1119169 - Update to freetype 2.5.5

Status: RESOLVED FIXED

(Core :: Graphics: Text, defect)

Description

[Michael Wu [:mwu]]

Freetype 2.5.5 was released on Dec 30, 2014. We're currently on 2.5.3 and 2.5.4 had a security fix.

Comment 1

[Michael Wu [:mwu]]

Attachment: Update to freetype 2.5.5

Relatively straightforward. I dropped in the new freetype and updated README.moz-patches. Seems to build/work ok on B2G. We'll see what try thinks of it.

Comment 2

[Michael Wu [:mwu]]

https://treeherder.mozilla.org/ui/#/jobs?repo=try&revision=aed0fd9d9c48

Comment 3

[Jonathan Kew [:jfkthame]]

Comment on attachment 8546040 [details] [diff] [review]
Update to freetype 2.5.5

Review of attachment 8546040 [details] [diff] [review]:
-----------------------------------------------------------------

Looks fine; rs=me, provided tryserver agrees.

Comment 4

[Michael Wu [:mwu]]

Try server seems happy.

Comment 5

[Michael Wu [:mwu]]

https://hg.mozilla.org/integration/mozilla-inbound/rev/f359670a036d

Comment 6

[Carsten Book [:Tomcat]]

https://hg.mozilla.org/mozilla-central/rev/f359670a036d

Comment 7

[Michael Wu [:mwu]]

Jonathan, does the security issue here affect us? Seems like something we might check for already.. http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-2240

I'll request uplift if this does affect us.

Comment 8

[Jonathan Kew [:jfkthame]]

Hmm - CVE-2014-2240 was originally supposed to be fixed in 2.5.3, but then the FreeType notes say that 2.5.4 had a further fix for it.

However, AFAICT we should be protected from this anyhow (for downloadable fonts, which would be the main cause for concern) because OTS explicitly checks the number of stem hints and will reject the font if there are more than the spec allows.

So I think it's fine for this to just ride the usual trains.