freetype: fix CVE-2017-{8105,8287} by upstream patches

vcunat · vcunat · commit 163dd01a3c82 · 2017-05-14T15:02:50.000+02:00
I copied the patches, as the changelog changes would certainly conflict. (cherry picked from commit b0d2de4)
diff --git a/pkgs/development/libraries/freetype/cve-2017-8105.patch b/pkgs/development/libraries/freetype/cve-2017-8105.patch
@@ -0,0 +1,27 @@
+http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=f958c48ee43
+
+diff --git a/src/psaux/t1decode.c b/src/psaux/t1decode.c
+index af7b465..7dd4513 100644
+--- a/src/psaux/t1decode.c
++++ b/src/psaux/t1decode.c
+@@ -780,10 +780,19 @@
+             /* point without adding any point to the outline    */
+             idx = decoder->num_flex_vectors++;
+             if ( idx > 0 && idx < 7 )
++            {
++              /* in malformed fonts it is possible to have other */
++              /* opcodes in the middle of a flex (which don't    */
++              /* increase `num_flex_vectors'); we thus have to   */
++              /* check whether we can add a point                */
++              if ( FT_SET_ERROR( t1_builder_check_points( builder, 1 ) ) )
++                goto Syntax_Error;
++
+               t1_builder_add_point( builder,
+                                     x,
+                                     y,
+                                     (FT_Byte)( idx == 3 || idx == 6 ) );
++            }
+           }
+           break;
+ 
+
diff --git a/pkgs/development/libraries/freetype/cve-2017-8287.patch b/pkgs/development/libraries/freetype/cve-2017-8287.patch
@@ -0,0 +1,22 @@
+http://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=3774fc08b
+
+diff --git a/src/psaux/psobjs.c b/src/psaux/psobjs.c
+index d18e821..0baf836 100644
+--- a/src/psaux/psobjs.c
++++ b/src/psaux/psobjs.c
+@@ -1718,6 +1718,14 @@
+     first = outline->n_contours <= 1
+             ? 0 : outline->contours[outline->n_contours - 2] + 1;
+ 
++    /* in malformed fonts it can happen that a contour was started */
++    /* but no points were added                                    */
++    if ( outline->n_contours && first == outline->n_points )
++    {
++      outline->n_contours--;
++      return;
++    }
++
+     /* We must not include the last point in the path if it */
+     /* is located on the first point.                       */
+     if ( outline->n_points > 1 )
+
diff --git a/pkgs/development/libraries/freetype/default.nix b/pkgs/development/libraries/freetype/default.nix
@@ -37,6 +37,9 @@ stdenv.mkDerivation rec {
       url = "http://pkgs.fedoraproject.org/cgit/rpms/freetype.git/plain/freetype-2.2.1-enable-valid.patch?id=9a81147af83b1166a5f301e379f85927cc610990";
       sha256 = "0zkgqhws2s0j8ywksclf391iijhidb1a406zszd7xbdjn28kmj2l";
     })
+    # remove the two CVE patches after updating to >= 2.8
+    ./cve-2017-8105.patch
+    ./cve-2017-8287.patch
   ] ++ optionals (!useInfinality && useEncumberedCode) [
     # Patch to enable subpixel rendering.
     # See https://www.freetype.org/freetype2/docs/reference/ft2-lcd_filtering.html.
