2 files changed, 31 insertions, 1 deletions
diff --git a/meta/recipes-graphics/freetype/freetype/fix-potential-numeric-overflow.patch b/meta/recipes-graphics/freetype/freetype/fix-potential-numeric-overflow.patch
new file mode 100644
index 0000000000..0b5b3c625f
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/fix-potential-numeric-overflow.patch
@@ -0,0 +1,28 @@
+freetype-2.9: Fix potential numeric overflow
+[No upstream tracking] -- https://savannah.nongnu.org/bugs/index.php?54023
+ttcmap: (tt_cmap2_validate): Fix potential numeric overflow
+The dead loop appears in the function tt_cmap2_char_next()
+in "src\sfnt\ttcmap.c" in version 2.9 when "charcode == 256".
+According to the notes, is seems that "subheader" should
+not be NULL when "charcode == 256".
+Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/sfnt/ttcmap.c?id=5bd76524ef786d942b28dc52618aeda3aebfa3d6]
+bug: 54023
+Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
+diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
+index 5afa6ae..8fb9542 100644
+--- a/src/sfnt/ttcmap.c
+++ b/src/sfnt/ttcmap.c
+@@ -358,7 +358,7 @@
+       /* check range within 0..255 */
+       if ( valid->level >= FT_VALIDATE_PARANOID )
+       {
+-        if ( first_code >= 256 || first_code + code_count > 256 )
+        if ( first_code >= 256 || code_count > 256 - first_code )
+           FT_INVALID_DATA;
+       }
+ 
diff --git a/meta/recipes-graphics/freetype/freetype_2.9.bb b/meta/recipes-graphics/freetype/freetype_2.9.bb
index da05916b36..216ecf31d1 100644
--- a/meta/recipes-graphics/freetype/freetype_2.9.bb
+++ b/meta/recipes-graphics/freetype/freetype_2.9.bb
@@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=4af6221506f202774ef74f64932878a1
                    file://docs/GPLv2.TXT;md5=8ef380476f642c20ebf40fecb0add2ec"
 SRC_URI = "${SOURCEFORGE_MIRROR}/freetype/freetype-${PV}.tar.bz2 \
-           file://use-right-libtool.patch"
+           file://use-right-libtool.patch \
+           file://fix-potential-numeric-overflow.patch \
+          "
 UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/freetype/files/freetype2/"
 UPSTREAM_CHECK_REGEX = "freetype-(?P<pver>\d+(\.\d+)+)"

diff --git a/meta/recipes-graphics/freetype/freetype/fix-potential-numeric-overflow.patch b/meta/recipes-graphics/freetype/freetype/fix-potential-numeric-overflow.patch new file mode 100644 index 0000000000..0b5b3c625f --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/fix-potential-numeric-overflow.patch
@@ -0,0 +1,28 @@
		1	freetype-2.9: Fix potential numeric overflow
		2
		3	[No upstream tracking] -- https://savannah.nongnu.org/bugs/index.php?54023
		4
		5	ttcmap: (tt_cmap2_validate): Fix potential numeric overflow
		6
		7	The dead loop appears in the function tt_cmap2_char_next()
		8	in "src\sfnt\ttcmap.c" in version 2.9 when "charcode == 256".
		9	According to the notes, is seems that "subheader" should
		10	not be NULL when "charcode == 256".
		11
		12	Upstream-Status: Backport [http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/sfnt/ttcmap.c?id=5bd76524ef786d942b28dc52618aeda3aebfa3d6]
		13	bug: 54023
		14	Signed-off-by: Andrej Valek <andrej.valek@siemens.com>
		15
		16	diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
		17	index 5afa6ae..8fb9542 100644
		18	--- a/src/sfnt/ttcmap.c
		19	+++ b/src/sfnt/ttcmap.c
		20	@@ -358,7 +358,7 @@
		21	/* check range within 0..255 */
		22	if ( valid->level >= FT_VALIDATE_PARANOID )
		23	{
		24	- if ( first_code >= 256 \|\| first_code + code_count > 256 )
		25	+ if ( first_code >= 256 \|\| code_count > 256 - first_code )
		26	FT_INVALID_DATA;
		27	}
		28


diff --git a/meta/recipes-graphics/freetype/freetype_2.9.bb b/meta/recipes-graphics/freetype/freetype_2.9.bb index da05916b36..216ecf31d1 100644 --- a/meta/recipes-graphics/freetype/freetype_2.9.bb +++ b/meta/recipes-graphics/freetype/freetype_2.9.bb
@@ -13,7 +13,9 @@ LIC_FILES_CHKSUM = "file://docs/LICENSE.TXT;md5=4af6221506f202774ef74f64932878a1
13	file://docs/GPLv2.TXT;md5=8ef380476f642c20ebf40fecb0add2ec"	13	file://docs/GPLv2.TXT;md5=8ef380476f642c20ebf40fecb0add2ec"
14		14
15	SRC_URI = "${SOURCEFORGE_MIRROR}/freetype/freetype-${PV}.tar.bz2 \	15	SRC_URI = "${SOURCEFORGE_MIRROR}/freetype/freetype-${PV}.tar.bz2 \
16	file://use-right-libtool.patch"	16	file://use-right-libtool.patch \
		17	file://fix-potential-numeric-overflow.patch \
		18	"
17		19
18	UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/freetype/files/freetype2/"	20	UPSTREAM_CHECK_URI = "http://sourceforge.net/projects/freetype/files/freetype2/"
19	UPSTREAM_CHECK_REGEX = "freetype-(?P<pver>\d+(\.\d+)+)"	21	UPSTREAM_CHECK_REGEX = "freetype-(?P<pver>\d+(\.\d+)+)"