h> | ||
| 27 | #include <freetype/internal/ftstream.h> | ||
| 28 | #include <freetype/internal/sfnt.h> | ||
| 29 | #include <freetype/tttags.h> | ||
| 30 | @@ -1147,7 +1148,7 @@ | ||
| 31 | delta == 1 ? "" : "s", | ||
| 32 | vertical ? "VVAR" : "HVAR" )); | ||
| 33 | |||
| 34 | - *avalue += delta; | ||
| 35 | + *avalue = ADD_INT( *avalue, delta ); | ||
| 36 | |||
| 37 | Exit: | ||
| 38 | return error; | ||
| 39 | -- | ||
| 40 | 2.25.1 | ||
| 41 | |||
diff --git a/meta/recipes-graphics/freetype/freetype_2.11.1.bb b/meta/recipes-graphics/freetype/freetype_2.11.1.bb index d425e162bc..29f4d8dfb7 100644 --- a/meta/recipes-graphics/freetype/freetype_2.11.1.bb +++ b/meta/recipes-graphics/freetype/freetype_2.11.1.bb | |||
| @@ -16,6 +16,7 @@ SRC_URI = "${SAVANNAH_GNU_MIRROR}/${BPN}/${BP}.tar.xz \ | |||
| 16 | file://CVE-2022-27404.patch \ | 16 | file://CVE-2022-27404.patch \ |
| 17 | file://CVE-2022-27405.patch \ | 17 | file://CVE-2022-27405.patch \ |
| 18 | file://CVE-2022-27406.patch \ | 18 | file://CVE-2022-27406.patch \ |
| 19 | file://CVE-2023-2004.patch \ | ||
| 19 | " | 20 | " |
| 20 | SRC_URI[sha256sum] = "3333ae7cfda88429c97a7ae63b7d01ab398076c3b67182e960e5684050f2c5c8" | 21 | SRC_URI[sha256sum] = "3333ae7cfda88429c97a7ae63b7d01ab398076c3b67182e960e5684050f2c5c8" |
| 21 | 22 | ||