5 files changed, 145 insertions, 0 deletions
diff --git a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
index fa8a29b798..31f9e32dc2 100644
--- a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
+++ b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
@@ -6,10 +6,13 @@ Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
 This is CVE-2020-15999.
 * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+CVE: CVE-2020-15999
 Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd]
 Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
+Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
+Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
 ---
 src/sfnt/pngshim.c | 14 +++++++-------
 1 file changed, 7 insertions(+), 7 deletions(-)
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch
new file mode 100644
index 0000000000..e66400ddb1
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch
@@ -0,0 +1,33 @@
+From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 17 Mar 2022 19:24:16 +0100
+Subject: [PATCH] [sfnt] Avoid invalid face index.
+Fixes #1138.
+* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
+Check `face_index` before decrementing.
+CVE: CVE-2022-27404
+Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db.patch]
+Comment: Removed second hunk as sfwoff2.c file is not part of current v2.10.1 code
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/sfnt/sfobjs.c  | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
+index f9d4d3858..9771c35df 100644
+--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
+@@ -566,7 +566,7 @@
+     face_index = FT_ABS( face_instance_index ) & 0xFFFF;
+     /* value -(N+1) requests information on index N */
+-    if ( face_instance_index < 0 )
+    if ( face_instance_index < 0 && face_index > 0 )
+       face_index--;
+     if ( face_index >= face->ttc_header.count )
+-- 
+GitLab
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch
new file mode 100644
index 0000000000..08fccd5a3b
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch
@@ -0,0 +1,38 @@
+From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
+ `face_index`.
+We must ensure that the cast to `FT_Int` doesn't change the sign.
+Fixes #1139.
+CVE: CVE-2022-27405
+Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5]
+Comment: No Change in any hunk
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/base/ftobjs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 2c0f0e6c9..10952a6c6 100644
+--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
+@@ -2527,6 +2527,15 @@
+ #endif
+ 
+ 
+    /* only use lower 31 bits together with sign bit */
+    if ( face_index > 0 )
+      face_index &= 0x7FFFFFFFL;
+    else
+    {
+      face_index &= 0x7FFFFFFFL;
+      face_index  = -face_index;
+    }
+
+ #ifdef FT_DEBUG_LEVEL_TRACE
+     FT_TRACE3(( "FT_Open_Face: " ));
+     if ( face_index < 0 )
+-- 
+GitLab
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch
new file mode 100644
index 0000000000..4b5e629f30
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch
@@ -0,0 +1,31 @@
+From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:37:28 +0100
+Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
+Fixes #1140.
+CVE: CVE-2022-27406
+Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2]
+Comment: No Change in any hunk
+Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
+---
+ src/base/ftobjs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 6492a1517..282c9121a 100644
+--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
+@@ -3409,6 +3409,9 @@
+     if ( !face )
+       return FT_THROW( Invalid_Face_Handle );
+ 
+    if ( !face->size )
+      return FT_THROW( Invalid_Size_Handle );
+
+     if ( !req || req->width < 0 || req->height < 0 ||
+          req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+       return FT_THROW( Invalid_Argument );
+-- 
+GitLab
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
new file mode 100644
index 0000000000..800d77579e
--- /dev/null
+++ b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
@@ -0,0 +1,40 @@
+From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 14 Nov 2022 19:18:19 +0100
+Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer
+ overflow.
+Reported as
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
+Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611]
+CVE: CVE-2023-2004
+Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
+---
+ src/truetype/ttgxvar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 78d87dc..258d701 100644
+--- a/src/truetype/ttgxvar.c
+++ b/src/truetype/ttgxvar.c
+@@ -43,6 +43,7 @@
+ #include FT_INTERNAL_DEBUG_H
+ #include FT_CONFIG_CONFIG_H
+ #include FT_INTERNAL_STREAM_H
+#include <freetype/internal/ftcalc.h>
+ #include FT_INTERNAL_SFNT_H
+ #include FT_TRUETYPE_TAGS_H
+ #include FT_TRUETYPE_IDS_H
+@@ -1065,7 +1066,7 @@
+                 delta == 1 ? "" : "s",
+                 vertical ? "VVAR" : "HVAR" ));
+-    *avalue += delta;
+    *avalue = ADD_INT( *avalue, delta );
+   Exit:
+     return error;
+--
+2.17.1

diff --git a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch index fa8a29b798..31f9e32dc2 100644 --- a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch +++ b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch
@@ -6,10 +6,13 @@ Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
6	This is CVE-2020-15999.	6	This is CVE-2020-15999.
7		7
8	* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.	8	* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
		9	CVE: CVE-2020-15999
9		10
10	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd]	11	Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd]
11		12
12	Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>	13	Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com>
		14	Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com>
		15	Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com>
13	---	16	---
14	src/sfnt/pngshim.c \| 14 +++++++-------	17	src/sfnt/pngshim.c \| 14 +++++++-------
15	1 file changed, 7 insertions(+), 7 deletions(-)	18	1 file changed, 7 insertions(+), 7 deletions(-)


diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch new file mode 100644 index 0000000000..e66400ddb1 --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch
@@ -0,0 +1,33 @@
		1	From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001
		2	From: Werner Lemberg <wl@gnu.org>
		3	Date: Thu, 17 Mar 2022 19:24:16 +0100
		4	Subject: [PATCH] [sfnt] Avoid invalid face index.
		5
		6	Fixes #1138.
		7
		8	* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
		9	Check `face_index` before decrementing.
		10
		11	CVE: CVE-2022-27404
		12	Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db.patch]
		13	Comment: Removed second hunk as sfwoff2.c file is not part of current v2.10.1 code
		14	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		15	---
		16	src/sfnt/sfobjs.c \| 2 +-
		17	1 file changed, 1 insertion(+), 1 deletion(-)
		18
		19	diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
		20	index f9d4d3858..9771c35df 100644
		21	--- a/src/sfnt/sfobjs.c
		22	+++ b/src/sfnt/sfobjs.c
		23	@@ -566,7 +566,7 @@
		24	face_index = FT_ABS( face_instance_index ) & 0xFFFF;
		25
		26	/* value -(N+1) requests information on index N */
		27	- if ( face_instance_index < 0 )
		28	+ if ( face_instance_index < 0 && face_index > 0 )
		29	face_index--;
		30
		31	if ( face_index >= face->ttc_header.count )
		32	--
		33	GitLab


diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch new file mode 100644 index 0000000000..08fccd5a3b --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch
@@ -0,0 +1,38 @@
		1	From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
		2	From: Werner Lemberg <wl@gnu.org>
		3	Date: Sat, 19 Mar 2022 06:40:17 +0100
		4	Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
		5	`face_index`.
		6	We must ensure that the cast to `FT_Int` doesn't change the sign.
		7	Fixes #1139.
		8
		9	CVE: CVE-2022-27405
		10	Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5]
		11	Comment: No Change in any hunk
		12	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		13	---
		14	src/base/ftobjs.c \| 9 +++++++++
		15	1 file changed, 9 insertions(+)
		16
		17	diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
		18	index 2c0f0e6c9..10952a6c6 100644
		19	--- a/src/base/ftobjs.c
		20	+++ b/src/base/ftobjs.c
		21	@@ -2527,6 +2527,15 @@
		22	#endif
		23
		24
		25	+ /* only use lower 31 bits together with sign bit */
		26	+ if ( face_index > 0 )
		27	+ face_index &= 0x7FFFFFFFL;
		28	+ else
		29	+ {
		30	+ face_index &= 0x7FFFFFFFL;
		31	+ face_index = -face_index;
		32	+ }
		33	+
		34	#ifdef FT_DEBUG_LEVEL_TRACE
		35	FT_TRACE3(( "FT_Open_Face: " ));
		36	if ( face_index < 0 )
		37	--
		38	GitLab


diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch new file mode 100644 index 0000000000..4b5e629f30 --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch
@@ -0,0 +1,31 @@
		1	From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
		2	From: Werner Lemberg <wl@gnu.org>
		3	Date: Sat, 19 Mar 2022 09:37:28 +0100
		4	Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
		5
		6	Fixes #1140.
		7
		8	CVE: CVE-2022-27406
		9	Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2]
		10	Comment: No Change in any hunk
		11	Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com>
		12	---
		13	src/base/ftobjs.c \| 3 +++
		14	1 file changed, 3 insertions(+)
		15
		16	diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
		17	index 6492a1517..282c9121a 100644
		18	--- a/src/base/ftobjs.c
		19	+++ b/src/base/ftobjs.c
		20	@@ -3409,6 +3409,9 @@
		21	if ( !face )
		22	return FT_THROW( Invalid_Face_Handle );
		23
		24	+ if ( !face->size )
		25	+ return FT_THROW( Invalid_Size_Handle );
		26	+
		27	if ( !req \|\| req->width < 0 \|\| req->height < 0 \|\|
		28	req->type >= FT_SIZE_REQUEST_TYPE_MAX )
		29	return FT_THROW( Invalid_Argument );
		30	--
		31	GitLab


diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch new file mode 100644 index 0000000000..800d77579e --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch
@@ -0,0 +1,40 @@
		1	From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001
		2	From: Werner Lemberg <wl@gnu.org>
		3	Date: Mon, 14 Nov 2022 19:18:19 +0100
		4	Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer
		5	overflow.
		6
		7	Reported as
		8
		9	https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
		10
		11	Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611]
		12	CVE: CVE-2023-2004
		13	Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
		14	---
		15	src/truetype/ttgxvar.c \| 3 ++-
		16	1 file changed, 2 insertions(+), 1 deletion(-)
		17
		18	diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
		19	index 78d87dc..258d701 100644
		20	--- a/src/truetype/ttgxvar.c
		21	+++ b/src/truetype/ttgxvar.c
		22	@@ -43,6 +43,7 @@
		23	#include FT_INTERNAL_DEBUG_H
		24	#include FT_CONFIG_CONFIG_H
		25	#include FT_INTERNAL_STREAM_H
		26	+#include <freetype/internal/ftcalc.h>
		27	#include FT_INTERNAL_SFNT_H
		28	#include FT_TRUETYPE_TAGS_H
		29	#include FT_TRUETYPE_IDS_H
		30	@@ -1065,7 +1066,7 @@
		31	delta == 1 ? "" : "s",
		32	vertical ? "VVAR" : "HVAR" ));
		33
		34	- *avalue += delta;
		35	+ avalue = ADD_INT( avalue, delta );
		36
		37	Exit:
		38	return error;
		39	--
		40	2.17.1