From owner-freebsd-gnome@FreeBSD.ORG Fri May 18 20:49:50 2007
Return-Path:
X-Original-To: gnome@freebsd.org
Delivered-To: freebsd-gnome@FreeBSD.ORG
Received: from mx1.freebsd.org (mx1.freebsd.org [69.147.83.52]) by hub.freebsd.org (Postfix) with ESMTP id D1E5316A401 for ; Fri, 18 May 2007 20:49:50 +0000 (UTC) (envelope-from snb@smtp.earth.threerings.net)
Received: from smtp.earth.threerings.net (smtp1.earth.threerings.net [64.127.109.108]) by mx1.freebsd.org (Postfix) with ESMTP id C4A6813C457 for ; Fri, 18 May 2007 20:49:50 +0000 (UTC) (envelope-from snb@smtp.earth.threerings.net)
Received: by smtp.earth.threerings.net (Postfix, from userid 10038) id 5E65461E4E; Fri, 18 May 2007 13:28:42 -0700 (PDT)
To: FreeBSD-gnats-submit@freebsd.org
From: Nick Barkas
X-send-pr-version: 3.113
X-GNATS-Notify:
Message-Id: <20070518202842.5E65461E4E@smtp.earth.threerings.net>
Date: Fri, 18 May 2007 13:28:42 -0700 (PDT)
Cc: gnome@freebsd.org
Subject: [patch] [security] print/freetype2 fix for heap overflow
X-BeenThere: freebsd-gnome@freebsd.org
X-Mailman-Version: 2.1.5
Precedence: list
Reply-To: Nick Barkas
List-Id: GNOME for FreeBSD -- porting and maintaining
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
X-List-Received-Date: Fri, 18 May 2007 20:49:50 -0000

>Submitter-Id: current-users
>Originator: Nick Barkas
>Organization: Three Rings Design
>Confidential: no
>Synopsis: [patch] [security] print/freetype2 fix for heap overflow
>Severity: critical
>Priority: high
>Category: ports
>Class: update
>Release: FreeBSD 6.1-RELEASE-p6 i386
>Environment:
FreeBSD lab1.earth.threerings.net 6.1-RELEASE-p6 FreeBSD 6.1-RELEASE-p6 #5: Wed Sep 13 17:45:32 PDT 2006 root@lab1.earth.threerings.net:/usr/obj/usr/src/sys/SMP i386
>Description:
See http://nvd.nist.gov/nvd.cfm?cvename=CVE-2007-2754

"Integer signedness error in truetype/ttgload.c in Freetype 2.3.4 and earlier might allow remote attackers to execute arbitrary code via a crafted TTF image with a negative n_points value, which leads to an integer overflow and heap-based buffer overflow."

This bug can allow remote code execution, so this should probably be added to the VuXML. Maintainer has been CC'd.
>How-To-Repeat:
>Fix:
The latest release of FreeType does not seem to include a fix for this, but this patch should fix the problem. I put it in the port's files directory, incremented portrevision, and portupgrade took care of updating the port for me.

--- patch-src_truetype_ttgload.c begins here --- --- src/truetype/ttgload.c.orig Tue Feb 14 12:44:56 2006 +++ src/truetype/ttgload.c Fri May 18 13:05:34 2007
@@ -269,7 +269,11 @@ n_points = 0; if ( n_contours > 0 ) + { n_points = cont[-1] + 1; + if ( n_points < 0 ) + goto Invalid_Outline; + } /* note that we will add four phantom points later */ error = FT_GLYPHLOADER_CHECK_POINTS( gloader, n_points + 4, 0 ); @@ -677,7 +681,7 @@ FT_GlyphLoader gloader = loader->gloader; FT_Error error = TT_Err_Ok; FT_Outline* outline; - FT_UInt n_points; + FT_Int n_points; outline = &gloader->current.outline; @@ -704,7 +708,7 @@ /* Deltas apply to the unscaled data. */ FT_Vector* deltas; FT_Memory memory = loader->face->memory; - FT_UInt i; + FT_Int i; error = TT_Vary_Get_Glyph_Deltas( (TT_Face)(loader->face), --- patch-src_truetype_ttgload.c ends here ---
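Review bot: In the @@ -269,7 +269,11 @@ hunk, the new `if ( n_points < 0 ) goto Invalid_Outline;` guard only rejects anything if n_points is a signed type in this function; its declaration is outside the hunk, so confirm it is FT_Int (or another signed type) and that an `Invalid_Outline:` label exists in the function, otherwise the comparison is always false or the file does not compile. The placement before `FT_GLYPHLOADER_CHECK_POINTS( gloader, n_points + 4, 0 )` matters and deserves a comment in the code: for n_points between -4 and -1 the request `n_points + 4` is 0..3 and would pass the loader's size check, so this sign test is the only thing stopping a negative count. Note also that a last contour end point of -1 gives `cont[-1] + 1 == 0`, which passes the check even though n_contours > 0; if the rest of the loader assumes at least one point per contour, consider rejecting `cont[-1] < 0` directly.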
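Review bot: The @@ -677,7 +681,7 @@ hunk changes only the declaration `FT_UInt n_points;` to `FT_Int n_points;` and adds no check, so on its own it changes how a negative count is represented rather than stopping it; the PR text should say that this relies on the guard added in the first hunk. Every use of n_points in TT_Process_Simple_Glyph that is not shown here needs checking for comparisons or arithmetic against unsigned operands (loop indices, sizes handed to memory routines): any that stay unsigned convert a negative FT_Int back into a huge unsigned value, which is the original bug in a different place.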
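Review bot: The @@ -704,7 +708,7 @@ hunk changes `FT_UInt i;` to `FT_Int i;` in the deltas block, which is needed to keep the counter's signedness consistent with the n_points change in the previous hunk (if the loop is written as `i < n_points`, a signed n_points compared with an unsigned i would be converted to unsigned again); the loop itself is outside the hunk, so verify no other counter or length in that function still compares against n_points as unsigned, and add a one-line comment at the declaration saying why the index is signed so a later cleanup does not revert it.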
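The signedness problem the NVD text above describes, as an added C illustration that is not part of this PR, of the port's patch, or of FreeType itself: the typedefs, sample byte arrays and function names are constructed stand-ins, while the loader's `cont[-1] + 1` and `n_points + 4` arithmetic is kept as in the hunk. It shows the pre-patch unsigned count beside the patched signed-and-checked count on the same input.

```c
#include <stdint.h>

/* Stand-ins for FreeType's integer typedefs (assumption: the real ones live
   in fttypes.h; this example is self-contained and does not include it). */
typedef short        FT_Short;
typedef int          FT_Int;
typedef unsigned int FT_UInt;

/* Constructed sample contour end-point arrays, laid out as the big-endian
   SHORTs a TrueType simple glyph stores; not taken from any real font. */
const uint8_t sample_ok[]  = { 0x00, 0x03, 0x00, 0x07 }; /* contours end at points 3 and 7 */
const uint8_t sample_bad[] = { 0x00, 0x03, 0xFF, 0xFE }; /* last end point decodes to -2 */

/* Decode one big-endian 16-bit value as a signed short, the way
   FT_NEXT_SHORT does. The byte pair 0xFF 0xFE therefore yields -2. */
static FT_Short next_short(const uint8_t *p)
{
    return (FT_Short)(((uint16_t)p[0] << 8) | p[1]);
}

/* Last contour end point of the glyph (cont[-1] in the loader). */
static FT_Short last_end_point(const uint8_t *endpts, int n_contours)
{
    return next_short(endpts + 2 * (n_contours - 1));
}

/* Pre-patch shape: the point count lands in an unsigned variable, so a
   negative end point becomes a count near four billion instead of an error. */
FT_UInt n_points_unsigned(const uint8_t *endpts, int n_contours)
{
    FT_UInt n_points = 0;

    if (n_contours > 0)
        n_points = (FT_UInt)(last_end_point(endpts, n_contours) + 1);
    return n_points;
}

/* Size the glyph loader is asked to reserve: n_points plus four phantom points.
   With the wrapped unsigned count this addition overflows back to a small
   number, so a size check on it passes while later loops use the huge count. */
FT_UInt points_requested(FT_UInt n_points)
{
    return n_points + 4;
}

/* Patched shape: keep the count signed and reject it before any size check.
   Returns the point count, or -1 where the loader would goto Invalid_Outline. */
FT_Int n_points_checked(const uint8_t *endpts, int n_contours)
{
    FT_Int n_points = 0;

    if (n_contours > 0) {
        n_points = last_end_point(endpts, n_contours) + 1;
        if (n_points < 0)
            return -1;
    }
    return n_points;
}
```

On the two sample arrays, the unsigned path turns the -2 end point into a count of 4294967295, and adding the four phantom points wraps that to 3, which is why a size check on `n_points + 4` passes; the checked path returns -1 for the same bytes and never reaches the size check, while the well-formed glyph yields 8 points either way.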