From cc32025ea0c0bf79c1575a96b03b44db1edd9ee3 Mon Sep 17 00:00:00 2001
From: CentOS Sources
Date: May 20 2020 13:07:38 +0000
Subject: import fontforge-20120731b-13.el7
---
diff --git a/SOURCES/fontforge-20120731-b-cve-2020-5395.patch b/SOURCES/fontforge-20120731-b-cve-2020-5395.patch
new file mode 100644
index 0000000..19c615e
--- /dev/null
+++ b/SOURCES/fontforge-20120731-b-cve-2020-5395.patch
@@ -0,0 +1,59 @@
+diff -urN fontforge-20120731-b.old/fontforge/sfd1.c fontforge-20120731-b/fontforge/sfd1.c
+--- fontforge-20120731-b.old/fontforge/sfd1.c 2012-08-02 20:39:09.000000000 +0530
++++ fontforge-20120731-b/fontforge/sfd1.c 2020-04-08 14:15:27.262285908 +0530
+@@ -667,7 +667,7 @@
+
+ /* Fix up some gunk from really old versions of the sfd format */
+ SFDCleanupAnchorClasses(&sf->sf);
+- if ( sf->sf.uni_interp==ui_unset )
++ if ( sf->sf.uni_interp==ui_unset && sf->sf.map!=NULL )
+ sf->sf.uni_interp = interp_from_encoding(sf->sf.map->enc,ui_none);
+
+ /* Fixup for an old bug */
+diff -urN fontforge-20120731-b.old/fontforge/sfd.c fontforge-20120731-b/fontforge/sfd.c
+--- fontforge-20120731-b.old/fontforge/sfd.c 2012-08-02 20:39:09.000000000 +0530
++++ fontforge-20120731-b/fontforge/sfd.c 2020-04-08 14:16:37.448996390 +0530
+@@ -3333,13 +3333,16 @@
+ while ( fscanf(sfd,"%lg %lg %c", &cp.x, &cp.y, &cp.ty )==3 ) {
+ if ( cur!=NULL ) {
+ if ( cur->spiro_cnt>=cur->spiro_max )
+- cur->spiros = grealloc(cur->spiros,(cur->spiro_max+=10)*sizeof(spiro_cp));
++ cur->spiros = realloc(cur->spiros,
++ (cur->spiro_max+=10)*sizeof(spiro_cp));
+ cur->spiros[cur->spiro_cnt++] = cp;
+ }
+ }
+- if ( cur!=NULL && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
++ if ( cur!=NULL && cur->spiro_cnt>0
++ && (cur->spiros[cur->spiro_cnt-1].ty&0x7f)!=SPIRO_END ) {
+ if ( cur->spiro_cnt>=cur->spiro_max )
+- cur->spiros = grealloc(cur->spiros,(cur->spiro_max+=1)*sizeof(spiro_cp));
++ cur->spiros = realloc(cur->spiros,
++ (cur->spiro_max+=1)*sizeof(spiro_cp));
+ memset(&cur->spiros[cur->spiro_cnt],0,sizeof(spiro_cp));
+ cur->spiros[cur->spiro_cnt++].ty = SPIRO_END;
+ }
+@@ -6611,8 +6614,10 @@
+ sf->grid.order2 = o2;
+ } else if ( strmatch(tok,"LayerCount:")==0 ) {
+ had_layer_cnt = true;
+- getint(sfd,&sf->layer_cnt);
+- if ( sf->layer_cnt>2 ) {
++ int layer_cnt_tmp;
++ getint(sfd,&layer_cnt_tmp);
++ if ( layer_cnt_tmp>2 ) {
++ sf->layer_cnt = layer_cnt_tmp;
+ sf->layers = grealloc(sf->layers,sf->layer_cnt*sizeof(LayerInfo));
+ memset(sf->layers+2,0,(sf->layer_cnt-2)*sizeof(LayerInfo));
+ }
+@@ -7227,6 +7232,10 @@
+ }
+ }
+
++ // Many downstream functions assume this isn't NULL (use strlen, etc.)
++ if ( sf->fontname==NULL)
++ sf->fontname = copy("");
++
+ if ( fromdir )
+ sf = SFD_FigureDirType(sf,tok,dirname,enc,remap,had_layer_cnt);
+ else if ( sf->subfontcnt!=0 ) {
diff --git a/SPECS/fontforge.spec b/SPECS/fontforge.spec
index 926ecaf..b5d5b9b 100644
--- a/SPECS/fontforge.spec
+++ b/SPECS/fontforge.spec
@@ -5,7 +5,7 @@ Name: fontforge Version: 20120731b -Release: 12%{?dist} +Release: 13%{?dist} Summary: Outline and bitmap font editor Group: Applications/Publishing
@@ -18,6 +18,9 @@ Patch2: fontforge-20120731-pdf-bounds.patch # aarch64 support until it upstreams Patch3: http://ausil.fedorapeople.org/aarch64/fontforge/fontforge-aarch64.patch Patch4: fontforge-20120731-pdf-filters.patch +# https://github.com/fontforge/fontforge/issues/4084 +# https://github.com/fontforge/fontforge/issues/4164 +Patch5: fontforge-20120731-b-cve-2020-5395.patch Requires: xdg-utils Requires: autotrace
@@ -61,6 +64,7 @@ to compile applications against fontforge. %patch2 -p1 %patch3 -p1 %patch4 -p1 +%patch5 -p1 mkdir htdocs tar xjf %{SOURCE2} -C htdocs
@@ -157,6 +161,9 @@ fi %{_libdir}/pkgconfig/*.pc %changelog +* Wed Apr 08 2020 Parag Nemade - 20120731b-13 +- Resolves:rh#1790973 - CVE-2020-5395:out-of-bounds write in sfd.c + * Fri Jan 24 2014 Daniel Mach - 20120731b-12 - Mass rebuild 2014-01-24
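Review bot: In the sfd.c hunk at `@@ -3333,13 +3333,16 @@`, both new `realloc` calls assign straight back to `cur->spiros` without checking the result, so an allocation failure loses the old buffer and the next statement (`cur->spiros[cur->spiro_cnt++] = cp;` or the `memset`) writes through a NULL-based pointer. The removed lines went through `grealloc`; how that wrapper treats out-of-memory is not visible in this patch, so confirm the switch does not drop failure handling the old code relied on. If plain `realloc` is kept, grow through a temporary such as `spiro_cp *grown = realloc(cur->spiros,(cur->spiro_max+10)*sizeof(spiro_cp));`, stop reading when `grown==NULL`, and only then update `cur->spiros` and `cur->spiro_max`. The enclosing function starts and ends outside the hunk.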
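Review bot: In the sfd.c hunk at `@@ -6611,8 +6614,10 @@`, the new guard only keeps `LayerCount:` values of 2 or less out of `sf->layer_cnt`; any larger value read from the file still flows unbounded into `sf->layer_cnt*sizeof(LayerInfo)` and the `memset` that follows. Because the SFD file is untrusted input, an upper limit belongs in the same condition, e.g. `if ( layer_cnt_tmp>2 && layer_cnt_tmp<=MAX_LAYERS ) {`, where `MAX_LAYERS` is a placeholder for a project-chosen bound and not an existing constant. `layer_cnt_tmp` is also declared without an initialiser and the return value of `getint` is ignored, so if `getint` can return without storing a value (its body is not shown here) the comparison reads an indeterminate int; `int layer_cnt_tmp = 0;` makes that case fall through safely. The enclosing `else if` chain continues outside the hunk.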