From 302e0815aab8ebe889872a260645bf7c886bf147 Mon Sep 17 00:00:00 2001 From: Mark H Weaver Date: Thu, 20 Apr 2017 15:10:54 -0400 Subject: [PATCH] gnu: graphite2: Add fixes for CVE-2017-5436 and other bugs. * gnu/packages/fontutils.scm (graphite2)[replacement]: New field. (graphite2/fixed): New variable. * gnu/packages/patches/graphite2-CVE-2017-5436.patch, gnu/packages/patches/graphite2-check-code-point-limit.patch, gnu/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch, gnu/packages/patches/graphite2-non-linear-classes-even-number.patch: New files. * gnu/local.mk (dist_patch_DATA): Add them. --- gnu/local.mk | 4 + gnu/packages/fontutils.scm | 22 +++++ gnu/packages/patches/graphite2-CVE-2017-5436.patch | 25 ++++++ .../patches/graphite2-check-code-point-limit.patch | 50 ++++++++++++ .../graphite2-fix-32-bit-wrap-arounds.patch | 93 ++++++++++++++++++++++ .../graphite2-non-linear-classes-even-number.patch | 26 ++++++ 6 files changed, 220 insertions(+) create mode 100644 gnu/packages/patches/graphite2-CVE-2017-5436.patch create mode 100644 gnu/packages/patches/graphite2-check-code-point-limit.patch create mode 100644 gnu/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch create mode 100644 gnu/packages/patches/graphite2-non-linear-classes-even-number.patch diff --git a/gnu/local.mk b/gnu/local.mk index 1fe24038d..ec27e8765 100644 --- a/gnu/local.mk +++ b/gnu/local.mk @@ -625,7 +625,11 @@ dist_patch_DATA = \ %D%/packages/patches/gobject-introspection-absolute-shlib-path.patch \ %D%/packages/patches/gobject-introspection-cc.patch \ %D%/packages/patches/gobject-introspection-girepository.patch \ + %D%/packages/patches/graphite2-CVE-2017-5436.patch \ + %D%/packages/patches/graphite2-check-code-point-limit.patch \ %D%/packages/patches/graphite2-ffloat-store.patch \ + %D%/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch \ + %D%/packages/patches/graphite2-non-linear-classes-even-number.patch \ %D%/packages/patches/grep-timing-sensitive-test.patch \ %D%/packages/patches/grub-CVE-2015-8370.patch \ %D%/packages/patches/grub-gets-undeclared.patch \ diff --git a/gnu/packages/fontutils.scm b/gnu/packages/fontutils.scm index 7e7234960..cc6d1df59 100644 --- a/gnu/packages/fontutils.scm +++ b/gnu/packages/fontutils.scm @@ -376,6 +376,7 @@ applications should be.") (package (name "graphite2") (version "1.3.9") + (replacement graphite2/fixed) (source (origin (method url-fetch) @@ -400,6 +401,27 @@ and returns a sequence of positioned glyphids from the font.") (license license:lgpl2.1+) (home-page "https://github.com/silnrsi/graphite"))) +(define graphite2/fixed + (package + (inherit graphite2) + (name "graphite2") + (version "1.3.9") + (replacement #f) + (source + (origin + (method url-fetch) + (uri (string-append "https://github.com/silnrsi/graphite/releases/" + "download/" version "/" name "-" version ".tgz")) + (patches (search-patches + "graphite2-ffloat-store.patch" + "graphite2-check-code-point-limit.patch" + "graphite2-CVE-2017-5436.patch" + "graphite2-fix-32-bit-wrap-arounds.patch" + "graphite2-non-linear-classes-even-number.patch")) + (sha256 + (base32 + "0rs5h7m340z75kygx8d72cps0q6yvvqa9i788vym7585cfv8a0gc")))))) + (define-public potrace (package (name "potrace") diff --git a/gnu/packages/patches/graphite2-CVE-2017-5436.patch b/gnu/packages/patches/graphite2-CVE-2017-5436.patch new file mode 100644 index 000000000..d7383ec8d --- /dev/null +++ b/gnu/packages/patches/graphite2-CVE-2017-5436.patch @@ -0,0 +1,25 @@ +From 1ce331d5548b98ed8b818532b2556d6f2c7a3b83 Mon Sep 17 00:00:00 2001 +From: Martin Hosken +Date: Thu, 9 Mar 2017 22:04:04 +0000 +Subject: [PATCH] Ensure features have enough space. Fix from Mozilla + +--- + src/FeatureMap.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/FeatureMap.cpp b/src/FeatureMap.cpp +index b8c8405..83bd5f6 100644 +--- a/src/FeatureMap.cpp ++++ b/src/FeatureMap.cpp +@@ -275,7 +275,7 @@ bool FeatureRef::applyValToFeature(uint32 val, Features & pDest) const + else + if (pDest.m_pMap!=&m_pFace->theSill().theFeatureMap()) + return false; //incompatible +- pDest.reserve(m_index); ++ pDest.reserve(m_index+1); + pDest[m_index] &= ~m_mask; + pDest[m_index] |= (uint32(val) << m_bits); + return true; +-- +2.12.2 + diff --git a/gnu/packages/patches/graphite2-check-code-point-limit.patch b/gnu/packages/patches/graphite2-check-code-point-limit.patch new file mode 100644 index 000000000..a9b6caf53 --- /dev/null +++ b/gnu/packages/patches/graphite2-check-code-point-limit.patch @@ -0,0 +1,50 @@ +From 348c11e4571b534efdbd58a575bbea979c880b2f Mon Sep 17 00:00:00 2001 +From: Tim Eves +Date: Wed, 1 Mar 2017 14:23:46 +0700 +Subject: [PATCH] Fix decoding of USV greater than U+110000 + +Add test cases too +--- + src/inc/UtfCodec.h | 4 ++-- + tests/utftest/utftest.cpp | 3 +++ + 2 files changed, 5 insertions(+), 2 deletions(-) + +diff --git a/src/inc/UtfCodec.h b/src/inc/UtfCodec.h +index 3417bac..9dc760f 100644 +--- a/src/inc/UtfCodec.h ++++ b/src/inc/UtfCodec.h +@@ -124,7 +124,7 @@ struct _utf_codec<8> + private: + static const int8 sz_lut[16]; + static const byte mask_lut[5]; +- ++ static const uchar_t limit = 0x110000; + + public: + typedef uint8 codeunit_t; +@@ -157,7 +157,7 @@ public: + case 0: l = -1; return 0xFFFD; + } + +- if (l != seq_sz || toolong) ++ if (l != seq_sz || toolong || u >= limit) + { + l = -l; + return 0xFFFD; +diff --git a/tests/utftest/utftest.cpp b/tests/utftest/utftest.cpp +index 21cb188..a23553a 100644 +--- a/tests/utftest/utftest.cpp ++++ b/tests/utftest/utftest.cpp +@@ -8,6 +8,9 @@ struct test8 + unsigned char str[12]; + }; + struct test8 tests8[] = { ++ { 0, 0, {0xF4, 0x90, 0x80, 0x80, 0, 0, 0, 0, 0, 0, 0, 0} }, // bad(4) [U+110000] ++ { 0, 0, {0xC0, 0x80, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} }, // bad(4) [U+110000] ++ { 0, 0, {0xA0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0} }, // bad(4) [U+110000] + { 4, -1, {0x7F, 0xDF, 0xBF, 0xEF, 0xBF, 0xBF, 0xF4, 0x8F, 0xBF, 0xBF, 0, 0} }, // U+7F, U+7FF, U+FFFF, U+10FFF + { 2, 3, {0x7F, 0xDF, 0xBF, 0xF0, 0x8F, 0xBF, 0xBF, 0xF4, 0x8F, 0xBF, 0xBF, 0} }, // U+7F, U+7FF, long(U+FFFF), U+10FFF + { 1, 1, {0x7F, 0xE0, 0x9F, 0xBF, 0xEF, 0xBF, 0xBF, 0xF4, 0x8F, 0xBF, 0xBF, 0} }, // U+7F, long(U+7FF), U+FFFF, U+10FFF +-- +2.12.2 + diff --git a/gnu/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch b/gnu/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch new file mode 100644 index 000000000..57d4ce2c6 --- /dev/null +++ b/gnu/packages/patches/graphite2-fix-32-bit-wrap-arounds.patch @@ -0,0 +1,93 @@ +This patch incorporates the following 6 consecutive commits from the upstream +graphite2 repository: + +75b83cd..: Martin Hosken 2017-03-28 Fix 32-bit wrap arounds +1f97e36..: Martin Hosken 2017-03-28 balance comparisons in decompressor +9493785..: Martin Hosken 2017-03-29 Speculative rounding fix +09af043..: Tim Eves 2017-03-31 Move a MINMATCH to rhs of a comparisio +28cc60d..: Tim Eves 2017-03-31 Deal with similar wrap around in literal_len +8afc7d0..: Martin Hosken 2017-04-03 Fix 32-bit rollover in decompressor, again + +This diff was generated by the following command: + + git diff 1ce331d5548b98ed..8afc7d0081959866 + + +diff --git a/src/Decompressor.cpp b/src/Decompressor.cpp +index 084570f..56d531f 100644 +--- a/src/Decompressor.cpp ++++ b/src/Decompressor.cpp +@@ -51,7 +51,7 @@ bool read_sequence(u8 const * &src, u8 const * const end, u8 const * &literal, u + literal = src; + src += literal_len; + +- if (src > end - 2) ++ if (src > end - 2 || src < literal) + return false; + + match_dist = *src++; +@@ -85,7 +85,7 @@ int lz4::decompress(void const *in, size_t in_size, void *out, size_t out_size) + { + // Copy in literal. At this point the last full sequence must be at + // least MINMATCH + 5 from the end of the output buffer. +- if (dst + align(literal_len) > dst_end - (MINMATCH+5)) ++ if (align(literal_len) > unsigned(dst_end - dst - (MINMATCH+5)) || dst_end - dst < MINMATCH + 5) + return -1; + dst = overrun_copy(dst, literal, literal_len); + } +@@ -94,7 +94,8 @@ int lz4::decompress(void const *in, size_t in_size, void *out, size_t out_size) + // decoded output. + u8 const * const pcpy = dst - match_dist; + if (pcpy < static_cast(out) +- || dst + match_len + MINMATCH > dst_end - 5) ++ || match_len > unsigned(dst_end - dst - (MINMATCH+5)) ++ || dst_end - dst < MINMATCH + 5) + return -1; + if (dst > pcpy+sizeof(unsigned long) + && dst + align(match_len + MINMATCH) <= dst_end) +@@ -103,8 +104,8 @@ int lz4::decompress(void const *in, size_t in_size, void *out, size_t out_size) + dst = safe_copy(dst, pcpy, match_len + MINMATCH); + } + +- if (literal + literal_len > src_end +- || dst + literal_len > dst_end) ++ if (literal_len > src_end - literal ++ || literal_len > dst_end - dst) + return -1; + dst = fast_copy(dst, literal, literal_len); + +diff --git a/src/Pass.cpp b/src/Pass.cpp +index a4bac2e..683143c 100644 +--- a/src/Pass.cpp ++++ b/src/Pass.cpp +@@ -171,7 +171,7 @@ bool Pass::readPass(const byte * const pass_start, size_t pass_length, size_t su + const uint16 * const o_actions = reinterpret_cast(p); + be::skip(p, m_numRules + 1); + const byte * const states = p; +- if (e.test(p + 2u*m_numTransition*m_numColumns >= pass_end, E_BADPASSLENGTH)) return face.error(e); ++ if (e.test(2u*m_numTransition*m_numColumns >= (unsigned)(pass_end - p), E_BADPASSLENGTH)) return face.error(e); + be::skip(p, m_numTransition*m_numColumns); + be::skip(p); + if (e.test(p != pcCode, E_BADPASSCCODEPTR)) return face.error(e); +@@ -192,7 +192,7 @@ bool Pass::readPass(const byte * const pass_start, size_t pass_length, size_t su + m_cPConstraint = vm::Machine::Code(true, pcCode, pcCode + pass_constraint_len, + precontext[0], be::peek(sort_keys), *m_silf, face, PASS_TYPE_UNKNOWN); + if (e.test(!m_cPConstraint, E_OUTOFMEM) +- || e.test(!m_cPConstraint, m_cPConstraint.status() + E_CODEFAILURE)) ++ || e.test(m_cPConstraint.status() != Code::loaded, m_cPConstraint.status() + E_CODEFAILURE)) + return face.error(e); + face.error_context(face.error_context() - 1); + } +diff --git a/src/Silf.cpp b/src/Silf.cpp +index 72a22cd..d661992 100644 +--- a/src/Silf.cpp ++++ b/src/Silf.cpp +@@ -191,7 +191,7 @@ bool Silf::readGraphite(const byte * const silf_start, size_t lSilf, Face& face, + + const size_t clen = readClassMap(p, passes_start - p, version, e); + m_passes = new Pass[m_numPasses]; +- if (e || e.test(p + clen > passes_start, E_BADPASSESSTART) ++ if (e || e.test(clen > unsigned(passes_start - p), E_BADPASSESSTART) + || e.test(!m_passes, E_OUTOFMEM)) + { releaseBuffers(); return face.error(e); } + diff --git a/gnu/packages/patches/graphite2-non-linear-classes-even-number.patch b/gnu/packages/patches/graphite2-non-linear-classes-even-number.patch new file mode 100644 index 000000000..2bb1c9f94 --- /dev/null +++ b/gnu/packages/patches/graphite2-non-linear-classes-even-number.patch @@ -0,0 +1,26 @@ +From 0646e4ee471183994f78a759269f0505617711f3 Mon Sep 17 00:00:00 2001 +From: Martin Hosken +Date: Tue, 18 Apr 2017 13:17:14 +0100 +Subject: [PATCH] Ensure non linear classes have even number of elements + +--- + src/Silf.cpp | 3 ++- + 1 file changed, 2 insertions(+), 1 deletion(-) + +diff --git a/src/Silf.cpp b/src/Silf.cpp +index d661992..9f2f954 100644 +--- a/src/Silf.cpp ++++ b/src/Silf.cpp +@@ -293,7 +293,8 @@ size_t Silf::readClassMap(const byte *p, size_t data_len, uint32 version, Error + if (e.test(*o + 4 > max_off, E_HIGHCLASSOFFSET) // LookupClass doesn't stretch over max_off + || e.test(lookup[0] == 0 // A LookupClass with no looks is a suspicious thing ... + || lookup[0] * 2 + *o + 4 > max_off // numIDs lookup pairs fits within (start of LookupClass' lookups array, max_off] +- || lookup[3] + lookup[1] != lookup[0], E_BADCLASSLOOKUPINFO)) // rangeShift: numIDs - searchRange ++ || lookup[3] + lookup[1] != lookup[0], E_BADCLASSLOOKUPINFO) // rangeShift: numIDs - searchRange ++ || e.test(((o[1] - *o) & 1) != 0, ERROROFFSET)) // glyphs are in pairs so difference must be even. + return ERROROFFSET; + } + +-- +2.12.2 + -- 2.12.2