!35 fix CVE-2023-2004

From: @zhouwenpei 
Reviewed-by: @leeffo 
Signed-off-by: @leeffo

CVE-2020-15999.patch

@@ -0,0 +1,45 @@
+From a3bab162b2ae616074c8877a04556932998aeacd Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 19 Oct 2020 23:45:28 +0200
+Subject: [sfnt] Fix heap buffer overflow (#59308).
+ This is CVE-2020-15999.
+ * src/sfnt/pngshim.c (Load_SBit_Png): Test bitmap size earlier.
+reference：https://git.savannah.gnu.org/cgit/freetype/freetype2.git/commit/?id=a3bab162b2ae616074c8877a04556932998aeacd
+---
+ src/sfnt/pngshim.c | 14 +++++++-------
+ 1 file changed, 7 insertions(+), 7 deletions(-)
+
+diff --git a/src/sfnt/pngshim.c b/src/sfnt/pngshim.c
+index 523b30a..5502108 100644
+--- a/src/sfnt/pngshim.c
++++ b/src/sfnt/pngshim.c
+@@ -328,6 +328,13 @@
+ 
+     if ( populate_map_and_metrics )
+     {
++      /* reject too large bitmaps similarly to the rasterizer */
++      if ( imgHeight > 0x7FFF || imgWidth > 0x7FFF )
++      {
++        error = FT_THROW( Array_Too_Large );
++        goto DestroyExit;
++      }
++
+       metrics->width  = (FT_UShort)imgWidth;
+       metrics->height = (FT_UShort)imgHeight;
+ 
+@@ -336,13 +343,6 @@
+       map->pixel_mode = FT_PIXEL_MODE_BGRA;
+       map->pitch      = (int)( map->width * 4 );
+       map->num_grays  = 256;
+-
+-      /* reject too large bitmaps similarly to the rasterizer */
+-      if ( map->rows > 0x7FFF || map->width > 0x7FFF )
+-      {
+-        error = FT_THROW( Array_Too_Large );
+-        goto DestroyExit;
+-      }
+     }
+ 
+     /* convert palette/gray image to rgb */
+-- 
+2.27.0

backport-0001-CVE-2022-27405.patch

@@ -0,0 +1,39 @@
+From 22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 06:40:17 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Properly guard
+ `face_index`.
+
+We must ensure that the cast to `FT_Int` doesn't change the sign.
+
+Fixes #1139.
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/freetype/freetype/-/commit/22a0cccb4d9d002f33c1ba7a4b36812c7d4f46b5
+---
+ src/base/ftobjs.c | 9 +++++++++
+ 1 file changed, 9 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 2c0f0e6c9..10952a6c6 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2527,6 +2527,15 @@
+ #endif
+ 
+ 
++    /* only use lower 31 bits together with sign bit */
++    if ( face_index > 0 )
++      face_index &= 0x7FFFFFFFL;
++    else
++    {
++      face_index &= 0x7FFFFFFFL;
++      face_index  = -face_index;
++    }
++
+ #ifdef FT_DEBUG_LEVEL_TRACE
+     FT_TRACE3(( "FT_Open_Face: " ));
+     if ( face_index < 0 )
+-- 
+GitLab
+

backport-0002-CVE-2022-27405.patch

@@ -0,0 +1,26 @@
+From d014387ad4a5dd04d8e7f99587c7dacb70261924 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:30:45 +0100
+Subject: [PATCH] * src/base/ftobjs.c (ft_open_face_internal): Thinko.
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/freetype/freetype/-/commit/d014387ad4a5dd04d8e7f99587c7dacb70261924
+---
+ src/base/ftobjs.c | 1 +
+ 1 file changed, 1 insertion(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 10952a6c6..6492a1517 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -2532,6 +2532,7 @@
+       face_index &= 0x7FFFFFFFL;
+     else
+     {
++      face_index  = -face_index;
+       face_index &= 0x7FFFFFFFL;
+       face_index  = -face_index;
+     }
+-- 
+GitLab
+

backport-CVE-2022-27404.patch

@@ -0,0 +1,45 @@
+From 53dfdcd8198d2b3201a23c4bad9190519ba918db Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Thu, 17 Mar 2022 19:24:16 +0100
+Subject: [PATCH] [sfnt] Avoid invalid face index.
+
+Fixes #1138.
+
+* src/sfnt/sfobjs.c (sfnt_init_face), src/sfnt/sfwoff2.c (woff2_open_font):
+Check `face_index` before decrementing.
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/freetype/freetype/-/commit/53dfdcd8198d2b3201a23c4bad9190519ba918db
+---
+ src/sfnt/sfobjs.c  | 2 +-
+ src/sfnt/sfwoff2.c | 2 +-
+ 2 files changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/sfnt/sfobjs.c b/src/sfnt/sfobjs.c
+index f9d4d3858..9771c35df 100644
+--- a/src/sfnt/sfobjs.c
++++ b/src/sfnt/sfobjs.c
+@@ -566,7 +566,7 @@
+     face_index = FT_ABS( face_instance_index ) & 0xFFFF;
+ 
+     /* value -(N+1) requests information on index N */
+-    if ( face_instance_index < 0 )
++    if ( face_instance_index < 0 && face_index > 0 )
+       face_index--;
+ 
+     if ( face_index >= face->ttc_header.count )
+diff --git a/src/sfnt/sfwoff2.c b/src/sfnt/sfwoff2.c
+index cb1e0664a..165b875e5 100644
+--- a/src/sfnt/sfwoff2.c
++++ b/src/sfnt/sfwoff2.c
+@@ -2085,7 +2085,7 @@
+     /* Validate requested face index. */
+     *num_faces = woff2.num_fonts;
+     /* value -(N+1) requests information on index N */
+-    if ( *face_instance_index < 0 )
++    if ( *face_instance_index < 0 && face_index > 0 )
+       face_index--;
+ 
+     if ( face_index >= woff2.num_fonts )
+-- 
+GitLab

backport-CVE-2022-27406.patch

@@ -0,0 +1,30 @@
+From 0c2bdb01a2e1d24a3e592377a6d0822856e10df2 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Sat, 19 Mar 2022 09:37:28 +0100
+Subject: [PATCH] * src/base/ftobjs.c (FT_Request_Size): Guard `face->size`.
+
+Fixes #1140.
+
+Conflict:NA
+Reference:https://gitlab.freedesktop.org/freetype/freetype/-/commit/0c2bdb01a2e1d24a3e592377a6d0822856e10df2
+---
+ src/base/ftobjs.c | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
+index 6492a1517..282c9121a 100644
+--- a/src/base/ftobjs.c
++++ b/src/base/ftobjs.c
+@@ -3409,6 +3409,9 @@
+     if ( !face )
+       return FT_THROW( Invalid_Face_Handle );
+ 
++    if ( !face->size )
++      return FT_THROW( Invalid_Size_Handle );
++
+     if ( !req || req->width < 0 || req->height < 0 ||
+          req->type >= FT_SIZE_REQUEST_TYPE_MAX )
+       return FT_THROW( Invalid_Argument );
+-- 
+GitLab
+

backport-CVE-2023-2004.patch

@@ -0,0 +1,37 @@
+From e6fda039ad638866b7a6a5d046f03278ba1b7611 Mon Sep 17 00:00:00 2001
+From: Werner Lemberg <wl@gnu.org>
+Date: Mon, 14 Nov 2022 19:18:19 +0100
+Subject: [PATCH] * src/truetype/ttgxvar.c (tt_hvadvance_adjust): Integer
+ overflow.
+
+Reported as
+
+  https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=50462
+---
+ src/truetype/ttgxvar.c | 3 ++-
+ 1 file changed, 2 insertions(+), 1 deletion(-)
+
+diff --git a/src/truetype/ttgxvar.c b/src/truetype/ttgxvar.c
+index 110f24a..62dd1df 100644
+--- a/src/truetype/ttgxvar.c
++++ b/src/truetype/ttgxvar.c
+@@ -42,6 +42,7 @@
+ #include <ft2build.h>
+ #include FT_INTERNAL_DEBUG_H
+ #include FT_CONFIG_CONFIG_H
++#include <freetype/internal/ftcalc.h>
+ #include FT_INTERNAL_STREAM_H
+ #include FT_INTERNAL_SFNT_H
+ #include FT_TRUETYPE_TAGS_H
+@@ -1065,7 +1066,7 @@
+                 delta == 1 ? "" : "s",
+                 vertical ? "VVAR" : "HVAR" ));
+ 
+-    *avalue += delta;
++    *avalue = ADD_INT( *avalue, delta );
+ 
+   Exit:
+     return error;
+-- 
+2.33.0
+

backport-freetype-2.10.0-internal-outline.patch

@@ -1,3 +1,17 @@
+From 2e6bf149908d61c2b2121dad36f2caef260a2053 Mon Sep 17 00:00:00 2001
+From: Marek Kasik <mkasik@redhat.com>
+Date: May 28 2019 12:56:55 +0000
+Subject: Keep FT_Outline_New_Internal() and FT_Outline_Done_Internal()
+for ABI compatibility but make them just throw
+Unimplemented_Feature error.
+
+Remove them once soname has been bumped!
+
+Resolves: #1689117
+
+Conflict:NA
+Reference:https://src.fedoraproject.org/rpms/freetype/c/2e6bf149908d61c2b2121dad36f2caef260a2053
+
 --- freetype-2.10.0/include/freetype/ftoutln.h
 +++ freetype-2.10.0/include/freetype/ftoutln.h
 @@ -165,6 +165,15 @@ FT_BEGIN_HEADER

backport-freetype-2.10.1-debughook.patch

@@ -1,3 +1,11 @@
+From ac07a003d7f75321346188eb9618d418d2b2decb Mon Sep 17 00:00:00 2001
+From: Michael Kuhn <suraia@fedoraproject.org>
+Date: Oct 17 2019 19:06:50 +0000
+Subject: Revert FT_DebugHook_Func ABI/API changes
+
+Conflict:NA
+Reference:https://src.fedoraproject.org/rpms/freetype/c/ac07a003d7f75321346188eb9618d418d2b2decb
+
 diff --git a/include/freetype/ftmodapi.h b/include/freetype/ftmodapi.h
 index 8d039c4f3..88488bfe8 100644
 --- a/include/freetype/ftmodapi.h

backport-freetype-2.2.1-enable-valid.patch

@@ -1,3 +1,12 @@
+From cbf2c99f7813750cb82deb367a37e50dbb709395 Mon Sep 17 00:00:00 2001
+From: besfahbo <besfahbo@fedoraproject.org>
+Date: Jul 08 2006 01:07:01 +0000
+Subject: - Enable modules gxvalid and otvalid
+
+Enable modules gxvalid and otvalid
+
+Conflict:NA
+Reference:https://src.fedoraproject.org/rpms/freetype/c/cbf2c99f7813750cb82deb367a37e50dbb709395
 --- freetype-2.2.1/modules.cfg.orig	2006-07-07 21:01:09.000000000 -0400
 +++ freetype-2.2.1/modules.cfg	2006-07-07 21:01:54.000000000 -0400
 @@ -110,7 +110,7 @@

backport-freetype-2.3.0-enable-spr.patch

@@ -1,3 +1,11 @@
+From c1c64f8cf9264592bca747c9463814a805150346 Mon Sep 17 00:00:00 2001
+From: besfahbo <besfahbo@fedoraproject.org>
+Date: Jan 18 2007 19:42:34 +0000
+Subject: - Add without_subpixel_rendering.
+
+Conflict:NA
+Reference:https://src.fedoraproject.org/rpms/freetype/c/c1c64f8cf9264592bca747c9463814a805150346
+
 --- freetype-2.3.0/include/freetype/config/ftoption.h.spf	2007-01-18 14:27:34.000000000 -0500
 +++ freetype-2.3.0/include/freetype/config/ftoption.h	2007-01-18 14:27:48.000000000 -0500
 @@ -92,7 +92,7 @@

backport-freetype-2.6.5-libtool.patch

@@ -1,3 +1,10 @@
+From 928ba6125d73435fddd73f9bf155e0f2a813bab7 Mon Sep 17 00:00:00 2001
+From: Marek Kasik <mkasik@redhat.com>
+Date: Aug 22 2016 13:08:48 +0000
+Subject: Don't show path of non-existing libtool file
+
+Conflict:NA
+Reference:https://src.fedoraproject.org/rpms/freetype/c/928ba6125d73435fddd73f9bf155e0f2a813bab7
 --- freetype-2.8/builds/unix/freetype-config.in.orig	2017-03-30 12:20:23.000000001 +0200
 +++ freetype-2.8/builds/unix/freetype-config.in	2017-05-16 13:25:39.223041128 +0200
 @@ -205,7 +205,7 @@ if test "$echo_libs" = "yes" ; then

backport-freetype-2.8-multilib.patch

@@ -1,3 +1,14 @@
+From 1007098e54f9449281f83516f0272afa5d20ec29 Mon Sep 17 00:00:00 2001
+From: Marek Kasik <mkasik@redhat.com>
+Date: Oct 09 2017 11:57:11 +0000
+Subject: Fix multilib conflict
+
+Require pkgconf so we can make freetype-config multilib compatible again
+
+Resolves: #1497443
+
+Conflict:NA
+Reference:https://src.fedoraproject.org/rpms/freetype/c/1007098e54f9449281f83516f0272afa5d20ec29?branch=rawhide
 --- freetype-2.9/builds/unix/freetype-config.in
 +++ freetype-2.9/builds/unix/freetype-config.in
 @@ -13,45 +13,25 @@ LC_ALL=C

freetype.spec

@@ -3,29 +3,38 @@
 %{!?with_xfree86:%define with_xfree86 1}
 
 Name:           freetype
-Version:        2.10.1
-Release:        1
+Version:        2.10.2
+Release:        5
 Summary:        FreeType is a freely available software library to render fonts
 License:        (FTL or GPLv2+) and BSD and MIT and Public Domain and zlib with acknowledgement
 URL:            http://www.freetype.org
-Source0:        http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.tar.gz
-Source1:        http://download.savannah.gnu.org/releases/freetype/freetype-doc-%{version}.tar.gz
-Source2:        http://download.savannah.gnu.org/releases/freetype/ft2demos-%{version}.tar.gz
+Source0:        http://download.savannah.gnu.org/releases/freetype/freetype-%{version}.tar.xz
+Source1:        http://download.savannah.gnu.org/releases/freetype/freetype-doc-%{version}.tar.xz
+Source2:        http://download.savannah.gnu.org/releases/freetype/ft2demos-%{version}.tar.xz
 Source3:        ftconfig.h
 
-Patch6000:  	freetype-2.3.0-enable-spr.patch
-Patch6001:  	freetype-2.2.1-enable-valid.patch
-Patch6002:      freetype-2.5.2-more-demos.patch
-Patch6003:  	freetype-2.6.5-libtool.patch 
-Patch6004:  	freetype-2.8-multilib.patch
-Patch6005:  	freetype-2.10.0-internal-outline.patch
-Patch6006:  	freetype-2.10.1-debughook.patch
+Patch1:         freetype-2.5.2-more-demos.patch
+Patch2:         CVE-2020-15999.patch
+Patch6000:      backport-freetype-2.3.0-enable-spr.patch
+Patch6001:      backport-freetype-2.2.1-enable-valid.patch
+Patch6002:      backport-freetype-2.6.5-libtool.patch
+Patch6003:      backport-freetype-2.8-multilib.patch
+Patch6004:      backport-freetype-2.10.0-internal-outline.patch
+Patch6005:      backport-freetype-2.10.1-debughook.patch
+Patch6006:      backport-CVE-2022-27404.patch
+Patch6007:      backport-0001-CVE-2022-27405.patch
+Patch6008:      backport-0002-CVE-2022-27405.patch
+Patch6009:      backport-CVE-2022-27406.patch
+Patch6010:      backport-CVE-2023-2004.patch
 
 BuildRequires:  gcc libX11-devel libpng-devel zlib-devel bzip2-devel
 
-Provides:       %{name}-bytecode %{name}-demos = %{version}-%{release}
-Provides:       %{name}-subpixel 
-Obsoletes:      %{name}-demos < %{version}-%{release} freetype-freeworld < 2.9.1-2
+Provides:       %{name}-bytecode %{name}-demos
+%if %{?_with_subpixel_rendering:1}%{!?_with_subpixel_rendering:0}
+Provides:       %{name}-subpixel
+%endif
+
+Obsoletes:      %{name}-demos
 
 %description
 FreeType is written in C, designed to be small,efficient, highly customizable, and portable while capable of producing high-quality
@@ -49,17 +58,22 @@ Man pages and other related for freetype documents.
 
 %prep
 %setup   -q  -b 1 -a 2
-%patch6000 -p1
-%patch6001 -p1
 
 pushd ft2demos-%{version}
-%patch6002  -p1 -b .more-demos
+%patch1  -p1 -b .more-demos
 popd
-
+%patch2 -p1
+%patch6000 -p1
+%patch6001 -p1
+%patch6002 -p1
 %patch6003 -p1
 %patch6004 -p1
 %patch6005 -p1
 %patch6006 -p1
+%patch6007 -p1
+%patch6008 -p1
+%patch6009 -p1
+%patch6010 -p1
 
 %build
 %configure --disable-static --with-zlib=yes --with-bzip2=yes --with-png=yes --enable-freetype-config --with-harfbuzz=no
@@ -67,8 +81,10 @@ sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' builds/u
 sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' builds/unix/libtool
 %make_build
 
+%if %{with_xfree86}
 cd ft2demos-%{version}
 make TOP_DIR=".."
+%endif
 
 %install
 %make_install gnulocaledir=$RPM_BUILD_ROOT%{_datadir}/locale
@@ -77,9 +93,13 @@ make TOP_DIR=".."
       builds/unix/libtool --mode=install install -m 755 ft2demos-%{version}/bin/$ftdemo $RPM_BUILD_ROOT/%{_bindir}
   done
 }
-for ftdemo in ftdiff ftgamma ftgrid ftmulti ftstring fttimer ftview ; do
-     builds/unix/libtool --mode=install install -m 755 ft2demos-%{version}/bin/$ftdemo $RPM_BUILD_ROOT/%{_bindir}
-done
+%if %{with_xfree86}
+{
+  for ftdemo in ftdiff ftgamma ftgrid ftmulti ftstring fttimer ftview ; do
+      builds/unix/libtool --mode=install install -m 755 ft2demos-%{version}/bin/$ftdemo $RPM_BUILD_ROOT/%{_bindir}
+  done
+}
+%endif
 
 %define wordsize %{__isa_bits}
 
@@ -87,8 +107,6 @@ mv $RPM_BUILD_ROOT%{_includedir}/freetype2/freetype/config/ftconfig.h \
    $RPM_BUILD_ROOT%{_includedir}/freetype2/freetype/config/ftconfig-%{wordsize}.h
 install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_includedir}/freetype2/freetype/config/ftconfig.h
 
-%delete_la_and_a
-
 %triggerpostun -- freetype < 2.0.5-3
 {
   # ttmkfdir updated - as of 2.0.5-3, on upgrades we need xfs to regenerate
@@ -100,6 +118,9 @@ install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_includedir}/freetype2/freetype/co
 }
 
 %ldconfig_scriptlets
+%post -p /sbin/ldconfig
+
+%postun  -p /sbin/ldconfig
 
 %files
 %defattr(-,root,root)
@@ -114,6 +135,7 @@ install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_includedir}/freetype2/freetype/co
 %{_libdir}/libfreetype.so
 %{_libdir}/pkgconfig/freetype2.pc
 %{_bindir}/freetype-config
+%exclude %{_libdir}/*.{a,la}
 
 %files help
 %defattr(-,root,root)
@@ -126,6 +148,30 @@ install -p -m 644 %{SOURCE3} $RPM_BUILD_ROOT%{_includedir}/freetype2/freetype/co
 %{_mandir}/man1/*
 
 %changelog
+* Mon Apr 17 2023 zhouwenpei <zhouwenpei1@h-partners.com> - 2.10.2-5
+- fix CVE-2023-2004
+
+* Sat May 14 2022 wangkerong<wangkerong@h-partners.com> - 2.10.2-4
+- fix CVE-2022-27404,CVE-2022-27405,CVE-2022-27406
+
+* Tue Apr 13 2021 hanhui<hanhui15@huawei.com> - 2.10.2-3
+- Type:bugfix
+- CVE:NA
+- SUG:NA
+- DESC:add community patches
+
+* Tue Dec 08 2020 zhanzhimin <zhanzhimin@huawei.com> - 2.10.2-2
+- Type:CVE
+- CVE:CVE-2020-15999
+- SUG:NA
+- DESC:fix CVE-2020-15999
+
+* Thu Aug 20 2020 jinzhimin <jinzhimin2@huawei.com> - 2.10.2-1
+- Type:enhancement
+- Id:NA
+- SUG:NA
+- DESC:version update to 2.10.2
+
 * Mon Jun 15 2020 fuyangqing <fuyangqing@huawei.com> - 2.10.1-1
 - Type:enhancement
 - Id:NA