main/freetype: fix CVE-2022-27405 and CVE-2022-27406

(cherry picked from commit 2cac7499017def246acff43ed3bec6e9e857c240)

3 files changed, 71 insertions, 1 deletions

diff --git a/main/freetype/APKBUILD b/main/freetype/APKBUILD
index c4be348f1ae..34532ab6c39 100644
--- a/main/freetype/APKBUILD
+++ b/main/freetype/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Carlo Landmeter <clandmeter@alpinelinux.org>
 pkgname=freetype
 pkgver=2.10.4
-pkgrel=2
+pkgrel=3
 pkgdesc="TrueType font rendering library"
 url="https://www.freetype.org/"
 arch="all"
@@ -14,9 +14,14 @@ source="https://download.savannah.gnu.org/releases/freetype/freetype-$pkgver.tar
 	0001-Enable-table-validation-modules.patch
 	subpixel.patch
 	CVE-2022-27404.patch
+	CVE-2022-27405.patch
+	CVE-2022-27406.patch
 	"
 
 # secfixes:
+#   2.10.4-r3:
+#     - CVE-2022-27405
+#     - CVE-2022-27406
 #   2.10.4-r2:
 #     - CVE-2022-27404
 #   2.10.4-r0:
@@ -59,4 +64,6 @@ sha512sums="
 580fe59acddfd41966e387bdb6a88336b8bc119cc3d60d8689be20c96fb0dd07c5138ea31f6cb9c854f497ecb41c3adc49eb3ec16a34b2e010e8294851770763  0001-Enable-table-validation-modules.patch
 72883fa203fd2552a7b1b8c39b4aaa68d407c62c289236031cd0fa1c8cdc6ad38e90d3b53f8ee682064986d09c9455961f4941c80566b150d15d5539a716c190  subpixel.patch
 a00040fddd30f8b7add990c4614cbe69a04d702c471064eaf1f28b70a24c35e25e430bc8ae1d90f198b3e432d90c8884519db30fab2e41e467892d79f5cdee8f  CVE-2022-27404.patch
+4e4ed4b325ca8dbbd7362782867901b90eef48cb78d6a030769c33add029d4f61ddafe590c1cca35edd8e2b0c128106b7e01874acf52ac7c2b475f4ca6cf8cdf  CVE-2022-27405.patch
+574f0a93a022ba8bae4440012dd4062841187e1af4e906e5a8f117549a7e528e9d4a0bd35833294248f3a71b299175cbf6d144231af29d8d2dd350bc7dc5b804  CVE-2022-27406.patch
 "
diff --git a/main/freetype/CVE-2022-27405.patch b/main/freetype/CVE-2022-27405.patch
new file mode 100644
index 00000000000..47668676013
--- /dev/null
+++ b/main/freetype/CVE-2022-27405.patch
@@ -0,0 +1,36 @@
+From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
+ `face_index`.
+
+We must ensure that the cast to `FT_Int` doesn't change the sign.
+
+Fixes #1139.
+---
+ src/base/ftobjs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 2c0f0e6c9..10952a6c6 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2527,6 +2527,15 @@
+ #endif
+ 
+ 
++    /* only use lower 31 bits together with sign bit */
++    if ( face_index > 0 )
++      face_index &= 0x7FFFFFFFL;
++    else
++    {
++      face_index &= 0x7FFFFFFFL;
++      face_index  = -face_index;
++    }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+     FT_TRACE3(( "FT_Open_Face: " ));
+     if ( face_index < 0 )
+-- 
+GitLab
+
diff --git a/main/freetype/CVE-2022-27406.patch b/main/freetype/CVE-2022-27406.patch
new file mode 100644
index 00000000000..0fdef7d2164
--- /dev/null
+++ b/main/freetype/CVE-2022-27406.patch
@@ -0,0 +1,27 @@
+From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:37:28 +0100
+Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
+
+Fixes #1140.
+---
+ src/base/ftobjs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 6492a1517..282c9121a 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -3409,6 +3409,9 @@
+     if ( !face )
+       return FT_THROW( Invalid_Face_Handle );
+ 
++    if ( !face->size )
++      return FT_THROW( Invalid_Size_Handle );
++
+     if ( !req || req->width < 0 || req->height < 0 ||
+          req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+       return FT_THROW( Invalid_Argument );
+-- 
+GitLab
+