authorGyorgy Sarvari <skandigraun@gmail.com>2025-11-30 20:44:13 +0100
committerGyorgy Sarvari <skandigraun@gmail.com>2025-11-30 20:48:07 +0100
commit2491ea2ffb7d1b8f5025b41b949b7d7bce02ab81 (patch)
tree821bf9ab68a54db27f65b07bf59d2d8486a71997
parent48d2305f488b9613707ef830beca9d1760a394e5 (diff)
downloadmeta-openembedded-2491ea2ffb7d1b8f5025b41b949b7d7bce02ab81.tar.gz
fontforge: patch CVE-2020-5395, CVE-2020-25690 and CVE-2020-5496
Details: https://nvd.nist.gov/vuln/detail/CVE-2020-5395 https://nvd.nist.gov/vuln/detail/CVE-2020-25690 https://nvd.nist.gov/vuln/detail/CVE-2020-5496 The same patch fixes all three. The patch for CVE-2020-25690 is mentioned in the Red Hat bug, which is referenced in the NVD report. The patch for CVE-2020-5395 is mentioned in the GitHub issue that is referenced in the NVD report. The patch for CVE-2020-5496 is mentioned in the comments of the issue that is linked in the NVD report. Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
-rw-r--r--meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-1.patch81
-rw-r--r--meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-2.patch32
-rw-r--r--meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb4
3 files changed, 116 insertions, 1 deletions
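diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-1.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-1.patch
new file mode 100644
index 0000000000..b41bc1088a
--- /dev/null
+++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-1.patch
@@ -0,0 +1,81 @@
+From 169bfc28246c10493ac085c9e9ed5b0ab58ac979 Mon Sep 17 00:00:00 2001
+From: Skef Iterum <unknown>
+Date: Mon, 6 Jan 2020 03:05:06 -0800
+Subject: [PATCH] Fix for #4084 Use-after-free (heap) in the
+ SFD_GetFontMetaData() function Fix for #4086 NULL pointer dereference in the
+ SFDGetSpiros() function Fix for #4088 NULL pointer dereference in the
+ SFD_AssignLookups() function Add empty sf->fontname string if it isn't set,
+ fixing #4089 #4090 and many other potential issues (many downstream calls to
+ strlen() on the value).
+
+CVE: CVE-2020-25690 CVE-2020-5395 CVE-2020-5496
+Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/048a91e2682c1a8936ae34dbc7bd70291ec05410]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ fontforge/sfd.c | 19 ++++++++++++++-----
+ fontforge/sfd1.c | 2 +-
+ 2 files changed, 15 insertions(+), 6 deletions(-)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index 214163343..cdce0b08a 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -4032,13 +4032,16 @@ static void SFDGetSpiros(FILE *sfd,SplineSet *cur) {
+ while ( fscanf(sfd,"%lg %lg %c", &cp.x, &cp.y, &cp.ty )==3 ) {
+ if ( cur!=NULL ) {
+ if ( cur->spiro_cnt>=cur->spiro_max )
+- cur->spiros = realloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));
++ cur->spiros = realloc(cur->spiros,
++ (cur->spiro_max+=10)*sizeof(spiro_cp));
+ cur->spiros[cur->spiro_cnt++] = cp;
+ }
+ }
+- if ( cur!=NULL && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
++ if ( cur!=NULL && cur->spiro_cnt>0
++ && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
+ if ( cur->spiro_cnt>=cur->spiro_max )
+- cur->spiros = realloc(cur->spiros,(cur->spiro_max+=1)*sizeof(spiro_cp));
++ cur->spiros = realloc(cur->spiros,
++ (cur->spiro_max+=1)*sizeof(spiro_cp));
+ memset(&cur->spiros[cur->spiro_cnt],0,sizeof(spiro_cp));
+ cur->spiros[cur->spiro_cnt++].ty = SPIRO_END;
+ }
+@@ -7992,10 +7995,12 @@ bool SFD_GetFontMetaData( FILE *sfd,
+ else if ( strmatch(tok,"LayerCount:")==0 )
+ {
+ d->had_layer_cnt = true;
+- getint(sfd,&sf->layer_cnt);
+- if ( sf->layer_cnt>2 ) {
++ int layer_cnt_tmp;
++ getint(sfd,&layer_cnt_tmp);
++ if ( layer_cnt_tmp>2 ) {
+ sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+ memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
++ sf->layer_cnt = layer_cnt_tmp;
+ }
+ }
+ else if ( strmatch(tok,"Layer:")==0 )
+@@ -8948,6 +8953,10 @@ exit( 1 );
+ }
+ }
+
++ // Many downstream functions assume this isn't NULL (use strlen, etc.)
++ if ( sf->fontname==NULL)
++ sf->fontname = copy("");
++
+ if ( fromdir )
+ sf = SFD_FigureDirType(sf,tok,dirname,enc,remap,had_layer_cnt);
+ else if ( sf->subfontcnt!=0 ) {
+diff --git a/fontforge/sfd1.c b/fontforge/sfd1.c
+index cf931059d..b42f83267 100644
+--- a/fontforge/sfd1.c
++++ b/fontforge/sfd1.c
+@@ -674,7 +674,7 @@ void SFD_AssignLookups(SplineFont1 *sf) {
+
+ /* Fix up some gunk from really old versions of the sfd format */
+ SFDCleanupAnchorClasses(&sf->sf);
+- if ( sf->sf.uni_interp==ui_unset )
++ if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )
+ sf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);
+
+ /* Fixup for an old bug */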
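Review bot: The LayerCount branch of SFD_GetFontMetaData() still stores the result of realloc() straight into sf->layers and runs memset() on it, with no NULL check and no upper bound on layer_cnt_tmp, which is read from the SFD file. A very large count in a malformed font could make the allocation fail, after which the memset() writes through a null-based pointer; a guard such as `LayerInfo *nl = realloc(sf->layers,layer_cnt_tmp*sizeof(LayerInfo)); if ( nl==NULL ) return false;` before the assignment would close that, though the appropriate failure value is not visible in the hunk. The two realloc() calls that are only re-wrapped in SFDGetSpiros() follow the same unchecked pattern. In this patch on its own the realloc() is still sized with the old sf->layer_cnt, so it is only correct together with CVE-2020-25690-2.patch, which the recipe lists directly after it. Both functions start and end outside the hunks shown.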
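diff --git a/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-2.patch b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-2.patch
new file mode 100644
index 0000000000..bbd3854eee
--- /dev/null
+++ b/meta-oe/recipes-graphics/fontforge/fontforge/CVE-2020-25690-2.patch
@@ -0,0 +1,32 @@
+From c169022972d82ee0da4812e77aa8f560d173fcd7 Mon Sep 17 00:00:00 2001
+From: Fredrick Brennan <copypaste@kittens.ph>
+Date: Tue, 21 Jan 2020 15:16:00 +0800
+Subject: [PATCH] Fix crash on exit introduced in previous commit
+
+When the number of layers is greater than 2, as in Chomsky.sfd and most
+of my other fonts, FontForge will crash on exiting.
+
+This is just a simple mistake @skef made.
+
+CVE: CVE-2020-25690 CVE-2020-5395 CVE-2020-5496
+Upstream-Status: Backport [https://github.com/fontforge/fontforge/commit/b96273acc691ac8a36c6a8dd4de8e6edd7eaae59]
+Signed-off-by: Gyorgy Sarvari <skandigraun@gmail.com>
+---
+ fontforge/sfd.c | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/fontforge/sfd.c b/fontforge/sfd.c
+index cdce0b08a..132f9fa0c 100644
+--- a/fontforge/sfd.c
++++ b/fontforge/sfd.c
+@@ -7998,9 +7998,9 @@ bool SFD_GetFontMetaData( FILE *sfd,
+ int layer_cnt_tmp;
+ getint(sfd,&layer_cnt_tmp);
+ if ( layer_cnt_tmp>2 ) {
++ sf->layer_cnt = layer_cnt_tmp;
+ sf->layers = realloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+ memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
+- sf->layer_cnt = layer_cnt_tmp;
+ }
+ }
+ else if ( strmatch(tok,"Layer:")==0 )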
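diff --git a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb
index 84644f2560..7686b04fb3 100644
--- a/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb
+++ b/meta-oe/recipes-graphics/fontforge/fontforge_20190801.bb
@@ -17,7 +17,9 @@ REQUIRED_DISTRO_FEATURES:append:class-target = " x11"
 SRCREV = "ac635b818e38ddb8e7e2e1057330a32b4e25476e"
 SRC_URI = "git://github.com/${BPN}/${BPN}.git;branch=master;protocol=https \
  file://0001-include-sys-select-on-non-glibc-platforms.patch \
-"
+ file://CVE-2020-25690-1.patch \
+ file://CVE-2020-25690-2.patch \
+ "
 S = "${WORKDIR}/git"
 
 EXTRA_OECONF += "--without-libuninameslist --enable-python-scripting --enable-python-extension"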