NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

freetype: add upstream security fixes for CVE-2017-8105 and CVE-2017-8287

Browse Source 
Add upstream post-2.7.1 commits (except for ChangeLog modifications) fixing
the following security issues:

CVE-2017-8105 - FreeType 2 before 2017-03-24 has an out-of-bounds write
caused by a heap-based buffer overflow related to the
t1_decoder_parse_charstrings function in psaux/t1decode.c.

CVE-2017-8287 - FreeType 2 before 2017-03-26 has an out-of-bounds write
caused by a heap-based buffer overflow related to the
t1_builder_close_contour function in psaux/psobjs.c.

Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@free-electrons.com>
This commit is contained in:
Peter Korsgaard 2017-04-30 21:36:02 +02:00 committed by Thomas Petazzoni
parent c1595feb0e
commit 6d557ac013
2 changed files with 82 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

47
package/freetype/0001-psaux-Better-protect-flex-handling.patch Normal file
View File

@ -0,0 +1,47 @@
From f958c48ee431bef8d4d466b40c9cb2d4dbcb7791 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Fri, 24 Mar 2017 09:15:10 +0100
Subject: [PATCH] [psaux] Better protect `flex' handling.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=935
* src/psaux/t1decode.c (t1_decoder_parse_charstrings)
<callothersubr>: Since there is not a single flex operator but a
series of subroutine calls, malformed fonts can call arbitrary other
operators after the start of a flex, possibly adding points. For
this reason we have to check the available number of points before
inserting a point.
Fixes CVE-2017-8105
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
---
diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
index af7b465e..7dd45135 100644
--- a/src/psaux/t1decode.c
+++ b/src/psaux/t1decode.c
@@ -780,10 +780,19 @@
/* point without adding any point to the outline */
idx = decoder->num_flex_vectors++;
if ( idx > 0 && idx < 7 )
+ {
+ /* in malformed fonts it is possible to have other */
+ /* opcodes in the middle of a flex (which don't */
+ /* increase `num_flex_vectors'); we thus have to */
+ /* check whether we can add a point */
+ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
+ goto Syntax_Error;
+
t1_builder_add_point( builder,
x,
y,
(FT_Byte)( idx == 3 || idx == 6 ) );
+ }
}
break;
--
2.11.0

35
package/freetype/0002-src-psaux-psobjs.c-t1_builder_close_contour-Add-safe.patch Normal file
View File

@ -0,0 +1,35 @@
From 3774fc08b502c3e685afca098b6e8a195aded6a0 Mon Sep 17 00:00:00 2001
From: Werner Lemberg <wl@gnu.org>
Date: Sun, 26 Mar 2017 08:32:09 +0200
Subject: [PATCH] * src/psaux/psobjs.c (t1_builder_close_contour): Add safety
guard.
Reported as
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=941
Fixes CVE-2017-8287
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
index d18e821a..0baf8368 100644
--- a/src/psaux/psobjs.c
+++ b/src/psaux/psobjs.c
@@ -1718,6 +1718,14 @@
first = outline->n_contours <= 1
? 0 : outline->contours[outline->n_contours - 2] + 1;
+ /* in malformed fonts it can happen that a contour was started */
+ /* but no points were added */
+ if ( outline->n_contours && first == outline->n_points )
+ {
+ outline->n_contours--;
+ return;
+ }
+
/* We must not include the last point in the path if it */
/* is located on the first point. */
if ( outline->n_points > 1 )
--
2.11.0