From 77f1b641c02ba7233ad8825981a7384a4263d5da Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: Nov 04 2020 09:40:58 +0000
Subject: import freetype-2.8-14.el7_9.1
---
diff --git a/SOURCES/freetype-2.8-png-bitmap-size.patch b/SOURCES/freetype-2.8-png-bitmap-size.patch
new file mode 100644
index 0000000..6a675c5
--- /dev/null
+++ b/SOURCES/freetype-2.8-png-bitmap-size.patch
@@ -0,0 +1,48 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+---
+ ChangeLog | 8 ++++++++
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 2e64e5846..f55016122 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+
+ if ( populate_map_and_metrics )
+ {
++ /* reject too large bitmaps similarly to the rasterizer */
++ if ( imgHeight > 0x4FFF || imgWidth > 0x4FFF )
++ {
++ error = FT_THROW( Array_Too_Large );
++ goto DestroyExit;
++ }
++
+ metrics->width = (FT_UShort)imgWidth;
+ metrics->height = (FT_UShort)imgHeight;
+
+@@ -340,13 +347,6 @@
+ map->pixel_mode = FT_PIXEL_MODE_BGRA;
+ map->pitch = (int)( map->width * 4 );
+ map->num_grays = 256;
+-
+- /* reject too large bitmaps similarly to the rasterizer */
+- if ( map->rows > 0x4FFF || map->width > 0x4FFF )
+- {
+- error = FT_THROW( Array_Too_Large );
+- goto DestroyExit;
+- }
+ }
+
+ /* convert palette/gray image to rgb */
+--
+2.26.2
+
diff --git a/SOURCES/freetype-2.8-png-memory-leak.patch b/SOURCES/freetype-2.8-png-memory-leak.patch
new file mode 100644
index 0000000..66f962f
--- /dev/null
+++ b/SOURCES/freetype-2.8-png-memory-leak.patch
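Review bot: In freetype-2.8-png-bitmap-size.patch, the relocated size check inside the `populate_map_and_metrics` branch keeps the old comment, which does not say why its position matters; the ordering ahead of the `(FT_UShort)` casts is the substance of the fix and should be documented so a later cleanup does not move it back. I would extend the comment to something like `/* must run before the FT_UShort casts below: a truncated width or height would pass the limit and no longer match the size libpng decodes */`. The guard covers only the branch shown, and the enclosing function starts and ends outside the hunk, so it is worth confirming that the path with `populate_map_and_metrics` false also bounds `imgWidth` and `imgHeight` against the caller's existing bitmap. Because the spec keeps `Version: 2.8` and only the release changes, exposure checks for CVE-2020-15999 on these hosts need to compare the full package release (2.8-14.el7_9.1) rather than the upstream version number.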
@@ -0,0 +1,28 @@
+From 007c109b4594c5e63948bd08b4d5011ad76ffb10 Mon Sep 17 00:00:00 2001
+From: Ben Wagner
+Date: Fri, 23 Oct 2020 08:29:14 +0200
+Subject: [PATCH] * src/sfnt/pngshim.c (Load_SBit_Png): Fix memory leak
+ (#59322).
+
+The issue is that `rows` is allocated but will not be freed in the
+event that the call to `png_read_image` fails and calls `longjmp`.
+---
+ ChangeLog | 7 +++++++
+ src/sfnt/pngshim.c | 1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index f55016122..d4e43a9f4 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -443,6 +443,7 @@
+ png_read_end( png, info );
+
+ DestroyExit:
++ FT_FREE( rows );
+ png_destroy_read_struct( &png, &info, NULL );
+ FT_Stream_Close( &stream );
+
+--
+2.26.2
+
diff --git a/SPECS/freetype.spec b/SPECS/freetype.spec
index 3a027dc..444c1a1 100644
--- a/SPECS/freetype.spec
+++ b/SPECS/freetype.spec
@@ -7,7 +7,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.8
-Release: 14%{?dist}
+Release: 14%{?dist}.1
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -50,6 +50,10 @@ Patch11: freetype-2.8-avar-table-load.patch
 Patch12: freetype-2.8-bw-rendering.patch
 Patch13: freetype-2.8-bw-hinting.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1890210
+Patch14: freetype-2.8-png-bitmap-size.patch
+Patch15: freetype-2.8-png-memory-leak.patch
+
 BuildRequires: libX11-devel
 BuildRequires: libpng-devel
 BuildRequires: zlib-devel
@@ -119,6 +123,8 @@ popd
 %patch11 -p1 -b .avar-table-load
 %patch12 -p1 -b .bw-rendering
 %patch13 -p1 -b .bw-hinting
+%patch14 -p1 -b .png-bitmap-size
+%patch15 -p1 -b .png-memory-leak
 %build
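Review bot: In freetype-2.8-png-memory-leak.patch, the added `FT_FREE( rows );` at `DestroyExit` is only well defined if `rows` is initialised to NULL at its declaration and keeps its value across libpng's `longjmp`; neither is visible here, because the declaration and the `setjmp` call sit outside the hunk. Earlier `goto DestroyExit` paths, such as the bitmap size rejection moved by the companion patch, reach the label before any allocation, and a non-volatile automatic variable modified after `setjmp` has an indeterminate value once `longjmp` returns. If the declaration does not already do so, I would qualify the pointer itself as `volatile` and initialise it to `NULL`. A comment at the label would also help, for example `/* rows is NULL unless allocated above; this label is also reached via longjmp from libpng */`.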
@@ -234,6 +240,11 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la}
 %{_mandir}/man1/*
 %changelog
+* Fri Oct 30 2020 Marek Kasik - 2.8-14.el7_9.1
+- Test bitmap size earlier for PNGs
+- Fix memory leak in pngshim.c
+- Resolves: #1891635
+
 * Mon Mar 11 2019 Marek Kasik - 2.8-14
 - Fix rendering in monochrome mode
 - Resolves: #1657479