diff --git a/SOURCES/freetype-2.9.1-png-bitmap-size.patch b/SOURCES/freetype-2.9.1-png-bitmap-size.patch
new file mode 100644
index 0000000..bd01ed2
--- /dev/null
+++ b/SOURCES/freetype-2.9.1-png-bitmap-size.patch
@@ -0,0 +1,48 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [PATCH] [sfnt] Fix heap buffer overflow (#59308).
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+---
+ ChangeLog | 8 ++++++++
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 2 files changed, 15 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 2e64e5846..f55016122 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+
+ if ( populate_map_and_metrics )
+ {
++ /* reject too large bitmaps similarly to the rasterizer */
++ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
++ {
++ error = FT_THROW( Array_Too_Large );
++ goto DestroyExit;
++ }
++
+ metrics->width = (FT_UShort)imgWidth;
+ metrics->height = (FT_UShort)imgHeight;
+
+@@ -340,13 +347,6 @@
+ map->pixel_mode = FT_PIXEL_MODE_BGRA;
+ map->pitch = (int)( map->width * 4 );
+ map->num_grays = 256;
+-
+- /* reject too large bitmaps similarly to the rasterizer */
+- if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+- {
+- error = FT_THROW( Array_Too_Large );
+- goto DestroyExit;
+- }
+ }
+
+ /* convert palette/gray image to rgb */
+--
+2.26.2
+
diff --git a/SOURCES/freetype-2.9.1-png-memory-leak.patch b/SOURCES/freetype-2.9.1-png-memory-leak.patch
new file mode 100644
index 0000000..66f962f
--- /dev/null
+++ b/SOURCES/freetype-2.9.1-png-memory-leak.patch
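Review bot: The stat block of the added patch file (`ChangeLog | 8 ++++++++`, `2 files changed, 15 insertions(+), 7 deletions(-)`) still counts a ChangeLog hunk that the file does not contain; only the src/sfnt/pngshim.c hunks follow it. `patch -p1` ignores the stat, so the build is unaffected, but the header misdescribes the backport to anyone auditing which upstream changes were carried. Either drop the ChangeLog line and correct the summary to `1 file changed, 7 insertions(+), 7 deletions(-)`, or keep the ChangeLog hunk of the upstream commit. The memory-leak patch added in the next hunk has the same mismatch (`ChangeLog | 7 +++++++` with no ChangeLog hunk).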
@@ -0,0 +1,28 @@
+From 007c109b4594c5e63948bd08b4d5011ad76ffb10 Mon Sep 17 00:00:00 2001
+From: Ben Wagner
+Date: Fri, 23 Oct 2020 08:29:14 +0200
+Subject: [PATCH] * src/sfnt/pngshim.c (Load_SBit_Png): Fix memory leak
+ (#59322).
+
+The issue is that `rows` is allocated but will not be freed in the
+event that the call to `png_read_image` fails and calls `longjmp`.
+---
+ ChangeLog | 7 +++++++
+ src/sfnt/pngshim.c | 1 +
+ 2 files changed, 8 insertions(+)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index f55016122..d4e43a9f4 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -443,6 +443,7 @@
+ png_read_end( png, info );
+
+ DestroyExit:
++ FT_FREE( rows );
+ png_destroy_read_struct( &png, &info, NULL );
+ FT_Stream_Close( &stream );
+
+--
+2.26.2
+
diff --git a/SPECS/freetype.spec b/SPECS/freetype.spec
index 699307f..3c124bf 100644
--- a/SPECS/freetype.spec
+++ b/SPECS/freetype.spec
@@ -3,7 +3,7 @@ Summary: A free and portable font rendering engine
 Name: freetype
 Version: 2.9.1
-Release: 4%{?dist}
+Release: 4%{?dist}.1
 License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 Group: System Environment/Libraries
 URL: http://www.freetype.org
@@ -28,6 +28,10 @@ Patch5: freetype-2.9-ftsmooth.patch
 # https://bugzilla.redhat.com/show_bug.cgi?id=1602501
 Patch6: freetype-2.9.1-covscan.patch
+# https://bugzilla.redhat.com/show_bug.cgi?id=1890210
+Patch7: freetype-2.9.1-png-bitmap-size.patch
+Patch8: freetype-2.9.1-png-memory-leak.patch
+
 BuildRequires: libX11-devel
 BuildRequires: libpng-devel
 BuildRequires: zlib-devel
@@ -86,6 +90,8 @@ popd
 %patch4 -p1 -b .multilib
 %patch5 -p1 -b .ftsmooth
 %patch6 -p1 -b .covscan
+%patch7 -p1 -b .png-bitmap-size
+%patch8 -p1 -b .png-memory-leak
 %build
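Review bot: The `FT_FREE( rows );` placed at `DestroyExit:` is reached by every early `goto DestroyExit`, including the Array_Too_Large rejection added by the bitmap-size patch, which runs before `rows` is allocated; that is only safe if `rows` is initialised to NULL at its declaration, which lies outside this hunk and is worth confirming in the 2.9.1 tree the patch is applied to. On the success path it presumably also runs after an earlier free of `rows` following `png_read_image`, so it relies on `FT_FREE` nulling its argument (as upstream's macro does) to avoid a double free. A one-line comment at the new line, such as `/* also frees rows after a longjmp out of png_read_image; FT_FREE nulls the pointer, so a second call is harmless */`, would record both dependencies. Load_SBit_Png's body starts and ends outside the hunk.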
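Review bot: The comment introduced above `Patch7:` cites only the bugzilla entry, while the patch it introduces is the fix for CVE-2020-15999 (named in that patch's own subject line); recording the CVE in the spec lets the security backport be found from the spec alone, which is how downstream audits usually search. Suggested: `# https://bugzilla.redhat.com/show_bug.cgi?id=1890210 (CVE-2020-15999)`. The changelog entry added in the last hunk likewise lists the two fixes without the CVE id.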
@@ -198,6 +204,11 @@ rm -f $RPM_BUILD_ROOT%{_libdir}/*.{a,la}
 %{_mandir}/man1/*
 %changelog
+* Fri Oct 30 2020 Marek Kasik - 2.9.1-4.el8_3.1
+- Test bitmap size earlier for PNGs
+- Fix memory leak in pngshim.c
+- Resolves: #1891905
+
 * Fri Dec 7 2018 Marek Kasik - 2.9.1-4
 - Use pkgconf in freetype-config.in directly (RPMDiff)
 - Related: #1651252