diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9657.patch b/SOURCES/freetype-2.4.11-CVE-2014-9657.patch
new file mode 100644
index 0000000..8954406
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9657.patch
@@ -0,0 +1,40 @@
+From eca0f067068020870a429fe91f6329e499390d55 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 24 Nov 2014 09:22:08 +0000
+Subject: [truetype] Fix Savannah bug #43679.
+
+* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of
+`record_size'.
+---
+diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c
+index 9723a51..9991925 100644
+--- a/src/truetype/ttpload.c
++++ b/src/truetype/ttpload.c
+@@ -508,9 +508,9 @@
+     record_size = FT_NEXT_ULONG( p );
+ 
+     /* The maximum number of bytes in an hdmx device record is the */
+-    /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is   */
+-    /* the reason why `record_size' is a long (which we read as    */
+-    /* unsigned long for convenience).  In practice, two bytes     */
++    /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus      */
++    /* explaining why `record_size' is a long (which we read as    */
++    /* unsigned long for convenience).  In practice, two bytes are */
+     /* sufficient to hold the size value.                          */
+     /*                                                             */
+     /* There are at least two fonts, HANNOM-A and HANNOM-B version */
+@@ -522,8 +522,10 @@
+       record_size &= 0xFFFFU;
+ 
+     /* The limit for `num_records' is a heuristic value. */
+-
+-    if ( version != 0 || num_records > 255 || record_size > 0x10001L )
++    if ( version != 0           ||
++         num_records > 255      ||
++         record_size > 0x10001L ||
++         record_size < 4        )
+     {
+       error = TT_Err_Invalid_File_Format;
+       goto Fail;
+--
+cgit v0.9.0.2
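Review bot: The new lower bound `record_size < 4` in tt_face_load_hdmx is a bare constant, and the comment directly above it only explains the `num_records` heuristic. A short comment would make the intent reviewable, for example `/* a device record holds at least the ppem and max-width bytes, padded to 4 bytes */`; that reading of the hdmx layout is inferred from the format rather than from the visible lines, so confirm it first. The function body starts and ends outside the hunk, so how `record_size` is consumed afterwards cannot be checked here.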
diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9658.patch b/SOURCES/freetype-2.4.11-CVE-2014-9658.patch
new file mode 100644
index 0000000..7aec5c8
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9658.patch
@@ -0,0 +1,23 @@
+From f70d9342e65cd2cb44e9f26b6d7edeedf191fc6c Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 24 Nov 2014 08:31:32 +0000
+Subject: [sfnt] Fix Savannah bug #43672.
+
+* src/sfnt/ttkern.c (tt_face_load_kern): Use correct value for
+minimum table length test.
+---
+diff --git a/src/sfnt/ttkern.c b/src/sfnt/ttkern.c
+index 32c4008..455e7b5 100644
+--- a/src/sfnt/ttkern.c
++++ b/src/sfnt/ttkern.c
+@@ -99,7 +99,7 @@
+       length   = FT_NEXT_USHORT( p );
+       coverage = FT_NEXT_USHORT( p );
+ 
+-      if ( length <= 6 )
++      if ( length <= 6 + 8 )
+         break;
+ 
+       p_next += length;
+--
+cgit v0.9.0.2
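Review bot: In tt_face_load_kern the corrected test `length <= 6 + 8` leaves both constants unnamed, so a reader cannot tell which header each one accounts for. Only the `length` and `coverage` reads are visible; presumably 6 is the subtable header and 8 the fixed fields that follow it, and a comment such as `/* 6: subtable header, 8: format 0 header */` would record that once confirmed. Whether `p_next` is compared with the table limit after `p_next += length` is not visible in this hunk.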
diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9660.patch b/SOURCES/freetype-2.4.11-CVE-2014-9660.patch
new file mode 100644
index 0000000..fc310f7
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9660.patch
@@ -0,0 +1,29 @@
+From af8346172a7b573715134f7a51e6c5c60fa7f2ab Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 22 Nov 2014 12:29:10 +0000
+Subject: [bdf] Fix Savannah bug #43660.
+
+* src/bdf/bdflib.c (_bdf_parse_glyphs) <"ENDFONT">: Check
+`_BDF_GLYPH_BITS'.
+---
+diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
+index c128526..369c111 100644
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -1549,6 +1549,14 @@
+     /* Check for the ENDFONT field. */
+     if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 )
+     {
++      if ( p->flags & _BDF_GLYPH_BITS )
++      {
++        /* Missing ENDCHAR field. */
++        FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENDCHAR" ));
++        error = BDF_Err_Corrupted_Font_Glyphs;
++        goto Exit;
++      }
++
+       /* Sort the glyphs by encoding. */
+       ft_qsort( (char *)font->glyphs,
+                 font->glyphs_used,
+--
+cgit v0.9.0.2
diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9661a.patch b/SOURCES/freetype-2.4.11-CVE-2014-9661a.patch
new file mode 100644
index 0000000..e6cbe78
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9661a.patch
@@ -0,0 +1,108 @@
+From 3788187e0c396952cd7d905c6c61f3ff8e84b2b4 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 22 Nov 2014 09:46:47 +0000
+Subject: [type42] Fix Savannah bug #43659.
+
+* src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'.
+
+* src/type42/t42parse.c (t42_parse_sfnts): Always set
+`face->ttf_size' directly.  This ensures a correct stream size in
+the call to `FT_Open_Face', which follows after parsing, even for
+buggy input data.
+Fix error messages.
+---
+diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c
+index 798ebdb..7a9cb57 100644
+--- a/src/type42/t42objs.c
++++ b/src/type42/t42objs.c
+@@ -47,6 +47,12 @@
+     if ( FT_ALLOC( face->ttf_data, 12 ) )
+       goto Exit;
+ 
++    /* while parsing the font we always update `face->ttf_size' so that */
++    /* even in case of buggy data (which might lead to premature end of */
++    /* scanning without causing an error) the call to `FT_Open_Face' in */
++    /* `T42_Face_Init' passes the correct size                          */
++    face->ttf_size = 12;
++
+     error = t42_parser_init( parser,
+                              face->root.stream,
+                              memory,
+diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
+index a60e216..daf304d 100644
+--- a/src/type42/t42parse.c
++++ b/src/type42/t42parse.c
+@@ -498,7 +498,7 @@
+     FT_Byte*    limit  = parser->root.limit;
+     FT_Error    error;
+     FT_Int      num_tables = 0;
+-    FT_ULong    count, ttf_size = 0;
++    FT_ULong    count;
+ 
+     FT_Long     n, string_size, old_string_size, real_size;
+     FT_Byte*    string_buf = NULL;
+@@ -591,7 +591,7 @@
+ 
+         if ( limit - parser->root.cursor < string_size )
+         {
+-          FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
++          FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
+           error = T42_Err_Invalid_File_Format;
+           goto Fail;
+         }
+@@ -631,18 +631,18 @@
+           }
+           else
+           {
+-            num_tables = 16 * face->ttf_data[4] + face->ttf_data[5];
+-            status     = BEFORE_TABLE_DIR;
+-            ttf_size   = 12 + 16 * num_tables;
++            num_tables     = 16 * face->ttf_data[4] + face->ttf_data[5];
++            status         = BEFORE_TABLE_DIR;
++            face->ttf_size = 12 + 16 * num_tables;
+ 
+-            if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) )
++            if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) )
+               goto Fail;
+           }
+           /* fall through */
+ 
+         case BEFORE_TABLE_DIR:
+           /* the offset table is read; read the table directory */
+-          if ( count < ttf_size )
++          if ( count < face->ttf_size )
+           {
+             face->ttf_data[count++] = string_buf[n];
+             continue;
+@@ -661,24 +661,23 @@
+               len = FT_PEEK_ULONG( p );
+ 
+               /* Pad to a 4-byte boundary length */
+-              ttf_size += ( len + 3 ) & ~3;
++              face->ttf_size += ( len + 3 ) & ~3;
+             }
+ 
+-            status         = OTHER_TABLES;
+-            face->ttf_size = ttf_size;
++            status = OTHER_TABLES;
+ 
+             /* there are no more than 256 tables, so no size check here */
+             if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables,
+-                             ttf_size + 1 ) )
++                             face->ttf_size + 1 ) )
+               goto Fail;
+           }
+           /* fall through */
+ 
+         case OTHER_TABLES:
+           /* all other tables are just copied */
+-          if ( count >= ttf_size )
++          if ( count >= face->ttf_size )
+           {
+-            FT_ERROR(( "t42_parse_sfnts: too many binary data\n" ));
++            FT_ERROR(( "t42_parse_sfnts: too much binary data\n" ));
+             error = T42_Err_Invalid_File_Format;
+             goto Fail;
+           }
+--
+cgit v0.9.0.2
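Review bot: The accumulation `face->ttf_size += ( len + 3 ) & ~3;` in t42_parse_sfnts is still unchecked: `len` is read from the embedded table directory, and both the padding and the running sum can wrap `FT_ULong`. The comment `there are no more than 256 tables, so no size check here` bounds the entry count, not the sum of lengths, so the following `FT_REALLOC( ..., face->ttf_size + 1 )` can be sized from a wrapped total. The later `count >= face->ttf_size` test appears to keep the copy inside the buffer, but the size handed on to `FT_Open_Face` would no longer match what the directory claims. A guard before the addition, `if ( face->ttf_size > 0x7FFFFFFFUL - 3 || len > 0x7FFFFFFFUL - 3 - face->ttf_size )`, taking the function's existing invalid-format failure path, would reject such directories.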
diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9661b.patch b/SOURCES/freetype-2.4.11-CVE-2014-9661b.patch
new file mode 100644
index 0000000..0f62d7f
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9661b.patch
@@ -0,0 +1,28 @@
+From 42fcd6693ec7bd6ffc65ddc63e74287a65dda669 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 22 Nov 2014 11:44:33 +0000
+Subject: [type42] Allow only embedded TrueType fonts.
+
+This is a follow-up to Savannah bug #43659.
+
+* src/type42/t42objs.c (T42_Face_Init): Exclusively use the
+`truetype' font driver for loading the font contained in the `sfnts'
+array.
+---
+diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c
+index 7a9cb57..915e81f 100644
+--- a/src/type42/t42objs.c
++++ b/src/type42/t42objs.c
+@@ -291,7 +291,9 @@
+       FT_Open_Args  args;
+ 
+ 
+-      args.flags       = FT_OPEN_MEMORY;
++      args.flags       = FT_OPEN_MEMORY | FT_OPEN_DRIVER;
++      args.driver      = FT_Get_Module( FT_FACE_LIBRARY( face ),
++                                        "truetype" );
+       args.memory_base = face->ttf_data;
+       args.memory_size = face->ttf_size;
+ 
+--
+cgit v0.9.0.2
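Review bot: The result of `FT_Get_Module( FT_FACE_LIBRARY( face ), "truetype" )` in T42_Face_Init is stored in `args.driver` without a NULL check. In a build where the `truetype` module is not registered the lookup returns NULL, and `FT_Open_Face` (outside this hunk) would presumably ignore `FT_OPEN_DRIVER` when the driver is null and probe every registered driver again, which is the behaviour this change is meant to rule out. Adding `if ( !args.driver )` with the function's usual error exit right after the assignment makes the restriction fail closed.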
diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9663.patch b/SOURCES/freetype-2.4.11-CVE-2014-9663.patch
new file mode 100644
index 0000000..9e2496a
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9663.patch
@@ -0,0 +1,34 @@
+From 9bd20b7304aae61de5d50ac359cf27132bafd4c1 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 22 Nov 2014 05:24:45 +0000
+Subject: [sfnt] Fix Savannah bug #43656.
+
+* src/sfnt/ttcmap.c (tt_cmap4_validate): Fix order of validity
+tests.
+---
+diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
+index 712bd4f..fb863c3 100644
+--- a/src/sfnt/ttcmap.c
++++ b/src/sfnt/ttcmap.c
+@@ -823,9 +823,6 @@
+     FT_Error  error = SFNT_Err_Ok;
+ 
+ 
+-    if ( length < 16 )
+-      FT_INVALID_TOO_SHORT;
+-
+     /* in certain fonts, the `length' field is invalid and goes */
+     /* out of bound.  We try to correct this here...            */
+     if ( table + length > valid->limit )
+@@ -836,6 +833,9 @@
+       length = (FT_UInt)( valid->limit - table );
+     }
+ 
++    if ( length < 16 )
++      FT_INVALID_TOO_SHORT;
++
+     p        = table + 6;
+     num_segs = TT_NEXT_USHORT( p );   /* read segCountX2 */
+ 
+--
+cgit v0.9.0.2
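Review bot: The clamp that now runs first in tt_cmap4_validate still tests `table + length > valid->limit`, which forms a pointer beyond the table before comparing it. The cast in `length = (FT_UInt)( valid->limit - table );` suggests `length` is an unsigned integer, so the same test can be written on the integer side as `if ( length > (FT_UInt)( valid->limit - table ) )`, the form the other cmap validators on this page already use. Since `length < 16` is now evaluated after the clamp, a comment stating that 16 is checked against the corrected length would record why the order matters.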
diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9664a.patch b/SOURCES/freetype-2.4.11-CVE-2014-9664a.patch
new file mode 100644
index 0000000..7753f3f
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9664a.patch
@@ -0,0 +1,43 @@
+From 73be9f9ab67842cfbec36ee99e8d2301434c84ca Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 24 Nov 2014 06:30:05 +0000
+Subject: [type1, type42] Another fix for Savannah bug #43655.
+
+* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c
+(t42_parse_charstrings): Add another boundary testing.
+---
+diff --git a/src/type1/t1load.c b/src/type1/t1load.c
+index caa75bd..24b14a8 100644
+--- a/src/type1/t1load.c
++++ b/src/type1/t1load.c
+@@ -1589,6 +1589,11 @@
+       }
+ 
+       T1_Skip_PS_Token( parser );
++      if ( parser->root.cursor >= limit )
++      {
++        error = T1_Err_Invalid_File_Format;
++        goto Fail;
++      }
+       if ( parser->root.error )
+         return;
+ 
+diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
+index daf304d..d45c069 100644
+--- a/src/type42/t42parse.c
++++ b/src/type42/t42parse.c
+@@ -823,6 +823,12 @@
+         break;
+ 
+       T1_Skip_PS_Token( parser );
++      if ( parser->root.cursor >= limit )
++      {
++        FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
++        error = T42_Err_Invalid_File_Format;
++        goto Fail;
++      }
+       if ( parser->root.error )
+         return;
+ 
+--
+cgit v0.9.0.2
diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9664b.patch b/SOURCES/freetype-2.4.11-CVE-2014-9664b.patch
new file mode 100644
index 0000000..f594fe7
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9664b.patch
@@ -0,0 +1,36 @@
+From dd89710f0f643eb0f99a3830e0712d26c7642acd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Fri, 21 Nov 2014 21:19:28 +0000
+Subject: [type1, type42] Fix Savannah bug #43655.
+
+* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c
+(t42_parse_charstrings): Fix boundary testing.
+---
+diff --git a/src/type1/t1load.c b/src/type1/t1load.c
+index fd06432..caa75bd 100644
+--- a/src/type1/t1load.c
++++ b/src/type1/t1load.c
+@@ -1602,7 +1602,7 @@
+         FT_PtrDist  len;
+ 
+ 
+-        if ( cur + 1 >= limit )
++        if ( cur + 2 >= limit )
+         {
+           error = T1_Err_Invalid_File_Format;
+           goto Fail;
+diff --git a/src/type42/t42parse.c b/src/type42/t42parse.c
+index 9b66888..a60e216 100644
+--- a/src/type42/t42parse.c
++++ b/src/type42/t42parse.c
+@@ -837,7 +837,7 @@
+         FT_PtrDist  len;
+ 
+ 
+-        if ( cur + 1 >= limit )
++        if ( cur + 2 >= limit )
+         {
+           FT_ERROR(( "t42_parse_charstrings: out of bounds\n" ));
+           error = T42_Err_Invalid_File_Format;
+--
+cgit v0.9.0.2
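Review bot: Both updated tests, `if ( cur + 2 >= limit )` in parse_charstrings and t42_parse_charstrings, compute `cur + 2` before comparing, which can point past one-past-the-end of the buffer when `cur` is within two bytes of `limit`. Comparing the remaining distance instead, `if ( limit - cur <= 2 )`, gives the same result and stays defined at the edge. The constant changed from 1 to 2 without a comment; a line stating which bytes must still be available after `cur` would document the reason. Both function bodies extend beyond the hunks.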
diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9667.patch b/SOURCES/freetype-2.4.11-CVE-2014-9667.patch
new file mode 100644
index 0000000..1e34940
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9667.patch
@@ -0,0 +1,47 @@
+From 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 12 Nov 2014 20:26:44 +0000
+Subject: [sfnt] Fix Savannah bug #43590.
+
+* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir):
+Protect against addition overflow.
+---
+diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c
+index 0a3cd29..8338150 100644
+--- a/src/sfnt/ttload.c
++++ b/src/sfnt/ttload.c
+@@ -5,7 +5,7 @@
+ /*    Load the basic TrueType tables, i.e., tables that can be either in   */
+ /*    TTF or OTF fonts (body).                                             */
+ /*                                                                         */
+-/*  Copyright 1996-2010, 2012 by                                           */
++/*  Copyright 1996-2010, 2012-2014 by                                      */
+ /*  David Turner, Robert Wilhelm, and Werner Lemberg.                      */
+ /*                                                                         */
+ /*  This file is part of the FreeType project, and may only be used,       */
+@@ -207,7 +207,10 @@
+       }
+ 
+       /* we ignore invalid tables */
+-      if ( table.Offset + table.Length > stream->size )
++
++      /* table.Offset + table.Length > stream->size ? */
++      if ( table.Length > stream->size                ||
++           table.Offset > stream->size - table.Length )
+       {
+         FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn ));
+         continue;
+@@ -398,7 +398,10 @@
+       entry->Length   = FT_GET_LONG();
+ 
+       /* ignore invalid tables */
+-      if ( entry->Offset + entry->Length > stream->size )
++
++      /* entry->Offset + entry->Length > stream->size ? */
++      if ( entry->Length > stream->size                 ||
++           entry->Offset > stream->size - entry->Length )
+         continue;
+       else
+       {
+--
+cgit v0.9.0.2
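Review bot: The two rewritten range tests treat a rejected entry differently: check_table_dir logs `table entry %d invalid` through `FT_TRACE2`, while the branch in tt_face_load_font_dir only executes `continue;` with no trace. Emitting the same kind of `FT_TRACE2` message there (the `if` needs braces for it) would make skipped tables visible when triaging a malformed font. The overflow-safe form also relies on `Offset` and `Length` being unsigned; `entry->Length = FT_GET_LONG();` reads a signed value, so confirm the field type in the struct declaration, which is not shown here.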
diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9669.patch b/SOURCES/freetype-2.4.11-CVE-2014-9669.patch
new file mode 100644
index 0000000..59fe8c3
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9669.patch
@@ -0,0 +1,117 @@
+From 602040b1112c9f94d68e200be59ea7ac3d104565 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Wed, 12 Nov 2014 19:51:20 +0000
+Subject: [sfnt] Fix Savannah bug #43588.
+
+* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate,
+tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect
+against overflow in additions and multiplications.
+---
+diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
+index f9acf5d..712bd4f 100644
+--- a/src/sfnt/ttcmap.c
++++ b/src/sfnt/ttcmap.c
+@@ -1647,7 +1647,8 @@
+     p          = is32  + 8192;          /* skip `is32' array */
+     num_groups = TT_NEXT_ULONG( p );
+ 
+-    if ( p + num_groups * 12 > valid->limit )
++    /* p + num_groups * 12 > valid->limit ? */
++    if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check groups, they must be in increasing order */
+@@ -1672,7 +1673,12 @@
+ 
+         if ( valid->level >= FT_VALIDATE_TIGHT )
+         {
+-          if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
++          FT_UInt32  d = end - start;
++
++
++          /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
++          if ( d > TT_VALID_GLYPH_COUNT( valid )             ||
++               start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
+             FT_INVALID_GLYPH_ID;
+ 
+           count = (FT_UInt32)( end - start + 1 );
+@@ -1870,7 +1876,9 @@
+     count  = TT_NEXT_ULONG( p );
+ 
+     if ( length > (FT_ULong)( valid->limit - table ) ||
+-         length < 20 + count * 2                     )
++         /* length < 20 + count * 2 ? */
++         length < 20                                 ||
++         ( length - 20 ) / 2 < count                 )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check glyph indices */
+@@ -2057,7 +2065,9 @@
+     num_groups = TT_NEXT_ULONG( p );
+ 
+     if ( length > (FT_ULong)( valid->limit - table ) ||
+-         length < 16 + 12 * num_groups               )
++         /* length < 16 + 12 * num_groups ? */
++         length < 16                                 ||
++         ( length - 16 ) / 12 < num_groups           )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check groups, they must be in increasing order */
+@@ -2079,7 +2089,12 @@
+ 
+         if ( valid->level >= FT_VALIDATE_TIGHT )
+         {
+-          if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) )
++          FT_UInt32  d = end - start;
++
++
++          /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */
++          if ( d > TT_VALID_GLYPH_COUNT( valid )             ||
++               start_id >= TT_VALID_GLYPH_COUNT( valid ) - d )
+             FT_INVALID_GLYPH_ID;
+         }
+ 
+@@ -2381,7 +2396,9 @@
+     num_groups = TT_NEXT_ULONG( p );
+ 
+     if ( length > (FT_ULong)( valid->limit - table ) ||
+-         length < 16 + 12 * num_groups               )
++         /* length < 16 + 12 * num_groups ? */
++         length < 16                                 ||
++         ( length - 16 ) / 12 < num_groups           )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check groups, they must be in increasing order */
+@@ -2762,7 +2779,9 @@
+ 
+ 
+     if ( length > (FT_ULong)( valid->limit - table ) ||
+-         length < 10 + 11 * num_selectors            )
++         /* length < 10 + 11 * num_selectors ? */
++         length < 10                                 ||
++         ( length - 10 ) / 11 < num_selectors        )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check selectors, they must be in increasing order */
+@@ -2798,7 +2817,8 @@
+           FT_ULong  lastBase  = 0;
+ 
+ 
+-          if ( defp + numRanges * 4 > valid->limit )
++          /* defp + numRanges * 4 > valid->limit ? */
++          if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 )
+             FT_INVALID_TOO_SHORT;
+ 
+           for ( i = 0; i < numRanges; ++i )
+@@ -2825,7 +2845,8 @@
+           FT_ULong  i, lastUni  = 0;
+ 
+ 
+-          if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
++          /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */
++          if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 )
+             FT_INVALID_TOO_SHORT;
+ 
+           for ( i = 0; i < numMappings; ++i )
+--
+cgit v0.9.0.2
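Review bot: The division-based tests such as `num_groups > (FT_UInt32)( valid->limit - p ) / 12` and `numRanges > (FT_ULong)( valid->limit - defp ) / 4` are only sound when the pointer is at or before `valid->limit`; if `p`, `defp` or `ndp` were already past the limit, the negative difference becomes a very large unsigned value and the test passes. The checks that establish this ordering are outside the visible hunks, so it should be confirmed for tt_cmap8_validate and tt_cmap14_validate, or stated in a comment next to each test. The first site casts to `FT_UInt32` while the others use `FT_ULong`; using one type throughout would avoid a truncation difference on 64-bit builds.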
diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9670.patch b/SOURCES/freetype-2.4.11-CVE-2014-9670.patch
new file mode 100644
index 0000000..0a9b70a
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9670.patch
@@ -0,0 +1,30 @@
+From ef1eba75187adfac750f326b563fe543dd5ff4e6 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 06 Nov 2014 22:25:05 +0000
+Subject: Fix Savannah bug #43548.
+
+* src/pcf/pcfread (pcf_get_encodings): Add sanity checks for row and
+column values.
+---
+diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
+index 8db31bd..668c962 100644
+--- a/src/pcf/pcfread.c
++++ b/src/pcf/pcfread.c
+@@ -812,6 +812,15 @@ THE SOFTWARE.
+     if ( !PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) )
+       return PCF_Err_Invalid_File_Format;
+ 
++    /* sanity checks */
++    if ( firstCol < 0       ||
++         firstCol > lastCol ||
++         lastCol  > 0xFF    ||
++         firstRow < 0       ||
++         firstRow > lastRow ||
++         lastRow  > 0xFF    )
++      return PCF_Err_Invalid_Table;
++
+     FT_TRACE4(( "pdf_get_encodings:\n" ));
+ 
+     FT_TRACE4(( "  firstCol %d, lastCol %d, firstRow %d, lastRow %d\n",
+--
+cgit v0.9.0.2
diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9671.patch b/SOURCES/freetype-2.4.11-CVE-2014-9671.patch
new file mode 100644
index 0000000..a291150
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9671.patch
@@ -0,0 +1,36 @@
+From 0e2f5d518c60e2978f26400d110eff178fa7e3c3 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 06 Nov 2014 21:32:46 +0000
+Subject: Fix Savannah bug #43547.
+
+* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset'
+values.
+---
+diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
+index f63377b..8db31bd 100644
+--- a/src/pcf/pcfread.c
++++ b/src/pcf/pcfread.c
+@@ -151,6 +151,21 @@ THE SOFTWARE.
+         break;
+     }
+ 
++    /* we now check whether the `size' and `offset' values are reasonable: */
++    /* `offset' + `size' must not exceed the stream size                   */
++    tables = face->toc.tables;
++    for ( n = 0; n < toc->count; n++ )
++    {
++      /* we need two checks to avoid overflow */
++      if ( ( tables->size   > stream->size                ) ||
++           ( tables->offset > stream->size - tables->size ) )
++      {
++        error = PCF_Err_Invalid_Table;
++        goto Exit;
++      }
++      tables++;
++    }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+ 
+     {
+--
+cgit v0.9.0.2
diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9673.patch b/SOURCES/freetype-2.4.11-CVE-2014-9673.patch
new file mode 100644
index 0000000..957ebe3
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9673.patch
@@ -0,0 +1,53 @@
+From 35252ae9aa1dd9343e9f4884e9ddb1fee10ef415 Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Wed, 26 Nov 2014 06:52:23 +0000
+Subject: Fix Savannah bug #43539.
+
+* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
+by a broken POST table in resource-fork.
+---
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index ffbbc32..922216e 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -1589,6 +1589,11 @@
+         goto Exit2;
+       if ( FT_READ_LONG( rlen ) )
+         goto Exit;
++      if ( rlen < 0 )
++      {
++        error = FT_Err_Invalid_Offset;
++        goto Exit2;
++      }
+       if ( FT_READ_USHORT( flags ) )
+         goto Exit;
+       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+@@ -1606,7 +1611,14 @@
+         rlen = 0;
+ 
+       if ( ( flags >> 8 ) == type )
++      {
++        if ( 0x7FFFFFFFL - rlen < len )
++        {
++          error = FT_Err_Array_Too_Large;
++          goto Exit2;
++        }
+         len += rlen;
++      }
+       else
+       {
+         if ( pfb_lenpos + 3 > pfb_len + 2 )
+@@ -1635,6 +1647,11 @@
+       }
+ 
+       error = FT_Err_Cannot_Open_Resource;
++      if ( rlen > 0x7FFFFFFFL - pfb_pos )
++      {
++        error = FT_Err_Array_Too_Large;
++        goto Exit2;
++      }
+       if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
+         goto Exit2;
+ 
+--
+cgit v0.9.0.2
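Review bot: Inside the fragment loop of Mac_Read_POST_Resource the new checks leave through `goto Exit2`, but the neighbouring read failures, `if ( FT_READ_LONG( rlen ) ) goto Exit;` and `if ( FT_READ_USHORT( flags ) ) goto Exit;`, still use `Exit`. The labels are outside the hunk; if `Exit2` is the one that releases `pfb_data`, those two read-failure paths skip the cleanup and should become `goto Exit2;` as well. The literal `0x7FFFFFFFL` appears in both new overflow tests and would be easier to audit as a named constant.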
diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9674a.patch b/SOURCES/freetype-2.4.11-CVE-2014-9674a.patch
new file mode 100644
index 0000000..631a5bf
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9674a.patch
@@ -0,0 +1,39 @@
+From 240c94a185cd8dae7d03059abec8a5662c35ecd3 Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Wed, 26 Nov 2014 06:43:29 +0000
+Subject: Fix Savannah bug #43538.
+
+* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow
+by a broken POST table in resource-fork.
+---
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 4d60e88..ffbbc32 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -1565,10 +1565,23 @@
+         goto Exit;
+       if ( FT_READ_LONG( temp ) )
+         goto Exit;
++      if ( 0 > temp )
++        error = FT_Err_Invalid_Offset;
++      else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
++        error = FT_Err_Array_Too_Large;
++
++      if ( error )
++        goto Exit;
++
+       pfb_len += temp + 6;
+     }
+ 
+-    if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
++    if ( 0x7FFFFFFFL - 2 < pfb_len )
++      error = FT_Err_Array_Too_Large;
++    else
++      error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
++
++    if ( error )
+       goto Exit;
+ 
+     pfb_data[0] = 0x80;
+--
+cgit v0.9.0.2
diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9674b.patch b/SOURCES/freetype-2.4.11-CVE-2014-9674b.patch
new file mode 100644
index 0000000..288953a
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9674b.patch
@@ -0,0 +1,26 @@
+From cd4a5a26e591d01494567df9dec7f72d59551f6e Mon Sep 17 00:00:00 2001
+From: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date: Wed, 26 Nov 2014 15:20:48 +0000
+Subject: * src/base/ftobj.c (Mac_Read_POST_Resource): Additional
+
+overflow check in the summation of POST fragment lengths,
+suggested by Mateusz Jurczyk <mjurczyk@google.com>.
+---
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 4321126..b28216a 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -1566,8 +1566,10 @@
+       if ( FT_READ_ULONG( temp ) )
+         goto Exit;
+       FT_TRACE4(( "                 POST fragment #%d: length=0x%08x\n", i, temp));
+-      if ( 0x7FFFFFFFUL < temp )
++      if ( 0x7FFFFFFFUL < temp || pfb_len + temp + 6 < pfb_len )
+       {
++        FT_TRACE2(( "             too long fragment length makes"
++                    " pfb_len confused: temp=0x%08x\n", temp ));
+         error = FT_Err_Invalid_Offset;
+         goto Exit;
+       }
+--
+cgit v0.9.0.2
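Review bot: The added test `pfb_len + temp + 6 < pfb_len` detects wraparound only at the full width of the operands, so where `FT_ULong` is 64 bits the running total can pass `0x7FFFFFFF` without tripping it. The per-fragment bound `0x7FFFFFFFUL < temp` limits each length but not the sum, and the allocation that consumes `pfb_len` is outside this hunk. Bounding the sum explicitly, `pfb_len > 0x7FFFFFFFUL - 6 || temp > 0x7FFFFFFFUL - 6 - pfb_len`, keeps the total inside the range a later signed conversion expects. The types of `temp` and `pfb_len` are inferred from the `UL` constants and `FT_READ_ULONG`, so confirm them against the declarations.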
diff --git a/SOURCES/freetype-2.4.11-CVE-2014-9675.patch b/SOURCES/freetype-2.4.11-CVE-2014-9675.patch
new file mode 100644
index 0000000..3c3ea40
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-CVE-2014-9675.patch
@@ -0,0 +1,237 @@
+commit 2c4832d30939b45c05757f0a05128ce64c4cacc7
+Author: Werner Lemberg <wl@gnu.org>
+Date:   Fri Nov 7 07:42:33 2014 +0100
+
+    Fix Savannah bug #43535.
+    
+    * src/bdf/bdflib.c (_bdf_strncmp): New macro that checks one
+    character more than `strncmp'.
+    s/ft_strncmp/_bdf_strncmp/ everywhere.
+
+diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
+index 2eda11c..c128526 100644
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -169,6 +169,18 @@
+                         sizeof ( _bdf_properties[0] );
+ 
+ 
++  /* An auxiliary macro to parse properties, to be used in conditionals. */
++  /* It behaves like `strncmp' but also tests the following character    */
++  /* whether it is a whitespace or NULL.                                 */
++  /* `property' is a constant string of length `n' to compare with.      */
++#define _bdf_strncmp( name, property, n )      \
++          ( ft_strncmp( name, property, n ) || \
++            !( name[n] == ' '  ||              \
++               name[n] == '\0' ||              \
++               name[n] == '\n' ||              \
++               name[n] == '\r' ||              \
++               name[n] == '\t' )            )
++
+   /* Auto correction messages. */
+ #define ACMSG1   "FONT_ASCENT property missing.  " \
+                  "Added `FONT_ASCENT %hd'.\n"
+@@ -1402,7 +1414,7 @@
+ 
+     /* If the property happens to be a comment, then it doesn't need */
+     /* to be added to the internal hash table.                       */
+-    if ( ft_strncmp( name, "COMMENT", 7 ) != 0 )
++    if ( _bdf_strncmp( name, "COMMENT", 7 ) != 0 )
+     {
+       /* Add the property to the font property table. */
+       error = hash_insert( fp->name,
+@@ -1420,13 +1432,13 @@
+     /* FONT_ASCENT and FONT_DESCENT need to be assigned if they are        */
+     /* present, and the SPACING property should override the default       */
+     /* spacing.                                                            */
+-    if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
++    if ( _bdf_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
+       font->default_char = fp->value.l;
+-    else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
++    else if ( _bdf_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
+       font->font_ascent = fp->value.l;
+-    else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
++    else if ( _bdf_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
+       font->font_descent = fp->value.l;
+-    else if ( ft_strncmp( name, "SPACING", 7 ) == 0 )
++    else if ( _bdf_strncmp( name, "SPACING", 7 ) == 0 )
+     {
+       if ( !fp->value.atom )
+       {
+@@ -1484,7 +1496,7 @@
+     memory = font->memory;
+ 
+     /* Check for a comment. */
+-    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
++    if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       linelen -= 7;
+ 
+@@ -1501,7 +1513,7 @@
+     /* The very first thing expected is the number of glyphs. */
+     if ( !( p->flags & _BDF_GLYPHS ) )
+     {
+-      if ( ft_strncmp( line, "CHARS", 5 ) != 0 )
++      if ( _bdf_strncmp( line, "CHARS", 5 ) != 0 )
+       {
+         FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" ));
+         error = BDF_Err_Missing_Chars_Field;
+@@ -1535,7 +1547,7 @@
+     }
+ 
+     /* Check for the ENDFONT field. */
+-    if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 )
++    if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 )
+     {
+       /* Sort the glyphs by encoding. */
+       ft_qsort( (char *)font->glyphs,
+@@ -1549,7 +1561,7 @@
+     }
+ 
+     /* Check for the ENDCHAR field. */
+-    if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 )
++    if ( _bdf_strncmp( line, "ENDCHAR", 7 ) == 0 )
+     {
+       p->glyph_enc = 0;
+       p->flags    &= ~_BDF_GLYPH_BITS;
+@@ -1565,7 +1577,7 @@
+       goto Exit;
+ 
+     /* Check for the STARTCHAR field. */
+-    if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 )
++    if ( _bdf_strncmp( line, "STARTCHAR", 9 ) == 0 )
+     {
+       /* Set the character name in the parse info first until the */
+       /* encoding can be checked for an unencoded character.      */
+@@ -1599,7 +1611,7 @@
+     }
+ 
+     /* Check for the ENCODING field. */
+-    if ( ft_strncmp( line, "ENCODING", 8 ) == 0 )
++    if ( _bdf_strncmp( line, "ENCODING", 8 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_GLYPH ) )
+       {
+@@ -1785,7 +1797,7 @@
+     }
+ 
+     /* Expect the SWIDTH (scalable width) field next. */
+-    if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 )
++    if ( _bdf_strncmp( line, "SWIDTH", 6 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1801,7 +1813,7 @@
+     }
+ 
+     /* Expect the DWIDTH (scalable width) field next. */
+-    if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 )
++    if ( _bdf_strncmp( line, "DWIDTH", 6 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1829,7 +1841,7 @@
+     }
+ 
+     /* Expect the BBX field next. */
+-    if ( ft_strncmp( line, "BBX", 3 ) == 0 )
++    if ( _bdf_strncmp( line, "BBX", 3 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1897,7 +1909,7 @@
+     }
+ 
+     /* And finally, gather up the bitmap. */
+-    if ( ft_strncmp( line, "BITMAP", 6 ) == 0 )
++    if ( _bdf_strncmp( line, "BITMAP", 6 ) == 0 )
+     {
+       unsigned long  bitmap_size;
+ 
+@@ -1972,7 +1984,7 @@
+     p    = (_bdf_parse_t *)    client_data;
+ 
+     /* Check for the end of the properties. */
+-    if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
++    if ( _bdf_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
+     {
+       /* If the FONT_ASCENT or FONT_DESCENT properties have not been      */
+       /* encountered yet, then make sure they are added as properties and */
+@@ -2013,12 +2025,12 @@
+     }
+ 
+     /* Ignore the _XFREE86_GLYPH_RANGES properties. */
+-    if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
++    if ( _bdf_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
+       goto Exit;
+ 
+     /* Handle COMMENT fields and properties in a special way to preserve */
+     /* the spacing.                                                      */
+-    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
++    if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       name = value = line;
+       value += 7;
+@@ -2082,7 +2094,7 @@
+ 
+     /* Check for a comment.  This is done to handle those fonts that have */
+     /* comments before the STARTFONT line for some reason.                */
+-    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
++    if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       if ( p->opts->keep_comments != 0 && p->font != 0 )
+       {
+@@ -2108,7 +2120,7 @@
+     {
+       memory = p->memory;
+ 
+-      if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 )
++      if ( _bdf_strncmp( line, "STARTFONT", 9 ) != 0 )
+       {
+         /* we don't emit an error message since this code gets */
+         /* explicitly caught one level higher                  */
+@@ -2156,7 +2168,7 @@
+     }
+ 
+     /* Check for the start of the properties. */
+-    if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
++    if ( _bdf_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_FONT_BBX ) )
+       {
+@@ -2185,7 +2197,7 @@
+     }
+ 
+     /* Check for the FONTBOUNDINGBOX field. */
+-    if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
++    if ( _bdf_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_SIZE ) )
+       {
+@@ -2216,7 +2228,7 @@
+     }
+ 
+     /* The next thing to check for is the FONT field. */
+-    if ( ft_strncmp( line, "FONT", 4 ) == 0 )
++    if ( _bdf_strncmp( line, "FONT", 4 ) == 0 )
+     {
+       error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
+       if ( error )
+@@ -2251,7 +2263,7 @@
+     }
+ 
+     /* Check for the SIZE field. */
+-    if ( ft_strncmp( line, "SIZE", 4 ) == 0 )
++    if ( _bdf_strncmp( line, "SIZE", 4 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_FONT_NAME ) )
+       {
+@@ -2305,7 +2317,7 @@
+     }
+ 
+     /* Check for the CHARS field -- font properties are optional */
+-    if ( ft_strncmp( line, "CHARS", 5 ) == 0 )
++    if ( _bdf_strncmp( line, "CHARS", 5 ) == 0 )
+     {
+       char  nbuf[128];
+ 
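Review bot: The new `_bdf_strncmp` macro uses its arguments unparenthesized and evaluates `name` up to six times, so it is only safe with the plain identifiers passed at the current call sites. Writing the accesses as `( name )[n]` and stating the single-evaluation requirement in the macro comment would keep a later caller from passing an expression with side effects. The comment says the following character is tested for `NULL`; the macro compares against `'\0'`, so `NUL` is the accurate word. Every call site also repeats the keyword length as a literal (`"ENDPROPERTIES", 13`), and a mismatch there would silently change which lines match, so the lengths deserve a check during review.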
diff --git a/SOURCES/freetype-2.4.11-ft-strncmp.patch b/SOURCES/freetype-2.4.11-ft-strncmp.patch
new file mode 100644
index 0000000..6de33c5
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-ft-strncmp.patch
@@ -0,0 +1,228 @@
+commit 9a56764037dfc01a89fe61f5c67971bf50343d00
+Author: Werner Lemberg <wl@gnu.org>
+Date:   Wed Feb 26 13:08:07 2014 +0100
+
+    [bdf] Fix Savannah bug #41692.
+    
+    bdflib puts data from the input stream into a buffer in chunks of
+    1024 bytes.  The data itself gets then parsed line by line, simply
+    increasing the current pointer into the buffer; if the search for
+    the final newline character exceeds the buffer size, more data gets
+    read.
+    
+    However, in case the current line's end is very near to the buffer
+    end, and the keyword to compare with is longer than the current
+    line's length, an out-of-bounds read might happen since `memcmp'
+    doesn't stop properly at the string end.
+    
+    * src/bdf/bdflib.c: s/ft_memcmp/ft_strncmp/ to make comparisons
+    stop at string ends.
+
+diff --git a/src/bdf/bdflib.c b/src/bdf/bdflib.c
+index c9e231e..b0ec292 100644
+--- a/src/bdf/bdflib.c
++++ b/src/bdf/bdflib.c
+@@ -1402,7 +1402,7 @@
+ 
+     /* If the property happens to be a comment, then it doesn't need */
+     /* to be added to the internal hash table.                       */
+-    if ( ft_memcmp( name, "COMMENT", 7 ) != 0 )
++    if ( ft_strncmp( name, "COMMENT", 7 ) != 0 )
+     {
+       /* Add the property to the font property table. */
+       error = hash_insert( fp->name,
+@@ -1420,13 +1420,13 @@
+     /* FONT_ASCENT and FONT_DESCENT need to be assigned if they are        */
+     /* present, and the SPACING property should override the default       */
+     /* spacing.                                                            */
+-    if ( ft_memcmp( name, "DEFAULT_CHAR", 12 ) == 0 )
++    if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 )
+       font->default_char = fp->value.l;
+-    else if ( ft_memcmp( name, "FONT_ASCENT", 11 ) == 0 )
++    else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 )
+       font->font_ascent = fp->value.l;
+-    else if ( ft_memcmp( name, "FONT_DESCENT", 12 ) == 0 )
++    else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 )
+       font->font_descent = fp->value.l;
+-    else if ( ft_memcmp( name, "SPACING", 7 ) == 0 )
++    else if ( ft_strncmp( name, "SPACING", 7 ) == 0 )
+     {
+       if ( !fp->value.atom )
+       {
+@@ -1484,7 +1484,7 @@
+     memory = font->memory;
+ 
+     /* Check for a comment. */
+-    if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
++    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       linelen -= 7;
+ 
+@@ -1501,7 +1501,7 @@
+     /* The very first thing expected is the number of glyphs. */
+     if ( !( p->flags & _BDF_GLYPHS ) )
+     {
+-      if ( ft_memcmp( line, "CHARS", 5 ) != 0 )
++      if ( ft_strncmp( line, "CHARS", 5 ) != 0 )
+       {
+         FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" ));
+         error = BDF_Err_Missing_Chars_Field;
+@@ -1535,7 +1535,7 @@
+     }
+ 
+     /* Check for the ENDFONT field. */
+-    if ( ft_memcmp( line, "ENDFONT", 7 ) == 0 )
++    if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 )
+     {
+       /* Sort the glyphs by encoding. */
+       ft_qsort( (char *)font->glyphs,
+@@ -1549,7 +1549,7 @@
+     }
+ 
+     /* Check for the ENDCHAR field. */
+-    if ( ft_memcmp( line, "ENDCHAR", 7 ) == 0 )
++    if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 )
+     {
+       p->glyph_enc = 0;
+       p->flags    &= ~_BDF_GLYPH_BITS;
+@@ -1565,7 +1565,7 @@
+       goto Exit;
+ 
+     /* Check for the STARTCHAR field. */
+-    if ( ft_memcmp( line, "STARTCHAR", 9 ) == 0 )
++    if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 )
+     {
+       /* Set the character name in the parse info first until the */
+       /* encoding can be checked for an unencoded character.      */
+@@ -1599,7 +1599,7 @@
+     }
+ 
+     /* Check for the ENCODING field. */
+-    if ( ft_memcmp( line, "ENCODING", 8 ) == 0 )
++    if ( ft_strncmp( line, "ENCODING", 8 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_GLYPH ) )
+       {
+@@ -1785,7 +1785,7 @@
+     }
+ 
+     /* Expect the SWIDTH (scalable width) field next. */
+-    if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 )
++    if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1801,7 +1801,7 @@
+     }
+ 
+     /* Expect the DWIDTH (scalable width) field next. */
+-    if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 )
++    if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1829,7 +1829,7 @@
+     }
+ 
+     /* Expect the BBX field next. */
+-    if ( ft_memcmp( line, "BBX", 3 ) == 0 )
++    if ( ft_strncmp( line, "BBX", 3 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_ENCODING ) )
+         goto Missing_Encoding;
+@@ -1897,7 +1897,7 @@
+     }
+ 
+     /* And finally, gather up the bitmap. */
+-    if ( ft_memcmp( line, "BITMAP", 6 ) == 0 )
++    if ( ft_strncmp( line, "BITMAP", 6 ) == 0 )
+     {
+       unsigned long  bitmap_size;
+ 
+@@ -1972,7 +1972,7 @@
+     p    = (_bdf_parse_t *)    client_data;
+ 
+     /* Check for the end of the properties. */
+-    if ( ft_memcmp( line, "ENDPROPERTIES", 13 ) == 0 )
++    if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 )
+     {
+       /* If the FONT_ASCENT or FONT_DESCENT properties have not been      */
+       /* encountered yet, then make sure they are added as properties and */
+@@ -2013,12 +2013,12 @@
+     }
+ 
+     /* Ignore the _XFREE86_GLYPH_RANGES properties. */
+-    if ( ft_memcmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
++    if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 )
+       goto Exit;
+ 
+     /* Handle COMMENT fields and properties in a special way to preserve */
+     /* the spacing.                                                      */
+-    if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
++    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       name = value = line;
+       value += 7;
+@@ -2082,7 +2082,7 @@
+ 
+     /* Check for a comment.  This is done to handle those fonts that have */
+     /* comments before the STARTFONT line for some reason.                */
+-    if ( ft_memcmp( line, "COMMENT", 7 ) == 0 )
++    if ( ft_strncmp( line, "COMMENT", 7 ) == 0 )
+     {
+       if ( p->opts->keep_comments != 0 && p->font != 0 )
+       {
+@@ -2108,7 +2108,7 @@
+     {
+       memory = p->memory;
+ 
+-      if ( ft_memcmp( line, "STARTFONT", 9 ) != 0 )
++      if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 )
+       {
+         /* we don't emit an error message since this code gets */
+         /* explicitly caught one level higher                  */
+@@ -2156,7 +2156,7 @@
+     }
+ 
+     /* Check for the start of the properties. */
+-    if ( ft_memcmp( line, "STARTPROPERTIES", 15 ) == 0 )
++    if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_FONT_BBX ) )
+       {
+@@ -2185,7 +2185,7 @@
+     }
+ 
+     /* Check for the FONTBOUNDINGBOX field. */
+-    if ( ft_memcmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
++    if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_SIZE ) )
+       {
+@@ -2216,7 +2216,7 @@
+     }
+ 
+     /* The next thing to check for is the FONT field. */
+-    if ( ft_memcmp( line, "FONT", 4 ) == 0 )
++    if ( ft_strncmp( line, "FONT", 4 ) == 0 )
+     {
+       error = _bdf_list_split( &p->list, (char *)" +", line, linelen );
+       if ( error )
+@@ -2251,7 +2251,7 @@
+     }
+ 
+     /* Check for the SIZE field. */
+-    if ( ft_memcmp( line, "SIZE", 4 ) == 0 )
++    if ( ft_strncmp( line, "SIZE", 4 ) == 0 )
+     {
+       if ( !( p->flags & _BDF_FONT_NAME ) )
+       {
+@@ -2305,7 +2305,7 @@
+     }
+ 
+     /* Check for the CHARS field -- font properties are optional */
+-    if ( ft_memcmp( line, "CHARS", 5 ) == 0 )
++    if ( ft_strncmp( line, "CHARS", 5 ) == 0 )
+     {
+       char  nbuf[128];
+ 
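Review bot: The property-name tests in the hunk at 1420 (`DEFAULT_CHAR`, `FONT_ASCENT`, `FONT_DESCENT`, `SPACING`) and every keyword test below it still match on a prefix only, so a name such as `SPACINGX` is handled as `SPACING` and `fp->value.atom` is read for it whatever the property's own type is (the type handling sits outside the hunks, so this part is inferred). `ft_strncmp` only cures the over-read described in the commit message if `line` and `name` are NUL-terminated at the point of each call, which these hunks do not show. The changelog in this commit attributes the stricter comparison to the CVE-2014-9675 patch (`_bdf_strncmp`, "checks one character more than `strncmp'"), so Patch93 is only safe together with Patch94; I would record that next to the Patch93 line in the spec, `# prerequisite for Patch94 (CVE-2014-9675); keep both or neither`. The enclosing functions start and end outside every hunk here.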
diff --git a/SOURCES/freetype-2.4.11-pcf-read-a.patch b/SOURCES/freetype-2.4.11-pcf-read-a.patch
new file mode 100644
index 0000000..34ab2e0
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-pcf-read-a.patch
@@ -0,0 +1,107 @@
+From 74af85c4b62b35e55b0ce9dec55ee10cbc4962a2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 8 Dec 2014 16:01:50 +0100
+Subject: [PATCH] [pcf] Fix Savannah bug #43774.
+
+Work around `features' of X11's `pcfWriteFont' and `pcfReadFont'
+functions.  Since the PCF format doesn't have an official
+specification, we have to exactly follow these functions' behaviour.
+
+The problem was unveiled with a patch from 2014-11-06, fixing issue #43547.
+
+* src/pcf/pcfread.c (pcf_read_TOC): Don't check table size for last
+element.  Instead, assign real size.
+---
+ ChangeLog         | 14 ++++++++++++++
+ src/pcf/pcfread.c | 54 +++++++++++++++++++++++++++++++++++++++++++-----------
+ 2 files changed, 57 insertions(+), 11 deletions(-)
+
+diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
+index 998cbed..e3caf82 100644
+--- a/src/pcf/pcfread.c
++++ b/src/pcf/pcfread.c
+@@ -95,9 +95,11 @@ THE SOFTWARE.
+     FT_Memory  memory = FT_FACE(face)->memory;
+     FT_UInt    n;
+ 
++    FT_ULong   size;
+ 
+-    if ( FT_STREAM_SEEK ( 0 )                          ||
+-         FT_STREAM_READ_FIELDS ( pcf_toc_header, toc ) )
++
++    if ( FT_STREAM_SEEK( 0 )                          ||
++         FT_STREAM_READ_FIELDS( pcf_toc_header, toc ) )
+       return PCF_Err_Cannot_Open_Resource;
+ 
+     if ( toc->version != PCF_FILE_VERSION                 ||
+@@ -151,14 +153,35 @@ THE SOFTWARE.
+         break;
+     }
+ 
+-    /* we now check whether the `size' and `offset' values are reasonable: */
+-    /* `offset' + `size' must not exceed the stream size                   */
++    /*
++     *  We now check whether the `size' and `offset' values are reasonable:
++     *  `offset' + `size' must not exceed the stream size.
++     *
++     *  Note, however, that X11's `pcfWriteFont' routine (used by the
++     *  `bdftopcf' program to create PDF font files) has two special
++     *  features.
++     *
++     *  - It always assigns the accelerator table a size of 100 bytes in the
++     *    TOC, regardless of its real size, which can vary between 34 and 72
++     *    bytes.
++     *
++     *  - Due to the way the routine is designed, it ships out the last font
++     *    table with its real size, ignoring the TOC's size value.  Since
++     *    the TOC size values are always rounded up to a multiple of 4, the
++     *    difference can be up to three bytes for all tables except the
++     *    accelerator table, for which the difference can be as large as 66
++     *    bytes.
++     *
++     */
++
+     tables = face->toc.tables;
+-    for ( n = 0; n < toc->count; n++ )
++    size   = stream->size;
++
++    for ( n = 0; n < toc->count - 1; n++ )
+     {
+       /* we need two checks to avoid overflow */
+-      if ( ( tables->size   > stream->size                ) ||
+-           ( tables->offset > stream->size - tables->size ) )
++      if ( ( tables->size   > size                ) ||
++           ( tables->offset > size - tables->size ) )
+       {
+         error = PCF_Err_Invalid_Table;
+         goto Exit;
+@@ -166,6 +189,15 @@ THE SOFTWARE.
+       tables++;
+     }
+ 
++    /* no check of `tables->size' for last table element ... */
++    if ( ( tables->offset > size ) )
++    {
++      error = PCF_Err_Invalid_Table;
++      goto Exit;
++    }
++    /* ... instead, we adjust `tables->size' to the real value */
++    tables->size = size - tables->offset;
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+ 
+     {
+@@ -714,8 +746,8 @@ THE SOFTWARE.
+ 
+     FT_TRACE4(( "  number of bitmaps: %d\n", nbitmaps ));
+ 
+-    /* XXX: PCF_Face->nmetrics is singed FT_Long, see pcf.h */
+-    if ( face->nmetrics < 0 || nbitmaps != ( FT_ULong )face->nmetrics )
++    /* XXX: PCF_Face->nmetrics is signed FT_Long, see pcf.h */
++    if ( face->nmetrics < 0 || nbitmaps != (FT_ULong)face->nmetrics )
+       return PCF_Err_Invalid_File_Format;
+ 
+     if ( FT_NEW_ARRAY( offsets, nbitmaps ) )
+-- 
+2.1.0
+
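Review bot: The rewritten loop bound `n < toc->count - 1` and the last-element code after it both assume `toc->count >= 1`; the header check that would have to guarantee this begins on the first hunk's last context line (`toc->version != PCF_FILE_VERSION ||`) and is cut off, so it cannot be confirmed from here. If a zero count gets through and `count` is unsigned, the subtraction wraps, the loop walks past the end of the table array, and `tables->offset` and `tables->size` are then read and written on an element that was never allocated. I would confirm that the existing check rejects `toc->count == 0`, or add `if ( toc->count == 0 ) return PCF_Err_Invalid_File_Format;` before the tables are allocated. In the new block comment, `PDF font files` should read `PCF font files`. `pcf_read_TOC` starts and ends outside the hunks.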
diff --git a/SOURCES/freetype-2.4.11-pcf-read-b.patch b/SOURCES/freetype-2.4.11-pcf-read-b.patch
new file mode 100644
index 0000000..16c68cc
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-pcf-read-b.patch
@@ -0,0 +1,37 @@
+From 06842c7b49c21f13c0ab61201daab6ff5a358fcc Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 13 Dec 2014 07:42:51 +0100
+Subject: [PATCH] * src/pcf/pcfread.c (pcf_read_TOC): Improve fix from
+ 2014-12-08.
+
+---
+ ChangeLog         | 4 ++++
+ src/pcf/pcfread.c | 7 ++++---
+ 2 files changed, 8 insertions(+), 3 deletions(-)
+
+diff --git a/src/pcf/pcfread.c b/src/pcf/pcfread.c
+index e3caf82..a29a9e3 100644
+--- a/src/pcf/pcfread.c
++++ b/src/pcf/pcfread.c
+@@ -189,14 +189,15 @@ THE SOFTWARE.
+       tables++;
+     }
+ 
+-    /* no check of `tables->size' for last table element ... */
++    /* only check `tables->offset' for last table element ... */
+     if ( ( tables->offset > size ) )
+     {
+       error = PCF_Err_Invalid_Table;
+       goto Exit;
+     }
+-    /* ... instead, we adjust `tables->size' to the real value */
+-    tables->size = size - tables->offset;
++    /* ... and adjust `tables->size' to the real value if necessary */
++    if ( tables->size > size - tables->offset )
++      tables->size = size - tables->offset;
+ 
+ #ifdef FT_DEBUG_LEVEL_TRACE
+ 
+-- 
+2.1.0
+
diff --git a/SOURCES/freetype-2.4.11-unsigned-long.patch b/SOURCES/freetype-2.4.11-unsigned-long.patch
new file mode 100644
index 0000000..04db8c1
--- /dev/null
+++ b/SOURCES/freetype-2.4.11-unsigned-long.patch
@@ -0,0 +1,153 @@
+commit 453316792fee912cfced48e9e270e9eb19892e64
+Author: suzuki toshiya <mpsuzuki@hiroshima-u.ac.jp>
+Date:   Wed Nov 26 16:02:17 2014 +0900
+
+    * src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long
+    variables to read the lengths in POST fragments.  Suggested by
+    Mateusz Jurczyk <mjurczyk@google.com>.
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 922216e..dfad24a 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -1545,9 +1545,9 @@
+     FT_Memory  memory = library->memory;
+     FT_Byte*   pfb_data = NULL;
+     int        i, type, flags;
+-    FT_Long    len;
+-    FT_Long    pfb_len, pfb_pos, pfb_lenpos;
+-    FT_Long    rlen, temp;
++    FT_ULong   len;
++    FT_ULong   pfb_len, pfb_pos, pfb_lenpos;
++    FT_ULong   rlen, temp;
+ 
+ 
+     if ( face_index == -1 )
+@@ -1563,25 +1563,25 @@
+       error = FT_Stream_Seek( stream, offsets[i] );
+       if ( error )
+         goto Exit;
+-      if ( FT_READ_LONG( temp ) )
++      if ( FT_READ_ULONG( temp ) )
+         goto Exit;
+-      if ( 0 > temp )
++      FT_TRACE4(( "                 POST fragment #%d: length=0x%08x\n", i, temp));
++      if ( 0x7FFFFFFFUL < temp )
++      {
+         error = FT_Err_Invalid_Offset;
+-      else if ( 0x7FFFFFFFL - 6 - pfb_len < temp )
+-        error = FT_Err_Array_Too_Large;
+-
+-      if ( error )
+         goto Exit;
++      }
+ 
+       pfb_len += temp + 6;
+     }
+ 
+-    if ( 0x7FFFFFFFL - 2 < pfb_len )
++    FT_TRACE2(( "             total buffer size to concatenate %d POST fragments: 0x%08x\n",
++                 resource_cnt, pfb_len + 2));
++    if ( pfb_len + 2 < 6 ) {
+       error = FT_Err_Array_Too_Large;
+-    else
+-      error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 );
+-
+-    if ( error )
++      goto Exit;
++    }
++    if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) )
+       goto Exit;
+ 
+     pfb_data[0] = 0x80;
+@@ -1600,21 +1602,25 @@
+       error = FT_Stream_Seek( stream, offsets[i] );
+       if ( error )
+         goto Exit2;
+-      if ( FT_READ_LONG( rlen ) )
++      if ( FT_READ_ULONG( rlen ) )
+         goto Exit;
+-      if ( rlen < 0 )
++      if ( 0x7FFFFFFFUL < rlen )
+       {
+         error = FT_Err_Invalid_Offset;
+         goto Exit2;
+       }
+       if ( FT_READ_USHORT( flags ) )
+         goto Exit;
+       FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n",
+                    i, offsets[i], rlen, flags ));
+ 
++      error = FT_Err_Array_Too_Large;
+       /* postpone the check of rlen longer than buffer until FT_Stream_Read() */
+       if ( ( flags >> 8 ) == 0 )        /* Comment, should not be loaded */
++      {
++        FT_TRACE3(( "    Skip POST fragment #%d because it is a comment\n", i ));
+         continue;
++      }
+ 
+       /* the flags are part of the resource, so rlen >= 2.  */
+       /* but some fonts declare rlen = 0 for empty fragment */
+@@ -1624,16 +1632,10 @@
+         rlen = 0;
+ 
+       if ( ( flags >> 8 ) == type )
+-      {
+-        if ( 0x7FFFFFFFL - rlen < len )
+-        {
+-          error = FT_Err_Array_Too_Large;
+-          goto Exit2;
+-        }
+         len += rlen;
+-      }
+       else
+       {
++        FT_TRACE3(( "    Write POST fragment #%d header (4-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos ));
+         if ( pfb_lenpos + 3 > pfb_len + 2 )
+           goto Exit2;
+         pfb_data[pfb_lenpos    ] = (FT_Byte)( len );
+@@ -1644,6 +1646,7 @@
+         if ( ( flags >> 8 ) == 5 )      /* End of font mark */
+           break;
+ 
++        FT_TRACE3(( "    Write POST fragment #%d header (6-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_pos ));
+         if ( pfb_pos + 6 > pfb_len + 2 )
+           goto Exit2;
+         pfb_data[pfb_pos++] = 0x80;
+@@ -1659,21 +1662,17 @@
+         pfb_data[pfb_pos++] = 0;
+       }
+ 
+-      error = FT_Err_Cannot_Open_Resource;
+-      if ( rlen > 0x7FFFFFFFL - pfb_pos )
+-      {
+-        error = FT_Err_Array_Too_Large;
+-        goto Exit2;
+-      }
+       if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len )
+         goto Exit2;
+ 
++      FT_TRACE3(( "    Load POST fragment #%d (%d byte) to buffer 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos ));
+       error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen );
+       if ( error )
+         goto Exit2;
+       pfb_pos += rlen;
+     }
+ 
++    error = FT_Err_Array_Too_Large;
+     if ( pfb_pos + 2 > pfb_len + 2 )
+       goto Exit2;
+     pfb_data[pfb_pos++] = 0x80;
+@@ -1694,6 +1693,12 @@
+                                   aface );
+ 
+   Exit2:
++    if ( error == FT_Err_Array_Too_Large )
++      FT_TRACE2(( "  Abort due to too-short buffer to store all POST fragments\n" ));
++    else if ( error == FT_Err_Invalid_Offset )
++      FT_TRACE2(( "  Abort due to invalid offset in a POST fragment\n" ));
++    if ( error )
++      error = FT_Err_Cannot_Open_Resource;
+     FT_FREE( pfb_data );
+ 
+   Exit:
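Review bot: The first loop loses its bound on the running total: the removed `0x7FFFFFFFL - 6 - pfb_len < temp` test is not replaced, so `pfb_len += temp + 6` can wrap where `FT_ULong` is 32 bits wide, and `pfb_len + 2 < 6` catches only a wrap that lands on a tiny value. The changelog lists an "additional overflow check in the summation of POST fragment lengths" under CVE-2014-9674, presumably Patch108, so this patch should not be carried without it; the check I would expect inside the loop is `if ( temp > 0x7FFFFFFFUL - 6 || pfb_len > 0x7FFFFFFFUL - 6 - temp ) { error = FT_Err_Array_Too_Large; goto Exit; }`. Separately, in the second loop the failure paths of `FT_READ_ULONG( rlen )` and `FT_READ_USHORT( flags )` still `goto Exit`, which skips `FT_FREE( pfb_data )` under `Exit2` and leaks the buffer on a truncated fragment; both should be `goto Exit2;`. The new `FT_TRACE` calls also pass `FT_ULong` values to `%d` and `%08x`, which should be `%lu` and `%08lx`. `Mac_Read_POST_Resource` starts and ends outside these hunks.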
diff --git a/SPECS/freetype.spec b/SPECS/freetype.spec
index 3ea702d..d9773ca 100644
--- a/SPECS/freetype.spec
+++ b/SPECS/freetype.spec
@@ -7,7 +7,7 @@
 Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.4.11
-Release: 9%{?dist}
+Release: 10%{?dist}.1
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -32,6 +32,28 @@ Patch89:  freetype-2.4.11-fix-emboldening.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1010341
 Patch90:  0001-Fix-vertical-size-of-emboldened-glyphs.patch
 
+# https://bugzilla.redhat.com/show_bug.cgi?id=1197739
+Patch91:  freetype-2.4.11-CVE-2014-9657.patch
+Patch92:  freetype-2.4.11-CVE-2014-9658.patch
+Patch93:  freetype-2.4.11-ft-strncmp.patch
+Patch94:  freetype-2.4.11-CVE-2014-9675.patch
+Patch95:  freetype-2.4.11-CVE-2014-9660.patch
+Patch96:  freetype-2.4.11-CVE-2014-9661a.patch
+Patch97:  freetype-2.4.11-CVE-2014-9661b.patch
+Patch98:  freetype-2.4.11-CVE-2014-9663.patch
+Patch99:  freetype-2.4.11-CVE-2014-9664a.patch
+Patch100:  freetype-2.4.11-CVE-2014-9664b.patch
+Patch101:  freetype-2.4.11-CVE-2014-9667.patch
+Patch102:  freetype-2.4.11-CVE-2014-9669.patch
+Patch103:  freetype-2.4.11-CVE-2014-9670.patch
+Patch104:  freetype-2.4.11-CVE-2014-9671.patch
+Patch105:  freetype-2.4.11-CVE-2014-9673.patch
+Patch106:  freetype-2.4.11-CVE-2014-9674a.patch
+Patch107:  freetype-2.4.11-unsigned-long.patch
+Patch108:  freetype-2.4.11-CVE-2014-9674b.patch
+Patch109:  freetype-2.4.11-pcf-read-a.patch
+Patch110:  freetype-2.4.11-pcf-read-b.patch
+
 Buildroot: %{_tmppath}/%{name}-%{version}-root-%(%{__id_u} -n)
 
 BuildRequires: libX11-devel
@@ -94,6 +116,27 @@ popd
 %patch89 -p1 -b .emboldening
 %patch90 -p1 -b .emboldened-glyphs
 
+%patch91 -p1 -b .CVE-2014-9657
+%patch92 -p1 -b .CVE-2014-9658
+%patch93 -p1 -b .ft-strncmp
+%patch94 -p1 -b .CVE-2014-9675
+%patch95 -p1 -b .CVE-2014-9660
+%patch96 -p1 -b .CVE-2014-9661a
+%patch97 -p1 -b .CVE-2014-9661b
+%patch98 -p1 -b .CVE-2014-9663
+%patch99 -p1 -b .CVE-2014-9664a
+%patch100 -p1 -b .CVE-2014-9664b
+%patch101 -p1 -b .CVE-2014-9667
+%patch102 -p1 -b .CVE-2014-9669
+%patch103 -p1 -b .CVE-2014-9670
+%patch104 -p1 -b .CVE-2014-9671
+%patch105 -p1 -b .CVE-2014-9673
+%patch106 -p1 -b .CVE-2014-9674a
+%patch107 -p1 -b .unsigned-long
+%patch108 -p1 -b .CVE-2014-9674b
+%patch109 -p1 -b .pcf-read-a
+%patch110 -p1 -b .pcf-read-b
+
 %build
 
 %configure --disable-static
@@ -140,11 +183,7 @@ rm -rf $RPM_BUILD_ROOT
 %endif
 
 # fix multilib issues
-%ifarch x86_64 s390x ia64 ppc64 alpha sparc64 aarch64
-%define wordsize 64
-%else
-%define wordsize 32
-%endif
+%define wordsize %{__isa_bits}
 
 mv $RPM_BUILD_ROOT%{_includedir}/freetype2/freetype/config/ftconfig.h \
    $RPM_BUILD_ROOT%{_includedir}/freetype2/freetype/config/ftconfig-%{wordsize}.h
@@ -214,6 +253,45 @@ rm -rf $RPM_BUILD_ROOT
 %doc docs/tutorial
 
 %changelog
+* Tue Mar 10 2015 Marek Kasik <mkasik@redhat.com> - 2.4.11-10.el7_1.1
+- Fixes CVE-2014-9657
+   - Check minimum size of `record_size'.
+- Fixes CVE-2014-9658
+   - Use correct value for minimum table length test.
+- Fixes CVE-2014-9675
+   - New macro that checks one character more than `strncmp'.
+- Fixes CVE-2014-9660
+   - Check `_BDF_GLYPH_BITS'.
+- Fixes CVE-2014-9661
+   - Initialize `face->ttf_size'.
+   - Always set `face->ttf_size' directly.
+   - Exclusively use the `truetype' font driver for loading
+     the font contained in the `sfnts' array.
+- Fixes CVE-2014-9663
+   - Fix order of validity tests.
+- Fixes CVE-2014-9664
+   - Add another boundary testing.
+   - Fix boundary testing.
+- Fixes CVE-2014-9667
+   - Protect against addition overflow.
+- Fixes CVE-2014-9669
+   - Protect against overflow in additions and multiplications.
+- Fixes CVE-2014-9670
+   - Add sanity checks for row and column values.
+- Fixes CVE-2014-9671
+   - Check `size' and `offset' values.
+- Fixes CVE-2014-9673
+   - Fix integer overflow by a broken POST table in resource-fork.
+- Fixes CVE-2014-9674
+   - Fix integer overflow by a broken POST table in resource-fork.
+   - Additional overflow check in the summation of POST fragment lengths.
+- Work around behaviour of X11's `pcfWriteFont' and `pcfReadFont' functions
+- Resolves: #1197739
+
+* Mon Aug 18 2014 Peter Robinson <pbrobinson@redhat.com> - 2.4.11-10
+- Generic 32/64 bit platform detection (fix ppc64le build)
+- Resolves: #1126099
+
 * Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 2.4.11-9
 - Mass rebuild 2014-01-24