diff options
Diffstat (limited to 'meta/recipes-graphics/freetype/freetype')
5 files changed, 145 insertions, 0 deletions
diff --git a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch index fa8a29b798..31f9e32dc2 100644 --- a/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch +++ b/meta/recipes-graphics/freetype/freetype/0001-sfnt-Fix-heap-buffer-overflow-59308.patch | |||
@@ -6,10 +6,13 @@ Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308). | |||
6 | This is CVE-2020-15999. | 6 | This is CVE-2020-15999. |
7 | 7 | ||
8 | * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier. | 8 | * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier. |
9 | CVE: CVE-2020-15999 | ||
9 | 10 | ||
10 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd] | 11 | Upstream-Status: Backport [https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd] |
11 | 12 | ||
12 | Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com> | 13 | Signed-off-by: Diego Santa Cruz <Diego.SantaCruz@spinetix.com> |
14 | Signed-off-by: Purushottam Choudhary <purushottam.choudhary@kpit.com> | ||
15 | Signed-off-by: Purushottam Choudhary <purushottamchoudhary29@gmail.com> | ||
13 | --- | 16 | --- |
14 | src/sfnt/pngshim.c | 14 +++++++------- | 17 | src/sfnt/pngshim.c | 14 +++++++------- |
15 | 1 file changed, 7 insertions(+), 7 deletions(-) | 18 | 1 file changed, 7 insertions(+), 7 deletions(-) |
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch new file mode 100644 index 0000000000..e66400ddb1 --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27404.patch | |||
@@ -0,0 +1,33 @@ | |||
1 | From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001 | ||
2 | From: Werner Lemberg <wl@gnu.org> | ||
3 | Date: Thu, 17 Mar 2022 19:24:16 +0100 | ||
4 | Subject: [PATCH] [sfnt] Avoid invalid face index. | ||
5 | |||
6 | Fixes #1138. | ||
7 | |||
8 | * src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font): | ||
9 | Check `face_index` before decrementing. | ||
10 | |||
11 | CVE: CVE-2022-27404 | ||
12 | Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db.patch] | ||
13 | Comment: Removed second hunk as sfwoff2.c file is not part of current v2.10.1 code | ||
14 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
15 | --- | ||
16 | src/sfnt/sfobjs.c | 2 +- | ||
17 | 1 file changed, 1 insertion(+), 1 deletion(-) | ||
18 | |||
19 | diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c | ||
20 | index f9d4d3858..9771c35df 100644 | ||
21 | --- a/src/sfnt/sfobjs.c | ||
22 | +++ b/src/sfnt/sfobjs.c | ||
23 | @@ -566,7 +566,7 @@ | ||
24 | face_index = FT_ABS( face_instance_index ) & 0xFFFF; | ||
25 | |||
26 | /* value -(N+1) requests information on index N */ | ||
27 | - if ( face_instance_index < 0 ) | ||
28 | + if ( face_instance_index < 0 && face_index > 0 ) | ||
29 | face_index--; | ||
30 | |||
31 | if ( face_index >= face->ttc_header.count ) | ||
32 | -- | ||
33 | GitLab | ||
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch new file mode 100644 index 0000000000..08fccd5a3b --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27405.patch | |||
@@ -0,0 +1,38 @@ | |||
1 | From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001 | ||
2 | From: Werner Lemberg <wl@gnu.org> | ||
3 | Date: Sat, 19 Mar 2022 06:40:17 +0100 | ||
4 | Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard | ||
5 | `face_index`. | ||
6 | We must ensure that the cast to `FT_Int` doesn't change the sign. | ||
7 | Fixes #1139. | ||
8 | |||
9 | CVE: CVE-2022-27405 | ||
10 | Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5] | ||
11 | Comment: No Change in any hunk | ||
12 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
13 | --- | ||
14 | src/base/ftobjs.c | 9 +++++++++ | ||
15 | 1 file changed, 9 insertions(+) | ||
16 | |||
17 | diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c | ||
18 | index 2c0f0e6c9..10952a6c6 100644 | ||
19 | --- a/src/base/ftobjs.c | ||
20 | +++ b/src/base/ftobjs.c | ||
21 | @@ -2527,6 +2527,15 @@ | ||
22 | #endif | ||
23 | |||
24 | |||
25 | + /* only use lower 31 bits together with sign bit */ | ||
26 | + if ( face_index > 0 ) | ||
27 | + face_index &= 0x7FFFFFFFL; | ||
28 | + else | ||
29 | + { | ||
30 | + face_index &= 0x7FFFFFFFL; | ||
31 | + face_index = -face_index; | ||
32 | + } | ||
33 | + | ||
34 | #ifdef FT_DEBUG_LEVEL_TRACE | ||
35 | FT_TRACE3(( "FT_Open_Face: " )); | ||
36 | if ( face_index < 0 ) | ||
37 | -- | ||
38 | GitLab | ||
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch new file mode 100644 index 0000000000..4b5e629f30 --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2022-27406.patch | |||
@@ -0,0 +1,31 @@ | |||
1 | From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001 | ||
2 | From: Werner Lemberg <wl@gnu.org> | ||
3 | Date: Sat, 19 Mar 2022 09:37:28 +0100 | ||
4 | Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`. | ||
5 | |||
6 | Fixes #1140. | ||
7 | |||
8 | CVE: CVE-2022-27406 | ||
9 | Upstream-Status: Backport [https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2] | ||
10 | Comment: No Change in any hunk | ||
11 | Signed-off-by: Ranjitsinh Rathod <ranjitsinh.rathod@kpit.com> | ||
12 | --- | ||
13 | src/base/ftobjs.c | 3 +++ | ||
14 | 1 file changed, 3 insertions(+) | ||
15 | |||
16 | diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c | ||
17 | index 6492a1517..282c9121a 100644 | ||
18 | --- a/src/base/ftobjs.c | ||
19 | +++ b/src/base/ftobjs.c | ||
20 | @@ -3409,6 +3409,9 @@ | ||
21 | if ( !face ) | ||
22 | return FT_THROW( Invalid_Face_Handle ); | ||
23 | |||
24 | + if ( !face->size ) | ||
25 | + return FT_THROW( Invalid_Size_Handle ); | ||
26 | + | ||
27 | if ( !req || req->width < 0 || req->height < 0 || | ||
28 | req->type >= FT_SIZE_REQUEST_TYPE_MAX ) | ||
29 | return FT_THROW( Invalid_Argument ); | ||
30 | -- | ||
31 | GitLab | ||
diff --git a/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch new file mode 100644 index 0000000000..800d77579e --- /dev/null +++ b/meta/recipes-graphics/freetype/freetype/CVE-2023-2004.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001 | ||
2 | From: Werner Lemberg <wl@gnu.org> | ||
3 | Date: Mon, 14 Nov 2022 19:18:19 +0100 | ||
4 | Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer | ||
5 | overflow. | ||
6 | |||
7 | Reported as | ||
8 | |||
9 | https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462 | ||
10 | |||
11 | Upstream-Status: Backport [https://github.com/freetype/freetype/commit/e6fda039ad638866b7a6a5d046f03278ba1b7611] | ||
12 | CVE: CVE-2023-2004 | ||
13 | Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> | ||
14 | --- | ||
15 | src/truetype/ttgxvar.c | 3 ++- | ||
16 | 1 file changed, 2 insertions(+), 1 deletion(-) | ||
17 | |||
18 | diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c | ||
19 | index 78d87dc..258d701 100644 | ||
20 | --- a/src/truetype/ttgxvar.c | ||
21 | +++ b/src/truetype/ttgxvar.c | ||
22 | @@ -43,6 +43,7 @@ | ||
23 | #include FT_INTERNAL_DEBUG_H | ||
24 | #include FT_CONFIG_CONFIG_H | ||
25 | #include FT_INTERNAL_STREAM_H | ||
26 | +#include <freetype/internal/ftcalc.h> | ||
27 | #include FT_INTERNAL_SFNT_H | ||
28 | #include FT_TRUETYPE_TAGS_H | ||
29 | #include FT_TRUETYPE_IDS_H | ||
30 | @@ -1065,7 +1066,7 @@ | ||
31 | delta == 1 ? "" : "s", | ||
32 | vertical ? "VVAR" : "HVAR" )); | ||
33 | |||
34 | - *avalue += delta; | ||
35 | + *avalue = ADD_INT( *avalue, delta ); | ||
36 | |||
37 | Exit: | ||
38 | return error; | ||
39 | -- | ||
40 | 2.17.1 | ||