From 08378e8a8b967531a03127e0a00404705649c2cd Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Dec 04 2010 22:28:23 +0000
Subject: Add patch to fix CVE-2010-4259 (fixes #659359)
---
diff --git a/fontforge-20061025-CVE-2010-4259.patch b/fontforge-20061025-CVE-2010-4259.patch
new file mode 100644
index 0000000..0719761
--- /dev/null
+++ b/fontforge-20061025-CVE-2010-4259.patch
@@ -0,0 +1,50 @@
+--- fontforge/fontforge/fvimportbdf.c 15 Apr 2010 10:47:36 -0000 1.58
++++ fontforge/fontforge/fvimportbdf.c 3 Dec 2010 21:03:38 -0000
+@@ -560,7 +560,7 @@
+ }
+ 
+ if ( strcmp(tok,"FONT")==0 ) {
+- if ( sscanf(buf,"-%*[^-]-%[^-]-%[^-]-%[^-]-%*[^-]-", family, weight, italic )!=0 ) {
++ if ( sscanf(buf,"-%*[^-]-%99[^-]-%99[^-]-%99[^-]-%*[^-]-", family, weight, italic )!=0 ) {
+ char *pt=buf;
+ int dcnt=0;
+ while ( *pt=='-' && dcnt<7 ) { ++pt; ++dcnt; }
+@@ -616,26 +616,30 @@
+ sscanf(buf, "%d", &defs->metricsset );
+ else if ( strcmp(tok,"VVECTOR")==0 )
+ sscanf(buf, "%*d %d", &defs->vertical_origin );
++ /* For foundry, fontname and encname, only copy up to the buffer size */
+ else if ( strcmp(tok,"FOUNDRY")==0 )
+- sscanf(buf, "%[^\"]", foundry );
++ sscanf(buf, "%99[^\"]", foundry );
+ else if ( strcmp(tok,"FONT_NAME")==0 )
+- sscanf(buf, "%[^\"]", fontname );
++ sscanf(buf, "%99[^\"]", fontname );
+ else if ( strcmp(tok,"CHARSET_REGISTRY")==0 )
+- sscanf(buf, "%[^\"]", encname );
++ sscanf(buf, "%99[^\"]", encname );
+ else if ( strcmp(tok,"CHARSET_ENCODING")==0 ) {
+ enc = 0;
+ if ( sscanf(buf, " %d", &enc )!=1 )
+ sscanf(buf, "%d", &enc );
++ /* These properties should be copied up to the buffer length too */
+ } else if ( strcmp(tok,"FAMILY_NAME")==0 ) {
+- strcpy(family,buf);
++ strncpy(family,buf,99);
+ } else if ( strcmp(tok,"FULL_NAME")==0 || strcmp(tok,"FACE_NAME")==0 ) {
+- strcpy(full,buf);
++ strncpy(full,buf,99);
+ } else if ( strcmp(tok,"WEIGHT_NAME")==0 )
+- strcpy(weight,buf);
++ strncpy(weight,buf,99);
+ else if ( strcmp(tok,"SLANT")==0 )
+- strcpy(italic,buf);
++ strncpy(italic,buf,99);
+ else if ( strcmp(tok,"COPYRIGHT")==0 ) {
+- strcpy(comments,buf);
++ /* LS: Assume the size of the passed-in buffer is 1000, see below in
++ * COMMENT */
++ strncpy(comments,buf,999);
+ found_copyright = true;
+ } else if ( strcmp(tok,"COMMENT")==0 && !found_copyright ) {
+ char *pt = comments+strlen(comments);
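Review bot: The `strncpy(family,buf,99)` replacements in the second inner hunk (and likewise for `full`, `weight`, `italic`, and `strncpy(comments,buf,999)`) do not NUL-terminate the destination when `buf` holds 99 (or 999) or more characters, so a long FAMILY_NAME or COPYRIGHT property still leaves an unterminated buffer that the visible `comments+strlen(comments)` in the COMMENT branch, and any later strlen/strcpy on those names, will read past — the overflow is narrowed, not closed. Replace each with a bounded copy that always terminates, e.g. `snprintf(family, 100, "%s", buf);` and `snprintf(comments, 1000, "%s", buf);`, or at minimum follow each strncpy with `family[99] = '\0';` and `comments[999] = '\0';`. The 100/1000 sizes are inferred from the `%99[...]` widths and the "LS: Assume" comment rather than from visible declarations; since the comment says these are passed-in buffers, their real sizes should be confirmed at the call site, ideally by passing the sizes into this function. The enclosing function starts before and ends after both inner hunks, so the remaining uses of these buffers are not visible here.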
diff --git a/fontforge.spec b/fontforge.spec
index 947aa92..4dbd365 100644
--- a/fontforge.spec
+++ b/fontforge.spec
@@ -3,7 +3,7 @@
 Name: fontforge
 Version: 20061025
-Release: 2%{?dist}
+Release: 3%{?dist}
 Summary: Outline and bitmap font editor
 Group: Applications/Publishing
@@ -14,6 +14,7 @@
 Source1: fontforge.desktop
 Source2: http://dl.sf.net/fontforge/fontforge_htdocs-%{docs_version}.tar.bz2
 Patch1: fontforge-20061025-usFirstCharIndex.patch
 Patch2: fontforge-20061025-fsSel.patch
+Patch3: fontforge-20061025-CVE-2010-4259.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 Requires: htmlview
@@ -116,6 +117,9 @@ rm -rf $RPM_BUILD_ROOT
 %changelog
+* Sat Dec 04 2010 Kevin Fenzi - 20061025-3
+- Add patch to fix CVE-2010-4259 (fixes #659359)
+
 * Sat Dec 09 2006 Roozbeh Pournader - 20061025-2
 - Add patch to fix fsSelection problem with DejaVu ExtraLight
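Review bot: The `Patch3:` declaration added in the second hunk is never applied — the spec diff contains no `%patch3` line, and the third hunk's header `@@ -116,6 +117,9 @@` shows only one line was inserted before the changelog (the `Patch3:` line itself), so nothing was added in `%prep` between them. Unless `%prep` applies patches generically (not visible in this diff, and unusual for a 2006-era spec that lists `Patch1`/`Patch2` individually), the built package will still ship the unfixed `fvimportbdf.c` while the changelog claims CVE-2010-4259 is fixed. Add `%patch3 -p1 -b .CVE-2010-4259` to `%prep` after the existing `%patch2` line, and confirm the `-p` level matches the `fontforge/fontforge/fvimportbdf.c` paths used inside the patch.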