Merge commit '6a2b3e4007e794bfc6c91030d0ed987f925164a8'

CMakeLists.txt

@@ -147,7 +147,7 @@ project(freetype C)
 
 set(VERSION_MAJOR "2")
 set(VERSION_MINOR "10")
-set(VERSION_PATCH "3")
+set(VERSION_PATCH "4")
 
 # Generate LIBRARY_VERSION and LIBRARY_SOVERSION.
 set(LIBTOOL_REGEX "version_info='([0-9]+):([0-9]+):([0-9]+)'")

ChangeLog

@@ -1,3 +1,42 @@
+2020-10-20  Werner Lemberg  <[email protected]>
+
+	* Version 2.10.4 released.
+	==========================
+
+
+	Tag sources with `VER-2-10-4'.
+
+	* docs/VERSION.TXT: Add entry for version 2.10.4.
+	* docs/CHANGES: Updated.
+
+	* README, src/base/ftver.rc, builds/windows/vc2010/index.html,
+	builds/windows/visualc/index.html,
+	builds/windows/visualce/index.html,
+	builds/wince/vc2005-ce/index.html,
+	builds/wince/vc2008-ce/index.html, docs/freetype-config.1:
+	s/2.10.3/2.10.4/, s/2103/2104/.
+
+	* include/freetype/freetype.h (FREETYPE_PATCH): Set to 4.
+
+	* builds/unix/configure.raw (version_info): Set to 23:4:17.
+	* CMakeLists.txt (VERSION_PATCH): Set to 4.
+
+2020-10-19  Werner Lemberg  <[email protected]>
+
+	[sfnt] Fix heap buffer overflow (#59308).
+
+	This is CVE-2020-15999.
+
+	* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+
+2020-10-17  Alexei Podtelezhnikov  <[email protected]>
+
+	* src/sfnt/tt{colr,cpal}.c: Fix signedness warnings from VC++.
+
+2020-10-17  Alexei Podtelezhnikov  <[email protected]>
+
+	* src/sfnt/sfwoff2.c (Read255UShort): Tweak types to please VC++.
+
 2020-10-10  Werner Lemberg  <[email protected]>
 
 	* Version 2.10.3 released.

README

@@ -1,4 +1,4 @@
-  FreeType 2.10.3
+  FreeType 2.10.4
   ===============
 
   Homepage: https://www.freetype.org
@@ -27,9 +27,9 @@
 
   and download one of the following files.
 
-    freetype-doc-2.10.3.tar.xz
-    freetype-doc-2.10.3.tar.gz
-    ftdoc2103.zip
+    freetype-doc-2.10.4.tar.xz
+    freetype-doc-2.10.4.tar.gz
+    ftdoc2104.zip
 
   To view the documentation online, go to
 

builds/unix/configure.raw

@@ -17,7 +17,7 @@ AC_CONFIG_SRCDIR([ftconfig.h.in])
 
 # Don't forget to update `docs/VERSIONS.TXT'!
 
-version_info='23:3:17'
+version_info='23:4:17'
 AC_SUBST([version_info])
 ft_version=`echo $version_info | tr : .`
 AC_SUBST([ft_version])

builds/wince/vc2005-ce/index.html

@@ -21,7 +21,7 @@ <h1>
   <li>PPC/SP WM6 (Windows Mobile 6)</li>
 </ul>
 
-It compiles the following libraries from the FreeType 2.10.3 sources:</p>
+It compiles the following libraries from the FreeType 2.10.4 sources:</p>
 
 <ul>
   <pre>

builds/wince/vc2008-ce/index.html

@@ -21,7 +21,7 @@ <h1>
   <li>PPC/SP WM6 (Windows Mobile 6)</li>
 </ul>
 
-It compiles the following libraries from the FreeType 2.10.3 sources:</p>
+It compiles the following libraries from the FreeType 2.10.4 sources:</p>
 
 <ul>
   <pre>

builds/windows/vc2010/index.html

@@ -12,7 +12,7 @@ <h1>
 <p>This directory contains solution and project files for
 Visual&nbsp;C++&nbsp;2010 or newer, named <tt>freetype.sln</tt>,
 and <tt>freetype.vcxproj</tt>.  It compiles the following libraries
-from the FreeType 2.10.3 sources:</p>
+from the FreeType 2.10.4 sources:</p>
 
 <ul>
   <li>freetype.dll using 'Release' or 'Debug' configurations</li>

builds/windows/visualc/index.html

@@ -12,7 +12,7 @@ <h1>
 <p>This directory contains project files <tt>freetype.dsp</tt> for
 Visual C++ 6.0, and <tt>freetype.vcproj</tt> for Visual C++ 2002
 through 2008, which you might need to upgrade automatically.
-It compiles the following libraries from the FreeType 2.10.3 sources:</p>
+It compiles the following libraries from the FreeType 2.10.4 sources:</p>
 
 <ul>
   <li>freetype.dll using 'Release' or 'Debug' configurations</li>

builds/windows/visualce/index.html

@@ -21,7 +21,7 @@ <h1>
   <li>PPC/SP WM6 (Windows Mobile 6)</li>
 </ul>
 
-It compiles the following libraries from the FreeType 2.10.3 sources:</p>
+It compiles the following libraries from the FreeType 2.10.4 sources:</p>
 
 <ul>
   <pre>

docs/CHANGES

@@ -1,3 +1,18 @@
+CHANGES BETWEEN 2.10.3 and 2.10.4
+
+  I. IMPORTANT BUG FIXES
+
+  - A heap buffer overflow has been found  in the handling of embedded
+    PNG bitmaps, introduced in FreeType version 2.6.
+
+      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
+
+    If you  use option  FT_CONFIG_OPTION_USE_PNG  you  should  upgrade
+    immediately.
+
+
+======================================================================
+
 CHANGES BETWEEN 2.10.2 and 2.10.3
 
   I. IMPORTANT CHANGES

docs/VERSIONS.TXT

@@ -60,6 +60,7 @@ found on _most_ systems, but not all of them:
 
     release     libtool     so
   -------------------------------
+     2.10.4     23.4.17   6.17.4
      2.10.3     23.3.17   6.17.3
      2.10.2     23.2.17   6.17.2
      2.10.1     23.1.17   6.17.1

docs/freetype-config.1

@@ -1,4 +1,4 @@
-.TH FREETYPE-CONFIG 1 "October 2020" "FreeType 2.10.3"
+.TH FREETYPE-CONFIG 1 "October 2020" "FreeType 2.10.4"
 .
 .
 .SH NAME

include/freetype/freetype.h

@@ -4767,7 +4767,7 @@ FT_BEGIN_HEADER
    */
 #define FREETYPE_MAJOR  2
 #define FREETYPE_MINOR  10
-#define FREETYPE_PATCH  3
+#define FREETYPE_PATCH  4
 
 
   /**************************************************************************

include/freetype/ftimage.h

@@ -1020,7 +1020,7 @@ FT_BEGIN_HEADER
    *   is generated.  The `target` should have appropriate pixel mode and its
    *   dimensions define the clipping region.
    *
-   *   If both `( @FT_RASTER_FLAG_AA | @FT_RASTER_FLAG_DIRECT )` bit flags
+   *   If both @FT_RASTER_FLAG_AA and @FT_RASTER_FLAG_DIRECT bit flags
    *   are set in `flags`, the raster calls an @FT_SpanFunc callback
    *   `gray_spans` with `user` data as an argument ignoring `target`.  This
    *   allows direct composition over a pre-existing user surface to perform

src/base/ftver.rc

@@ -18,8 +18,8 @@
 
 #include<windows.h>
 
-#define FT_VERSION      2,10,3,0
-#define FT_VERSION_STR  "2.10.3"
+#define FT_VERSION      2,10,4,0
+#define FT_VERSION_STR  "2.10.4"
 
 VS_VERSION_INFO      VERSIONINFO
 FILEVERSION          FT_VERSION

src/sfnt/pngshim.c

@@ -332,6 +332,13 @@
 
     if ( populate_map_and_metrics )
     {
+      /* reject too large bitmaps similarly to the rasterizer */
+      if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
+      {
+        error = FT_THROW( Array_Too_Large );
+        goto DestroyExit;
+      }
+
       metrics->width  = (FT_UShort)imgWidth;
       metrics->height = (FT_UShort)imgHeight;
 
@@ -340,13 +347,6 @@
       map->pixel_mode = FT_PIXEL_MODE_BGRA;
       map->pitch      = (int)( map->width * 4 );
       map->num_grays  = 256;
-
-      /* reject too large bitmaps similarly to the rasterizer */
-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
-      {
-        error = FT_THROW( Array_Too_Large );
-        goto DestroyExit;
-      }
     }
 
     /* convert palette/gray image to rgb */

src/sfnt/sfwoff2.c

@@ -125,10 +125,10 @@
   Read255UShort( FT_Stream   stream,
                  FT_UShort*  value )
   {
-    static const FT_Int  oneMoreByteCode1 = 255;
-    static const FT_Int  oneMoreByteCode2 = 254;
-    static const FT_Int  wordCode         = 253;
-    static const FT_Int  lowestUCode      = 253;
+    const FT_Byte    oneMoreByteCode1 = 255;
+    const FT_Byte    oneMoreByteCode2 = 254;
+    const FT_Byte    wordCode         = 253;
+    const FT_UShort  lowestUCode      = 253;
 
     FT_Error   error        = FT_Err_Ok;
     FT_Byte    code;

src/sfnt/ttcolr.c

@@ -39,9 +39,9 @@
 
 
   /* NOTE: These are the table sizes calculated through the specs. */
-#define BASE_GLYPH_SIZE            6
-#define LAYER_SIZE                 4
-#define COLR_HEADER_SIZE          14
+#define BASE_GLYPH_SIZE            6U
+#define LAYER_SIZE                 4U
+#define COLR_HEADER_SIZE          14U
 
 
   typedef struct BaseGlyphRecord_

src/sfnt/ttcpal.c

@@ -39,8 +39,8 @@
 
 
   /* NOTE: These are the table sizes calculated through the specs. */
-#define CPAL_V0_HEADER_BASE_SIZE  12
-#define COLOR_SIZE                 4
+#define CPAL_V0_HEADER_BASE_SIZE  12U
+#define COLOR_SIZE                 4U
 
 
   /* all data from `CPAL' not covered in FT_Palette_Data */
@@ -139,7 +139,7 @@
            3U * 4                               > table_size )
         goto InvalidTable;
 
-      p += face->palette_data.num_palettes * 2;
+      p += face->palette_data.num_palettes * 2U;
 
       type_offset        = FT_NEXT_ULONG( p );
       label_offset       = FT_NEXT_ULONG( p );
@@ -149,7 +149,7 @@
       {
         if ( type_offset >= table_size )
           goto InvalidTable;
-        if ( face->palette_data.num_palettes * 2 >
+        if ( face->palette_data.num_palettes * 2U >
                table_size - type_offset )
           goto InvalidTable;
 
@@ -170,7 +170,7 @@
       {
         if ( label_offset >= table_size )
           goto InvalidTable;
-        if ( face->palette_data.num_palettes * 2 >
+        if ( face->palette_data.num_palettes * 2U >
                table_size - label_offset )
           goto InvalidTable;
 
@@ -191,7 +191,7 @@
       {
         if ( entry_label_offset >= table_size )
           goto InvalidTable;
-        if ( face->palette_data.num_palette_entries * 2 >
+        if ( face->palette_data.num_palette_entries * 2U >
                table_size - entry_label_offset )
           goto InvalidTable;