Sun Dec 19 03:47:00 2010 UTC ()
Pullup ticket #3308 - requested by drochner
security updates for freetype2

Revisions pulled up:
 - pkgsrc/graphics/freetype2/Makefile	1.75-1.77
 - pkgsrc/graphics/freetype2/distinfo	1.37-1.39

Files added:
 - pkgsrc/graphics/freetype2/patches/patch-ab	1.14, 1.15
 - pkgsrc/graphics/freetype2/patches/patch-ac	1.6

-------------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   drochner
   Date:           Fri Oct 22 16:14:13 UTC 2010

   Modified Files:
           pkgsrc/graphics/freetype2: Makefile distinfo

   Log Message:
   update to 2.4.3
   changes:
   A rendering regression of S-shaped cubic arcs (introduced in
   version 2.4.0) has been fixed. Besides that, a bunch
   of fixes have been applied to improve handling of broken fonts.

   To generate a diff of this commit:
   cvs rdiff -u -r1.74 -r1.75 pkgsrc/graphics/freetype2/Makefile
   cvs rdiff -u -r1.36 -r1.37 pkgsrc/graphics/freetype2/distinfo

-------------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   drochner
   Date:           Wed Nov  3 11:56:37 UTC 2010

   Modified Files:
           pkgsrc/graphics/freetype2: Makefile distinfo
   Added Files:
           pkgsrc/graphics/freetype2/patches: patch-ab

   Log Message:
   add patch from upstream CVS to fix a possible buffer overflow
   when processing TrueType GX fonts (SA41738), bump PKGREVISION

   To generate a diff of this commit:
   cvs rdiff -u -r1.75 -r1.76 pkgsrc/graphics/freetype2/Makefile
   cvs rdiff -u -r1.37 -r1.38 pkgsrc/graphics/freetype2/distinfo
   cvs rdiff -u -r0 -r1.14 pkgsrc/graphics/freetype2/patches/patch-ab

-------------------------------------------------------------------------
   Module Name:    pkgsrc
   Committed By:   drochner
   Date:           Wed Nov 24 18:44:55 UTC 2010

   Modified Files:
           pkgsrc/graphics/freetype2: Makefile distinfo
           pkgsrc/graphics/freetype2/patches: patch-ab
   Added Files:
           pkgsrc/graphics/freetype2/patches: patch-ac

   Log Message:
   add patch from upstream CVS to fix handling the "SHZ" bytecode instruction
   which could be exploited to cause a crash and potentially execute
   arbitrary code via a specially crafted font (CVE-2010-3814)
   bump PKGREV
   being here, add CVE reference to an older patch

   To generate a diff of this commit:
   cvs rdiff -u -r1.76 -r1.77 pkgsrc/graphics/freetype2/Makefile
   cvs rdiff -u -r1.38 -r1.39 pkgsrc/graphics/freetype2/distinfo
   cvs rdiff -u -r1.14 -r1.15 pkgsrc/graphics/freetype2/patches/patch-ab
   cvs rdiff -u -r0 -r1.6 pkgsrc/graphics/freetype2/patches/patch-ac


(sbd)
diff -r1.74 -r1.74.2.1 pkgsrc/graphics/freetype2/Makefile
diff -r1.36 -r1.36.2.1 pkgsrc/graphics/freetype2/distinfo
diff -r0 -r1.15.2.2 pkgsrc/graphics/freetype2/patches/patch-ab
diff -r0 -r1.6.2.2 pkgsrc/graphics/freetype2/patches/patch-ac

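--- a/pkgsrc/graphics/freetype2/Makefile
+++ b/pkgsrc/graphics/freetype2/Makefile
@@ -1,17 +1,18 @@
-# $NetBSD: Makefile,v 1.74 2010/08/08 16:06:02 tnn Exp $
+# $NetBSD: Makefile,v 1.74.2.1 2010/12/19 03:47:00 sbd Exp $
 
-DISTNAME= freetype-2.4.2
+DISTNAME= freetype-2.4.3
 PKGNAME= ${DISTNAME:S/-/2-/}
+PKGREVISION= 2
 CATEGORIES= graphics
 MASTER_SITES= ${MASTER_SITE_SOURCEFORGE:=freetype/} \
  ftp://ring.aist.go.jp/pub/graphics/freetype/freetype2/
 EXTRACT_SUFX= .tar.bz2
 
 MAINTAINER= rh@NetBSD.org
 HOMEPAGE= http://www.freetype.org/
 COMMENT= Font rendering engine and library API
 
 PKG_INSTALLATION_TYPES= overwrite pkgviews
 PKG_DESTDIR_SUPPORT= user-destdir
 
 USE_LIBTOOL= yes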

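--- a/pkgsrc/graphics/freetype2/distinfo
+++ b/pkgsrc/graphics/freetype2/distinfo
@@ -1,6 +1,8 @@
-$NetBSD: distinfo,v 1.36 2010/08/08 16:06:02 tnn Exp $
+$NetBSD: distinfo,v 1.36.2.1 2010/12/19 03:47:00 sbd Exp $
 
-SHA1 (freetype-2.4.2.tar.bz2) = cc257ceda2950b8c80950d780ccf3ce665a815d1
-RMD160 (freetype-2.4.2.tar.bz2) = 5e3970f3a9e242255489111f77fe880d5d524860
-Size (freetype-2.4.2.tar.bz2) = 1433843 bytes
+SHA1 (freetype-2.4.3.tar.bz2) = 16e5ba0ff23b2de372149a790b7245a762022912
+RMD160 (freetype-2.4.3.tar.bz2) = befa7c66a9574c682b45d69a1088d072d8f119d9
+Size (freetype-2.4.3.tar.bz2) = 1437406 bytes
 SHA1 (patch-aa) = 85bf9979802e04345a9f5ac3ada2cac9520dabcb
+SHA1 (patch-ab) = fd2823043c3bf1488529167a56af69ecd036a920
+SHA1 (patch-ac) = bbd59b48a7827eb5e9c4905572f13b789a2d9c88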

File Added: pkgsrc/graphics/freetype2/patches/Attic/patch-ab
$NetBSD: patch-ab,v 1.15.2.2 2010/12/19 03:47:00 sbd Exp $

CVE-2010-3855

--- src/truetype/ttgxvar.c.orig	2010-07-12 19:03:49.000000000 +0000
+++ src/truetype/ttgxvar.c
@@ -154,7 +154,7 @@
         runcnt = runcnt & GX_PT_POINT_RUN_COUNT_MASK;
         first  = points[i++] = FT_GET_USHORT();
 
-        if ( runcnt < 1 )
+        if ( runcnt < 1 || i + runcnt >= n )
           goto Exit;
 
         /* first point not included in runcount */
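Review bot: The added bound `i + runcnt >= n`, used in both hunks (the word-sized run here and the byte-sized run in the next hunk), looks one element stricter than memory safety requires. At the check `i` has already been advanced past the first point, so the loop that follows writes `points[i]` through `points[i + runcnt - 1]`, which stays inside an array of `n` elements whenever `i + runcnt <= n`; a run that ends exactly at `n` is rejected. If `n` is the allocated element count (its assignment is outside the hunk), `if ( runcnt < 1 || i + runcnt > n )` keeps the overflow fix without refusing well-formed point lists. The `Exit` label is also outside the hunk, so it is worth confirming that a caller cannot mistake a partially filled array for a complete one.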
@@ -165,7 +165,7 @@
       {
         first = points[i++] = FT_GET_BYTE();
 
-        if ( runcnt < 1 )
+        if ( runcnt < 1 || i + runcnt >= n )
           goto Exit;
 
         for ( j = 0; j < runcnt; ++j )

File Added: pkgsrc/graphics/freetype2/patches/Attic/patch-ac
$NetBSD: patch-ac,v 1.6.2.2 2010/12/19 03:47:00 sbd Exp $

CVE-2010-3814

--- src/truetype/ttinterp.c.orig	2010-10-01 06:08:19.000000000 +0000
+++ src/truetype/ttinterp.c
@@ -5795,7 +5795,16 @@
     if ( CUR.GS.gep2 == 0 && CUR.zp2.n_points > 0 )
       last_point = (FT_UShort)( CUR.zp2.n_points - 1 );
     else if ( CUR.GS.gep2 == 1 && CUR.zp2.n_contours > 0 )
+    {
       last_point = (FT_UShort)( CUR.zp2.contours[CUR.zp2.n_contours - 1] );
+
+      if ( BOUNDS( last_point, CUR.zp2.n_points ) )
+      {
+        if ( CUR.pedantic_hinting )
+          CUR.error = TT_Err_Invalid_Reference;
+        return;
+      }
+    }
     else
       last_point = 0;
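Review bot: The fallback `else last_point = 0;` at the end of the hunk is not covered by the new bounds check. The first branch is taken only when `CUR.zp2.n_points > 0`, so a zone with no points, or one with `gep2 == 1` and no contours, ends up here with index 0 treated as valid. Whether that matters depends on how the loop after the hunk uses `last_point` (inclusive or exclusive bound), which is not visible here and should be confirmed. A short comment above the added check would also help the next reader, for example `/* contour end points come from the font; reject an index outside zp2 */`. The enclosing function starts and ends outside the hunk.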