aboutsummaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorLeo <thinkabit.ukim@gmail.com>2020-10-20 07:08:14 -0300
committerLeo <thinkabit.ukim@gmail.com>2020-10-20 07:09:18 -0300
commit58141e176cb1a99d3495cbef2733359bb7d79fbf (patch)
treec27a86045cb3047fba8f42936538e80547510752
parentd7f4631808dde481f85b6b3ade46dca0a5d6e6ea (diff)
downloadaports-58141e176cb1a99d3495cbef2733359bb7d79fbf.tar.gz
aports-58141e176cb1a99d3495cbef2733359bb7d79fbf.tar.bz2
aports-58141e176cb1a99d3495cbef2733359bb7d79fbf.tar.xz
main/freetype: fix CVE-2020-15999
-rw-r--r--main/freetype/APKBUILD8
-rw-r--r--main/freetype/CVE-2020-15999.patch48
2 files changed, 54 insertions, 2 deletions
diff --git a/main/freetype/APKBUILD b/main/freetype/APKBUILD
index 7e55119ea8..13dc716818 100644
--- a/main/freetype/APKBUILD
+++ b/main/freetype/APKBUILD
@@ -2,7 +2,7 @@
# Maintainer: Carlo Landmeter <clandmeter@gmail.com>
pkgname=freetype
pkgver=2.10.0
-pkgrel=0
+pkgrel=1
pkgdesc="TrueType font rendering library"
url="https://www.freetype.org/"
arch="all"
@@ -15,9 +15,12 @@ subpackages="$pkgname-static $pkgname-dev $pkgname-doc"
source="https://download.savannah.gnu.org/releases/freetype/freetype-$pkgver.tar.bz2
0001-Enable-table-validation-modules.patch
subpixel.patch
+ CVE-2020-15999.patch
"
# secfixes:
+# 2.10.0-r1:
+# - CVE-2020-15999
# 2.9-r1:
# - CVE-2018-6942
# 2.7.1-r1:
@@ -56,4 +59,5 @@ package() {
sha512sums="dfad66f419ea9577f09932e0730c0c887bdcbdbc8152fa7477a0c39d69a5b68476761deed6864ddcc5cf18d100a7a3f728049768e24afcb04b1a74b25b6acf7e freetype-2.10.0.tar.bz2
580fe59acddfd41966e387bdb6a88336b8bc119cc3d60d8689be20c96fb0dd07c5138ea31f6cb9c854f497ecb41c3adc49eb3ec16a34b2e010e8294851770763 0001-Enable-table-validation-modules.patch
-72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190 subpixel.patch"
+72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190 subpixel.patch
+fe697a15777b44bb36c705aa4e13f352329c418de89e3d457381d0852ca2931dfa6d6b6ebc6c59322ba2af94e956f06a31e25f0d57db139f5ba2ce79fa5a8fd9 CVE-2020-15999.patch"
diff --git a/main/freetype/CVE-2020-15999.patch b/main/freetype/CVE-2020-15999.patch
new file mode 100644
index 0000000000..067aa7e460
--- /dev/null
+++ b/main/freetype/CVE-2020-15999.patch
@@ -0,0 +1,48 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [sfnt] Fix heap buffer overflow (#59308).
+
+This is CVE-2020-15999.
+
+* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+---
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 2e64e5846..f55016122 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -332,6 +332,13 @@
+
+ if ( populate_map_and_metrics )
+ {
++ /* reject too large bitmaps similarly to the rasterizer */
++ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
++ {
++ error = FT_THROW( Array_Too_Large );
++ goto DestroyExit;
++ }
++
+ metrics->width = (FT_UShort)imgWidth;
+ metrics->height = (FT_UShort)imgHeight;
+
+@@ -340,13 +347,6 @@
+ map->pixel_mode = FT_PIXEL_MODE_BGRA;
+ map->pitch = (int)( map->width * 4 );
+ map->num_grays = 256;
+-
+- /* reject too large bitmaps similarly to the rasterizer */
+- if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+- {
+- error = FT_THROW( Array_Too_Large );
+- goto DestroyExit;
+- }
+ }
+
+ /* convert palette/gray image to rgb */
+--
+cgit v1.2.1
+
+