Attached is the patch to fix two release critical bugs in the Debian
freetype package:
#302269: fontconfig: Segmentation fault with certain bdf fonts
#305413: libfreetype6: Many packages which use freetype now segfault

I will make an NMU with this patch in a moment, since Anthony has been
inactive in maintaining the package and Martin Michlmayr said in
http://lists.debian.org/debian-devel/2005/03/msg00805.html that Anthony
had told him that people should go ahead and adopt any of his packages.
I'm not ready to adopt this package, however.

diff -ruN orig/debian/changelog freetype-2.1.7/debian/changelog
--- orig/debian/changelog	2005-04-24 15:41:53.000000000 +0300
+++ freetype-2.1.7/debian/changelog	2005-04-24 16:02:24.000000000 +0300
@@ -1,3 +1,25 @@
+freetype (2.1.7-2.4) unstable; urgency=high
+
+  * Non-maintainer upload.
+  * freetype-2.1.7/src/bdf/bdflib.c: When a glyph has zero width or height,
+    a bitmap is not actually allocated for it, but the code used to try to
+    use it anyway. Now it no longer does that. Fix by Steve Langasek,
+    based on something I did earlier. Added
+    debian/patches/300-bdflib-zero-width-glyphs.diff. Closes: #302269
+    (Segmentation fault with certain bdf fonts).
+  * freetype-2.1.7/src/bdf/bdflib.c: BDF font files with glyphs with an
+    encoding value of at least 65536 would overflow the bitmap with 
+    65536 bits which bdflib.c uses to keep track of whether it has seen
+    an encoding already. Changed things so that encodings above the 
+    limit cause an error code to be returned instead of a segfault
+    happening. Ideally, the bitmap should be replaced with a more
+    compact representation, but that is too big a change for something
+    this small. I will, however, only lower the severity of the bug
+    (305413) to normal, instead of marking it fixed. Added
+    debian/patches/300-bdflib-large-encodings.diff.
+
+ -- Lars Wirzenius <[EMAIL PROTECTED]>  Sun, 24 Apr 2005 15:42:00 +0300
+
 freetype (2.1.7-2.3) unstable; urgency=low
 
   * NMU
diff -ruN orig/debian/patches/300-bdflib-large-encodings.diff freetype-2.1.7/debian/patches/300-bdflib-large-encodings.diff
--- orig/debian/patches/300-bdflib-large-encodings.diff	1970-01-01 02:00:00.000000000 +0200
+++ freetype-2.1.7/debian/patches/300-bdflib-large-encodings.diff	2005-04-24 15:59:37.000000000 +0300
@@ -0,0 +1,17 @@
+--- freetype-2.1.7/src/bdf/bdflib.c.old	2005-04-24 11:58:44.000000000 +0000
++++ freetype-2.1.7/src/bdf/bdflib.c	2005-04-24 11:56:37.000000000 +0000
+@@ -1570,6 +1570,14 @@
+         goto Exit;
+       p->glyph_enc = _bdf_atol( p->list.field[1], 0, 10 );
+ 
++      /* Check that the encoding is in the range [0, 65535] because       */
++      /* otherwise p->have (a bitmap with static size) overflows.         */
++      if ( p->glyph_enc >= sizeof(p->have) * 8 )
++      {
++	error = BDF_Err_Invalid_File_Format; /* Not the ideal error code */
++	goto Exit;
++      }
++
+       /* Check to see whether this encoding has already been encountered. */
+       /* If it has then change it to unencoded so it gets added if        */
+       /* indicated.                                                       */
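Review bot: The new guard `if ( p->glyph_enc >= sizeof(p->have) * 8 )` compares `glyph_enc` with a `size_t`, so if `glyph_enc` is a signed type (it is assigned from `_bdf_atol`, which suggests `long`) any negative encoding is promoted to a very large unsigned value and rejected; if the parser follows the BDF convention of `ENCODING -1` for unencoded glyphs, otherwise valid fonts would now fail with `BDF_Err_Invalid_File_Format`. Keeping the comparison signed avoids that without weakening the overflow check: `if ( p->glyph_enc >= (long)( sizeof( p->have ) * 8 ) )`, leaving negative values to whatever handling the existing code applies to them. The two statements inside the new block are indented with tabs while the surrounding code uses spaces. The enclosing function starts and ends outside the hunk.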
diff -ruN orig/debian/patches/300-bdflib-zero-width-glyphs.diff freetype-2.1.7/debian/patches/300-bdflib-zero-width-glyphs.diff
--- orig/debian/patches/300-bdflib-zero-width-glyphs.diff	1970-01-01 02:00:00.000000000 +0200
+++ freetype-2.1.7/debian/patches/300-bdflib-zero-width-glyphs.diff	2005-04-24 15:46:22.000000000 +0300
@@ -0,0 +1,22 @@
+diff -ur freetype-2.1.7.orig/src/bdf/bdflib.c freetype-2.1.7/src/bdf/bdflib.c
+--- freetype-2.1.7.orig/src/bdf/bdflib.c	2003-10-15 15:20:56.000000000 -0700
++++ freetype-2.1.7/src/bdf/bdflib.c	2005-04-24 02:46:31.858144092 -0700
+@@ -1683,7 +1683,7 @@
+       nibbles = glyph->bpr << 1;
+       bp      = glyph->bitmap + p->row * glyph->bpr;
+ 
+-      for ( i = 0, *bp = 0; i < nibbles; i++ )
++      for ( i = 0; i < nibbles; i++ )
+       {
+         c = line[i];
+         *bp = (FT_Byte)( ( *bp << 4 ) + a2i[c] );
+@@ -1693,7 +1693,8 @@
+ 
+       /* Remove possible garbage at the right. */
+       mask_index = ( glyph->bbx.width * p->font->bpp ) & 7;
+-      *bp &= nibble_mask[mask_index];
++      if (glyph->bbx.width)
++        *bp &= nibble_mask[mask_index];
+ 
+       /* If any line has extra columns, indicate they have been removed. */
+       if ( ( line[nibbles] == '0' || a2i[(int)line[nibbles]] != 0 ) &&
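Review bot: Dropping `*bp = 0` from the `for` initialiser in the first hunk means the first byte of each bitmap row is no longer cleared before nibbles are shifted into it, so the non-zero-width path now relies on `glyph->bitmap` being zero-filled at allocation; that allocation is outside the hunk, so either confirm it or keep the clear behind a guard, `if ( nibbles ) *bp = 0;`, which also skips the write when no bitmap exists. The new guard in the second hunk is written `if (glyph->bbx.width)` where the surrounding code spells conditions `if ( ... )` with inner spaces. The changelog states that no bitmap is allocated for zero-height glyphs either; if this line-parsing path can be reached with `bbx.height == 0` and a non-zero `bpr`, `bp` would still point into unallocated memory, which is worth checking against the row handling outside the hunk. The enclosing function starts and ends outside both hunks.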
diff -ruN orig/debian/rules freetype-2.1.7/debian/rules
--- orig/debian/rules	2005-04-24 15:41:53.000000000 +0300
+++ freetype-2.1.7/debian/rules	2005-04-24 16:01:56.000000000 +0300
@@ -160,6 +160,12 @@
 	# backport of normalization fix (#259875)
 	patch -p0 -i $(patchdir)/090-freetype-2.1.7-normalize-fix.diff
 
+	# don't segfault on zero width BDF glyphs (#302269)
+	patch -p0 -i $(patchdir)/300-bdflib-zero-width-glyphs.diff
+
+	# don't segfault on BDF glyphs with encodings above 65536 (#305413)
+	patch -p0 -i $(patchdir)/300-bdflib-large-encodings.diff
+
 	cd $(freetype_u) && ./configure --prefix=/usr CFLAGS=\"$(CFLAGS)\"
 #	cd $(freetype_u) && ./configure --prefix=/usr
 	$(MAKE) -C $(freetype_u)
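Review bot: The comment on the second new `patch` line says `encodings above 65536`, but the patch it applies (and the changelog entry, which says "at least 65536") rejects 65536 itself as well, since the check is `>=` against the size in bits of a 65536-bit bitmap; suggest `# don't segfault on BDF glyphs with encodings of 65536 or above (#305413)` so the build script matches the code. The surrounding rule continues outside the hunk.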
