- Fix security problems

Note:
An integer overflow error within the "cff_charset_compute_cids()"
function in cff/cffload.c can be exploited to potentially cause
a heap-based buffer overflow via a specially crafted font.

Multiple integer overflow errors within validation functions in
sfnt/ttcmap.c can be exploited to bypass length validations and
potentially cause buffer overflows via specially crafted fonts.

An integer overflow error within the "ft_smooth_render_generic()"
function in smooth/ftsmooth.c can be exploited to potentially cause
a heap-based buffer overflow via a specially crafted font.

Approved by:	portmgr (pav)
Obtained from:	freetype git repo
Security:	http://www.vuxml.org/freebsd/20b4f284-2bfc-11de-bdeb-0030843d3802.html

print/freetype2/Makefile

@@ -8,6 +8,7 @@
 
 PORTNAME=	freetype2
 PORTVERSION=	2.3.9
+PORTREVISION=	1
 CATEGORIES=	print
 MASTER_SITES=	${MASTER_SITE_SOURCEFORGE:S,%SUBDIR%,freetype,} \
 		http://sunsite.cnlab-switch.ch/ftp/mirror/freetype/%SUBDIR%/ \

print/freetype2/files/patch-src-cff_cffload.c

@@ -0,0 +1,47 @@
+diff --git a/src/cff/cffload.c b/src/cff/cffload.c
+index 22163fb..24b899d 100644
+--- src/cff/cffload.c
++++ src/cff/cffload.c
+@@ -842,7 +842,20 @@
+             goto Exit;
+ 
+           for ( j = 1; j < num_glyphs; j++ )
+-            charset->sids[j] = FT_GET_USHORT();
++          {
++            FT_UShort sid = FT_GET_USHORT();
++
++
++            /* this constant is given in the CFF specification */
++            if ( sid < 65000 )
++              charset->sids[j] = sid;
++            else
++            {
++              FT_ERROR(( "cff_charset_load:"
++                         " invalid SID value %d set to zero\n", sid ));
++              charset->sids[j] = 0;
++            }
++          }
+ 
+           FT_FRAME_EXIT();
+         }
+@@ -875,6 +888,20 @@
+                 goto Exit;
+             }
+ 
++            /* check whether the range contains at least one valid glyph; */
++            /* the constant is given in the CFF specification             */
++            if ( glyph_sid >= 65000 ) {
++              FT_ERROR(( "cff_charset_load: invalid SID range\n" ));
++              error = CFF_Err_Invalid_File_Format;
++              goto Exit;
++            }
++
++            /* try to rescue some of the SIDs if `nleft' is too large */
++            if ( nleft > 65000 - 1 || glyph_sid >= 65000 - nleft ) {
++              FT_ERROR(( "cff_charset_load: invalid SID range trimmed\n" ));
++              nleft = 65000 - 1 - glyph_sid;
++            }
++
+             /* Fill in the range of sids -- `nleft + 1' glyphs. */
+             for ( i = 0; j < num_glyphs && i <= nleft; i++, j++, glyph_sid++ )
+               charset->sids[j] = glyph_sid;

print/freetype2/files/patch-src-lzw_ftzopen.c

@@ -0,0 +1,14 @@
+diff --git a/src/lzw/ftzopen.c b/src/lzw/ftzopen.c
+index fc78315..c0483de 100644
+--- src/lzw/ftzopen.c
++++ src/lzw/ftzopen.c
+@@ -332,6 +332,9 @@
+ 
+           while ( code >= 256U )
+           {
++            if ( !state->prefix )
++              goto Eof;
++
+             FTLZW_STACK_PUSH( state->suffix[code - 256] );
+             code = state->prefix[code - 256];
+           }

print/freetype2/files/patch-src-sfnt_ttcmap.c

@@ -0,0 +1,52 @@
+diff --git a/src/sfnt/ttcmap.c b/src/sfnt/ttcmap.c
+index 6830391..1bd2ce7 100644
+--- src/sfnt/ttcmap.c
++++ src/sfnt/ttcmap.c
+@@ -1635,7 +1635,7 @@
+       FT_INVALID_TOO_SHORT;
+ 
+     length = TT_NEXT_ULONG( p );
+-    if ( table + length > valid->limit || length < 8208 )
++    if ( length > (FT_UInt32)( valid->limit - table ) || length < 8192 + 16 )
+       FT_INVALID_TOO_SHORT;
+ 
+     is32       = table + 12;
+@@ -1863,7 +1863,8 @@
+     p      = table + 16;
+     count  = TT_NEXT_ULONG( p );
+ 
+-    if ( table + length > valid->limit || length < 20 + count * 2 )
++    if ( length > (FT_ULong)( valid->limit - table ) ||
++         length < 20 + count * 2                     )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check glyph indices */
+@@ -2048,7 +2049,8 @@
+     p          = table + 12;
+     num_groups = TT_NEXT_ULONG( p );
+ 
+-    if ( table + length > valid->limit || length < 16 + 12 * num_groups )
++    if ( length > (FT_ULong)( valid->limit - table ) ||
++         length < 16 + 12 * num_groups               )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check groups, they must be in increasing order */
+@@ -2429,7 +2431,8 @@
+     FT_ULong  num_selectors = TT_NEXT_ULONG( p );
+ 
+ 
+-    if ( table + length > valid->limit || length < 10 + 11 * num_selectors )
++    if ( length > (FT_ULong)( valid->limit - table ) ||
++         length < 10 + 11 * num_selectors            )
+       FT_INVALID_TOO_SHORT;
+ 
+     /* check selectors, they must be in increasing order */
+@@ -2491,7 +2494,7 @@
+           FT_ULong  i, lastUni = 0;
+ 
+ 
+-          if ( ndp + numMappings * 4 > valid->limit )
++          if ( numMappings * 4 > (FT_ULong)( valid->limit - ndp ) )
+             FT_INVALID_TOO_SHORT;
+ 
+           for ( i = 0; i < numMappings; ++i )

print/freetype2/files/patch-src-smooth_ftsmooth.c

@@ -0,0 +1,27 @@
+diff --git a/src/smooth/ftsmooth.c b/src/smooth/ftsmooth.c
+index a6db504..cacc490 100644
+--- src/smooth/ftsmooth.c
++++ src/smooth/ftsmooth.c
+@@ -153,7 +153,7 @@
+       slot->internal->flags &= ~FT_GLYPH_OWN_BITMAP;
+     }
+ 
+-    /* allocate new one, depends on pixel format */
++    /* allocate new one */
+     pitch = width;
+     if ( hmul )
+     {
+@@ -194,6 +194,13 @@
+ 
+ #endif
+ 
++    if ( pitch > 0xFFFF || height > 0xFFFF )
++    {
++      FT_ERROR(( "ft_smooth_render_generic: glyph too large: %d x %d\n",
++                 width, height ));
++      return Smooth_Err_Raster_Overflow;
++    }
++
+     bitmap->pixel_mode = FT_PIXEL_MODE_GRAY;
+     bitmap->num_grays  = 256;
+     bitmap->width      = width;