From 9c2d2c13ce1f080dd8cff6a451625883fe6abab3 Mon Sep 17 00:00:00 2001 From: Efraim Flashner Date: Thu, 30 Nov 2017 23:46:55 +0200 Subject: gnu: t1lib: Change how patched CVEs are listed. * gnu/packages/fontutils.scm (t1lib)[source]: Change patch name. [properties]: New field, register patched CVEs. * gnu/packages/patches/CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch: Rename to CVE-2011-1552+.patch. * gnu/local.mk (dist_patch_DATA): Change patch name. --- gnu/packages/fontutils.scm | 8 +- gnu/packages/patches/t1lib-CVE-2011-1552+.patch | 133 +++++++++++++++++++++ ...CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch | 133 --------------------- 3 files changed, 139 insertions(+), 135 deletions(-) create mode 100644 gnu/packages/patches/t1lib-CVE-2011-1552+.patch delete mode 100644 gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch (limited to 'gnu/packages') diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm index f20eb45f18..19d5171956 100644 --- a/gnu/packages/fontutils.scm +++ b/gnu/packages/fontutils.scm @@ -303,9 +303,13 @@ high quality, anti-aliased and subpixel rendered text on a display.") (sha256 (base32 "0nbvjpnmcznib1nlgg8xckrmsw3haa154byds2h90y2g0nsjh4w2")) (patches (search-patches - "t1lib-CVE-2010-2642.patch" + "t1lib-CVE-2010-2642.patch" ; 2011-0443, 2011-5244 "t1lib-CVE-2011-0764.patch" - "t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch")))) + "t1lib-CVE-2011-1552+.patch")))) ; 2011-1553, 2011-1554 + (properties `((lint-hidden-cve . ("CVE-2011-0433" + "CVE-2011-1553" + "CVE-2011-1554" + "CVE-2011-5244")))) (build-system gnu-build-system) (arguments ;; Making the documentation requires latex, but t1lib is also an input diff --git a/gnu/packages/patches/t1lib-CVE-2011-1552+.patch b/gnu/packages/patches/t1lib-CVE-2011-1552+.patch new file mode 100644 index 0000000000..aaa31f7b93 --- /dev/null +++ b/gnu/packages/patches/t1lib-CVE-2011-1552+.patch @@ -0,0 +1,133 @@ +Author: Jaroslav Škarvada +Description: Fix more crashes on oversized fonts +Bug-Redhat: http://bugzilla.redhat.com/show_bug.cgi?id=692909 +Index: t1lib-5.1.2/lib/type1/lines.c +=================================================================== +--- t1lib-5.1.2.orig/lib/type1/lines.c 2007-12-23 09:49:42.000000000 -0600 ++++ t1lib-5.1.2/lib/type1/lines.c 2012-01-17 14:15:08.000000000 -0600 +@@ -67,6 +67,10 @@ + None. + */ + ++#define BITS (sizeof(LONG)*8) ++#define HIGHTEST(p) (((p)>>(BITS-2)) != 0) /* includes sign bit */ ++#define TOOBIG(xy) ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy)) ++ + /* + :h2.StepLine() - Produces Run Ends for a Line After Checks + +@@ -84,6 +88,9 @@ + IfTrace4((LineDebug > 0), ".....StepLine: (%d,%d) to (%d,%d)\n", + x1, y1, x2, y2); + ++ if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2)) ++ abort("Lines this big not supported", 49); ++ + dy = y2 - y1; + + /* +Index: t1lib-5.1.2/lib/type1/objects.c +=================================================================== +--- t1lib-5.1.2.orig/lib/type1/objects.c 2007-12-23 09:49:42.000000000 -0600 ++++ t1lib-5.1.2/lib/type1/objects.c 2012-01-17 14:15:08.000000000 -0600 +@@ -1137,12 +1137,13 @@ + "Context: out of them", /* 46 */ + "MatrixInvert: can't", /* 47 */ + "xiStub called", /* 48 */ +- "Illegal access type1 abort() message" /* 49 */ ++ "Lines this big not supported", /* 49 */ ++ "Illegal access type1 abort() message" /* 50 */ + }; + +- /* no is valid from 1 to 48 */ +- if ( (number<1)||(number>48)) +- number=49; ++ /* no is valid from 1 to 49 */ ++ if ( (number<1)||(number>49)) ++ number=50; + return( err_msgs[number-1]); + + } +Index: t1lib-5.1.2/lib/type1/type1.c +=================================================================== +--- t1lib-5.1.2.orig/lib/type1/type1.c 2012-01-17 14:13:28.000000000 -0600 ++++ t1lib-5.1.2/lib/type1/type1.c 2012-01-17 14:19:54.000000000 -0600 +@@ -1012,6 +1012,7 @@ + double nextdtana = 0.0; /* tangent of post-delta against horizontal line */ + double nextdtanb = 0.0; /* tangent of post-delta against vertical line */ + ++ if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n"); + + /* setup default hinted position */ + ppoints[numppoints-1].ax = ppoints[numppoints-1].x; +@@ -1289,7 +1290,7 @@ + static int DoRead(CodeP) + int *CodeP; + { +- if (strindex >= CharStringP->len) return(FALSE); /* end of string */ ++ if (!CharStringP || strindex >= CharStringP->len) return(FALSE); /* end of string */ + /* We handle the non-documented Adobe convention to use lenIV=-1 to + suppress charstring encryption. */ + if (blues->lenIV==-1) { +@@ -1700,7 +1701,7 @@ + long pindex = 0; + + /* compute hinting for previous segment! */ +- if (ppoints == NULL) Error0i("RLineTo: No previous point!\n"); ++ if (ppoints == NULL || numppoints < 2) Error0i("RLineTo: No previous point!\n"); + FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy); + + /* Allocate a new path point and pre-setup data */ +@@ -1729,7 +1730,7 @@ + long pindex = 0; + + /* compute hinting for previous point! */ +- if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n"); ++ if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n"); + FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1); + + /* Allocate three new path points and pre-setup data */ +@@ -1788,7 +1789,9 @@ + long tmpind; + double deltax = 0.0; + double deltay = 0.0; +- ++ ++ if (ppoints == NULL || numppoints < 1) Error0i("DoClosePath: No previous point!"); ++ + /* If this ClosePath command together with the starting point of this + path completes to a segment aligned to a stem, we would miss + hinting for this point. --> Check and explicitly care for this! */ +@@ -1803,6 +1806,7 @@ + deltax = ppoints[i].x - ppoints[numppoints-1].x; + deltay = ppoints[i].y - ppoints[numppoints-1].y; + ++ if (ppoints == NULL || numppoints <= i + 1) Error0i("DoClosePath: No previous point!"); + /* save nummppoints and reset to move point */ + tmpind = numppoints; + numppoints = i + 1; +@@ -1905,7 +1909,7 @@ + FindStems( currx, curry, 0, 0, dx, dy); + } + else { +- if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n"); ++ if (ppoints == NULL || numppoints < 2) Error0i("RMoveTo: No previous point!\n"); + FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy); + } + +@@ -2155,6 +2159,7 @@ + DOUBLE cx, cy; + DOUBLE ex, ey; + ++ if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous point!"); + + /* Our PPOINT list now contains 7 moveto commands which + are about to be consumed by the Flex mechanism. --> Remove these +@@ -2324,6 +2329,7 @@ + /* Returns currentpoint on stack */ + static void FlxProc2() + { ++ if (ppoints == NULL || numppoints < 1) Error0v("FlxProc2: No previous point!"); + /* Push CurrentPoint on fake PostScript stack */ + PSFakePush( ppoints[numppoints-1].x); + PSFakePush( ppoints[numppoints-1].y); diff --git a/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch b/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch deleted file mode 100644 index aaa31f7b93..0000000000 --- a/gnu/packages/patches/t1lib-CVE-2011-1552+CVE-2011-1553+CVE-2011-1554.patch +++ /dev/null @@ -1,133 +0,0 @@ -Author: Jaroslav Škarvada -Description: Fix more crashes on oversized fonts -Bug-Redhat: http://bugzilla.redhat.com/show_bug.cgi?id=692909 -Index: t1lib-5.1.2/lib/type1/lines.c -=================================================================== ---- t1lib-5.1.2.orig/lib/type1/lines.c 2007-12-23 09:49:42.000000000 -0600 -+++ t1lib-5.1.2/lib/type1/lines.c 2012-01-17 14:15:08.000000000 -0600 -@@ -67,6 +67,10 @@ - None. - */ - -+#define BITS (sizeof(LONG)*8) -+#define HIGHTEST(p) (((p)>>(BITS-2)) != 0) /* includes sign bit */ -+#define TOOBIG(xy) ((xy < 0) ? HIGHTEST(-xy) : HIGHTEST(xy)) -+ - /* - :h2.StepLine() - Produces Run Ends for a Line After Checks - -@@ -84,6 +88,9 @@ - IfTrace4((LineDebug > 0), ".....StepLine: (%d,%d) to (%d,%d)\n", - x1, y1, x2, y2); - -+ if ( TOOBIG(x1) || TOOBIG(x2) || TOOBIG(y1) || TOOBIG(y2)) -+ abort("Lines this big not supported", 49); -+ - dy = y2 - y1; - - /* -Index: t1lib-5.1.2/lib/type1/objects.c -=================================================================== ---- t1lib-5.1.2.orig/lib/type1/objects.c 2007-12-23 09:49:42.000000000 -0600 -+++ t1lib-5.1.2/lib/type1/objects.c 2012-01-17 14:15:08.000000000 -0600 -@@ -1137,12 +1137,13 @@ - "Context: out of them", /* 46 */ - "MatrixInvert: can't", /* 47 */ - "xiStub called", /* 48 */ -- "Illegal access type1 abort() message" /* 49 */ -+ "Lines this big not supported", /* 49 */ -+ "Illegal access type1 abort() message" /* 50 */ - }; - -- /* no is valid from 1 to 48 */ -- if ( (number<1)||(number>48)) -- number=49; -+ /* no is valid from 1 to 49 */ -+ if ( (number<1)||(number>49)) -+ number=50; - return( err_msgs[number-1]); - - } -Index: t1lib-5.1.2/lib/type1/type1.c -=================================================================== ---- t1lib-5.1.2.orig/lib/type1/type1.c 2012-01-17 14:13:28.000000000 -0600 -+++ t1lib-5.1.2/lib/type1/type1.c 2012-01-17 14:19:54.000000000 -0600 -@@ -1012,6 +1012,7 @@ - double nextdtana = 0.0; /* tangent of post-delta against horizontal line */ - double nextdtanb = 0.0; /* tangent of post-delta against vertical line */ - -+ if (ppoints == NULL || numppoints < 1) Error0v("FindStems: No previous point!\n"); - - /* setup default hinted position */ - ppoints[numppoints-1].ax = ppoints[numppoints-1].x; -@@ -1289,7 +1290,7 @@ - static int DoRead(CodeP) - int *CodeP; - { -- if (strindex >= CharStringP->len) return(FALSE); /* end of string */ -+ if (!CharStringP || strindex >= CharStringP->len) return(FALSE); /* end of string */ - /* We handle the non-documented Adobe convention to use lenIV=-1 to - suppress charstring encryption. */ - if (blues->lenIV==-1) { -@@ -1700,7 +1701,7 @@ - long pindex = 0; - - /* compute hinting for previous segment! */ -- if (ppoints == NULL) Error0i("RLineTo: No previous point!\n"); -+ if (ppoints == NULL || numppoints < 2) Error0i("RLineTo: No previous point!\n"); - FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx, dy); - - /* Allocate a new path point and pre-setup data */ -@@ -1729,7 +1730,7 @@ - long pindex = 0; - - /* compute hinting for previous point! */ -- if (ppoints == NULL) Error0i("RRCurveTo: No previous point!\n"); -+ if (ppoints == NULL || numppoints < 2) Error0i("RRCurveTo: No previous point!\n"); - FindStems( currx, curry, currx-ppoints[numppoints-2].x, curry-ppoints[numppoints-2].y, dx1, dy1); - - /* Allocate three new path points and pre-setup data */ -@@ -1788,7 +1789,9 @@ - long tmpind; - double deltax = 0.0; - double deltay = 0.0; -- -+ -+ if (ppoints == NULL || numppoints < 1) Error0i("DoClosePath: No previous point!"); -+ - /* If this ClosePath command together with the starting point of this - path completes to a segment aligned to a stem, we would miss - hinting for this point. --> Check and explicitly care for this! */ -@@ -1803,6 +1806,7 @@ - deltax = ppoints[i].x - ppoints[numppoints-1].x; - deltay = ppoints[i].y - ppoints[numppoints-1].y; - -+ if (ppoints == NULL || numppoints <= i + 1) Error0i("DoClosePath: No previous point!"); - /* save nummppoints and reset to move point */ - tmpind = numppoints; - numppoints = i + 1; -@@ -1905,7 +1909,7 @@ - FindStems( currx, curry, 0, 0, dx, dy); - } - else { -- if (ppoints == NULL) Error0i("RMoveTo: No previous point!\n"); -+ if (ppoints == NULL || numppoints < 2) Error0i("RMoveTo: No previous point!\n"); - FindStems( currx, curry, ppoints[numppoints-2].x, ppoints[numppoints-2].y, dx, dy); - } - -@@ -2155,6 +2159,7 @@ - DOUBLE cx, cy; - DOUBLE ex, ey; - -+ if (ppoints == NULL || numppoints < 8) Error0v("FlxProc: No previous point!"); - - /* Our PPOINT list now contains 7 moveto commands which - are about to be consumed by the Flex mechanism. --> Remove these -@@ -2324,6 +2329,7 @@ - /* Returns currentpoint on stack */ - static void FlxProc2() - { -+ if (ppoints == NULL || numppoints < 1) Error0v("FlxProc2: No previous point!"); - /* Push CurrentPoint on fake PostScript stack */ - PSFakePush( ppoints[numppoints-1].x); - PSFakePush( ppoints[numppoints-1].y); -- cgit 1.4.1