security fix: correct bugs 115788 and 150339 (Mozilla passes

requests for huge fonts, leading to loss of X (and probably VNC)
session)

Obtained from:	attachment 87432 on bugzilla.mozilla.org

3 files changed, 81 insertions, 2 deletions

diff --git a/www/mozilla/Makefile b/www/mozilla/Makefile
index 5b13a5fefa1a..1576e0ca5559 100644
--- a/www/mozilla/Makefile
+++ b/www/mozilla/Makefile
@@ -8,6 +8,7 @@
 PORTNAME=	mozilla
 PORTVERSION=	1.0
 PORTEPOCH=	1
+PORTREVISION=	1
 CATEGORIES=	www
 MASTER_SITES=	${MASTER_SITE_MOZILLA} \
 		http://people.FreeBSD.org/~sobomax/:local
@@ -18,8 +19,6 @@ DISTFILES=	${PORTNAME}-source-${PORTVERSION:S/.rc/rc/}${EXTRACT_SUFX} \
 
 MAINTAINER=	gnome@FreeBSD.org
 
-FORBIDDEN= 	"see http://bugzilla.mozilla.org/show_bug.cgi?id=150339 "
-
 BUILD_DEPENDS=	zip:${PORTSDIR}/archivers/zip \
 		freetype-config:${PORTSDIR}/print/freetype2
 LIB_DEPENDS=	ORBit.2:${PORTSDIR}/devel/ORBit \
diff --git a/www/mozilla/files/patch-nsFontMetricsGTK.cpp b/www/mozilla/files/patch-nsFontMetricsGTK.cpp
new file mode 100644
index 000000000000..3bab909b5a89
--- /dev/null
+++ b/www/mozilla/files/patch-nsFontMetricsGTK.cpp
@@ -0,0 +1,40 @@
+$FreeBSD$
+
+As reported by Mikko Rapeli and Tom Vogt at
+http://bugzilla.mozilla.org/show_bug.cgi?id=115788 and
+http://bugzilla.mozilla.org/show_bug.cgi?id=150339 the X server can
+abort when Mozilla requests a huge (scalable) font.  This is also
+likely to happen to the X font server, or to Xvnc.
+
+This patch is from
+http://bugzilla.mozilla.org/attachment.cgi?id=87432&action=view
+.
+
+--- gfx/src/gtk/nsFontMetricsGTK.cpp	Mon Jun 10 01:02:08 2002
++++ gfx/src/gtk/nsFontMetricsGTK.cpp	Thu Jun 13 00:06:33 2002
+@@ -87,6 +87,12 @@
+ #undef USER_DEFINED
+ #define USER_DEFINED "x-user-def"
+ 
++// This is the scaling factor that we keep fonts limited to against
++// the display size.  If a pixel size is requested that is more than
++// this factor larger than the height of the display, it's clamped to
++// that value instead of the requested size.
++#define FONT_MAX_FONT_SCALE 2
++
+ #undef NOISY_FONTS
+ #undef REALLY_NOISY_FONTS
+ 
+@@ -1276,7 +1282,12 @@
+ 
+   float app2dev;
+   mDeviceContext->GetAppUnitsToDevUnits(app2dev);
++
+   mPixelSize = NSToIntRound(app2dev * mFont->size);
++  // Make sure to clamp the pixel size to something reasonable so we
++  // don't make the X server blow up.
++  mPixelSize = PR_MIN(gdk_screen_height() * FONT_MAX_FONT_SCALE, mPixelSize);
++
+   mStretchIndex = 4; // normal
+   mStyleIndex = mFont->style;
+ 
diff --git a/www/mozilla/files/patch-nsFontMetricsXlib.cpp b/www/mozilla/files/patch-nsFontMetricsXlib.cpp
new file mode 100644
index 000000000000..fd470f66d234
--- /dev/null
+++ b/www/mozilla/files/patch-nsFontMetricsXlib.cpp
@@ -0,0 +1,40 @@
+$FreeBSD$
+
+As reported by Mikko Rapeli and Tom Vogt at
+http://bugzilla.mozilla.org/show_bug.cgi?id=115788 and
+http://bugzilla.mozilla.org/show_bug.cgi?id=150339 the X server can
+abort when Mozilla requests a huge (scalable) font.  This is also
+likely to happen to the X font server, or to Xvnc.
+
+This patch is from
+http://bugzilla.mozilla.org/attachment.cgi?id=87432&action=view
+.
+
+--- gfx/src/xlib/nsFontMetricsXlib.cpp	Tue Jun 11 16:20:31 2002
++++ gfx/src/xlib/nsFontMetricsXlib.cpp	Thu Jun 13 00:05:47 2002
+@@ -99,6 +99,12 @@
+ #undef USER_DEFINED
+ #define USER_DEFINED "x-user-def"
+ 
++// This is the scaling factor that we keep fonts limited to against
++// the display size.  If a pixel size is requested that is more than
++// this factor larger than the height of the display, it's clamped to
++// that value instead of the requested size.
++#define FONT_MAX_FONT_SCALE 2
++
+ #undef NOISY_FONTS
+ #undef REALLY_NOISY_FONTS
+ 
+@@ -1480,7 +1486,12 @@
+ 
+   float app2dev;
+   mDeviceContext->GetAppUnitsToDevUnits(app2dev);
++
+   mPixelSize = NSToIntRound(app2dev * mFont->size);
++  // Make sure to clamp the pixel size to something reasonable so we
++  // don't make the X server blow up.
++  mPixelSize = PR_MIN(XHeightOfScreen(xxlib_rgb_get_screen(gXlibRgbHandle)) * FONT_MAX_FONT_SCALE, mPixelSize);
++
+   mStretchIndex = 4; // Normal
+   mStyleIndex = mFont->style;
+