From 82d331556ce73de07c16afd51a865ba1ff806a65 Mon Sep 17 00:00:00 2001
From: Alexei Podtelezhnikov
Date: Sun, 11 Oct 2020 21:56:50 -0400
Subject: [PATCH 1/5] Unnest markdown.

---
 include/freetype/ftimage.h | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/include/freetype/ftimage.h b/include/freetype/ftimage.h
index b125ce980..74911620d 100644
--- a/include/freetype/ftimage.h
+++ b/include/freetype/ftimage.h
@@ -1020,7 +1020,7 @@ FT_BEGIN_HEADER
 * is generated. The `target` should have appropriate pixel mode and its
 * dimensions define the clipping region.
 *
- * If both `( @FT_RASTER_FLAG_AA | @FT_RASTER_FLAG_DIRECT )` bit flags
+ * If both @FT_RASTER_FLAG_AA and @FT_RASTER_FLAG_DIRECT bit flags
 * are set in `flags`, the raster calls an @FT_SpanFunc callback
 * `gray_spans` with `user` data as an argument ignoring `target`. This
 * allows direct composition over a pre-existing user surface to perform

From a93f50b61150605745771e95e8f522c2cb714ff9 Mon Sep 17 00:00:00 2001
From: Alexei Podtelezhnikov
Date: Sat, 17 Oct 2020 21:58:50 -0400
Subject: [PATCH 2/5] * src/sfnt/sfwoff2.c (Read255UShort): Tweak types to please VC++.

---
 ChangeLog | 4 ++++
 src/sfnt/sfwoff2.c | 8 ++++----
 2 files changed, 8 insertions(+), 4 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 969e3f5ae..79d899b3e 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2020-10-17 Alexei Podtelezhnikov
+
+ * src/sfnt/sfwoff2.c (Read255UShort): Tweak types to please VC++.
+
 2020-10-10 Werner Lemberg
 * Version 2.10.3 released.
diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
index 73d19f513..5c8202f82 100644
--- a/src/sfnt/sfwoff2.c
+++ b/src/sfnt/sfwoff2.c
@@ -125,10 +125,10 @@
 Read255UShort( FT_Stream stream,
 FT_UShort* value )
 {
- static const FT_Int oneMoreByteCode1 = 255;
- static const FT_Int oneMoreByteCode2 = 254;
- static const FT_Int wordCode = 253;
- static const FT_Int lowestUCode = 253;
+ const FT_Byte oneMoreByteCode1 = 255;
+ const FT_Byte oneMoreByteCode2 = 254;
+ const FT_Byte wordCode = 253;
+ const FT_UShort lowestUCode = 253;
 FT_Error error = FT_Err_Ok;
 FT_Byte code;

From 840ce58f94bafdd24a138a9f7920becb5a30695f Mon Sep 17 00:00:00 2001
From: Alexei Podtelezhnikov
Date: Sun, 18 Oct 2020 07:36:57 -0400
Subject: [PATCH 3/5] * src/sfnt/tt{colr,cpal}.c: Fix signedness warnings from VC++.

---
 ChangeLog | 4 ++++
 src/sfnt/ttcolr.c | 6 +++---
 src/sfnt/ttcpal.c | 12 ++++++------
 3 files changed, 13 insertions(+), 9 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index 79d899b3e..e89f4c9e7 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,7 @@
+2020-10-17 Alexei Podtelezhnikov
+
+ * src/sfnt/tt{colr,cpal}.c: Fix signedness warnings from VC++.
+
 2020-10-17 Alexei Podtelezhnikov
 * src/sfnt/sfwoff2.c (Read255UShort): Tweak types to please VC++.
diff --git a/src/sfnt/ttcolr.c b/src/sfnt/ttcolr.c
index 7476c426a..9025e356c 100644
--- a/src/sfnt/ttcolr.c
+++ b/src/sfnt/ttcolr.c
@@ -39,9 +39,9 @@
 /* NOTE: These are the table sizes calculated through the specs. */
-#define BASE_GLYPH_SIZE 6
-#define LAYER_SIZE 4
-#define COLR_HEADER_SIZE 14
+#define BASE_GLYPH_SIZE 6U
+#define LAYER_SIZE 4U
+#define COLR_HEADER_SIZE 14U
 typedef struct BaseGlyphRecord_
diff --git a/src/sfnt/ttcpal.c b/src/sfnt/ttcpal.c
index bdf7bfa30..9c514bafe 100644
--- a/src/sfnt/ttcpal.c
+++ b/src/sfnt/ttcpal.c
@@ -39,8 +39,8 @@
 /* NOTE: These are the table sizes calculated through the specs. */
-#define CPAL_V0_HEADER_BASE_SIZE 12
-#define COLOR_SIZE 4
+#define CPAL_V0_HEADER_BASE_SIZE 12U
+#define COLOR_SIZE 4U
 /* all data from `CPAL' not covered in FT_Palette_Data */
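Review bot: The four code constants at the top of Read255UShort still carry no comment naming the encoding they implement, and this hunk now gives them two different types (`FT_Byte` for the three byte codes, `FT_UShort` for `lowestUCode`) without saying why. A short comment above them would settle both, e.g. `/* WOFF2 255UInt16 variable-length encoding: the byte codes are matched */` `/* against code, lowestUCode is the offset folded into the decoded value  */` — that is presumably how the body uses them, but it continues outside the hunk, so confirm the wording against it. Dropping `static` from these block-scope constants is fine since the initializers are literals.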
@@ -139,7 +139,7 @@
 3U * 4 > table_size )
 goto InvalidTable;
- p += face->palette_data.num_palettes * 2;
+ p += face->palette_data.num_palettes * 2U;
 type_offset = FT_NEXT_ULONG( p );
 label_offset = FT_NEXT_ULONG( p );
@@ -149,7 +149,7 @@
 {
 if ( type_offset >= table_size )
 goto InvalidTable;
- if ( face->palette_data.num_palettes * 2 >
+ if ( face->palette_data.num_palettes * 2U >
 table_size - type_offset )
 goto InvalidTable;
@@ -170,7 +170,7 @@
 {
 if ( label_offset >= table_size )
 goto InvalidTable;
- if ( face->palette_data.num_palettes * 2 >
+ if ( face->palette_data.num_palettes * 2U >
 table_size - label_offset )
 goto InvalidTable;
@@ -191,7 +191,7 @@
 {
 if ( entry_label_offset >= table_size )
 goto InvalidTable;
- if ( face->palette_data.num_palette_entries * 2 >
+ if ( face->palette_data.num_palette_entries * 2U >
 table_size - entry_label_offset )
 goto InvalidTable;

From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Mon, 19 Oct 2020 23:45:28 +0200
Subject: [PATCH 4/5] [sfnt] Fix heap buffer overflow (#59308).

This is CVE-2020-15999.

* src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
---
 ChangeLog | 8 ++++++++
 src/sfnt/pngshim.c | 14 +++++++-------
 2 files changed, 15 insertions(+), 7 deletions(-)

diff --git a/ChangeLog b/ChangeLog
index e89f4c9e7..7c4b057a8 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,11 @@
+2020-10-19 Werner Lemberg
+
+ [sfnt] Fix heap buffer overflow (#59308).
+
+ This is CVE-2020-15999.
+
+ * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+
 2020-10-17 Alexei Podtelezhnikov
 * src/sfnt/tt{colr,cpal}.c: Fix signedness warnings from VC++.
diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
index 2e64e5846..f55016122 100644
--- a/src/sfnt/pngshim.c
+++ b/src/sfnt/pngshim.c
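Review bot: The bare literal `2U` now stands for the size of a 16-bit table entry in four places in ttcpal.c (this hunk and the ones at -149, -170 and -191), while the same file names its other record sizes (`COLOR_SIZE 4U`, `CPAL_V0_HEADER_BASE_SIZE 12U` in the earlier hunk). A named constant beside those, e.g. `#define USHORT_SIZE  2U` used as `face->palette_data.num_palettes * USHORT_SIZE`, would keep the size arithmetic self-describing and consistent with the rest of the file. The arithmetic itself looks sound: the `offset >= table_size` guards on the preceding lines keep `table_size - offset` from wrapping, and `num_palettes * 2U` stays far below the unsigned range if `num_palettes` is a 16-bit field as its use suggests — its declaration is outside the hunk, so confirm. The enclosing function begins and ends outside these hunks.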
@@ -332,6 +332,13 @@
 if ( populate_map_and_metrics )
 {
+ /* reject too large bitmaps similarly to the rasterizer */
+ if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
+ {
+ error = FT_THROW( Array_Too_Large );
+ goto DestroyExit;
+ }
+
 metrics->width = (FT_UShort)imgWidth;
 metrics->height = (FT_UShort)imgHeight;
@@ -340,13 +347,6 @@
 map->pixel_mode = FT_PIXEL_MODE_BGRA;
 map->pitch = (int)( map->width * 4 );
 map->num_grays = 256;
-
- /* reject too large bitmaps similarly to the rasterizer */
- if ( map->rows > 0x7FFF || map->width > 0x7FFF )
- {
- error = FT_THROW( Array_Too_Large );
- goto DestroyExit;
- }
 }
 /* convert palette/gray image to rgb */

From 6a2b3e4007e794bfc6c91030d0ed987f925164a8 Mon Sep 17 00:00:00 2001
From: Werner Lemberg
Date: Tue, 20 Oct 2020 07:10:27 +0200
Subject: [PATCH 5/5] * Version 2.10.4 released.

==========================

Tag sources with `VER-2-10-4'.

* docs/VERSION.TXT: Add entry for version 2.10.4.
* docs/CHANGES: Updated.

* README, src/base/ftver.rc, builds/windows/vc2010/index.html, builds/windows/visualc/index.html, builds/windows/visualce/index.html, builds/wince/vc2005-ce/index.html, builds/wince/vc2008-ce/index.html, docs/freetype-config.1: s/2.10.3/2.10.4/, s/2103/2104/.

* include/freetype/freetype.h (FREETYPE_PATCH): Set to 4.

* builds/unix/configure.raw (version_info): Set to 23:4:17.
* CMakeLists.txt (VERSION_PATCH): Set to 4.
---
 CMakeLists.txt | 2 +-
 ChangeLog | 23 +++++++++++++++++++++++
 README | 8 ++++----
 builds/unix/configure.raw | 2 +-
 builds/wince/vc2005-ce/index.html | 2 +-
 builds/wince/vc2008-ce/index.html | 2 +-
 builds/windows/vc2010/index.html | 2 +-
 builds/windows/visualc/index.html | 2 +-
 builds/windows/visualce/index.html | 2 +-
 docs/CHANGES | 15 +++++++++++++++
 docs/VERSIONS.TXT | 1 +
 docs/freetype-config.1 | 2 +-
 include/freetype/freetype.h | 2 +-
 src/base/ftver.rc | 4 ++--
 14 files changed, 54 insertions(+), 15 deletions(-)

diff --git a/CMakeLists.txt b/CMakeLists.txt
index 5d13417be..3ed55aad7 100644
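Review bot: The relocated comment `reject too large bitmaps similarly to the rasterizer` does not record why the check had to move: it now runs on `imgWidth`/`imgHeight` before the `(FT_UShort)` casts two lines below, whereas the removed version (hunk -340 in the same file) tested `map->width`/`map->rows`, which are presumably copied from the narrowed metrics in the lines between the two hunks, so a PNG dimension above 16 bits could wrap to a small value and pass the 0x7FFF limit. I would extend the comment so a later cleanup cannot reorder it back, e.g. `/* reject too large bitmaps similarly to the rasterizer; this must */` `/* test the untruncated PNG dimensions, before the FT_UShort casts */`. The branch taken when `populate_map_and_metrics` is false is outside this hunk; presumably the PNG dimensions are compared against the existing map there, which is worth confirming for the same reason. Load_SBit_Png starts and ends outside the hunk.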
--- a/CMakeLists.txt
+++ b/CMakeLists.txt
@@ -147,7 +147,7 @@ project(freetype C)
 set(VERSION_MAJOR "2")
 set(VERSION_MINOR "10")
-set(VERSION_PATCH "3")
+set(VERSION_PATCH "4")
 # Generate LIBRARY_VERSION and LIBRARY_SOVERSION.
 set(LIBTOOL_REGEX "version_info='([0-9]+):([0-9]+):([0-9]+)'")
diff --git a/ChangeLog b/ChangeLog
index 7c4b057a8..42f7c34ba 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,3 +1,26 @@
+2020-10-20 Werner Lemberg
+
+ * Version 2.10.4 released.
+ ==========================
+
+
+ Tag sources with `VER-2-10-4'.
+
+ * docs/VERSION.TXT: Add entry for version 2.10.4.
+ * docs/CHANGES: Updated.
+
+ * README, src/base/ftver.rc, builds/windows/vc2010/index.html,
+ builds/windows/visualc/index.html,
+ builds/windows/visualce/index.html,
+ builds/wince/vc2005-ce/index.html,
+ builds/wince/vc2008-ce/index.html, docs/freetype-config.1:
+ s/2.10.3/2.10.4/, s/2103/2104/.
+
+ * include/freetype/freetype.h (FREETYPE_PATCH): Set to 4.
+
+ * builds/unix/configure.raw (version_info): Set to 23:4:17.
+ * CMakeLists.txt (VERSION_PATCH): Set to 4.
+
 2020-10-19 Werner Lemberg
 [sfnt] Fix heap buffer overflow (#59308).
diff --git a/README b/README
index 2e2e9e2f8..e4c8cf1c5 100644
--- a/README
+++ b/README
@@ -1,4 +1,4 @@
- FreeType 2.10.3
+ FreeType 2.10.4
 ===============
 Homepage: https://www.freetype.org
@@ -27,9 +27,9 @@ and download one of the following files.
- freetype-doc-2.10.3.tar.xz
- freetype-doc-2.10.3.tar.gz
- ftdoc2103.zip
+ freetype-doc-2.10.4.tar.xz
+ freetype-doc-2.10.4.tar.gz
+ ftdoc2104.zip
 To view the documentation online, go to
diff --git a/builds/unix/configure.raw b/builds/unix/configure.raw
index 7ac44fb85..bc65e452a 100644
--- a/builds/unix/configure.raw
+++ b/builds/unix/configure.raw
@@ -17,7 +17,7 @@ AC_CONFIG_SRCDIR([ftconfig.h.in])
 # Don't forget to update `docs/VERSIONS.TXT'!
-version_info='23:3:17'
+version_info='23:4:17'
 AC_SUBST([version_info])
 ft_version=`echo $version_info | tr : .`
 AC_SUBST([ft_version])
diff --git a/builds/wince/vc2005-ce/index.html b/builds/wince/vc2005-ce/index.html
index 9fdf09153..6936a8909 100644
--- a/builds/wince/vc2005-ce/index.html
+++ b/builds/wince/vc2005-ce/index.html
@@ -21,7 +21,7 @@

  • PPC/SP WM6 (Windows Mobile 6)
  • -It compiles the following libraries from the FreeType 2.10.3 sources:

    +It compiles the following libraries from the FreeType 2.10.4 sources:

      diff --git a/builds/wince/vc2008-ce/index.html b/builds/wince/vc2008-ce/index.html
      index b90214fa7..ee385af86 100644
      --- a/builds/wince/vc2008-ce/index.html
      +++ b/builds/wince/vc2008-ce/index.html
      @@ -21,7 +21,7 @@ 

    • PPC/SP WM6 (Windows Mobile 6)
    -It compiles the following libraries from the FreeType 2.10.3 sources:

    +It compiles the following libraries from the FreeType 2.10.4 sources:

      diff --git a/builds/windows/vc2010/index.html b/builds/windows/vc2010/index.html
      index 91ffa2084..3b60c5fe1 100644
      --- a/builds/windows/vc2010/index.html
      +++ b/builds/windows/vc2010/index.html
      @@ -12,7 +12,7 @@ 

      This directory contains solution and project files for Visual C++ 2010 or newer, named freetype.sln, and freetype.vcxproj. It compiles the following libraries -from the FreeType 2.10.3 sources:

      +from the FreeType 2.10.4 sources:

      • freetype.dll using 'Release' or 'Debug' configurations
•
diff --git a/builds/windows/visualc/index.html b/builds/windows/visualc/index.html
index e8986d071..cec26d27a 100644
--- a/builds/windows/visualc/index.html
+++ b/builds/windows/visualc/index.html
@@ -12,7 +12,7 @@

        This directory contains project files freetype.dsp for Visual C++ 6.0, and freetype.vcproj for Visual C++ 2002 through 2008, which you might need to upgrade automatically. -It compiles the following libraries from the FreeType 2.10.3 sources:

        +It compiles the following libraries from the FreeType 2.10.4 sources:

        • freetype.dll using 'Release' or 'Debug' configurations
•
diff --git a/builds/windows/visualce/index.html b/builds/windows/visualce/index.html
index 733dff691..474e85c37 100644
--- a/builds/windows/visualce/index.html
+++ b/builds/windows/visualce/index.html
@@ -21,7 +21,7 @@

        • PPC/SP WM6 (Windows Mobile 6)
        -It compiles the following libraries from the FreeType 2.10.3 sources:

        +It compiles the following libraries from the FreeType 2.10.4 sources:

          diff --git a/docs/CHANGES b/docs/CHANGES
          index a2f6d87fd..3bd5291ae 100644
          --- a/docs/CHANGES
          +++ b/docs/CHANGES
          @@ -1,3 +1,18 @@
          +CHANGES BETWEEN 2.10.3 and 2.10.4
          +
          +  I. IMPORTANT BUG FIXES
          +
          +  - A heap buffer overflow has been found  in the handling of embedded
          +    PNG bitmaps, introduced in FreeType version 2.6.
          +
          +      https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-15999
          +
          +    If you  use option  FT_CONFIG_OPTION_USE_PNG  you  should  upgrade
          +    immediately.
          +
          +
          +======================================================================
          +
           CHANGES BETWEEN 2.10.2 and 2.10.3
           
             I. IMPORTANT CHANGES
          diff --git a/docs/VERSIONS.TXT b/docs/VERSIONS.TXT
          index 60fac1524..4e281a725 100644
          --- a/docs/VERSIONS.TXT
          +++ b/docs/VERSIONS.TXT
          @@ -60,6 +60,7 @@ found on _most_ systems, but not all of them:
           
               release     libtool     so
             -------------------------------
          +     2.10.4     23.4.17   6.17.4
                2.10.3     23.3.17   6.17.3
                2.10.2     23.2.17   6.17.2
                2.10.1     23.1.17   6.17.1
          diff --git a/docs/freetype-config.1 b/docs/freetype-config.1
          index 1b048e46d..7dea66afa 100644
          --- a/docs/freetype-config.1
          +++ b/docs/freetype-config.1
          @@ -1,4 +1,4 @@
          -.TH FREETYPE-CONFIG 1 "October 2020" "FreeType 2.10.3"
          +.TH FREETYPE-CONFIG 1 "October 2020" "FreeType 2.10.4"
           .
           .
           .SH NAME
          diff --git a/include/freetype/freetype.h b/include/freetype/freetype.h
          index ffde9669d..be191f5aa 100644
          --- a/include/freetype/freetype.h
          +++ b/include/freetype/freetype.h
          @@ -4767,7 +4767,7 @@ FT_BEGIN_HEADER
              */
           #define FREETYPE_MAJOR  2
           #define FREETYPE_MINOR  10
          -#define FREETYPE_PATCH  3
          +#define FREETYPE_PATCH  4
           
           
             /**************************************************************************
          diff --git a/src/base/ftver.rc b/src/base/ftver.rc
          index 15dda7f4f..0b92e9b89 100644
          --- a/src/base/ftver.rc
          +++ b/src/base/ftver.rc
          @@ -18,8 +18,8 @@
           
           #include
           
          -#define FT_VERSION      2,10,3,0
          -#define FT_VERSION_STR  "2.10.3"
          +#define FT_VERSION      2,10,4,0
          +#define FT_VERSION_STR  "2.10.4"
           
           VS_VERSION_INFO      VERSIONINFO
           FILEVERSION          FT_VERSION