#1013094 libfreetype6: Multiple wild free when gzip and plain svgDoc are mixed in font.

Package:
libfreetype6
Source:
freetype
Description:
FreeType 2 font engine, shared library files
Submitter:
Ben Wagner
Date:
2022-06-19 12:36:03 UTC
Severity:
important
#1013094#5
Date:
2022-06-16 21:32:33 UTC
With FreeType commit f93a897afedf4a634c74d3d2871519e675ee0d83 (which was
released in FreeType 2.12.0) support for OT-SVG was added. However, this
implementation contained a bug where, if the `SVG ` table contained a mix of
compressed and uncompressed documents, the uncompressed documents may be free'd
every time they are used. In general these documents were not malloc'ed so this
was also a wild free.

This issue has been fixed upstream with FreeType commit
c26872ed59cba3af2f407b5eefc92fcec92aa52b "[svg] Clear correct flags for doc
ownership" which landed after 2.12.1 was released (this commit is not yet in a
tagged release). The patch itself is almost trivial:

diff --git a/src/base/ftobjs.c b/src/base/ftobjs.c
index eeda69c3e..f66273f3d 100644
--- a/src/base/ftobjs.c
+++ b/src/base/ftobjs.c
@@ -605,7 +605,7 @@


         FT_FREE( doc->svg_document );
-        slot->internal->load_flags &= ~FT_GLYPH_OWN_GZIP_SVG;
+        slot->internal->flags &= ~FT_GLYPH_OWN_GZIP_SVG;
       }
     }
 #endif
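Review bot: the one-line change is correct but easy to misread, so it deserves a comment: `FT_GLYPH_OWN_GZIP_SVG` is an ownership bit kept in `slot->internal->flags`, while `load_flags` carries the caller's load options, so the removed line `slot->internal->load_flags &= ~FT_GLYPH_OWN_GZIP_SVG;` never touched the bit that was tested, and after `FT_FREE( doc->svg_document )` the slot still claimed ownership of whatever document was loaded next, including uncompressed ones that point into the font's table. Suggest adding a short comment above the `FT_FREE` stating that the bit lives in `internal->flags`, and grepping the tree for any other `load_flags &= ~FT_GLYPH_OWN_` sites so the same mix-up is not repeated elsewhere.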

and should be applied to the current 2.12.1 packages in bookworm and sid.
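To make the failure mode described above concrete, here is an added C model of it; it is not FreeType code. The `Slot` struct, `OWN_GZIP_SVG`, `tracked_malloc`/`tracked_free` and the two constructed documents are hypothetical stand-ins for `slot->internal->flags`, `slot->internal->load_flags`, `FT_GLYPH_OWN_GZIP_SVG`, the allocator and the `SVG ` table entries. It loads a compressed document (modelled as a heap copy, as a decompressor would produce) followed by a plain one, releasing after each, and counts how often cleanup tries to free a pointer that never came from the allocator. Clearing the ownership bit from `load_flags`, as the pre-fix code did, leaves the bit set in `flags` so the second release hits the table-backed document; clearing it from `flags` does not.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for FT_GLYPH_OWN_GZIP_SVG (hypothetical value). */
#define OWN_GZIP_SVG 0x1u

/* Stand-in for the relevant parts of slot->internal. */
typedef struct {
    unsigned  flags;        /* ownership bits: where OWN_GZIP_SVG really lives */
    unsigned  load_flags;   /* caller's load options: the wrong field to clear */
    char     *svg_document; /* heap copy (owned) or pointer into the table (not owned) */
} Slot;

/* Tiny allocation registry so a bogus free is detected and reported
   instead of corrupting the heap. */
#define MAX_LIVE 8
static void *live[MAX_LIVE];
static int   live_count;

static void *tracked_malloc(size_t n)
{
    void *p = malloc(n);
    if (p && live_count < MAX_LIVE)
        live[live_count++] = p;
    return p;
}

/* Returns 0 and frees p if p is a live heap block; returns -1 if p was
   never allocated here (the wild-free case the report describes). */
static int tracked_free(void *p)
{
    for (int i = 0; i < live_count; i++) {
        if (live[i] == p) {
            free(p);
            live[i] = live[--live_count];
            return 0;
        }
    }
    return -1;
}

/* Constructed "SVG table": one plain entry and one gzip-style entry. */
static const char plain_doc[] = "<svg/>";
static const char gzip_doc[]  = "<svg id='z'/>";

static void load_doc(Slot *slot, int compressed)
{
    if (compressed) {
        /* Decompression yields a heap buffer the slot must later free. */
        size_t n = sizeof gzip_doc;
        slot->svg_document = tracked_malloc(n);
        memcpy(slot->svg_document, gzip_doc, n);
        slot->flags |= OWN_GZIP_SVG;
    } else {
        /* Uncompressed: the document is used in place, nothing is owned. */
        slot->svg_document = (char *)plain_doc;
    }
}

/* Cleanup mirroring the hunk in the report. 'fixed' selects which field
   the ownership bit is cleared from. Returns 1 if a wild free was attempted. */
static int release_doc(Slot *slot, int fixed)
{
    int wild = 0;
    if (slot->flags & OWN_GZIP_SVG) {
        if (tracked_free(slot->svg_document) != 0)
            wild = 1;
        if (fixed)
            slot->flags &= ~OWN_GZIP_SVG;       /* post-fix: correct field */
        else
            slot->load_flags &= ~OWN_GZIP_SVG;  /* pre-fix: bit in flags survives */
    }
    slot->svg_document = NULL;
    return wild;
}

/* Load compressed then plain, releasing after each; returns the number of
   wild frees the cleanup attempted. */
int count_wild_frees(int fixed)
{
    Slot slot = {0, 0, NULL};
    int wild = 0;
    live_count = 0;

    load_doc(&slot, 1);
    wild += release_doc(&slot, fixed);
    load_doc(&slot, 0);
    wild += release_doc(&slot, fixed);
    return wild;
}

int main(void)
{
    printf("pre-fix  wild frees: %d\n", count_wild_frees(0));
    printf("post-fix wild frees: %d\n", count_wild_frees(1));
    return 0;
}
```

The registry is what makes the demonstration safe to run: a real `free()` on `plain_doc` would be undefined behaviour, whereas here the mismatch is surfaced as a return value. The same pattern, a debug allocator that rejects pointers it did not hand out, is what AddressSanitizer or a malloc-debug library reports as "attempting free on address which was not malloc()-ed" when this class of bug is exercised under test.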

#1013094#8
Date:
2022-06-19 12:09:37 UTC
Hello,

Bug #1013094 in freetype reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/debian/freetype/-/commit/e46c8dc112ec6f24462b0c45e736d0a8e602b5be
------------------------------------------------------------------------
debian/patches: Add a patch to fix a wild free in certain OT-SVG fonts

Closes: #1013094
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1013094

#1013094#15
Date:
2022-06-19 12:33:52 UTC
We believe that the bug you reported is fixed in the latest version of
freetype, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1013094@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Hugh McMaster <hugh.mcmaster@outlook.com> (supplier of updated freetype package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Sun, 19 Jun 2022 21:55:46 +1000
Source: freetype
Architecture: source
Version: 2.12.1+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Hugh McMaster <hugh.mcmaster@outlook.com>
Changed-By: Hugh McMaster <hugh.mcmaster@outlook.com>
Closes: 1013094
Changes:
 freetype (2.12.1+dfsg-3) unstable; urgency=medium
 .
   * debian/control: Raise Standards-Version to 4.6.1 (no changes needed).
   * debian/patches:
     - ftbench: Exit if the number of glyphs is zero (CVE-2022-31782).
     - Fix a wild free in certain OT-SVG fonts (Closes: #1013094).
       Thanks to Ben Wagner for providing a patch.
     - Harden the demos by appending CPPFLAGS to CFLAGS.
Checksums-Sha1:
 0af98d7aac484568b9908e2a2aa8e90dede4c793 3713 freetype_2.12.1+dfsg-3.dsc
 19ee6d878b47ec7aba78ce18c789f0b80a65a8e4 44068 freetype_2.12.1+dfsg-3.debian.tar.xz
 655112d03a96f0f1bcd1bd71874612c1b5fb11d4 8720 freetype_2.12.1+dfsg-3_amd64.buildinfo
Checksums-Sha256:
 23a551d286339047ab29e270a780cc091d43a40e7ef83ffbeb8ccd011575d7c8 3713 freetype_2.12.1+dfsg-3.dsc
 aafab76c3bf3e024d70273bbca59cd2aa1164cfdf9876397a507b988b47d260b 44068 freetype_2.12.1+dfsg-3.debian.tar.xz
 2362ce2d9b061d732950cd10fdf6fb9bc3bb444a0ca49e24019cda9275ba0b2c 8720 freetype_2.12.1+dfsg-3_amd64.buildinfo
Files:
 eac5e6f8b3613f35e33c6d20ba05e5b4 3713 libs optional freetype_2.12.1+dfsg-3.dsc
 ee2e2c104bc448313056e51940d373df 44068 libs optional freetype_2.12.1+dfsg-3.debian.tar.xz
 3ba2330f240cfe6d9abd286159080936 8720 libs optional freetype_2.12.1+dfsg-3_amd64.buildinfo