update CVE-2025-27363 patch
This commit is contained in:
zhangpan
parent
8502dfe89e
commit
245bafa9cd
@ -1,147 +0,0 @@
|
||||
From ef636696524b081f1b8819eb0c6a0b932d35757d Mon Sep 17 00:00:00 2001
|
||||
From: Alexei Podtelezhnikov <apodtele@gmail.com>
|
||||
Date: Fri, 17 Mar 2023 23:25:45 -0400
|
||||
Subject: [PATCH] [truetype] Clean up zeroing and local variables.
|
||||
|
||||
* src/truetype/ttgload.c (TT_Process_Simple_Glyph): Avoid zeroing.
|
||||
(load_truetype_glyph): Avoid zeroing and clean local variables.
|
||||
|
||||
Reference:https://gitlab.freedesktop.org/freetype/freetype/-/commit/ef636696524b081f1b8819eb0c6a0b932d35757d
|
||||
Conflict:context adaptation and points->outline.points
|
||||
|
||||
---
|
||||
src/truetype/ttgload.c | 82 ++++++++++++++----------------------------
|
||||
1 file changed, 26 insertions(+), 56 deletions(-)
|
||||
|
||||
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
|
||||
index 2ca63d6..8c1fbbf 100644
|
||||
--- a/src/truetype/ttgload.c
|
||||
+++ b/src/truetype/ttgload.c
|
||||
@@ -981,7 +981,7 @@
|
||||
|
||||
if ( !IS_DEFAULT_INSTANCE( FT_FACE( loader->face ) ) )
|
||||
{
|
||||
- if ( FT_NEW_ARRAY( unrounded, n_points ) )
|
||||
+ if ( FT_QNEW_ARRAY( unrounded, n_points ) )
|
||||
goto Exit;
|
||||
|
||||
/* Deltas apply to the unscaled data. */
|
||||
@@ -1948,10 +1948,7 @@
|
||||
short i, limit;
|
||||
FT_SubGlyph subglyph;
|
||||
|
||||
- FT_Outline outline;
|
||||
- FT_Vector* points = NULL;
|
||||
- char* tags = NULL;
|
||||
- short* contours = NULL;
|
||||
+ FT_Outline outline = { 0, 0, NULL, NULL, NULL, 0 };
|
||||
FT_Vector* unrounded = NULL;
|
||||
|
||||
|
||||
@@ -1959,19 +1956,14 @@
|
||||
|
||||
/* construct an outline structure for */
|
||||
/* communication with `TT_Vary_Apply_Glyph_Deltas' */
|
||||
- outline.n_points = (short)( gloader->current.num_subglyphs + 4 );
|
||||
- outline.n_contours = outline.n_points;
|
||||
-
|
||||
- outline.points = NULL;
|
||||
- outline.tags = NULL;
|
||||
- outline.contours = NULL;
|
||||
-
|
||||
- if ( FT_NEW_ARRAY( points, outline.n_points ) ||
|
||||
- FT_NEW_ARRAY( tags, outline.n_points ) ||
|
||||
- FT_NEW_ARRAY( contours, outline.n_points ) ||
|
||||
- FT_NEW_ARRAY( unrounded, outline.n_points ) )
|
||||
+ if ( FT_QNEW_ARRAY( outline.points, limit + 4 ) ||
|
||||
+ FT_QNEW_ARRAY( outline.tags, limit ) ||
|
||||
+ FT_QNEW_ARRAY( outline.contours, limit ) ||
|
||||
+ FT_QNEW_ARRAY( unrounded, limit + 4 ) )
|
||||
goto Exit1;
|
||||
|
||||
+ outline.n_contours = outline.n_points = limit;
|
||||
+
|
||||
subglyph = gloader->current.subglyphs;
|
||||
|
||||
for ( i = 0; i < limit; i++, subglyph++ )
|
||||
@@ -1979,38 +1971,16 @@
|
||||
/* applying deltas for anchor points doesn't make sense, */
|
||||
/* but we don't have to specially check this since */
|
||||
/* unused delta values are zero anyways */
|
||||
- points[i].x = subglyph->arg1;
|
||||
- points[i].y = subglyph->arg2;
|
||||
- tags[i] = 1;
|
||||
- contours[i] = i;
|
||||
+ outline.points[i].x = subglyph->arg1;
|
||||
+ outline.points[i].y = subglyph->arg2;
|
||||
+ outline.tags[i] = ON_CURVE_POINT;
|
||||
+ outline.contours[i] = i;
|
||||
}
|
||||
|
||||
- points[i].x = loader->pp1.x;
|
||||
- points[i].y = loader->pp1.y;
|
||||
- tags[i] = 1;
|
||||
- contours[i] = i;
|
||||
-
|
||||
- i++;
|
||||
- points[i].x = loader->pp2.x;
|
||||
- points[i].y = loader->pp2.y;
|
||||
- tags[i] = 1;
|
||||
- contours[i] = i;
|
||||
-
|
||||
- i++;
|
||||
- points[i].x = loader->pp3.x;
|
||||
- points[i].y = loader->pp3.y;
|
||||
- tags[i] = 1;
|
||||
- contours[i] = i;
|
||||
-
|
||||
- i++;
|
||||
- points[i].x = loader->pp4.x;
|
||||
- points[i].y = loader->pp4.y;
|
||||
- tags[i] = 1;
|
||||
- contours[i] = i;
|
||||
-
|
||||
- outline.points = points;
|
||||
- outline.tags = tags;
|
||||
- outline.contours = contours;
|
||||
+ outline.points[i++] = loader->pp1;
|
||||
+ outline.points[i++] = loader->pp2;
|
||||
+ outline.points[i++] = loader->pp3;
|
||||
+ outline.points[i ] = loader->pp4;
|
||||
|
||||
/* this call provides additional offsets */
|
||||
/* for each component's translation */
|
||||
@@ -2028,20 +1998,20 @@
|
||||
{
|
||||
if ( subglyph->flags & ARGS_ARE_XY_VALUES )
|
||||
{
|
||||
- subglyph->arg1 = (FT_Int16)points[i].x;
|
||||
- subglyph->arg2 = (FT_Int16)points[i].y;
|
||||
+ subglyph->arg1 = (FT_Int16)outline.points[i].x;
|
||||
+ subglyph->arg2 = (FT_Int16)outline.points[i].y;
|
||||
}
|
||||
}
|
||||
|
||||
- loader->pp1.x = points[i + 0].x;
|
||||
- loader->pp1.y = points[i + 0].y;
|
||||
- loader->pp2.x = points[i + 1].x;
|
||||
- loader->pp2.y = points[i + 1].y;
|
||||
+ loader->pp1.x = outline.points[i + 0].x;
|
||||
+ loader->pp1.y = outline.points[i + 0].y;
|
||||
+ loader->pp2.x = outline.points[i + 1].x;
|
||||
+ loader->pp2.y = outline.points[i + 1].y;
|
||||
|
||||
- loader->pp3.x = points[i + 2].x;
|
||||
- loader->pp3.y = points[i + 2].y;
|
||||
- loader->pp4.x = points[i + 3].x;
|
||||
- loader->pp4.y = points[i + 3].y;
|
||||
+ loader->pp3.x = outline.points[i + 2].x;
|
||||
+ loader->pp3.y = outline.points[i + 2].y;
|
||||
+ loader->pp4.x = outline.points[i + 3].x;
|
||||
+ loader->pp4.y = outline.points[i + 3].y;
|
||||
|
||||
/* recalculate linear horizontal and vertical advances */
|
||||
/* if we don't have HVAR and VVAR, respectively */
|
||||
--
|
||||
2.33.0
|
||||
|
||||
@ -1,36 +0,0 @@
|
||||
From 73720c7c9958e87b3d134a7574d1720ad2d24442 Mon Sep 17 00:00:00 2001
|
||||
From: Alexei Podtelezhnikov <apodtele@gmail.com>
|
||||
Date: Sun, 23 Jun 2024 10:58:00 -0400
|
||||
Subject: [PATCH] * src/truetype/ttgload.c (load_truetype_glyph): Unsigned fix.
|
||||
|
||||
Reference:https://gitlab.freedesktop.org/freetype/freetype/-/commit/73720c7c9958e87b3d134a7574d1720ad2d24442
|
||||
Conflict:NA
|
||||
|
||||
---
|
||||
src/truetype/ttgload.c | 4 ++--
|
||||
1 file changed, 2 insertions(+), 2 deletions(-)
|
||||
|
||||
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
|
||||
index 8cddc394c..b656ccf04 100644
|
||||
--- a/src/truetype/ttgload.c
|
||||
+++ b/src/truetype/ttgload.c
|
||||
@@ -1738,14 +1738,14 @@
|
||||
if ( FT_IS_NAMED_INSTANCE( FT_FACE( face ) ) ||
|
||||
FT_IS_VARIATION( FT_FACE( face ) ) )
|
||||
{
|
||||
- short i, limit;
|
||||
+ FT_UShort i, limit;
|
||||
FT_SubGlyph subglyph;
|
||||
|
||||
FT_Outline outline = { 0, 0, NULL, NULL, NULL, 0 };
|
||||
FT_Vector* unrounded = NULL;
|
||||
|
||||
|
||||
- limit = (short)gloader->current.num_subglyphs;
|
||||
+ limit = (FT_UShort)gloader->current.num_subglyphs;
|
||||
|
||||
/* construct an outline structure for */
|
||||
/* communication with `TT_Vary_Apply_Glyph_Deltas' */
|
||||
--
|
||||
GitLab
|
||||
|
||||
44
backport-Minimal-stop-gap-fix-for-CVE-2025-27363.patch
Normal file
44
backport-Minimal-stop-gap-fix-for-CVE-2025-27363.patch
Normal file
@ -0,0 +1,44 @@
|
||||
From: Marc Deslauriers <marc.deslauriers@canonical.com>
|
||||
Date: Fri, 14 Mar 2025 08:55:06 -0400
|
||||
Subject: [PATCH] Minimal stop-gap fix for CVE-2025-27363
|
||||
Origin: https://www.openwall.com/lists/oss-security/2025/03/14/3
|
||||
Bug: https://gitlab.freedesktop.org/freetype/freetype/-/issues/1322
|
||||
Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2025-27363
|
||||
|
||||
Reference:https://salsa.debian.org/debian/freetype/-/merge_requests/4
|
||||
Conflict:NA
|
||||
|
||||
---
|
||||
src/truetype/ttgload.c | 9 ++++++++-
|
||||
1 file changed, 8 insertions(+), 1 deletion(-)
|
||||
|
||||
diff --git a/src/truetype/ttgload.c b/src/truetype/ttgload.c
|
||||
index 2ca63d65a3a3..7ce6d2a6fb29 100644
|
||||
--- a/src/truetype/ttgload.c
|
||||
+++ b/src/truetype/ttgload.c
|
||||
@@ -1948,7 +1948,7 @@
|
||||
short i, limit;
|
||||
FT_SubGlyph subglyph;
|
||||
|
||||
- FT_Outline outline;
|
||||
+ FT_Outline outline = { 0, 0, NULL, NULL, NULL, 0 };
|
||||
FT_Vector* points = NULL;
|
||||
char* tags = NULL;
|
||||
short* contours = NULL;
|
||||
@@ -1957,6 +1957,13 @@
|
||||
|
||||
limit = (short)gloader->current.num_subglyphs;
|
||||
|
||||
+ /* make sure this isn't negative as we're going to add 4 later */
|
||||
+ if ( limit < 0 )
|
||||
+ {
|
||||
+ error = FT_THROW( Invalid_Argument );
|
||||
+ goto Exit;
|
||||
+ }
|
||||
+
|
||||
/* construct an outline structure for */
|
||||
/* communication with `TT_Vary_Apply_Glyph_Deltas' */
|
||||
outline.n_points = (short)( gloader->current.num_subglyphs + 4 );
|
||||
--
|
||||
2.47.2
|
||||
|
||||
@ -4,7 +4,7 @@
|
||||
|
||||
Name: freetype
|
||||
Version: 2.12.1
|
||||
Release: 4
|
||||
Release: 5
|
||||
Summary: FreeType is a freely available software library to render fonts
|
||||
License: (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
|
||||
URL: http://www.freetype.org
|
||||
@ -23,8 +23,7 @@ Patch6003: backport-freetype-2.8-multilib.patch
|
||||
Patch6004: backport-freetype-2.10.0-internal-outline.patch
|
||||
Patch6005: backport-freetype-2.10.1-debughook.patch
|
||||
Patch6006: backport-CVE-2023-2004.patch
|
||||
Patch6007: backport-0001-CVE-2025-27363.patch
|
||||
Patch6008: backport-0002-CVE-2025-27363.patch
|
||||
Patch6007: backport-Minimal-stop-gap-fix-for-CVE-2025-27363.patch
|
||||
|
||||
BuildRequires: gcc libX11-devel libpng-devel zlib-devel bzip2-devel meson
|
||||
|
||||
@ -74,7 +73,6 @@ popd
|
||||
%patch6005 -p1
|
||||
%patch6006 -p1
|
||||
%patch6007 -p1
|
||||
%patch6008 -p1
|
||||
|
||||
%build
|
||||
%configure --disable-static --with-zlib=yes --with-bzip2=yes --with-png=yes --enable-freetype-config --with-harfbuzz=no
|
||||
@ -155,6 +153,9 @@ meson test -C out
|
||||
%{_mandir}/man1/*
|
||||
|
||||
%changelog
|
||||
* Mon Apr 14 2025 zhangpan <zhangpan103@h-partners.com> - 2.12.1-5
|
||||
- update CVE-2025-27363 patch
|
||||
|
||||
* Mon Mar 17 2025 zhangpan <zhangpan103@h-partners.com> - 2.12.1-4
|
||||
- fix CVE-2025-27363
|
||||
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user