package/freetype: fix CVE-2022-27404, CVE-2022-27405, CVE-2022-27406

This fixes CVE-2022-27404, CVE-2022-27405, CVE-2022-27406 by backporting patches from master branch. Cc: Quentin Schulz <foss+buildroot@0leil.net> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com> Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2022-09-19 16:25:55 +02:00 · 2022-09-19 16:25:55 +02:00 · 10932e5fca
commit 10932e5fca
parent 4cc3e577aa
4 changed files with 122 additions and 0 deletions
--- a/package/freetype/0001-sfnt-Avoid-invalid-face-index.patch
+++ b/package/freetype/0001-sfnt-Avoid-invalid-face-index.patch
@ -0,0 +1,46 @@
+From 818eea8aa682f867e4fbeb9794959a28864e4acc Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 17 Mar 2022 19:24:16 +0100
+Subject: [PATCH] [sfnt] Avoid invalid face index.
+
+Fixes #1138.
+
+* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
+Check `face_index` before decrementing.
+
+Backport: https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db
+Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+---
+ src/sfnt/sfobjs.c  | 2 +-
+ src/sfnt/sfwoff2.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
+index 789102479..ea17ca8f4 100644
+--- a/src/sfnt/sfobjs.c
+++ b/src/sfnt/sfobjs.c
+@@ -566,7 +566,7 @@
+     face_index = FT_ABS( face_instance_index ) & 0xFFFF;
+ 
+     /* value -(N+1) requests information on index N */
+-    if ( face_instance_index < 0 )
+    if ( face_instance_index < 0 && face_index > 0 )
+       face_index--;
+ 
+     if ( face_index >= face->ttc_header.count )
+diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
+index 5ee8dea28..2da697d69 100644
+--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
+@@ -2086,7 +2086,7 @@
+     /* Validate requested face index. */
+     *num_faces = woff2.num_fonts;
+     /* value -(N+1) requests information on index N */
+-    if ( *face_instance_index < 0 )
+    if ( *face_instance_index < 0 && face_index > 0 )
+       face_index--;
+ 
+     if ( face_index >= woff2.num_fonts )
+-- 
+2.37.3
+
--- a/package/freetype/0002-src-base-ftobjs.c-ft_open_face_internal-Properly-gua.patch
+++ b/package/freetype/0002-src-base-ftobjs.c-ft_open_face_internal-Properly-gua.patch
@ -0,0 +1,39 @@
+From edbc2be0ccac0d524de82b5f9737d7f070dbf8cd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
+ `face_index`.
+
+We must ensure that the cast to `FT_Int` doesn't change the sign.
+
+Fixes #1139.
+
+Backport: https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5
+Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+---
+ src/base/ftobjs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 883f1a897..e00dcc57b 100644
+--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
+@@ -2451,6 +2451,15 @@
+ #endif
+ 
+ 
+    /* only use lower 31 bits together with sign bit */
+    if ( face_index > 0 )
+      face_index &= 0x7FFFFFFFL;
+    else
+    {
+      face_index &= 0x7FFFFFFFL;
+      face_index  = -face_index;
+    }
+
+ #ifdef FT_DEBUG_LEVEL_TRACE
+     FT_TRACE3(( "FT_Open_Face: " ));
+     if ( face_index < 0 )
+-- 
+2.37.3
+
--- a/package/freetype/0003-src-base-ftobjs.c-FT_Request_Size-Guard-face-size.patch
+++ b/package/freetype/0003-src-base-ftobjs.c-FT_Request_Size-Guard-face-size.patch
@ -0,0 +1,30 @@
+From f975217879490247cf8622c65cfef73b5642e787 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:37:28 +0100
+Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
+
+Fixes #1140.
+
+Backport: https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2
+Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
+---
+ src/base/ftobjs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index e00dcc57b..46baf5fed 100644
+--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
+@@ -3332,6 +3332,9 @@
+     if ( !face )
+       return FT_THROW( Invalid_Face_Handle );
+ 
+    if ( !face->size )
+      return FT_THROW( Invalid_Size_Handle );
+
+     if ( !req || req->width < 0 || req->height < 0 ||
+          req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+       return FT_THROW( Invalid_Argument );
+-- 
+2.37.3
+
--- a/package/freetype/freetype.mk
+++ b/package/freetype/freetype.mk
@ -15,6 +15,13 @@ FREETYPE_CPE_ID_VENDOR = freetype
 FREETYPE_DEPENDENCIES = host-pkgconf
 FREETYPE_CONFIG_SCRIPTS = freetype-config

+# 0001-sfnt-Avoid-invalid-face-index.patch
+FREETYPE_IGNORE_CVES += CVE-2022-27404
+# 0002-src-base-ftobjs.c-ft_open_face_internal-Properly-gua.patch
+FREETYPE_IGNORE_CVES += CVE-2022-27405
+# 0003-src-base-ftobjs.c-FT_Request_Size-Guard-face-size.patch
+FREETYPE_IGNORE_CVES += CVE-2022-27406
+
 # harfbuzz already depends on freetype so disable harfbuzz in freetype to avoid
 # a circular dependency
 FREETYPE_CONF_OPTS = --without-harfbuzz