authorEric Anholt <anholt@FreeBSD.org>2003-09-03 22:12:51 +0000
committerEric Anholt <anholt@FreeBSD.org>2003-09-03 22:12:51 +0000
commit97b4e7a649972e98bc31dd9b1b5ea2934ac3707e (patch)
tree7fd9ee2a4cff89bfc45ae738dafbc05096154ed6 /x11
parentFix a build problem when WITH_XINE is used. (diff)
Fixes for potential integer overflows in font libraries.
Obtained from: XFree86 CVS
Notes
Notes: svn path=/head/; revision=88457
Diffstat (limited to 'x11')
-rw-r--r--x11/XFree86-4-libraries/Makefile2
-rw-r--r--x11/XFree86-4-libraries/files/patch-libXfont369
2 files changed, 370 insertions, 1 deletions
diff --git a/x11/XFree86-4-libraries/Makefile b/x11/XFree86-4-libraries/Makefile
index a6a8d6a7e2a8..2afe846c139d 100644
--- a/x11/XFree86-4-libraries/Makefile
+++ b/x11/XFree86-4-libraries/Makefile
@@ -7,7 +7,7 @@
PORTNAME= libraries
PORTVERSION= 4.3.0
-PORTREVISION= 5
+PORTREVISION= 6
CATEGORIES= x11
MASTER_SITES= ${MASTER_SITE_XFREE:S/$/:x/} \
${MASTER_SITE_LOCAL:S/$/:local/}
diff --git a/x11/XFree86-4-libraries/files/patch-libXfont b/x11/XFree86-4-libraries/files/patch-libXfont
new file mode 100644
index 000000000000..efd0c06cd01a
--- /dev/null
+++ b/x11/XFree86-4-libraries/files/patch-libXfont
@@ -0,0 +1,369 @@
+Index: lib/FS/FSFontInfo.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSFontInfo.c,v
+retrieving revision 1.2
+retrieving revision 1.3
+diff -u -u -r1.2 -r1.3
+--- lib/FS/FSFontInfo.c 14 Dec 2001 19:53:32 -0000 1.2
++++ lib/FS/FSFontInfo.c 29 Aug 2003 18:01:10 -0000 1.3
+@@ -65,7 +65,7 @@
+ long nbytes;
+ int i,
+ j;
+- int size = 0;
++ size_t size = 0;
+ FSXFontInfoHeader **fhdr = (FSXFontInfoHeader **) 0;
+ FSPropInfo **pi = (FSPropInfo **) 0;
+ FSPropOffset **po = (FSPropOffset **) 0;
+@@ -123,8 +123,14 @@
+ if (reply.nameLength == 0) /* got last reply in version 1 */
+ break;
+ if ((i + reply.nReplies) >= size) {
++
++ if (reply.nReplies > SIZE_T_MAX - i - 1)
++ goto badmem;
+ size = i + reply.nReplies + 1;
+
++ if (size > SIZE_T_MAX / sizeof(char *))
++ goto badmem;
++
+ if (fhdr) {
+ FSXFontInfoHeader **tmp_fhdr = (FSXFontInfoHeader **)
+ FSrealloc((char *) fhdr,
+@@ -237,6 +243,9 @@
+ pi[i]->num_offsets = local_pi.num_offsets;
+ pi[i]->data_len = local_pi.data_len;
+
++ if (pi[i]->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset))
++ goto badmem;
++
+ po[i] = (FSPropOffset *)
+ FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset));
+ if (!po[i]) {
+@@ -281,6 +290,10 @@
+
+ nbytes = pi[i]->data_len + reply.nameLength;
+ _FSEatData(svr, (unsigned long) (((nbytes+3)&~3) - nbytes));
++ }
++ /* avoid integer overflow */
++ if (i > INT_MAX - 1) {
++ goto badmem;
+ }
+ }
+ *info = fhdr;
+Index: lib/FS/FSFtNames.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSFtNames.c,v
+retrieving revision 1.2
+retrieving revision 1.3
+diff -u -u -r1.2 -r1.3
+--- lib/FS/FSFtNames.c 14 Dec 2001 19:53:32 -0000 1.2
++++ lib/FS/FSFtNames.c 29 Aug 2003 18:01:10 -0000 1.3
+@@ -78,7 +78,8 @@
+ (SIZEOF(fsListFontsReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
+ return (char **) 0;
+
+- if (rep.nFonts) {
++ if (rep.nFonts && rep.nFonts <= SIZE_T_MAX / sizeof(char *)
++ && rep.length <= ((SIZE_T_MAX + SIZEOF(fsListFontsReply) - 1) >> 2)) {
+ flist = (char **) FSmalloc((unsigned) rep.nFonts * sizeof(char *));
+ rlen = (rep.length << 2) - SIZEOF(fsListFontsReply);
+ c = (char *) FSmalloc((unsigned) (rlen + 1));
+Index: lib/FS/FSGetCats.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSGetCats.c,v
+retrieving revision 1.2
+retrieving revision 1.3
+diff -u -u -r1.2 -r1.3
+--- lib/FS/FSGetCats.c 14 Dec 2001 19:53:32 -0000 1.2
++++ lib/FS/FSGetCats.c 29 Aug 2003 18:01:10 -0000 1.3
+@@ -72,9 +72,10 @@
+ SyncHandle();
+ return (char **) NULL;
+ }
+- if (rep.num_catalogues) {
++ if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *)
++ && rep.length <= ((SIZE_T_MAX + SIZEOF(fsGetCataloguesReply) - 1)>>2)) {
+ list = (char **)
+- FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
++ FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
+ rlen = (rep.length << 2) - SIZEOF(fsGetCataloguesReply);
+ c = (char *) FSmalloc((unsigned) rlen + 1);
+ if ((!list) || (!c)) {
+Index: lib/FS/FSListCats.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSListCats.c,v
+retrieving revision 1.2
+retrieving revision 1.3
+diff -u -u -r1.2 -r1.3
+--- lib/FS/FSListCats.c 14 Dec 2001 19:53:32 -0000 1.2
++++ lib/FS/FSListCats.c 29 Aug 2003 18:01:10 -0000 1.3
+@@ -78,7 +78,8 @@
+ (SIZEOF(fsListCataloguesReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
+ return (char **) 0;
+
+- if (rep.num_catalogues) {
++ if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *)
++ && rep.length <= ((SIZE_T_MAX+SIZEOF(fsListCataloguesReply)+1)>>2)) {
+ clist = (char **)
+ FSmalloc((unsigned) rep.num_catalogues * sizeof(char *));
+ rlen = (rep.length << 2) - SIZEOF(fsListCataloguesReply);
+Index: lib/FS/FSListExt.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSListExt.c,v
+retrieving revision 1.2
+retrieving revision 1.3
+diff -u -u -r1.2 -r1.3
+--- lib/FS/FSListExt.c 14 Dec 2001 19:53:32 -0000 1.2
++++ lib/FS/FSListExt.c 29 Aug 2003 18:01:10 -0000 1.3
+@@ -72,7 +72,8 @@
+ SyncHandle();
+ return (char **) NULL;
+ }
+- if (rep.nExtensions) {
++ if (rep.nExtensions && rep.nExtensions <= SIZE_T_MAX / sizeof(char *)
++ && rep.length <= ((SIZE_T_MAX+SIZEOF(fsListExtensionsReply)+1)>>2)) {
+ list = (char **) FSmalloc((unsigned)(rep.nExtensions * sizeof(char *)));
+ rlen = (rep.length << 2) - SIZEOF(fsListExtensionsReply);
+ c = (char *) FSmalloc((unsigned) rlen + 1);
+Index: lib/FS/FSOpenServ.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSOpenServ.c,v
+retrieving revision 1.6
+retrieving revision 1.7
+diff -u -u -r1.6 -r1.7
+--- lib/FS/FSOpenServ.c 14 Dec 2001 19:53:33 -0000 1.6
++++ lib/FS/FSOpenServ.c 29 Aug 2003 18:01:11 -0000 1.7
+@@ -118,7 +118,7 @@
+ AlternateServer *alts;
+ int altlen;
+ char *vendor_string;
+- long setuplength;
++ unsigned long setuplength;
+
+ if (server == NULL || *server == '\0') {
+ if ((server = getenv("FONTSERVER")) == NULL) {
+@@ -153,7 +153,8 @@
+ _FSRead(svr, (char *) &prefix, (long) SIZEOF(fsConnSetup));
+
+ setuplength = prefix.alternate_len << 2;
+- if ((alt_data = (char *)
++ if (setuplength > (SIZE_T_MAX>>2)
++ || (alt_data = (char *)
+ (setup = FSmalloc((unsigned) setuplength))) == NULL) {
+ errno = ENOMEM;
+ FSfree((char *) svr);
+@@ -162,6 +163,10 @@
+ _FSRead(svr, (char *) alt_data, setuplength);
+ ad = alt_data;
+
++ if (prefix.num_alternates > SIZE_T_MAX / sizeof(AlternateServer)) {
++ errno = ENOMEM;
++ return (FSServer *) 0;
++ }
+ alts = (AlternateServer *)
+ FSmalloc(sizeof(AlternateServer) * prefix.num_alternates);
+ if (!alts) {
+@@ -193,7 +198,8 @@
+ svr->num_alternates = prefix.num_alternates;
+
+ setuplength = prefix.auth_len << 2;
+- if ((auth_data = (char *)
++ if (prefix.auth_len > (SIZE_T_MAX>>2)
++ || (auth_data = (char *)
+ (setup = FSmalloc((unsigned) setuplength))) == NULL) {
+ errno = ENOMEM;
+ FSfree((char *) svr);
+Index: lib/FS/FSQGlyphs.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSQGlyphs.c,v
+retrieving revision 1.2
+retrieving revision 1.3
+diff -u -u -r1.2 -r1.3
+--- lib/FS/FSQGlyphs.c 14 Dec 2001 19:53:33 -0000 1.2
++++ lib/FS/FSQGlyphs.c 29 Aug 2003 18:01:11 -0000 1.3
+@@ -85,12 +85,20 @@
+ (SIZEOF(fsQueryXBitmaps8Reply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
+ return FSBadAlloc;
+
++ if (reply.num_chars > SIZE_T_MAX / sizeof(FSOffset))
++ return FSBadAlloc;
++
+ offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
+ *offsets = offs;
+ if (!offs)
+ return FSBadAlloc;
+ left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps8Reply)
+ - (SIZEOF(fsOffset32) * reply.num_chars);
++ /* XXX This thest is incomplete */
++ if (reply.length > (SIZE_T_MAX >> 2)) {
++ FSfree((char *) offs);
++ return FSBadAlloc;
++ }
+ gd = (unsigned char *) FSmalloc(left);
+ *glyphdata = gd;
+ if (!gd) {
+@@ -141,6 +149,8 @@
+ int i;
+ fsChar2b_version1 *swapped_str;
+
++ if (str_len > SIZE_T_MAX/SIZEOF(fsChar2b_version1))
++ return FSBadAlloc;
+ swapped_str = (fsChar2b_version1 *)
+ FSmalloc(SIZEOF(fsChar2b_version1) * str_len);
+ if (!swapped_str)
+@@ -160,12 +170,19 @@
+ fsFalse))
+ return FSBadAlloc;
+
++ if(reply.num_chars > SIZE_T_MAX/sizeof(FSOffset))
++ return FSBadAlloc;
+ offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
+ *offsets = offs;
+ if (!offs)
+ return FSBadAlloc;
+ left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps16Reply)
+ - (SIZEOF(fsOffset32) * reply.num_chars);
++ /* XXX - this test is incomplete */
++ if (reply.length > (SIZE_T_MAX>>2)) {
++ FSfree((char *) offs);
++ return FSBadAlloc;
++ }
+ gd = (unsigned char *) FSmalloc(left);
+ *glyphdata = gd;
+ if (!gd) {
+Index: lib/FS/FSQXExt.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSQXExt.c,v
+retrieving revision 1.5
+retrieving revision 1.6
+diff -u -u -r1.5 -r1.6
+--- lib/FS/FSQXExt.c 14 Dec 2001 19:53:33 -0000 1.5
++++ lib/FS/FSQXExt.c 29 Aug 2003 18:01:12 -0000 1.6
+@@ -92,6 +92,9 @@
+ (SIZEOF(fsQueryXExtents8Reply) - SIZEOF(fsGenericReply)) >> 2,
+ fsFalse))
+ return FSBadAlloc;
++
++ if (reply.num_extents > SIZE_T_MAX / sizeof(FSXCharInfo))
++ return FSBadAlloc;
+
+ ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
+ *extents = ext;
+@@ -147,6 +150,9 @@
+ if (!_FSReply(svr, (fsReply *) & reply,
+ (SIZEOF(fsQueryXExtents16Reply) - SIZEOF(fsGenericReply)) >> 2,
+ fsFalse))
++ return FSBadAlloc;
++
++ if (reply.num_extents > SIZE_T_MAX/sizeof(FSXCharInfo))
+ return FSBadAlloc;
+
+ ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
+Index: lib/FS/FSQXInfo.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSQXInfo.c,v
+retrieving revision 1.2
+retrieving revision 1.3
+diff -u -u -r1.2 -r1.3
+--- lib/FS/FSQXInfo.c 14 Dec 2001 19:53:33 -0000 1.2
++++ lib/FS/FSQXInfo.c 29 Aug 2003 18:01:12 -0000 1.3
+@@ -91,6 +91,9 @@
+ props->num_offsets = local_pi.num_offsets;
+ props->data_len = local_pi.data_len;
+
++ if (props->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset))
++ return FSBadAlloc;
++
+ /* prepare for prop data */
+ offset_data = (FSPropOffset *)
+ FSmalloc(props->num_offsets * sizeof(FSPropOffset));
+Index: lib/FS/FSlibint.h
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSlibint.h,v
+retrieving revision 3.7
+retrieving revision 3.8
+diff -u -u -r3.7 -r3.8
+--- lib/FS/FSlibint.h 14 Dec 2001 19:53:33 -0000 3.7
++++ lib/FS/FSlibint.h 29 Aug 2003 18:01:12 -0000 3.8
+@@ -76,6 +76,11 @@
+ #include "FSlibos.h"
+ #include <errno.h>
+ #include <stddef.h>
++
++#include <limits.h>
++#ifndef SIZE_T_MAX
++#define SIZE_T_MAX UINT_MAX
++#endif
+
+ typedef int (* FSIOErrorHandler)(FSServer *);
+ typedef int (* FSErrorHandler)(FSServer *, FSErrorEvent *);
+Index: lib/font/fc/fsconvert.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/font/fc/fsconvert.c,v
+retrieving revision 1.12
+retrieving revision 1.13
+diff -u -u -r1.12 -r1.13
+--- lib/font/fc/fsconvert.c 27 May 2003 22:26:48 -0000 1.12
++++ lib/font/fc/fsconvert.c 29 Aug 2003 18:01:13 -0000 1.13
+@@ -102,6 +102,10 @@
+
+ nprops = pfi->nprops = pi->num_offsets;
+
++ if (nprops < 0
++ || nprops > SIZE_T_MAX/(sizeof(FontPropRec) + sizeof(char)))
++ return -1;
++
+ dprop = (FontPropPtr) xalloc(sizeof(FontPropRec) * nprops +
+ sizeof (char) * nprops);
+ if (!dprop)
+Index: lib/font/fc/fserve.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/font/fc/fserve.c,v
+retrieving revision 3.23
+retrieving revision 3.24
+diff -u -u -r3.23 -r3.24
+--- lib/font/fc/fserve.c 27 May 2003 22:26:48 -0000 3.23
++++ lib/font/fc/fserve.c 29 Aug 2003 18:01:13 -0000 3.24
+@@ -1505,8 +1505,8 @@
+
+ if (conn->blockState & FS_GIVE_UP)
+ return BadFontName;
+-
+- if (namelen > sizeof (buf) - 1)
++
++ if (namelen <= 0 || namelen > sizeof (buf) - 1)
+ return BadFontName;
+
+ /*
+Index: lib/font/fc/fslibos.h
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/font/fc/fslibos.h,v
+retrieving revision 3.7
+retrieving revision 3.8
+diff -u -u -r3.7 -r3.8
+--- lib/font/fc/fslibos.h 31 May 2002 18:45:49 -0000 3.7
++++ lib/font/fc/fslibos.h 29 Aug 2003 18:01:14 -0000 3.8
+@@ -48,13 +48,16 @@
+ #ifndef FONT_OPEN_MAX
+
+ #ifndef X_NOT_POSIX
+-#ifdef _POSIX_SOURCE
+-#include <limits.h>
+-#else
+-#define _POSIX_SOURCE
+-#include <limits.h>
+-#undef _POSIX_SOURCE
++# ifdef _POSIX_SOURCE
++# include <limits.h>
++# else
++# define _POSIX_SOURCE
++# include <limits.h>
++# undef _POSIX_SOURCE
++# endif
+ #endif
++#ifndef SIZE_T_MAX
++# define SIZE_T_MAX UINT_MAX
+ #endif
+ #ifndef OPEN_MAX
+ #if defined(SVR4) || defined(__UNIXOS2__)
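Review bot: The `rep.length` bounds added in FSFtNames.c, FSGetCats.c, FSListCats.c and FSListExt.c compute `SIZE_T_MAX + SIZEOF(...)` before shifting, and that sum wraps if it is evaluated in the type of `SIZE_T_MAX` (with the `UINT_MAX` fallback added to FSlibint.h that is `unsigned int`), so the limit would collapse to a very small value instead of capping the reply size; the four sites also disagree on `- 1` versus `+1`. A form that cannot wrap is `rep.length <= (SIZE_T_MAX >> 2)`, paired with a lower bound such as `(rep.length << 2) >= SIZEOF(fsListFontsReply)` so the subtraction that yields `rlen` cannot go below zero. In FSQGlyphs.c the `reply.length` test sits after `left` has been computed and, as its own XXX comment says, is incomplete: nothing visible checks that `reply.length << 2` covers the reply header plus `SIZEOF(fsOffset32) * reply.num_chars`, so `left` can still underflow before `FSmalloc(left)`. The new `num_alternates` rejection in FSOpenServ.c returns without the `FSfree((char *) svr)` that the neighbouring error paths perform, and the `alt_data` buffer allocated just above appears to stay allocated as well. All of these functions extend beyond the quoted context, so checks or cleanup outside the hunks may already cover part of this.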