reverted: --- freetype-2.5.2/.pc/.quilt_patches +++ freetype-2.5.2.orig/.pc/.quilt_patches @@ -1 +0,0 @@ -/home/devel/freetype/freetype-2.5.2/debian/patches-freetype reverted: --- freetype-2.5.2/.pc/.quilt_series +++ freetype-2.5.2.orig/.pc/.quilt_series @@ -1 +0,0 @@ -series reverted: --- freetype-2.5.2/.pc/.version +++ freetype-2.5.2.orig/.pc/.version @@ -1 +0,0 @@ -2 reverted: --- freetype-2.5.2/.pc/applied-patches +++ freetype-2.5.2.orig/.pc/applied-patches @@ -1 +0,0 @@ -no-uninitialized-bbox.patch diff -u freetype-2.5.2/debian/changelog freetype-2.5.2/debian/changelog --- freetype-2.5.2/debian/changelog +++ freetype-2.5.2/debian/changelog @@ -1,3 +1,32 @@ +freetype (2.5.2-2ubuntu1.1) utopic-security; urgency=medium + + * SECURITY UPDATE: denial of service and possible code execution via + multiple security issues + - debian/patches-freetype/CVE-2014-96xx/*.patch: backport a large + quantity of upstream commits to fix multiple security issues. + - CVE-2014-9656 + - CVE-2014-9657 + - CVE-2014-9658 + - CVE-2014-9659 + - CVE-2014-9660 + - CVE-2014-9661 + - CVE-2014-9662 + - CVE-2014-9663 + - CVE-2014-9664 + - CVE-2014-9665 + - CVE-2014-9666 + - CVE-2014-9667 + - CVE-2014-9668 + - CVE-2014-9669 + - CVE-2014-9670 + - CVE-2014-9671 + - CVE-2014-9672 + - CVE-2014-9673 + - CVE-2014-9674 + - CVE-2014-9675 + + -- Marc Deslauriers Tue, 24 Feb 2015 08:41:04 -0500 + freetype (2.5.2-2ubuntu1) utopic; urgency=medium * Merge from Debian unstable, remaining changes: diff -u freetype-2.5.2/debian/patches-freetype/series freetype-2.5.2/debian/patches-freetype/series --- freetype-2.5.2/debian/patches-freetype/series +++ freetype-2.5.2/debian/patches-freetype/series @@ -12,0 +13,31 @@ +CVE-2014-96xx/CVE-2014-9656.patch +CVE-2014-96xx/CVE-2014-9657.patch +CVE-2014-96xx/CVE-2014-9658.patch +CVE-2014-96xx/CVE-2014-9659-1.patch +CVE-2014-96xx/CVE-2014-9659-2.patch +CVE-2014-96xx/CVE-2014-9660.patch +CVE-2014-96xx/CVE-2014-9661-1.patch +CVE-2014-96xx/CVE-2014-9661-2.patch +CVE-2014-96xx/CVE-2014-9662.patch +CVE-2014-96xx/CVE-2014-9663.patch +CVE-2014-96xx/CVE-2014-9664-1.patch +CVE-2014-96xx/CVE-2014-9664-2.patch +CVE-2014-96xx/CVE-2014-9665-1.patch +CVE-2014-96xx/CVE-2014-9665-2.patch +CVE-2014-96xx/CVE-2014-9666.patch +CVE-2014-96xx/CVE-2014-9667.patch +CVE-2014-96xx/CVE-2014-9668.patch +CVE-2014-96xx/CVE-2014-9669.patch +CVE-2014-96xx/CVE-2014-9670-1.patch +CVE-2014-96xx/CVE-2014-9670-2.patch +CVE-2014-96xx/CVE-2014-9671-1.patch +CVE-2014-96xx/CVE-2014-9671-2.patch +CVE-2014-96xx/CVE-2014-9671-3.patch +CVE-2014-96xx/CVE-2014-9672.patch +CVE-2014-96xx/CVE-2014-9673.patch +CVE-2014-96xx/CVE-2014-9674-1.patch +CVE-2014-96xx/CVE-2014-9674-2.patch +CVE-2014-96xx/CVE-2014-9674-3.patch +CVE-2014-96xx/CVE-2014-9674-4.patch +CVE-2014-96xx/CVE-2014-9675-1.patch +CVE-2014-96xx/CVE-2014-9675-2.patch only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9656.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9656.patch @@ -0,0 +1,25 @@ +From f0292bb9920aa1dbfed5f53861e7c7a89b35833a Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Mon, 24 Nov 2014 09:51:21 +0000 +Subject: [sfnt] Fix Savannah bug #43680. + +This adds an additional constraint to make the fix from 2013-01-25 +really work. + +* src/sfnt/ttsbit.c (tt_sbit_decoder_load_image) : +Check `p' before `num_glyphs'. +--- +Index: freetype-2.5.2/src/sfnt/ttsbit.c +=================================================================== +--- freetype-2.5.2.orig/src/sfnt/ttsbit.c 2015-02-24 08:19:30.901177578 -0500 ++++ freetype-2.5.2/src/sfnt/ttsbit.c 2015-02-24 08:19:30.901177578 -0500 +@@ -1143,7 +1143,8 @@ + num_glyphs = FT_NEXT_ULONG( p ); + + /* overflow check for p + ( num_glyphs + 1 ) * 4 */ +- if ( num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) ) ++ if ( p + 4 > p_limit || ++ num_glyphs > (FT_ULong)( ( ( p_limit - p ) >> 2 ) - 1 ) ) + goto NoBitmap; + + for ( mm = 0; mm < num_glyphs; mm++ ) only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9657.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9657.patch @@ -0,0 +1,40 @@ +From eca0f067068020870a429fe91f6329e499390d55 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Mon, 24 Nov 2014 09:22:08 +0000 +Subject: [truetype] Fix Savannah bug #43679. + +* src/truetype/ttpload.c (tt_face_load_hdmx): Check minimum size of +`record_size'. +--- +diff --git a/src/truetype/ttpload.c b/src/truetype/ttpload.c +index 9723a51..9991925 100644 +--- a/src/truetype/ttpload.c ++++ b/src/truetype/ttpload.c +@@ -508,9 +508,9 @@ + record_size = FT_NEXT_ULONG( p ); + + /* The maximum number of bytes in an hdmx device record is the */ +- /* maximum number of glyphs + 2; this is 0xFFFF + 2; this is */ +- /* the reason why `record_size' is a long (which we read as */ +- /* unsigned long for convenience). In practice, two bytes */ ++ /* maximum number of glyphs + 2; this is 0xFFFF + 2, thus */ ++ /* explaining why `record_size' is a long (which we read as */ ++ /* unsigned long for convenience). In practice, two bytes are */ + /* sufficient to hold the size value. */ + /* */ + /* There are at least two fonts, HANNOM-A and HANNOM-B version */ +@@ -522,8 +522,10 @@ + record_size &= 0xFFFFU; + + /* The limit for `num_records' is a heuristic value. */ +- +- if ( version != 0 || num_records > 255 || record_size > 0x10001L ) ++ if ( version != 0 || ++ num_records > 255 || ++ record_size > 0x10001L || ++ record_size < 4 ) + { + error = FT_THROW( Invalid_File_Format ); + goto Fail; +-- +cgit v0.9.0.2 only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9658.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9658.patch @@ -0,0 +1,23 @@ +From f70d9342e65cd2cb44e9f26b6d7edeedf191fc6c Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Mon, 24 Nov 2014 08:31:32 +0000 +Subject: [sfnt] Fix Savannah bug #43672. + +* src/sfnt/ttkern.c (tt_face_load_kern): Use correct value for +minimum table length test. +--- +diff --git a/src/sfnt/ttkern.c b/src/sfnt/ttkern.c +index 32c4008..455e7b5 100644 +--- a/src/sfnt/ttkern.c ++++ b/src/sfnt/ttkern.c +@@ -99,7 +99,7 @@ + length = FT_NEXT_USHORT( p ); + coverage = FT_NEXT_USHORT( p ); + +- if ( length <= 6 ) ++ if ( length <= 6 + 8 ) + break; + + p_next += length; +-- +cgit v0.9.0.2 only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9659-1.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9659-1.patch @@ -0,0 +1,83 @@ +From 2cdc4562f873237f1c77d43540537c7a721d3fd8 Mon Sep 17 00:00:00 2001 +From: Dave Arnold +Date: Thu, 04 Dec 2014 05:10:16 +0000 +Subject: [cff] Fix Savannah bug #43661. + +* src/cff/cf2intrp.c (cf2_interpT2CharString) : Don't append to stem arrays after +hintmask is constructed. + +* src/cff/cf2hints.c (cf2_hintmap_build): Add defensive code to +avoid reading past end of hintmask. +--- +diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c +index 81049f4..28a892b 100644 +--- a/src/cff/cf2hints.c ++++ b/src/cff/cf2hints.c +@@ -794,9 +794,12 @@ + maskPtr = cf2_hintmask_getMaskPtr( &tempHintMask ); + + /* use the hStem hints only, which are first in the mask */ +- /* TODO: compare this to cffhintmaskGetBitCount */ + bitCount = cf2_arrstack_size( hStemHintArray ); + ++ /* Defense-in-depth. Should never return here. */ ++ if ( bitCount > hintMask->bitCount ) ++ return; ++ + /* synthetic embox hints get highest priority */ + if ( font->blues.doEmBoxHints ) + { +diff --git a/src/cff/cf2intrp.c b/src/cff/cf2intrp.c +index 5610917..a269606 100644 +--- a/src/cff/cf2intrp.c ++++ b/src/cff/cf2intrp.c +@@ -593,8 +593,11 @@ + + /* never add hints after the mask is computed */ + if ( cf2_hintmask_isValid( &hintMask ) ) ++ { + FT_TRACE4(( "cf2_interpT2CharString:" + " invalid horizontal hint mask\n" )); ++ break; ++ } + + cf2_doStems( font, + opStack, +@@ -614,8 +617,11 @@ + + /* never add hints after the mask is computed */ + if ( cf2_hintmask_isValid( &hintMask ) ) ++ { + FT_TRACE4(( "cf2_interpT2CharString:" + " invalid vertical hint mask\n" )); ++ break; ++ } + + cf2_doStems( font, + opStack, +@@ -1141,15 +1147,16 @@ + /* `cf2_hintmask_read' (which also traces the mask bytes) */ + FT_TRACE4(( op1 == cf2_cmdCNTRMASK ? " cntrmask" : " hintmask" )); + +- /* if there are arguments on the stack, there this is an */ +- /* implied cf2_cmdVSTEMHM */ +- if ( cf2_stack_count( opStack ) != 0 ) ++ /* never add hints after the mask is computed */ ++ if ( cf2_stack_count( opStack ) > 1 && ++ cf2_hintmask_isValid( &hintMask ) ) + { +- /* never add hints after the mask is computed */ +- if ( cf2_hintmask_isValid( &hintMask ) ) +- FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" )); ++ FT_TRACE4(( "cf2_interpT2CharString: invalid hint mask\n" )); ++ break; + } + ++ /* if there are arguments on the stack, there this is an */ ++ /* implied cf2_cmdVSTEMHM */ + cf2_doStems( font, + opStack, + &vStemHintArray, +-- +cgit v0.9.0.2 only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9659-2.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9659-2.patch @@ -0,0 +1,55 @@ +From f89396cb6284954ff98b5dcbfc38e144deccdc83 Mon Sep 17 00:00:00 2001 +From: Dave Arnold +Date: Thu, 04 Dec 2014 05:17:26 +0000 +Subject: [cff] Modify an FT_ASSERT. + +* src/cff/cf2hints.c (cf2_hintmap_map): After the fix for Savannah +bug #43661, the test font `...aspartam.otf' still triggers an +FT_ASSERT. Since hintmap still works with count==0, ... +(cf2_glyphpath_lineTo, cf2_glyphpath_curveTo): ... add that term to +suppress the assert. +--- +diff --git a/src/cff/cf2hints.c b/src/cff/cf2hints.c +index 28a892b..040d193 100644 +--- a/src/cff/cf2hints.c ++++ b/src/cff/cf2hints.c +@@ -304,9 +304,6 @@ + cf2_hintmap_map( CF2_HintMap hintmap, + CF2_Fixed csCoord ) + { +- FT_ASSERT( hintmap->isValid ); /* must call Build before Map */ +- FT_ASSERT( hintmap->lastIndex < CF2_MAX_HINT_EDGES ); +- + if ( hintmap->count == 0 || ! hintmap->hinted ) + { + /* there are no hints; use uniform scale and zero offset */ +@@ -317,6 +314,7 @@ + /* start linear search from last hit */ + CF2_UInt i = hintmap->lastIndex; + ++ FT_ASSERT( hintmap->lastIndex < CF2_MAX_HINT_EDGES ); + + /* search up */ + while ( i < hintmap->count - 1 && +@@ -1694,7 +1692,8 @@ + + if ( glyphpath->elemIsQueued ) + { +- FT_ASSERT( cf2_hintmap_isValid( &glyphpath->hintMap ) ); ++ FT_ASSERT( cf2_hintmap_isValid( &glyphpath->hintMap ) || ++ glyphpath->hintMap.count == 0 ); + + cf2_glyphpath_pushPrevElem( glyphpath, + &glyphpath->hintMap, +@@ -1780,7 +1779,8 @@ + + if ( glyphpath->elemIsQueued ) + { +- FT_ASSERT( cf2_hintmap_isValid( &glyphpath->hintMap ) ); ++ FT_ASSERT( cf2_hintmap_isValid( &glyphpath->hintMap ) || ++ glyphpath->hintMap.count == 0 ); + + cf2_glyphpath_pushPrevElem( glyphpath, + &glyphpath->hintMap, +-- +cgit v0.9.0.2 only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9660.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9660.patch @@ -0,0 +1,29 @@ +Backport of: + +From af8346172a7b573715134f7a51e6c5c60fa7f2ab Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Sat, 22 Nov 2014 12:29:10 +0000 +Subject: [bdf] Fix Savannah bug #43660. + +* src/bdf/bdflib.c (_bdf_parse_glyphs) <"ENDFONT">: Check +`_BDF_GLYPH_BITS'. +--- +Index: freetype-2.5.2/src/bdf/bdflib.c +=================================================================== +--- freetype-2.5.2.orig/src/bdf/bdflib.c 2015-02-24 08:20:12.517448056 -0500 ++++ freetype-2.5.2/src/bdf/bdflib.c 2015-02-24 08:20:12.513448030 -0500 +@@ -1544,6 +1544,14 @@ + /* Check for the ENDFONT field. */ + if ( ft_memcmp( line, "ENDFONT", 7 ) == 0 ) + { ++ if ( p->flags & _BDF_GLYPH_BITS ) ++ { ++ /* Missing ENDCHAR field. */ ++ FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "ENDCHAR" )); ++ error = FT_THROW( Corrupted_Font_Glyphs ); ++ goto Exit; ++ } ++ + /* Sort the glyphs by encoding. */ + ft_qsort( (char *)font->glyphs, + font->glyphs_used, only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9661-1.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9661-1.patch @@ -0,0 +1,106 @@ +From 3788187e0c396952cd7d905c6c61f3ff8e84b2b4 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Sat, 22 Nov 2014 09:46:47 +0000 +Subject: [type42] Fix Savannah bug #43659. + +* src/type42/t42objs.c (T42_Open_Face): Initialize `face->ttf_size'. + +* src/type42/t42parse.c (t42_parse_sfnts): Always set +`face->ttf_size' directly. This ensures a correct stream size in +the call to `FT_Open_Face', which follows after parsing, even for +buggy input data. +Fix error messages. +--- +Index: freetype-2.5.2/src/type42/t42objs.c +=================================================================== +--- freetype-2.5.2.orig/src/type42/t42objs.c 2015-02-24 08:21:14.977853949 -0500 ++++ freetype-2.5.2/src/type42/t42objs.c 2015-02-24 08:21:14.973853922 -0500 +@@ -47,6 +47,12 @@ + if ( FT_ALLOC( face->ttf_data, 12 ) ) + goto Exit; + ++ /* while parsing the font we always update `face->ttf_size' so that */ ++ /* even in case of buggy data (which might lead to premature end of */ ++ /* scanning without causing an error) the call to `FT_Open_Face' in */ ++ /* `T42_Face_Init' passes the correct size */ ++ face->ttf_size = 12; ++ + error = t42_parser_init( parser, + face->root.stream, + memory, +Index: freetype-2.5.2/src/type42/t42parse.c +=================================================================== +--- freetype-2.5.2.orig/src/type42/t42parse.c 2015-02-24 08:21:14.977853949 -0500 ++++ freetype-2.5.2/src/type42/t42parse.c 2015-02-24 08:21:14.973853922 -0500 +@@ -498,7 +498,7 @@ + FT_Byte* limit = parser->root.limit; + FT_Error error; + FT_Int num_tables = 0; +- FT_ULong count, ttf_size = 0; ++ FT_ULong count; + + FT_Long n, string_size, old_string_size, real_size; + FT_Byte* string_buf = NULL; +@@ -591,7 +591,7 @@ + + if ( limit - parser->root.cursor < string_size ) + { +- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" )); ++ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" )); + error = FT_THROW( Invalid_File_Format ); + goto Fail; + } +@@ -631,18 +631,18 @@ + } + else + { +- num_tables = 16 * face->ttf_data[4] + face->ttf_data[5]; +- status = BEFORE_TABLE_DIR; +- ttf_size = 12 + 16 * num_tables; ++ num_tables = 16 * face->ttf_data[4] + face->ttf_data[5]; ++ status = BEFORE_TABLE_DIR; ++ face->ttf_size = 12 + 16 * num_tables; + +- if ( FT_REALLOC( face->ttf_data, 12, ttf_size ) ) ++ if ( FT_REALLOC( face->ttf_data, 12, face->ttf_size ) ) + goto Fail; + } + /* fall through */ + + case BEFORE_TABLE_DIR: + /* the offset table is read; read the table directory */ +- if ( count < ttf_size ) ++ if ( count < face->ttf_size ) + { + face->ttf_data[count++] = string_buf[n]; + continue; +@@ -661,24 +661,23 @@ + len = FT_PEEK_ULONG( p ); + + /* Pad to a 4-byte boundary length */ +- ttf_size += ( len + 3 ) & ~3; ++ face->ttf_size += ( len + 3 ) & ~3; + } + +- status = OTHER_TABLES; +- face->ttf_size = ttf_size; ++ status = OTHER_TABLES; + + /* there are no more than 256 tables, so no size check here */ + if ( FT_REALLOC( face->ttf_data, 12 + 16 * num_tables, +- ttf_size + 1 ) ) ++ face->ttf_size + 1 ) ) + goto Fail; + } + /* fall through */ + + case OTHER_TABLES: + /* all other tables are just copied */ +- if ( count >= ttf_size ) ++ if ( count >= face->ttf_size ) + { +- FT_ERROR(( "t42_parse_sfnts: too many binary data\n" )); ++ FT_ERROR(( "t42_parse_sfnts: too much binary data\n" )); + error = FT_THROW( Invalid_File_Format ); + goto Fail; + } only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9661-2.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9661-2.patch @@ -0,0 +1,28 @@ +From 42fcd6693ec7bd6ffc65ddc63e74287a65dda669 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Sat, 22 Nov 2014 11:44:33 +0000 +Subject: [type42] Allow only embedded TrueType fonts. + +This is a follow-up to Savannah bug #43659. + +* src/type42/t42objs.c (T42_Face_Init): Exclusively use the +`truetype' font driver for loading the font contained in the `sfnts' +array. +--- +diff --git a/src/type42/t42objs.c b/src/type42/t42objs.c +index 7a9cb57..915e81f 100644 +--- a/src/type42/t42objs.c ++++ b/src/type42/t42objs.c +@@ -292,7 +292,9 @@ + FT_Open_Args args; + + +- args.flags = FT_OPEN_MEMORY; ++ args.flags = FT_OPEN_MEMORY | FT_OPEN_DRIVER; ++ args.driver = FT_Get_Module( FT_FACE_LIBRARY( face ), ++ "truetype" ); + args.memory_base = face->ttf_data; + args.memory_size = face->ttf_size; + +-- +cgit v0.9.0.2 only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9662.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9662.patch @@ -0,0 +1,94 @@ +From 5f201ab5c24cb69bc96b724fd66e739928d6c5e2 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Sat, 22 Nov 2014 08:16:39 +0000 +Subject: [cff] Fix Savannah bug #43658. + +* src/cff/cf2ft.c (cf2_builder_lineTo, cf2_builder_cubeTo): Handle +return values of point allocation routines. +--- +Index: freetype-2.5.2/src/cff/cf2ft.c +=================================================================== +--- freetype-2.5.2.orig/src/cff/cf2ft.c 2015-02-24 08:21:29.449947985 -0500 ++++ freetype-2.5.2/src/cff/cf2ft.c 2015-02-24 08:21:29.445947958 -0500 +@@ -140,6 +140,8 @@ + cf2_builder_lineTo( CF2_OutlineCallbacks callbacks, + const CF2_CallbackParams params ) + { ++ FT_Error error; ++ + /* downcast the object pointer */ + CF2_Outline outline = (CF2_Outline)callbacks; + CFF_Builder* builder; +@@ -154,15 +156,27 @@ + { + /* record the move before the line; also check points and set */ + /* `path_begun' */ +- cff_builder_start_point( builder, +- params->pt0.x, +- params->pt0.y ); ++ error = cff_builder_start_point( builder, ++ params->pt0.x, ++ params->pt0.y ); ++ if ( error ) ++ { ++ if ( !*callbacks->error ) ++ *callbacks->error = error; ++ return; ++ } + } + + /* `cff_builder_add_point1' includes a check_points call for one point */ +- cff_builder_add_point1( builder, +- params->pt1.x, +- params->pt1.y ); ++ error = cff_builder_add_point1( builder, ++ params->pt1.x, ++ params->pt1.y ); ++ if ( error ) ++ { ++ if ( !*callbacks->error ) ++ *callbacks->error = error; ++ return; ++ } + } + + +@@ -170,6 +184,8 @@ + cf2_builder_cubeTo( CF2_OutlineCallbacks callbacks, + const CF2_CallbackParams params ) + { ++ FT_Error error; ++ + /* downcast the object pointer */ + CF2_Outline outline = (CF2_Outline)callbacks; + CFF_Builder* builder; +@@ -184,13 +200,25 @@ + { + /* record the move before the line; also check points and set */ + /* `path_begun' */ +- cff_builder_start_point( builder, +- params->pt0.x, +- params->pt0.y ); ++ error = cff_builder_start_point( builder, ++ params->pt0.x, ++ params->pt0.y ); ++ if ( error ) ++ { ++ if ( !*callbacks->error ) ++ *callbacks->error = error; ++ return; ++ } + } + + /* prepare room for 3 points: 2 off-curve, 1 on-curve */ +- cff_check_points( builder, 3 ); ++ error = cff_check_points( builder, 3 ); ++ if ( error ) ++ { ++ if ( !*callbacks->error ) ++ *callbacks->error = error; ++ return; ++ } + + cff_builder_add_point( builder, + params->pt1.x, only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9663.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9663.patch @@ -0,0 +1,34 @@ +Backport of: + +From 9bd20b7304aae61de5d50ac359cf27132bafd4c1 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Sat, 22 Nov 2014 05:24:45 +0000 +Subject: [sfnt] Fix Savannah bug #43656. + +* src/sfnt/ttcmap.c (tt_cmap4_validate): Fix order of validity +tests. +--- +Index: freetype-2.5.2/src/sfnt/ttcmap.c +=================================================================== +--- freetype-2.5.2.orig/src/sfnt/ttcmap.c 2015-02-24 08:21:38.682007970 -0500 ++++ freetype-2.5.2/src/sfnt/ttcmap.c 2015-02-24 08:21:38.678007944 -0500 +@@ -825,9 +825,6 @@ + FT_Error error = FT_Err_Ok; + + +- if ( length < 16 ) +- FT_INVALID_TOO_SHORT; +- + /* in certain fonts, the `length' field is invalid and goes */ + /* out of bound. We try to correct this here... */ + if ( table + length > valid->limit ) +@@ -838,6 +835,9 @@ + length = (FT_UInt)( valid->limit - table ); + } + ++ if ( length < 16 ) ++ FT_INVALID_TOO_SHORT; ++ + p = table + 6; + num_segs = TT_NEXT_USHORT( p ); /* read segCountX2 */ + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9664-1.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9664-1.patch @@ -0,0 +1,34 @@ +From dd89710f0f643eb0f99a3830e0712d26c7642acd Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Fri, 21 Nov 2014 21:19:28 +0000 +Subject: [type1, type42] Fix Savannah bug #43655. + +* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c +(t42_parse_charstrings): Fix boundary testing. +--- +Index: freetype-2.5.2/src/type1/t1load.c +=================================================================== +--- freetype-2.5.2.orig/src/type1/t1load.c 2015-02-24 08:22:36.886386117 -0500 ++++ freetype-2.5.2/src/type1/t1load.c 2015-02-24 08:22:36.882386090 -0500 +@@ -1599,7 +1599,7 @@ + FT_PtrDist len; + + +- if ( cur + 1 >= limit ) ++ if ( cur + 2 >= limit ) + { + error = FT_THROW( Invalid_File_Format ); + goto Fail; +Index: freetype-2.5.2/src/type42/t42parse.c +=================================================================== +--- freetype-2.5.2.orig/src/type42/t42parse.c 2015-02-24 08:22:36.886386117 -0500 ++++ freetype-2.5.2/src/type42/t42parse.c 2015-02-24 08:22:36.882386090 -0500 +@@ -831,7 +831,7 @@ + FT_PtrDist len; + + +- if ( cur + 1 >= limit ) ++ if ( cur + 2 >= limit ) + { + FT_ERROR(( "t42_parse_charstrings: out of bounds\n" )); + error = FT_THROW( Invalid_File_Format ); only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9664-2.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9664-2.patch @@ -0,0 +1,41 @@ +From 73be9f9ab67842cfbec36ee99e8d2301434c84ca Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Mon, 24 Nov 2014 06:30:05 +0000 +Subject: [type1, type42] Another fix for Savannah bug #43655. + +* src/type1/t1load.c (parse_charstrings), src/type42/t42parse.c +(t42_parse_charstrings): Add another boundary testing. +--- +Index: freetype-2.5.2/src/type1/t1load.c +=================================================================== +--- freetype-2.5.2.orig/src/type1/t1load.c 2015-02-24 08:22:44.330434475 -0500 ++++ freetype-2.5.2/src/type1/t1load.c 2015-02-24 08:22:44.326434449 -0500 +@@ -1591,6 +1591,11 @@ + } + + T1_Skip_PS_Token( parser ); ++ if ( parser->root.cursor >= limit ) ++ { ++ error = FT_THROW( Invalid_File_Format ); ++ goto Fail; ++ } + if ( parser->root.error ) + return; + +Index: freetype-2.5.2/src/type42/t42parse.c +=================================================================== +--- freetype-2.5.2.orig/src/type42/t42parse.c 2015-02-24 08:22:44.330434475 -0500 ++++ freetype-2.5.2/src/type42/t42parse.c 2015-02-24 08:22:44.326434449 -0500 +@@ -823,6 +823,12 @@ + break; + + T1_Skip_PS_Token( parser ); ++ if ( parser->root.cursor >= limit ) ++ { ++ FT_ERROR(( "t42_parse_charstrings: out of bounds\n" )); ++ error = FT_THROW( Invalid_File_Format ); ++ goto Fail; ++ } + if ( parser->root.error ) + return; + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9665-1.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9665-1.patch @@ -0,0 +1,216 @@ +Backport of: + +From b3500af717010137046ec4076d1e1c0641e33727 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Wed, 19 Nov 2014 20:28:21 +0000 +Subject: Change some fields in `FT_Bitmap' to unsigned type. + +This doesn't break ABI. + +* include/ftimage.h (FT_Bitmap): Make `rows', `width', `num_grays', +`pixel_mode', and `palette_mode' unsigned types. + +* src/base/ftbitmap.c: Updated. +(FT_Bitmap_Copy): Fix casts. + +* src/cache/ftcsbits.c, src/raster/ftraster.c, src/sfnt/pngshim.c: +Updated. +--- +Index: freetype-2.5.2/include/ftimage.h +=================================================================== +--- freetype-2.5.2.orig/include/ftimage.h 2015-02-24 08:23:03.894563138 -0500 ++++ freetype-2.5.2/include/ftimage.h 2015-02-24 08:23:03.886563086 -0500 +@@ -318,13 +318,13 @@ + /* */ + typedef struct FT_Bitmap_ + { +- int rows; +- int width; ++ unsigned int rows; ++ unsigned int width; + int pitch; + unsigned char* buffer; +- short num_grays; +- char pixel_mode; +- char palette_mode; ++ unsigned short num_grays; ++ unsigned char pixel_mode; ++ unsigned char palette_mode; + void* palette; + + } FT_Bitmap; +Index: freetype-2.5.2/src/base/ftbitmap.c +=================================================================== +--- freetype-2.5.2.orig/src/base/ftbitmap.c 2015-02-24 08:23:03.894563138 -0500 ++++ freetype-2.5.2/src/base/ftbitmap.c 2015-02-24 08:24:03.126959580 -0500 +@@ -62,7 +62,7 @@ + + if ( pitch < 0 ) + pitch = -pitch; +- size = (FT_ULong)( pitch * source->rows ); ++ size = (FT_ULong)pitch * source->rows; + + if ( target->buffer ) + { +@@ -72,7 +72,7 @@ + + if ( target_pitch < 0 ) + target_pitch = -target_pitch; +- target_size = (FT_ULong)( target_pitch * target->rows ); ++ target_size = (FT_ULong)target_pitch * target->rows; + + if ( target_size != size ) + (void)FT_QREALLOC( target->buffer, target_size, size ); +@@ -106,7 +106,7 @@ + int pitch; + int new_pitch; + FT_UInt bpp; +- FT_Int i, width, height; ++ FT_UInt i, width, height; + unsigned char* buffer = NULL; + + +@@ -144,17 +144,17 @@ + if ( ypixels == 0 && new_pitch <= pitch ) + { + /* zero the padding */ +- FT_Int bit_width = pitch * 8; +- FT_Int bit_last = ( width + xpixels ) * bpp; ++ FT_UInt bit_width = pitch * 8; ++ FT_UInt bit_last = ( width + xpixels ) * bpp; + + + if ( bit_last < bit_width ) + { + FT_Byte* line = bitmap->buffer + ( bit_last >> 3 ); + FT_Byte* end = bitmap->buffer + pitch; +- FT_Int shift = bit_last & 7; ++ FT_UInt shift = bit_last & 7; + FT_UInt mask = 0xFF00U >> shift; +- FT_Int count = height; ++ FT_UInt count = height; + + + for ( ; count > 0; count--, line += pitch, end += pitch ) +@@ -180,7 +180,7 @@ + + if ( bitmap->pitch > 0 ) + { +- FT_Int len = ( width * bpp + 7 ) >> 3; ++ FT_UInt len = ( width * bpp + 7 ) >> 3; + + + for ( i = 0; i < bitmap->rows; i++ ) +@@ -189,7 +189,7 @@ + } + else + { +- FT_Int len = ( width * bpp + 7 ) >> 3; ++ FT_UInt len = ( width * bpp + 7 ) >> 3; + + + for ( i = 0; i < bitmap->rows; i++ ) +@@ -220,7 +220,8 @@ + { + FT_Error error; + unsigned char* p; +- FT_Int i, x, y, pitch; ++ FT_Int i, x, pitch; ++ FT_UInt y; + FT_Int xstr, ystr; + + +@@ -460,7 +461,7 @@ + case FT_PIXEL_MODE_BGRA: + { + FT_Int pad; +- FT_Long old_size; ++ FT_ULong old_size; + + + old_size = target->rows * target->pitch; +Index: freetype-2.5.2/src/cache/ftcsbits.c +=================================================================== +--- freetype-2.5.2.orig/src/cache/ftcsbits.c 2015-02-24 08:23:03.894563138 -0500 ++++ freetype-2.5.2/src/cache/ftcsbits.c 2015-02-24 08:23:03.890563112 -0500 +@@ -142,12 +142,12 @@ + goto BadGlyph; + } + +- /* Check that our values fit into 8-bit containers! */ ++ /* Check whether our values fit into 8-bit containers! */ + /* If this is not the case, our bitmap is too large */ + /* and we will leave it as `missing' with sbit.buffer = 0 */ + +-#define CHECK_CHAR( d ) ( temp = (FT_Char)d, temp == d ) +-#define CHECK_BYTE( d ) ( temp = (FT_Byte)d, temp == d ) ++#define CHECK_CHAR( d ) ( temp = (FT_Char)d, (FT_Int) temp == (FT_Int) d ) ++#define CHECK_BYTE( d ) ( temp = (FT_Byte)d, (FT_UInt)temp == (FT_UInt)d ) + + /* horizontal advance in pixels */ + xadvance = ( slot->advance.x + 32 ) >> 6; +Index: freetype-2.5.2/src/raster/ftraster.c +=================================================================== +--- freetype-2.5.2.orig/src/raster/ftraster.c 2015-02-24 08:23:03.894563138 -0500 ++++ freetype-2.5.2/src/raster/ftraster.c 2015-02-24 08:23:03.890563112 -0500 +@@ -2550,7 +2550,7 @@ + + e1 = TRUNC( e1 ); + +- if ( e1 >= 0 && e1 < ras.target.rows ) ++ if ( e1 >= 0 && (ULong)e1 < ras.target.rows ) + { + PByte p; + +@@ -2644,7 +2644,7 @@ + /* bounding box instead */ + if ( pxl < 0 ) + pxl = e1; +- else if ( TRUNC( pxl ) >= ras.target.rows ) ++ else if ( (ULong)( TRUNC( pxl ) ) >= ras.target.rows ) + pxl = e2; + + /* check that the other pixel isn't set */ +@@ -2659,9 +2659,9 @@ + if ( ras.target.pitch > 0 ) + bits += ( ras.target.rows - 1 ) * ras.target.pitch; + +- if ( e1 >= 0 && +- e1 < ras.target.rows && +- *bits & f1 ) ++ if ( e1 >= 0 && ++ (ULong)e1 < ras.target.rows && ++ *bits & f1 ) + return; + } + else +@@ -2673,7 +2673,7 @@ + + e1 = TRUNC( pxl ); + +- if ( e1 >= 0 && e1 < ras.target.rows ) ++ if ( e1 >= 0 && (ULong)e1 < ras.target.rows ) + { + bits -= e1 * ras.target.pitch; + if ( ras.target.pitch > 0 ) +Index: freetype-2.5.2/src/sfnt/pngshim.c +=================================================================== +--- freetype-2.5.2.orig/src/sfnt/pngshim.c 2015-02-24 08:23:03.894563138 -0500 ++++ freetype-2.5.2/src/sfnt/pngshim.c 2015-02-24 08:23:03.890563112 -0500 +@@ -205,11 +205,11 @@ + goto Exit; + } + +- if ( !populate_map_and_metrics && +- ( x_offset + metrics->width > map->width || +- y_offset + metrics->height > map->rows || +- pix_bits != 32 || +- map->pixel_mode != FT_PIXEL_MODE_BGRA ) ) ++ if ( !populate_map_and_metrics && ++ ( (FT_UInt)x_offset + metrics->width > map->width || ++ (FT_UInt)y_offset + metrics->height > map->rows || ++ pix_bits != 32 || ++ map->pixel_mode != FT_PIXEL_MODE_BGRA ) ) + { + error = FT_THROW( Invalid_Argument ); + goto Exit; only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9665-2.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9665-2.patch @@ -0,0 +1,28 @@ +From 54abd22891bd51ef8b533b24df53b3019b5cee81 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Sat, 15 Nov 2014 08:05:22 +0000 +Subject: [sfnt] Fix Savannah bug #43597. + +* src/sfnt/pngshim.c (Load_SBit_Png): Protect against too large +bitmaps. +--- +diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c +index 9afbe5a..fdb15d4 100644 +--- a/src/sfnt/pngshim.c ++++ b/src/sfnt/pngshim.c +@@ -269,6 +269,13 @@ + map->pitch = map->width * 4; + map->num_grays = 256; + ++ /* reject too large bitmaps similarly to the rasterizer */ ++ if ( map->rows > 0x7FFF || map->width > 0x7FFF ) ++ { ++ error = FT_THROW( Array_Too_Large ); ++ goto DestroyExit; ++ } ++ + size = map->rows * map->pitch; + + error = ft_glyphslot_alloc_bitmap( slot, size ); +-- +cgit v0.9.0.2 only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9666.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9666.patch @@ -0,0 +1,27 @@ +From 257c270bd25e15890190a28a1456e7623bba4439 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Wed, 12 Nov 2014 20:42:13 +0000 +Subject: [sfnt] Fix Savannah bug #43591. + +* src/sfnt/ttsbit.c (tt_sbit_decoder_init): Protect against addition +and multiplication overflow. +--- +Index: freetype-2.5.2/src/sfnt/ttsbit.c +=================================================================== +--- freetype-2.5.2.orig/src/sfnt/ttsbit.c 2015-02-24 08:25:51.003681022 -0500 ++++ freetype-2.5.2/src/sfnt/ttsbit.c 2015-02-24 08:25:50.999680996 -0500 +@@ -380,9 +380,11 @@ + p += 34; + decoder->bit_depth = *p; + +- if ( decoder->strike_index_array > face->sbit_table_size || +- decoder->strike_index_array + 8 * decoder->strike_index_count > +- face->sbit_table_size ) ++ /* decoder->strike_index_array + */ ++ /* 8 * decoder->strike_index_count > face->sbit_table_size ? */ ++ if ( decoder->strike_index_array > face->sbit_table_size || ++ decoder->strike_index_count > ++ ( face->sbit_table_size - decoder->strike_index_array ) / 8 ) + error = FT_THROW( Invalid_File_Format ); + } + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9667.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9667.patch @@ -0,0 +1,38 @@ +From 677ddf4f1dc1b36cef7c7ddd59a14c508f4b1891 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Wed, 12 Nov 2014 20:26:44 +0000 +Subject: [sfnt] Fix Savannah bug #43590. + +* src/sfnt/ttload.c (check_table_dir, tt_face_load_font_dir): +Protect against addition overflow. +--- +diff --git a/src/sfnt/ttload.c b/src/sfnt/ttload.c +index 0a3cd29..8338150 100644 +--- a/src/sfnt/ttload.c ++++ b/src/sfnt/ttload.c +@@ -207,7 +207,10 @@ + } + + /* we ignore invalid tables */ +- if ( table.Offset + table.Length > stream->size ) ++ ++ /* table.Offset + table.Length > stream->size ? */ ++ if ( table.Length > stream->size || ++ table.Offset > stream->size - table.Length ) + { + FT_TRACE2(( "check_table_dir: table entry %d invalid\n", nn )); + continue; +@@ -395,7 +398,10 @@ + entry->Length = FT_GET_ULONG(); + + /* ignore invalid tables */ +- if ( entry->Offset + entry->Length > stream->size ) ++ ++ /* entry->Offset + entry->Length > stream->size ? */ ++ if ( entry->Length > stream->size || ++ entry->Offset > stream->size - entry->Length ) + continue; + else + { +-- +cgit v0.9.0.2 only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9668.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9668.patch @@ -0,0 +1,25 @@ +From f46add13895337ece929b18bb8f036431b3fb538 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Wed, 12 Nov 2014 20:06:08 +0000 +Subject: [sfnt] Fix Savannah bug #43589. + +* src/sfnt/sfobjs.c (woff_open_font): Protect against addition +overflow. +--- +Index: freetype-2.5.2/src/sfnt/sfobjs.c +=================================================================== +--- freetype-2.5.2.orig/src/sfnt/sfobjs.c 2015-02-24 08:26:40.400011124 -0500 ++++ freetype-2.5.2/src/sfnt/sfobjs.c 2015-02-24 08:26:40.392011070 -0500 +@@ -574,8 +574,10 @@ + + + if ( table->Offset != woff_offset || +- table->Offset + table->CompLength > woff.length || +- sfnt_offset + table->OrigLength > woff.totalSfntSize || ++ table->CompLength > woff.length || ++ table->Offset > woff.length - table->CompLength || ++ table->OrigLength > woff.totalSfntSize || ++ sfnt_offset > woff.totalSfntSize - table->OrigLength || + table->CompLength > table->OrigLength ) + { + error = FT_THROW( Invalid_Table ); only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9669.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9669.patch @@ -0,0 +1,117 @@ +Backport of: + +From 602040b1112c9f94d68e200be59ea7ac3d104565 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Wed, 12 Nov 2014 19:51:20 +0000 +Subject: [sfnt] Fix Savannah bug #43588. + +* src/sfnt/ttcmap.c (tt_cmap8_validate, tt_cmap10_validate, +tt_cmap12_validate, tt_cmap13_validate, tt_cmap14_validate): Protect +against overflow in additions and multiplications. +--- +Index: freetype-2.5.2/src/sfnt/ttcmap.c +=================================================================== +--- freetype-2.5.2.orig/src/sfnt/ttcmap.c 2015-02-24 08:26:48.072062380 -0500 ++++ freetype-2.5.2/src/sfnt/ttcmap.c 2015-02-24 08:26:48.068062354 -0500 +@@ -1649,7 +1649,8 @@ + p = is32 + 8192; /* skip `is32' array */ + num_groups = TT_NEXT_ULONG( p ); + +- if ( p + num_groups * 12 > valid->limit ) ++ /* p + num_groups * 12 > valid->limit ? */ ++ if ( num_groups > (FT_UInt32)( valid->limit - p ) / 12 ) + FT_INVALID_TOO_SHORT; + + /* check groups, they must be in increasing order */ +@@ -1674,7 +1675,12 @@ + + if ( valid->level >= FT_VALIDATE_TIGHT ) + { +- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ) ++ FT_UInt32 d = end - start; ++ ++ ++ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */ ++ if ( d > TT_VALID_GLYPH_COUNT( valid ) || ++ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d ) + FT_INVALID_GLYPH_ID; + + count = (FT_UInt32)( end - start + 1 ); +@@ -1872,7 +1878,9 @@ + count = TT_NEXT_ULONG( p ); + + if ( length > (FT_ULong)( valid->limit - table ) || +- length < 20 + count * 2 ) ++ /* length < 20 + count * 2 ? */ ++ length < 20 || ++ ( length - 20 ) / 2 < count ) + FT_INVALID_TOO_SHORT; + + /* check glyph indices */ +@@ -2059,7 +2067,9 @@ + num_groups = TT_NEXT_ULONG( p ); + + if ( length > (FT_ULong)( valid->limit - table ) || +- length < 16 + 12 * num_groups ) ++ /* length < 16 + 12 * num_groups ? */ ++ length < 16 || ++ ( length - 16 ) / 12 < num_groups ) + FT_INVALID_TOO_SHORT; + + /* check groups, they must be in increasing order */ +@@ -2081,7 +2091,12 @@ + + if ( valid->level >= FT_VALIDATE_TIGHT ) + { +- if ( start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ) ++ FT_UInt32 d = end - start; ++ ++ ++ /* start_id + end - start >= TT_VALID_GLYPH_COUNT( valid ) ? */ ++ if ( d > TT_VALID_GLYPH_COUNT( valid ) || ++ start_id >= TT_VALID_GLYPH_COUNT( valid ) - d ) + FT_INVALID_GLYPH_ID; + } + +@@ -2383,7 +2398,9 @@ + num_groups = TT_NEXT_ULONG( p ); + + if ( length > (FT_ULong)( valid->limit - table ) || +- length < 16 + 12 * num_groups ) ++ /* length < 16 + 12 * num_groups ? */ ++ length < 16 || ++ ( length - 16 ) / 12 < num_groups ) + FT_INVALID_TOO_SHORT; + + /* check groups, they must be in increasing order */ +@@ -2764,7 +2781,9 @@ + + + if ( length > (FT_ULong)( valid->limit - table ) || +- length < 10 + 11 * num_selectors ) ++ /* length < 10 + 11 * num_selectors ? */ ++ length < 10 || ++ ( length - 10 ) / 11 < num_selectors ) + FT_INVALID_TOO_SHORT; + + /* check selectors, they must be in increasing order */ +@@ -2800,7 +2819,8 @@ + FT_ULong lastBase = 0; + + +- if ( defp + numRanges * 4 > valid->limit ) ++ /* defp + numRanges * 4 > valid->limit ? */ ++ if ( numRanges > (FT_ULong)( valid->limit - defp ) / 4 ) + FT_INVALID_TOO_SHORT; + + for ( i = 0; i < numRanges; ++i ) +@@ -2827,7 +2847,8 @@ + FT_ULong i, lastUni = 0; + + +- if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ) ++ /* numMappings * 4 > (FT_ULong)( valid->limit - ndp ) ? */ ++ if ( numMappings > ( (FT_ULong)( valid->limit - ndp ) ) / 4 ) + FT_INVALID_TOO_SHORT; + + for ( i = 0; i < numMappings; ++i ) only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9670-1.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9670-1.patch @@ -0,0 +1,28 @@ +From ef1eba75187adfac750f326b563fe543dd5ff4e6 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Thu, 06 Nov 2014 22:25:05 +0000 +Subject: Fix Savannah bug #43548. + +* src/pcf/pcfread (pcf_get_encodings): Add sanity checks for row and +column values. +--- +Index: freetype-2.5.2/src/pcf/pcfread.c +=================================================================== +--- freetype-2.5.2.orig/src/pcf/pcfread.c 2015-02-24 08:27:55.260511108 -0500 ++++ freetype-2.5.2/src/pcf/pcfread.c 2015-02-24 08:27:55.256511081 -0500 +@@ -812,6 +812,15 @@ + if ( !PCF_FORMAT_MATCH( format, PCF_DEFAULT_FORMAT ) ) + return FT_THROW( Invalid_File_Format ); + ++ /* sanity checks */ ++ if ( firstCol < 0 || ++ firstCol > lastCol || ++ lastCol > 0xFF || ++ firstRow < 0 || ++ firstRow > lastRow || ++ lastRow > 0xFF ) ++ return FT_THROW( Invalid_Table ); ++ + FT_TRACE4(( "pdf_get_encodings:\n" )); + + FT_TRACE4(( " firstCol %d, lastCol %d, firstRow %d, lastRow %d\n", only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9670-2.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9670-2.patch @@ -0,0 +1,60 @@ +From b1fc00d5dc0e89432c58367477b6d9d63b6b0be9 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Fri, 21 Nov 2014 11:06:40 +0000 +Subject: * src/pcf/pcfread.c (pcf_get_metrics): Sanitize invalid metrics. + +--- +Index: freetype-2.5.2/src/pcf/pcfread.c +=================================================================== +--- freetype-2.5.2.orig/src/pcf/pcfread.c 2015-02-24 08:28:02.140557042 -0500 ++++ freetype-2.5.2/src/pcf/pcfread.c 2015-02-24 08:28:02.136557016 -0500 +@@ -631,24 +631,40 @@ + return FT_THROW( Out_Of_Memory ); + + metrics = face->metrics; +- for ( i = 0; i < nmetrics; i++ ) ++ for ( i = 0; i < nmetrics; i++, metrics++ ) + { +- error = pcf_get_metric( stream, format, metrics + i ); ++ error = pcf_get_metric( stream, format, metrics ); + +- metrics[i].bits = 0; ++ metrics->bits = 0; + + FT_TRACE5(( " idx %d: width=%d, " + "lsb=%d, rsb=%d, ascent=%d, descent=%d, swidth=%d\n", + i, +- ( metrics + i )->characterWidth, +- ( metrics + i )->leftSideBearing, +- ( metrics + i )->rightSideBearing, +- ( metrics + i )->ascent, +- ( metrics + i )->descent, +- ( metrics + i )->attributes )); ++ metrics->characterWidth, ++ metrics->leftSideBearing, ++ metrics->rightSideBearing, ++ metrics->ascent, ++ metrics->descent, ++ metrics->attributes )); + + if ( error ) + break; ++ ++ /* sanity checks -- those values are used in `PCF_Glyph_Load' to */ ++ /* compute a glyph's bitmap dimensions, thus setting them to zero in */ ++ /* case of an error disables this particular glyph only */ ++ if ( metrics->rightSideBearing < metrics->leftSideBearing || ++ metrics->ascent + metrics->descent < 0 ) ++ { ++ metrics->characterWidth = 0; ++ metrics->leftSideBearing = 0; ++ metrics->rightSideBearing = 0; ++ metrics->ascent = 0; ++ metrics->descent = 0; ++ ++ FT_TRACE0(( "pcf_get_metrics:" ++ " invalid metrics for glyph %d\n", i )); ++ } + } + + if ( error ) only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9671-1.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9671-1.patch @@ -0,0 +1,34 @@ +From 0e2f5d518c60e2978f26400d110eff178fa7e3c3 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Thu, 06 Nov 2014 21:32:46 +0000 +Subject: Fix Savannah bug #43547. + +* src/pcf/pcfread.c (pcf_read_TOC): Check `size' and `offset' +values. +--- +Index: freetype-2.5.2/src/pcf/pcfread.c +=================================================================== +--- freetype-2.5.2.orig/src/pcf/pcfread.c 2015-02-24 08:28:11.636620437 -0500 ++++ freetype-2.5.2/src/pcf/pcfread.c 2015-02-24 08:28:11.632620410 -0500 +@@ -151,6 +151,21 @@ + break; + } + ++ /* we now check whether the `size' and `offset' values are reasonable: */ ++ /* `offset' + `size' must not exceed the stream size */ ++ tables = face->toc.tables; ++ for ( n = 0; n < toc->count; n++ ) ++ { ++ /* we need two checks to avoid overflow */ ++ if ( ( tables->size > stream->size ) || ++ ( tables->offset > stream->size - tables->size ) ) ++ { ++ error = FT_THROW( Invalid_Table ); ++ goto Exit; ++ } ++ tables++; ++ } ++ + #ifdef FT_DEBUG_LEVEL_TRACE + + { only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9671-2.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9671-2.patch @@ -0,0 +1,109 @@ +From 74af85c4b62b35e55b0ce9dec55ee10cbc4962a2 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Mon, 08 Dec 2014 15:01:50 +0000 +Subject: [pcf] Fix Savannah bug #43774. + +Work around `features' of X11's `pcfWriteFont' and `pcfReadFont' +functions. Since the PCF format doesn't have an official +specification, we have to exactly follow these functions' behaviour. + +The problem was unveiled with a patch from 2014-11-06, fixing issue #43547. + +* src/pcf/pcfread.c (pcf_read_TOC): Don't check table size for last +element. Instead, assign real size. +--- +Index: freetype-2.5.2/src/pcf/pcfread.c +=================================================================== +--- freetype-2.5.2.orig/src/pcf/pcfread.c 2015-02-24 08:28:18.044663213 -0500 ++++ freetype-2.5.2/src/pcf/pcfread.c 2015-02-24 08:28:18.040663186 -0500 +@@ -78,7 +78,7 @@ + FT_FRAME_START( 16 ), + FT_FRAME_ULONG_LE( type ), + FT_FRAME_ULONG_LE( format ), +- FT_FRAME_ULONG_LE( size ), ++ FT_FRAME_ULONG_LE( size ), /* rounded up to a multiple of 4 */ + FT_FRAME_ULONG_LE( offset ), + FT_FRAME_END + }; +@@ -95,9 +95,11 @@ + FT_Memory memory = FT_FACE( face )->memory; + FT_UInt n; + ++ FT_ULong size; + +- if ( FT_STREAM_SEEK ( 0 ) || +- FT_STREAM_READ_FIELDS ( pcf_toc_header, toc ) ) ++ ++ if ( FT_STREAM_SEEK( 0 ) || ++ FT_STREAM_READ_FIELDS( pcf_toc_header, toc ) ) + return FT_THROW( Cannot_Open_Resource ); + + if ( toc->version != PCF_FILE_VERSION || +@@ -151,14 +153,35 @@ + break; + } + +- /* we now check whether the `size' and `offset' values are reasonable: */ +- /* `offset' + `size' must not exceed the stream size */ ++ /* ++ * We now check whether the `size' and `offset' values are reasonable: ++ * `offset' + `size' must not exceed the stream size. ++ * ++ * Note, however, that X11's `pcfWriteFont' routine (used by the ++ * `bdftopcf' program to create PDF font files) has two special ++ * features. ++ * ++ * - It always assigns the accelerator table a size of 100 bytes in the ++ * TOC, regardless of its real size, which can vary between 34 and 72 ++ * bytes. ++ * ++ * - Due to the way the routine is designed, it ships out the last font ++ * table with its real size, ignoring the TOC's size value. Since ++ * the TOC size values are always rounded up to a multiple of 4, the ++ * difference can be up to three bytes for all tables except the ++ * accelerator table, for which the difference can be as large as 66 ++ * bytes. ++ * ++ */ ++ + tables = face->toc.tables; +- for ( n = 0; n < toc->count; n++ ) ++ size = stream->size; ++ ++ for ( n = 0; n < toc->count - 1; n++ ) + { + /* we need two checks to avoid overflow */ +- if ( ( tables->size > stream->size ) || +- ( tables->offset > stream->size - tables->size ) ) ++ if ( ( tables->size > size ) || ++ ( tables->offset > size - tables->size ) ) + { + error = FT_THROW( Invalid_Table ); + goto Exit; +@@ -166,6 +189,15 @@ + tables++; + } + ++ /* no check of `tables->size' for last table element ... */ ++ if ( ( tables->offset > size ) ) ++ { ++ error = FT_THROW( Invalid_Table ); ++ goto Exit; ++ } ++ /* ... instead, we adjust `tables->size' to the real value */ ++ tables->size = size - tables->offset; ++ + #ifdef FT_DEBUG_LEVEL_TRACE + + { +@@ -730,8 +762,8 @@ + + FT_TRACE4(( " number of bitmaps: %d\n", nbitmaps )); + +- /* XXX: PCF_Face->nmetrics is singed FT_Long, see pcf.h */ +- if ( face->nmetrics < 0 || nbitmaps != ( FT_ULong )face->nmetrics ) ++ /* XXX: PCF_Face->nmetrics is signed FT_Long, see pcf.h */ ++ if ( face->nmetrics < 0 || nbitmaps != (FT_ULong)face->nmetrics ) + return FT_THROW( Invalid_File_Format ); + + if ( FT_NEW_ARRAY( offsets, nbitmaps ) ) only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9671-3.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9671-3.patch @@ -0,0 +1,29 @@ +From 06842c7b49c21f13c0ab61201daab6ff5a358fcc Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Sat, 13 Dec 2014 06:42:51 +0000 +Subject: * src/pcf/pcfread.c (pcf_read_TOC): Improve fix from 2014-12-08. + +--- +Index: freetype-2.5.2/src/pcf/pcfread.c +=================================================================== +--- freetype-2.5.2.orig/src/pcf/pcfread.c 2015-02-24 08:28:25.584713543 -0500 ++++ freetype-2.5.2/src/pcf/pcfread.c 2015-02-24 08:28:25.580713516 -0500 +@@ -189,14 +189,15 @@ + tables++; + } + +- /* no check of `tables->size' for last table element ... */ ++ /* only check `tables->offset' for last table element ... */ + if ( ( tables->offset > size ) ) + { + error = FT_THROW( Invalid_Table ); + goto Exit; + } +- /* ... instead, we adjust `tables->size' to the real value */ +- tables->size = size - tables->offset; ++ /* ... and adjust `tables->size' to the real value if necessary */ ++ if ( tables->size > size - tables->offset ) ++ tables->size = size - tables->offset; + + #ifdef FT_DEBUG_LEVEL_TRACE + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9672.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9672.patch @@ -0,0 +1,36 @@ +From 18a8f0d9943369449bc4de92d411c78fb08d616c Mon Sep 17 00:00:00 2001 +From: suzuki toshiya +Date: Wed, 26 Nov 2014 07:11:38 +0000 +Subject: Fix Savannah bug #43540. + +* src/base/ftmac.c (parse_fond): Prevent a buffer overrun +caused by a font including too many (> 63) strings to store +names[] table. +--- +diff --git a/src/base/ftmac.c b/src/base/ftmac.c +index 9b49da8..184a2e1 100644 +--- a/src/base/ftmac.c ++++ b/src/base/ftmac.c +@@ -440,9 +440,10 @@ + style = (StyleTable*)p; + p += sizeof ( StyleTable ); + string_count = EndianS16_BtoN( *(short*)(p) ); ++ string_count = FT_MIN( 64, string_count ); + p += sizeof ( short ); + +- for ( i = 0; i < string_count && i < 64; i++ ) ++ for ( i = 0; i < string_count; i++ ) + { + names[i] = p; + p += names[i][0]; +@@ -459,7 +460,7 @@ + ps_name[ps_name_len] = 0; + } + if ( style->indexes[face_index] > 1 && +- style->indexes[face_index] <= FT_MIN( string_count, 64 ) ) ++ style->indexes[face_index] <= string_count ) + { + unsigned char* suffixes = names[style->indexes[face_index] - 1]; + +-- +cgit v0.9.0.2 only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9673.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9673.patch @@ -0,0 +1,63 @@ +Backport of: + +From 35252ae9aa1dd9343e9f4884e9ddb1fee10ef415 Mon Sep 17 00:00:00 2001 +From: suzuki toshiya +Date: Wed, 26 Nov 2014 06:52:23 +0000 +Subject: Fix Savannah bug #43539. + +* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow +by a broken POST table in resource-fork. + +Also includes: + +http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/src/base/ftobjs.c?id=5aff85301bdce7677766fa1367c82ff41a739637 + +--- +Index: freetype-2.5.2/src/base/ftobjs.c +=================================================================== +--- freetype-2.5.2.orig/src/base/ftobjs.c 2015-02-24 08:32:11.902222646 -0500 ++++ freetype-2.5.2/src/base/ftobjs.c 2015-02-24 08:32:34.850375500 -0500 +@@ -1626,9 +1626,14 @@ + if ( error ) + goto Exit2; + if ( FT_READ_LONG( rlen ) ) +- goto Exit; ++ goto Exit2; ++ if ( rlen < 0 ) ++ { ++ error = FT_THROW( Invalid_Offset ); ++ goto Exit2; ++ } + if ( FT_READ_USHORT( flags ) ) +- goto Exit; ++ goto Exit2; + FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", + i, offsets[i], rlen, flags )); + +@@ -1644,7 +1649,14 @@ + rlen = 0; + + if ( ( flags >> 8 ) == type ) ++ { ++ if ( 0x7FFFFFFFL - rlen < len ) ++ { ++ error = FT_THROW( Array_Too_Large ); ++ goto Exit2; ++ } + len += rlen; ++ } + else + { + if ( pfb_lenpos + 3 > pfb_len + 2 ) +@@ -1673,6 +1685,11 @@ + } + + error = FT_ERR( Cannot_Open_Resource ); ++ if ( rlen > 0x7FFFFFFFL - pfb_pos ) ++ { ++ error = FT_THROW( Array_Too_Large ); ++ goto Exit2; ++ } + if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len ) + goto Exit2; + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9674-1.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9674-1.patch @@ -0,0 +1,37 @@ +From 240c94a185cd8dae7d03059abec8a5662c35ecd3 Mon Sep 17 00:00:00 2001 +From: suzuki toshiya +Date: Wed, 26 Nov 2014 06:43:29 +0000 +Subject: Fix Savannah bug #43538. + +* src/base/ftobjs.c (Mac_Read_POST_Resource): Fix integer overflow +by a broken POST table in resource-fork. +--- +Index: freetype-2.5.2/src/base/ftobjs.c +=================================================================== +--- freetype-2.5.2.orig/src/base/ftobjs.c 2015-02-24 08:33:33.990769289 -0500 ++++ freetype-2.5.2/src/base/ftobjs.c 2015-02-24 08:33:33.986769263 -0500 +@@ -1603,10 +1603,23 @@ + goto Exit; + if ( FT_READ_LONG( temp ) ) + goto Exit; ++ if ( 0 > temp ) ++ error = FT_THROW( Invalid_Offset ); ++ else if ( 0x7FFFFFFFL - 6 - pfb_len < temp ) ++ error = FT_THROW( Array_Too_Large ); ++ ++ if ( error ) ++ goto Exit; ++ + pfb_len += temp + 6; + } + +- if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) ) ++ if ( 0x7FFFFFFFL - 2 < pfb_len ) ++ error = FT_THROW( Array_Too_Large ); ++ else ++ error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ); ++ ++ if ( error ) + goto Exit; + + pfb_data[0] = 0x80; only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9674-2.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9674-2.patch @@ -0,0 +1,157 @@ +From 453316792fee912cfced48e9e270e9eb19892e64 Mon Sep 17 00:00:00 2001 +From: suzuki toshiya +Date: Wed, 26 Nov 2014 07:02:17 +0000 +Subject: * src/base/ftobjs.c (Mac_Read_POST_Resource): Use unsigned long + +variables to read the lengths in POST fragments. Suggested by +Mateusz Jurczyk . +--- +Index: freetype-2.5.2/src/base/ftobjs.c +=================================================================== +--- freetype-2.5.2.orig/src/base/ftobjs.c 2015-02-24 08:33:40.530812824 -0500 ++++ freetype-2.5.2/src/base/ftobjs.c 2015-02-24 08:33:40.526812798 -0500 +@@ -1583,9 +1583,9 @@ + FT_Memory memory = library->memory; + FT_Byte* pfb_data = NULL; + int i, type, flags; +- FT_Long len; +- FT_Long pfb_len, pfb_pos, pfb_lenpos; +- FT_Long rlen, temp; ++ FT_ULong len; ++ FT_ULong pfb_len, pfb_pos, pfb_lenpos; ++ FT_ULong rlen, temp; + + + if ( face_index == -1 ) +@@ -1601,25 +1601,27 @@ + error = FT_Stream_Seek( stream, offsets[i] ); + if ( error ) + goto Exit; +- if ( FT_READ_LONG( temp ) ) ++ if ( FT_READ_ULONG( temp ) ) + goto Exit; +- if ( 0 > temp ) ++#if 0 ++ FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", i, temp)); ++ if ( 0x7FFFFFFFUL < temp ) ++ { + error = FT_THROW( Invalid_Offset ); +- else if ( 0x7FFFFFFFL - 6 - pfb_len < temp ) +- error = FT_THROW( Array_Too_Large ); +- +- if ( error ) + goto Exit; ++ } ++#endif + + pfb_len += temp + 6; + } + +- if ( 0x7FFFFFFFL - 2 < pfb_len ) ++ FT_TRACE2(( " total buffer size to concatenate %d POST fragments: 0x%08x\n", ++ resource_cnt, pfb_len + 2)); ++ if ( pfb_len + 2 < 6 ) { + error = FT_THROW( Array_Too_Large ); +- else +- error = FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ); +- +- if ( error ) ++ goto Exit; ++ } ++ if ( FT_ALLOC( pfb_data, (FT_Long)pfb_len + 2 ) ) + goto Exit; + + pfb_data[0] = 0x80; +@@ -1638,21 +1640,27 @@ + error = FT_Stream_Seek( stream, offsets[i] ); + if ( error ) + goto Exit2; +- if ( FT_READ_LONG( rlen ) ) ++ if ( FT_READ_ULONG( rlen ) ) + goto Exit2; +- if ( rlen < 0 ) ++#if 0 ++ if ( 0x7FFFFFFFUL < rlen ) + { + error = FT_THROW( Invalid_Offset ); + goto Exit2; + } ++#endif + if ( FT_READ_USHORT( flags ) ) + goto Exit2; + FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", + i, offsets[i], rlen, flags )); + ++ error = FT_ERR( Array_Too_Large ); + /* postpone the check of rlen longer than buffer until FT_Stream_Read() */ + if ( ( flags >> 8 ) == 0 ) /* Comment, should not be loaded */ ++ { ++ FT_TRACE3(( " Skip POST fragment #%d because it is a comment\n", i )); + continue; ++ } + + /* the flags are part of the resource, so rlen >= 2. */ + /* but some fonts declare rlen = 0 for empty fragment */ +@@ -1662,16 +1670,10 @@ + rlen = 0; + + if ( ( flags >> 8 ) == type ) +- { +- if ( 0x7FFFFFFFL - rlen < len ) +- { +- error = FT_THROW( Array_Too_Large ); +- goto Exit2; +- } + len += rlen; +- } + else + { ++ FT_TRACE3(( " Write POST fragment #%d header (4-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos )); + if ( pfb_lenpos + 3 > pfb_len + 2 ) + goto Exit2; + pfb_data[pfb_lenpos ] = (FT_Byte)( len ); +@@ -1682,6 +1684,7 @@ + if ( ( flags >> 8 ) == 5 ) /* End of font mark */ + break; + ++ FT_TRACE3(( " Write POST fragment #%d header (6-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_pos )); + if ( pfb_pos + 6 > pfb_len + 2 ) + goto Exit2; + pfb_data[pfb_pos++] = 0x80; +@@ -1697,21 +1700,17 @@ + pfb_data[pfb_pos++] = 0; + } + +- error = FT_ERR( Cannot_Open_Resource ); +- if ( rlen > 0x7FFFFFFFL - pfb_pos ) +- { +- error = FT_THROW( Array_Too_Large ); +- goto Exit2; +- } + if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len ) + goto Exit2; + ++ FT_TRACE3(( " Load POST fragment #%d (%d byte) to buffer 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos )); + error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen ); + if ( error ) + goto Exit2; + pfb_pos += rlen; + } + ++ error = FT_ERR( Array_Too_Large ); + if ( pfb_pos + 2 > pfb_len + 2 ) + goto Exit2; + pfb_data[pfb_pos++] = 0x80; +@@ -1732,6 +1731,12 @@ + aface ); + + Exit2: ++ if ( error == FT_ERR( Array_Too_Large ) ) ++ FT_TRACE2(( " Abort due to too-short buffer to store all POST fragments\n" )); ++ else if ( error == FT_ERR( Invalid_Offset ) ) ++ FT_TRACE2(( " Abort due to invalid offset in a POST fragment\n" )); ++ if ( error ) ++ error = FT_ERR( Cannot_Open_Resource ); + FT_FREE( pfb_data ); + + Exit: only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9674-3.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9674-3.patch @@ -0,0 +1,103 @@ +From 1720e81e3ecc7c266e54fe40175cc39c47117bf5 Mon Sep 17 00:00:00 2001 +From: suzuki toshiya +Date: Wed, 26 Nov 2014 07:39:00 +0000 +Subject: * src/base/ftobjs.c (Mac_Read_POST_Resource): Insert comments + +and fold too long tracing messages. +--- +Index: freetype-2.5.2/src/base/ftobjs.c +=================================================================== +--- freetype-2.5.2.orig/src/base/ftobjs.c 2015-02-24 08:33:47.710860617 -0500 ++++ freetype-2.5.2/src/base/ftobjs.c 2015-02-24 08:33:47.706860590 -0500 +@@ -1603,21 +1603,28 @@ + goto Exit; + if ( FT_READ_ULONG( temp ) ) + goto Exit; +-#if 0 +- FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", i, temp)); ++ ++ /* FT2 allocator takes signed long buffer length, ++ * too large value causing overflow should be checked ++ */ ++ FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", ++ i, temp)); + if ( 0x7FFFFFFFUL < temp ) + { + error = FT_THROW( Invalid_Offset ); + goto Exit; + } +-#endif + + pfb_len += temp + 6; + } + +- FT_TRACE2(( " total buffer size to concatenate %d POST fragments: 0x%08x\n", ++ FT_TRACE2(( " total buffer size to concatenate %d" ++ " POST fragments: 0x%08x\n", + resource_cnt, pfb_len + 2)); + if ( pfb_len + 2 < 6 ) { ++ FT_TRACE2(( " too long fragment length makes" ++ " pfb_len confused: 0x%08x\n", ++ pfb_len )); + error = FT_THROW( Array_Too_Large ); + goto Exit; + } +@@ -1642,13 +1649,16 @@ + goto Exit2; + if ( FT_READ_ULONG( rlen ) ) + goto Exit2; +-#if 0 ++ ++ /* FT2 allocator takes signed long buffer length, ++ * too large fragment length causing overflow should be checked ++ */ + if ( 0x7FFFFFFFUL < rlen ) + { + error = FT_THROW( Invalid_Offset ); + goto Exit2; + } +-#endif ++ + if ( FT_READ_USHORT( flags ) ) + goto Exit2; + FT_TRACE3(( "POST fragment[%d]: offsets=0x%08x, rlen=0x%08x, flags=0x%04x\n", +@@ -1673,7 +1683,8 @@ + len += rlen; + else + { +- FT_TRACE3(( " Write POST fragment #%d header (4-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos )); ++ FT_TRACE3(( " Write POST fragment #%d header (4-byte) to buffer" ++ " 0x%p + 0x%08x\n", i, pfb_data, pfb_lenpos )); + if ( pfb_lenpos + 3 > pfb_len + 2 ) + goto Exit2; + pfb_data[pfb_lenpos ] = (FT_Byte)( len ); +@@ -1684,7 +1695,8 @@ + if ( ( flags >> 8 ) == 5 ) /* End of font mark */ + break; + +- FT_TRACE3(( " Write POST fragment #%d header (6-byte) to buffer 0x%p + 0x%08x\n", i, pfb_data, pfb_pos )); ++ FT_TRACE3(( " Write POST fragment #%d header (6-byte) to buffer" ++ " 0x%p + 0x%08x\n", i, pfb_data, pfb_pos )); + if ( pfb_pos + 6 > pfb_len + 2 ) + goto Exit2; + pfb_data[pfb_pos++] = 0x80; +@@ -1703,7 +1715,8 @@ + if ( pfb_pos > pfb_len || pfb_pos + rlen > pfb_len ) + goto Exit2; + +- FT_TRACE3(( " Load POST fragment #%d (%d byte) to buffer 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos )); ++ FT_TRACE3(( " Load POST fragment #%d (%d byte) to buffer" ++ " 0x%p + 0x%08x\n", i, rlen, pfb_data, pfb_pos )); + error = FT_Stream_Read( stream, (FT_Byte *)pfb_data + pfb_pos, rlen ); + if ( error ) + goto Exit2; +@@ -1732,7 +1745,8 @@ + + Exit2: + if ( error == FT_ERR( Array_Too_Large ) ) +- FT_TRACE2(( " Abort due to too-short buffer to store all POST fragments\n" )); ++ FT_TRACE2(( " Abort due to too-short buffer to store" ++ " all POST fragments\n" )); + else if ( error == FT_ERR( Invalid_Offset ) ) + FT_TRACE2(( " Abort due to invalid offset in a POST fragment\n" )); + if ( error ) only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9674-4.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9674-4.patch @@ -0,0 +1,34 @@ +From cd4a5a26e591d01494567df9dec7f72d59551f6e Mon Sep 17 00:00:00 2001 +From: suzuki toshiya +Date: Wed, 26 Nov 2014 15:20:48 +0000 +Subject: * src/base/ftobj.c (Mac_Read_POST_Resource): Additional + +overflow check in the summation of POST fragment lengths, +suggested by Mateusz Jurczyk . +--- +Index: freetype-2.5.2/src/base/ftobjs.c +=================================================================== +--- freetype-2.5.2.orig/src/base/ftobjs.c 2015-02-24 08:33:55.406911841 -0500 ++++ freetype-2.5.2/src/base/ftobjs.c 2015-02-24 08:33:55.402911814 -0500 +@@ -1609,8 +1609,10 @@ + */ + FT_TRACE4(( " POST fragment #%d: length=0x%08x\n", + i, temp)); +- if ( 0x7FFFFFFFUL < temp ) ++ if ( 0x7FFFFFFFUL < temp || pfb_len + temp + 6 < pfb_len ) + { ++ FT_TRACE2(( " too long fragment length makes" ++ " pfb_len confused: temp=0x%08x\n", temp )); + error = FT_THROW( Invalid_Offset ); + goto Exit; + } +@@ -1623,8 +1625,7 @@ + resource_cnt, pfb_len + 2)); + if ( pfb_len + 2 < 6 ) { + FT_TRACE2(( " too long fragment length makes" +- " pfb_len confused: 0x%08x\n", +- pfb_len )); ++ " pfb_len confused: pfb_len=0x%08x\n", pfb_len )); + error = FT_THROW( Array_Too_Large ); + goto Exit; + } only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9675-1.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9675-1.patch @@ -0,0 +1,227 @@ +From 9a56764037dfc01a89fe61f5c67971bf50343d00 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Wed, 26 Feb 2014 12:08:07 +0000 +Subject: [bdf] Fix Savannah bug #41692. + +bdflib puts data from the input stream into a buffer in chunks of +1024 bytes. The data itself gets then parsed line by line, simply +increasing the current pointer into the buffer; if the search for +the final newline character exceeds the buffer size, more data gets +read. + +However, in case the current line's end is very near to the buffer +end, and the keyword to compare with is longer than the current +line's length, an out-of-bounds read might happen since `memcmp' +doesn't stop properly at the string end. + +* src/bdf/bdflib.c: s/ft_memcmp/ft_strncmp/ to make comparisons +stop at string ends. +--- +Index: freetype-2.5.2/src/bdf/bdflib.c +=================================================================== +--- freetype-2.5.2.orig/src/bdf/bdflib.c 2015-02-24 08:38:21.676682123 -0500 ++++ freetype-2.5.2/src/bdf/bdflib.c 2015-02-24 08:38:21.672682097 -0500 +@@ -1409,7 +1409,7 @@ + + /* If the property happens to be a comment, then it doesn't need */ + /* to be added to the internal hash table. */ +- if ( ft_memcmp( name, "COMMENT", 7 ) != 0 ) ++ if ( ft_strncmp( name, "COMMENT", 7 ) != 0 ) + { + /* Add the property to the font property table. */ + error = hash_insert( fp->name, +@@ -1427,13 +1427,13 @@ + /* FONT_ASCENT and FONT_DESCENT need to be assigned if they are */ + /* present, and the SPACING property should override the default */ + /* spacing. */ +- if ( ft_memcmp( name, "DEFAULT_CHAR", 12 ) == 0 ) ++ if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 ) + font->default_char = fp->value.l; +- else if ( ft_memcmp( name, "FONT_ASCENT", 11 ) == 0 ) ++ else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 ) + font->font_ascent = fp->value.l; +- else if ( ft_memcmp( name, "FONT_DESCENT", 12 ) == 0 ) ++ else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 ) + font->font_descent = fp->value.l; +- else if ( ft_memcmp( name, "SPACING", 7 ) == 0 ) ++ else if ( ft_strncmp( name, "SPACING", 7 ) == 0 ) + { + if ( !fp->value.atom ) + { +@@ -1491,7 +1491,7 @@ + memory = font->memory; + + /* Check for a comment. */ +- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 ) ++ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) + { + linelen -= 7; + +@@ -1508,7 +1508,7 @@ + /* The very first thing expected is the number of glyphs. */ + if ( !( p->flags & _BDF_GLYPHS ) ) + { +- if ( ft_memcmp( line, "CHARS", 5 ) != 0 ) ++ if ( ft_strncmp( line, "CHARS", 5 ) != 0 ) + { + FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" )); + error = FT_THROW( Missing_Chars_Field ); +@@ -1542,7 +1542,7 @@ + } + + /* Check for the ENDFONT field. */ +- if ( ft_memcmp( line, "ENDFONT", 7 ) == 0 ) ++ if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 ) + { + if ( p->flags & _BDF_GLYPH_BITS ) + { +@@ -1564,7 +1564,7 @@ + } + + /* Check for the ENDCHAR field. */ +- if ( ft_memcmp( line, "ENDCHAR", 7 ) == 0 ) ++ if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 ) + { + p->glyph_enc = 0; + p->flags &= ~_BDF_GLYPH_BITS; +@@ -1580,7 +1580,7 @@ + goto Exit; + + /* Check for the STARTCHAR field. */ +- if ( ft_memcmp( line, "STARTCHAR", 9 ) == 0 ) ++ if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 ) + { + /* Set the character name in the parse info first until the */ + /* encoding can be checked for an unencoded character. */ +@@ -1614,7 +1614,7 @@ + } + + /* Check for the ENCODING field. */ +- if ( ft_memcmp( line, "ENCODING", 8 ) == 0 ) ++ if ( ft_strncmp( line, "ENCODING", 8 ) == 0 ) + { + if ( !( p->flags & _BDF_GLYPH ) ) + { +@@ -1800,7 +1800,7 @@ + } + + /* Expect the SWIDTH (scalable width) field next. */ +- if ( ft_memcmp( line, "SWIDTH", 6 ) == 0 ) ++ if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 ) + { + if ( !( p->flags & _BDF_ENCODING ) ) + goto Missing_Encoding; +@@ -1816,7 +1816,7 @@ + } + + /* Expect the DWIDTH (scalable width) field next. */ +- if ( ft_memcmp( line, "DWIDTH", 6 ) == 0 ) ++ if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 ) + { + if ( !( p->flags & _BDF_ENCODING ) ) + goto Missing_Encoding; +@@ -1844,7 +1844,7 @@ + } + + /* Expect the BBX field next. */ +- if ( ft_memcmp( line, "BBX", 3 ) == 0 ) ++ if ( ft_strncmp( line, "BBX", 3 ) == 0 ) + { + if ( !( p->flags & _BDF_ENCODING ) ) + goto Missing_Encoding; +@@ -1912,7 +1912,7 @@ + } + + /* And finally, gather up the bitmap. */ +- if ( ft_memcmp( line, "BITMAP", 6 ) == 0 ) ++ if ( ft_strncmp( line, "BITMAP", 6 ) == 0 ) + { + unsigned long bitmap_size; + +@@ -1987,7 +1987,7 @@ + p = (_bdf_parse_t *) client_data; + + /* Check for the end of the properties. */ +- if ( ft_memcmp( line, "ENDPROPERTIES", 13 ) == 0 ) ++ if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 ) + { + /* If the FONT_ASCENT or FONT_DESCENT properties have not been */ + /* encountered yet, then make sure they are added as properties and */ +@@ -2028,12 +2028,12 @@ + } + + /* Ignore the _XFREE86_GLYPH_RANGES properties. */ +- if ( ft_memcmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 ) ++ if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 ) + goto Exit; + + /* Handle COMMENT fields and properties in a special way to preserve */ + /* the spacing. */ +- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 ) ++ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) + { + name = value = line; + value += 7; +@@ -2097,7 +2097,7 @@ + + /* Check for a comment. This is done to handle those fonts that have */ + /* comments before the STARTFONT line for some reason. */ +- if ( ft_memcmp( line, "COMMENT", 7 ) == 0 ) ++ if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) + { + if ( p->opts->keep_comments != 0 && p->font != 0 ) + { +@@ -2123,7 +2123,7 @@ + { + memory = p->memory; + +- if ( ft_memcmp( line, "STARTFONT", 9 ) != 0 ) ++ if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 ) + { + /* we don't emit an error message since this code gets */ + /* explicitly caught one level higher */ +@@ -2171,7 +2171,7 @@ + } + + /* Check for the start of the properties. */ +- if ( ft_memcmp( line, "STARTPROPERTIES", 15 ) == 0 ) ++ if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 ) + { + if ( !( p->flags & _BDF_FONT_BBX ) ) + { +@@ -2200,7 +2200,7 @@ + } + + /* Check for the FONTBOUNDINGBOX field. */ +- if ( ft_memcmp( line, "FONTBOUNDINGBOX", 15 ) == 0 ) ++ if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 ) + { + if ( !( p->flags & _BDF_SIZE ) ) + { +@@ -2231,7 +2231,7 @@ + } + + /* The next thing to check for is the FONT field. */ +- if ( ft_memcmp( line, "FONT", 4 ) == 0 ) ++ if ( ft_strncmp( line, "FONT", 4 ) == 0 ) + { + error = _bdf_list_split( &p->list, (char *)" +", line, linelen ); + if ( error ) +@@ -2266,7 +2266,7 @@ + } + + /* Check for the SIZE field. */ +- if ( ft_memcmp( line, "SIZE", 4 ) == 0 ) ++ if ( ft_strncmp( line, "SIZE", 4 ) == 0 ) + { + if ( !( p->flags & _BDF_FONT_NAME ) ) + { +@@ -2320,7 +2320,7 @@ + } + + /* Check for the CHARS field -- font properties are optional */ +- if ( ft_memcmp( line, "CHARS", 5 ) == 0 ) ++ if ( ft_strncmp( line, "CHARS", 5 ) == 0 ) + { + char nbuf[128]; + only in patch2: unchanged: --- freetype-2.5.2.orig/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9675-2.patch +++ freetype-2.5.2/debian/patches-freetype/CVE-2014-96xx/CVE-2014-9675-2.patch @@ -0,0 +1,236 @@ +From 2c4832d30939b45c05757f0a05128ce64c4cacc7 Mon Sep 17 00:00:00 2001 +From: Werner Lemberg +Date: Fri, 07 Nov 2014 06:42:33 +0000 +Subject: Fix Savannah bug #43535. + +* src/bdf/bdflib.c (_bdf_strncmp): New macro that checks one +character more than `strncmp'. +s/ft_strncmp/_bdf_strncmp/ everywhere. +--- +Index: freetype-2.5.2/src/bdf/bdflib.c +=================================================================== +--- freetype-2.5.2.orig/src/bdf/bdflib.c 2015-02-24 08:39:01.796948535 -0500 ++++ freetype-2.5.2/src/bdf/bdflib.c 2015-02-24 08:39:01.796948535 -0500 +@@ -169,6 +169,18 @@ + sizeof ( _bdf_properties[0] ); + + ++ /* An auxiliary macro to parse properties, to be used in conditionals. */ ++ /* It behaves like `strncmp' but also tests the following character */ ++ /* whether it is a whitespace or NULL. */ ++ /* `property' is a constant string of length `n' to compare with. */ ++#define _bdf_strncmp( name, property, n ) \ ++ ( ft_strncmp( name, property, n ) || \ ++ !( name[n] == ' ' || \ ++ name[n] == '\0' || \ ++ name[n] == '\n' || \ ++ name[n] == '\r' || \ ++ name[n] == '\t' ) ) ++ + /* Auto correction messages. */ + #define ACMSG1 "FONT_ASCENT property missing. " \ + "Added `FONT_ASCENT %hd'.\n" +@@ -1409,7 +1421,7 @@ + + /* If the property happens to be a comment, then it doesn't need */ + /* to be added to the internal hash table. */ +- if ( ft_strncmp( name, "COMMENT", 7 ) != 0 ) ++ if ( _bdf_strncmp( name, "COMMENT", 7 ) != 0 ) + { + /* Add the property to the font property table. */ + error = hash_insert( fp->name, +@@ -1427,13 +1439,13 @@ + /* FONT_ASCENT and FONT_DESCENT need to be assigned if they are */ + /* present, and the SPACING property should override the default */ + /* spacing. */ +- if ( ft_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 ) ++ if ( _bdf_strncmp( name, "DEFAULT_CHAR", 12 ) == 0 ) + font->default_char = fp->value.l; +- else if ( ft_strncmp( name, "FONT_ASCENT", 11 ) == 0 ) ++ else if ( _bdf_strncmp( name, "FONT_ASCENT", 11 ) == 0 ) + font->font_ascent = fp->value.l; +- else if ( ft_strncmp( name, "FONT_DESCENT", 12 ) == 0 ) ++ else if ( _bdf_strncmp( name, "FONT_DESCENT", 12 ) == 0 ) + font->font_descent = fp->value.l; +- else if ( ft_strncmp( name, "SPACING", 7 ) == 0 ) ++ else if ( _bdf_strncmp( name, "SPACING", 7 ) == 0 ) + { + if ( !fp->value.atom ) + { +@@ -1491,7 +1503,7 @@ + memory = font->memory; + + /* Check for a comment. */ +- if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) ++ if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 ) + { + linelen -= 7; + +@@ -1508,7 +1520,7 @@ + /* The very first thing expected is the number of glyphs. */ + if ( !( p->flags & _BDF_GLYPHS ) ) + { +- if ( ft_strncmp( line, "CHARS", 5 ) != 0 ) ++ if ( _bdf_strncmp( line, "CHARS", 5 ) != 0 ) + { + FT_ERROR(( "_bdf_parse_glyphs: " ERRMSG1, lineno, "CHARS" )); + error = FT_THROW( Missing_Chars_Field ); +@@ -1542,7 +1554,7 @@ + } + + /* Check for the ENDFONT field. */ +- if ( ft_strncmp( line, "ENDFONT", 7 ) == 0 ) ++ if ( _bdf_strncmp( line, "ENDFONT", 7 ) == 0 ) + { + if ( p->flags & _BDF_GLYPH_BITS ) + { +@@ -1564,7 +1576,7 @@ + } + + /* Check for the ENDCHAR field. */ +- if ( ft_strncmp( line, "ENDCHAR", 7 ) == 0 ) ++ if ( _bdf_strncmp( line, "ENDCHAR", 7 ) == 0 ) + { + p->glyph_enc = 0; + p->flags &= ~_BDF_GLYPH_BITS; +@@ -1580,7 +1592,7 @@ + goto Exit; + + /* Check for the STARTCHAR field. */ +- if ( ft_strncmp( line, "STARTCHAR", 9 ) == 0 ) ++ if ( _bdf_strncmp( line, "STARTCHAR", 9 ) == 0 ) + { + /* Set the character name in the parse info first until the */ + /* encoding can be checked for an unencoded character. */ +@@ -1614,7 +1626,7 @@ + } + + /* Check for the ENCODING field. */ +- if ( ft_strncmp( line, "ENCODING", 8 ) == 0 ) ++ if ( _bdf_strncmp( line, "ENCODING", 8 ) == 0 ) + { + if ( !( p->flags & _BDF_GLYPH ) ) + { +@@ -1800,7 +1812,7 @@ + } + + /* Expect the SWIDTH (scalable width) field next. */ +- if ( ft_strncmp( line, "SWIDTH", 6 ) == 0 ) ++ if ( _bdf_strncmp( line, "SWIDTH", 6 ) == 0 ) + { + if ( !( p->flags & _BDF_ENCODING ) ) + goto Missing_Encoding; +@@ -1816,7 +1828,7 @@ + } + + /* Expect the DWIDTH (scalable width) field next. */ +- if ( ft_strncmp( line, "DWIDTH", 6 ) == 0 ) ++ if ( _bdf_strncmp( line, "DWIDTH", 6 ) == 0 ) + { + if ( !( p->flags & _BDF_ENCODING ) ) + goto Missing_Encoding; +@@ -1844,7 +1856,7 @@ + } + + /* Expect the BBX field next. */ +- if ( ft_strncmp( line, "BBX", 3 ) == 0 ) ++ if ( _bdf_strncmp( line, "BBX", 3 ) == 0 ) + { + if ( !( p->flags & _BDF_ENCODING ) ) + goto Missing_Encoding; +@@ -1912,7 +1924,7 @@ + } + + /* And finally, gather up the bitmap. */ +- if ( ft_strncmp( line, "BITMAP", 6 ) == 0 ) ++ if ( _bdf_strncmp( line, "BITMAP", 6 ) == 0 ) + { + unsigned long bitmap_size; + +@@ -1987,7 +1999,7 @@ + p = (_bdf_parse_t *) client_data; + + /* Check for the end of the properties. */ +- if ( ft_strncmp( line, "ENDPROPERTIES", 13 ) == 0 ) ++ if ( _bdf_strncmp( line, "ENDPROPERTIES", 13 ) == 0 ) + { + /* If the FONT_ASCENT or FONT_DESCENT properties have not been */ + /* encountered yet, then make sure they are added as properties and */ +@@ -2028,12 +2040,12 @@ + } + + /* Ignore the _XFREE86_GLYPH_RANGES properties. */ +- if ( ft_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 ) ++ if ( _bdf_strncmp( line, "_XFREE86_GLYPH_RANGES", 21 ) == 0 ) + goto Exit; + + /* Handle COMMENT fields and properties in a special way to preserve */ + /* the spacing. */ +- if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) ++ if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 ) + { + name = value = line; + value += 7; +@@ -2097,7 +2109,7 @@ + + /* Check for a comment. This is done to handle those fonts that have */ + /* comments before the STARTFONT line for some reason. */ +- if ( ft_strncmp( line, "COMMENT", 7 ) == 0 ) ++ if ( _bdf_strncmp( line, "COMMENT", 7 ) == 0 ) + { + if ( p->opts->keep_comments != 0 && p->font != 0 ) + { +@@ -2123,7 +2135,7 @@ + { + memory = p->memory; + +- if ( ft_strncmp( line, "STARTFONT", 9 ) != 0 ) ++ if ( _bdf_strncmp( line, "STARTFONT", 9 ) != 0 ) + { + /* we don't emit an error message since this code gets */ + /* explicitly caught one level higher */ +@@ -2171,7 +2183,7 @@ + } + + /* Check for the start of the properties. */ +- if ( ft_strncmp( line, "STARTPROPERTIES", 15 ) == 0 ) ++ if ( _bdf_strncmp( line, "STARTPROPERTIES", 15 ) == 0 ) + { + if ( !( p->flags & _BDF_FONT_BBX ) ) + { +@@ -2200,7 +2212,7 @@ + } + + /* Check for the FONTBOUNDINGBOX field. */ +- if ( ft_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 ) ++ if ( _bdf_strncmp( line, "FONTBOUNDINGBOX", 15 ) == 0 ) + { + if ( !( p->flags & _BDF_SIZE ) ) + { +@@ -2231,7 +2243,7 @@ + } + + /* The next thing to check for is the FONT field. */ +- if ( ft_strncmp( line, "FONT", 4 ) == 0 ) ++ if ( _bdf_strncmp( line, "FONT", 4 ) == 0 ) + { + error = _bdf_list_split( &p->list, (char *)" +", line, linelen ); + if ( error ) +@@ -2266,7 +2278,7 @@ + } + + /* Check for the SIZE field. */ +- if ( ft_strncmp( line, "SIZE", 4 ) == 0 ) ++ if ( _bdf_strncmp( line, "SIZE", 4 ) == 0 ) + { + if ( !( p->flags & _BDF_FONT_NAME ) ) + { +@@ -2320,7 +2332,7 @@ + } + + /* Check for the CHARS field -- font properties are optional */ +- if ( ft_strncmp( line, "CHARS", 5 ) == 0 ) ++ if ( _bdf_strncmp( line, "CHARS", 5 ) == 0 ) + { + char nbuf[128]; +