[meego-commits] 23899: Changes to MeeGo:1.1:Core:Update/fontforge

Fri Sep 16 02:38:19 UTC 2011

Hi,
I have made the following changes to fontforge in project MeeGo:1.1:Core:Update. Please review and accept ASAP.

Thank You,
jieyang

[This message was auto-generated]

---

Request #23899:

  submit:   MeeGo:1.1:Core:Update:Testing/fontforge(r2)(update) -> MeeGo:1.1:Core:Update/fontforge


Message:
    forward

State:   new          2011-09-15T19:28:18 jieyang
Comment: None



changes files:
--------------

--- fontforge.changes
+++ fontforge.changes
@@ -0,0 +1,3 @@
+* Wed Mar 09 2011 Ye Gang <gang.ye at intel.com> - 20100501
+- Add fontforge-CVE-2010-4259.patch to fix BMC #11158
+

new:
----
  fontforge-CVE-2010-4259.patch

spec files:
-----------
--- fontforge.spec
+++ fontforge.spec
@@ -24,6 +24,7 @@
 Patch0:     fontforge-20090224-pythondl.patch
 Patch1:     fontforge-20100501-splinesets.patch
 Patch2:     fontforge-20100501-python27.patch
+Patch3:     fontforge-CVE-2010-4259.patch
 Requires:   xdg-utils
 Requires:   autotrace
 Requires(post): /sbin/ldconfig
@@ -74,6 +75,8 @@
 %patch1 -p1
 # fontforge-20100501-python27.patch
 %patch2 -p1
+# fontforge-CVE-2010-4259.patch
+%patch3 -p1
 # >> setup
 mkdir htdocs
 tar xjf %{SOURCE2} -C htdocs

other changes:
--------------

++++++ fontforge-CVE-2010-4259.patch (new)
--- fontforge-CVE-2010-4259.patch
+++ fontforge-CVE-2010-4259.patch
+diff --git a/fontforge/fvimportbdf.c b/fontforge/fvimportbdf.c
+index 7872801..b04af90 100644
+--- a/fontforge/fvimportbdf.c
++++ b/fontforge/fvimportbdf.c
+@@ -560,7 +560,7 @@ static int slurp_header(FILE *bdf, int *_as, int *_ds, Encoding **_enc,
+ 	}
+     
+ 	if ( strcmp(tok,"FONT")==0 ) {
+-	    if ( sscanf(buf,"-%*[^-]-%[^-]-%[^-]-%[^-]-%*[^-]-", family, weight, italic )!=0 ) {
++	    if ( sscanf(buf,"-%*[^-]-%99[^-]-%99[^-]-%99[^-]-%*[^-]-", family, weight, italic )!=0 ) {
+ 		char *pt=buf;
+ 		int dcnt=0;
+ 		while ( *pt=='-' && dcnt<7 ) { ++pt; ++dcnt; }
+@@ -616,26 +616,30 @@ static int slurp_header(FILE *bdf, int *_as, int *_ds, Encoding **_enc,
+ 	    sscanf(buf, "%d", &defs->metricsset );
+ 	else if ( strcmp(tok,"VVECTOR")==0 )
+ 	    sscanf(buf, "%*d %d", &defs->vertical_origin );
++	/* For foundry, fontname and encname, only copy up to the buffer size */
+ 	else if ( strcmp(tok,"FOUNDRY")==0 )
+-	    sscanf(buf, "%[^\"]", foundry );
++	    sscanf(buf, "%99[^\"]", foundry );
+ 	else if ( strcmp(tok,"FONT_NAME")==0 )
+-	    sscanf(buf, "%[^\"]", fontname );
++	    sscanf(buf, "%99[^\"]", fontname );
+ 	else if ( strcmp(tok,"CHARSET_REGISTRY")==0 )
+-	    sscanf(buf, "%[^\"]", encname );
++	    sscanf(buf, "%99[^\"]", encname );
+ 	else if ( strcmp(tok,"CHARSET_ENCODING")==0 ) {
+ 	    enc = 0;
+ 	    if ( sscanf(buf, " %d", &enc )!=1 )
+ 		sscanf(buf, "%d", &enc );
++	/* These properties should be copied up to the buffer length too */
+ 	} else if ( strcmp(tok,"FAMILY_NAME")==0 ) {
+-	    strcpy(family,buf);
++	    strncpy(family,buf,99);
+ 	} else if ( strcmp(tok,"FULL_NAME")==0 || strcmp(tok,"FACE_NAME")==0 ) {
+-	    strcpy(full,buf);
++	    strncpy(full,buf,99);
+ 	} else if ( strcmp(tok,"WEIGHT_NAME")==0 )
+-	    strcpy(weight,buf);
++	    strncpy(weight,buf,99);
+ 	else if ( strcmp(tok,"SLANT")==0 )
+-	    strcpy(italic,buf);
++	    strncpy(italic,buf,99);
+ 	else if ( strcmp(tok,"COPYRIGHT")==0 ) {
+-	    strcpy(comments,buf);
++		/* LS: Assume the size of the passed-in buffer is 1000, see below in
++  				 * COMMENT */
++	    strncpy(comments,buf,999);
+ 	    found_copyright = true;
+ 	} else if ( strcmp(tok,"COMMENT")==0 && !found_copyright ) {
+ 	    char *pt = comments+strlen(comments);

