diff options
| author | Vladimír Čunát <vcunat@gmail.com> | 2017-05-14 14:59:55 +0200 |
|---|---|---|
| committer | Vladimír Čunát <vcunat@gmail.com> | 2017-05-14 15:00:44 +0200 |
| commit | b0d2de45cddcd1e4578bfae121e606f89b00fc5e (patch) | |
| tree | 056388bde1a223551b36aca68a1f17fa8a994333 /pkgs/development/libraries/freetype | |
| parent | fcdb4b51f852a5654e101f2035e55f129562658d (diff) | |
| download | nixpkgs-b0d2de45cddcd1e4578bfae121e606f89b00fc5e.tar nixpkgs-b0d2de45cddcd1e4578bfae121e606f89b00fc5e.tar.gz nixpkgs-b0d2de45cddcd1e4578bfae121e606f89b00fc5e.tar.bz2 nixpkgs-b0d2de45cddcd1e4578bfae121e606f89b00fc5e.tar.lz nixpkgs-b0d2de45cddcd1e4578bfae121e606f89b00fc5e.tar.xz nixpkgs-b0d2de45cddcd1e4578bfae121e606f89b00fc5e.tar.zst nixpkgs-b0d2de45cddcd1e4578bfae121e606f89b00fc5e.zip | |
freetype: fix CVE-2017-{8105,8287} by upstream patches
I copied the patches, as the changelog changes would certainly conflict.
Diffstat (limited to 'pkgs/development/libraries/freetype')
| -rw-r--r-- | pkgs/development/libraries/freetype/cve-2017-8105.patch | 27 | ||||
| -rw-r--r-- | pkgs/development/libraries/freetype/cve-2017-8287.patch | 22 | ||||
| -rw-r--r-- | pkgs/development/libraries/freetype/default.nix | 3 |
3 files changed, 52 insertions, 0 deletions
diff --git a/pkgs/development/libraries/freetype/cve-2017-8105.patch b/pkgs/development/libraries/freetype/cve-2017-8105.patch new file mode 100644 index 00000000000..dc4327a52a8 --- /dev/null +++ b/pkgs/development/libraries/freetype/cve-2017-8105.patch @@ -0,0 +1,27 @@ +http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee43 + +diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c +index af7b465..7dd4513 100644 +--- a/src/psaux/t1decode.c ++++ b/src/psaux/t1decode.c +@@ -780,10 +780,19 @@ + /* point without adding any point to the outline */ + idx = decoder->num_flex_vectors++; + if ( idx > 0 && idx < 7 ) ++ { ++ /* in malformed fonts it is possible to have other */ ++ /* opcodes in the middle of a flex (which don't */ ++ /* increase `num_flex_vectors'); we thus have to */ ++ /* check whether we can add a point */ ++ if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) ) ++ goto Syntax_Error; ++ + t1_builder_add_point( builder, + x, + y, + (FT_Byte)( idx == 3 || idx == 6 ) ); ++ } + } + break; + + diff --git a/pkgs/development/libraries/freetype/cve-2017-8287.patch b/pkgs/development/libraries/freetype/cve-2017-8287.patch new file mode 100644 index 00000000000..7ccf4f3278b --- /dev/null +++ b/pkgs/development/libraries/freetype/cve-2017-8287.patch @@ -0,0 +1,22 @@ +http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=3774fc08b + +diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c +index d18e821..0baf836 100644 +--- a/src/psaux/psobjs.c ++++ b/src/psaux/psobjs.c +@@ -1718,6 +1718,14 @@ + first = outline->n_contours <= 1 + ? 0 : outline->contours[outline->n_contours - 2] + 1; + ++ /* in malformed fonts it can happen that a contour was started */ ++ /* but no points were added */ ++ if ( outline->n_contours && first == outline->n_points ) ++ { ++ outline->n_contours--; ++ return; ++ } ++ + /* We must not include the last point in the path if it */ + /* is located on the first point. */ + if ( outline->n_points > 1 ) + diff --git a/pkgs/development/libraries/freetype/default.nix b/pkgs/development/libraries/freetype/default.nix index 287a0742440..9b2c6fe11e1 100644 --- a/pkgs/development/libraries/freetype/default.nix +++ b/pkgs/development/libraries/freetype/default.nix @@ -48,6 +48,9 @@ in stdenv.mkDerivation { ./pcf-config-long-family-names.patch ./disable-pcf-long-family-names.patch ./enable-table-validation.patch + # remove the two CVE patches after updating to >= 2.8 + ./cve-2017-8105.patch + ./cve-2017-8287.patch ] ++ optional useEncumberedCode ./enable-subpixel-rendering.patch; |