author | Eric Anholt <anholt@FreeBSD.org> | 2003-09-03 22:12:51 +0000 |
---|---|---|
committer | Eric Anholt <anholt@FreeBSD.org> | 2003-09-03 22:12:51 +0000 |
commit | 97b4e7a649972e98bc31dd9b1b5ea2934ac3707e (patch) | |
tree | 7fd9ee2a4cff89bfc45ae738dafbc05096154ed6 /x11 | |
parent | Fix a build problem when WITH_XINE is used. (diff) |
Fixes for potential integer overflows in font libraries.
Obtained from: XFree86 CVS
Notes
Notes:
svn path=/head/; revision=88457
Diffstat (limited to 'x11')
-rw-r--r-- | x11/XFree86-4-libraries/Makefile | 2 | ||||
-rw-r--r-- | x11/XFree86-4-libraries/files/patch-libXfont | 369 |
2 files changed, 370 insertions, 1 deletions
diff --git a/x11/XFree86-4-libraries/Makefile b/x11/XFree86-4-libraries/Makefile
index a6a8d6a7e2a8..2afe846c139d 100644
--- a/x11/XFree86-4-libraries/Makefile
+++ b/x11/XFree86-4-libraries/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= libraries
 PORTVERSION= 4.3.0
-PORTREVISION= 5
+PORTREVISION= 6
 CATEGORIES= x11
 MASTER_SITES= ${MASTER_SITE_XFREE:S/$/:x/} \
 ${MASTER_SITE_LOCAL:S/$/:local/}
diff --git a/x11/XFree86-4-libraries/files/patch-libXfont b/x11/XFree86-4-libraries/files/patch-libXfont
new file mode 100644
index 000000000000..efd0c06cd01a
--- /dev/null
+++ b/x11/XFree86-4-libraries/files/patch-libXfont
@@ -0,0 +1,369 @@
+Index: lib/FS/FSFontInfo.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSFontInfo.c,v
+retrieving revision 1.2
+retrieving revision 1.3
+diff -u -u -r1.2 -r1.3
+--- lib/FS/FSFontInfo.c 14 Dec 2001 19:53:32 -0000 1.2
++++ lib/FS/FSFontInfo.c 29 Aug 2003 18:01:10 -0000 1.3
+@@ -65,7 +65,7 @@
+ long nbytes;
+ int i,
+ j;
+- int size = 0;
++ size_t size = 0;
+ FSXFontInfoHeader **fhdr = (FSXFontInfoHeader **) 0;
+ FSPropInfo **pi = (FSPropInfo **) 0;
+ FSPropOffset **po = (FSPropOffset **) 0;
+@@ -123,8 +123,14 @@
+ if (reply.nameLength == 0) /* got last reply in version 1 */
+ break;
+ if ((i + reply.nReplies) >= size) {
++
++ if (reply.nReplies > SIZE_T_MAX - i - 1)
++ goto badmem;
+ size = i + reply.nReplies + 1;
+
++ if (size > SIZE_T_MAX / sizeof(char *))
++ goto badmem;
++
+ if (fhdr) {
+ FSXFontInfoHeader **tmp_fhdr = (FSXFontInfoHeader **)
+ FSrealloc((char *) fhdr,
+@@ -237,6 +243,9 @@
+ pi[i]->num_offsets = local_pi.num_offsets;
+ pi[i]->data_len = local_pi.data_len;
+
++ if (pi[i]->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset))
++ goto badmem;
++
+ po[i] = (FSPropOffset *)
+ FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset));
+ if (!po[i]) {
+@@ -281,6 +290,10 @@
+
+ nbytes = pi[i]->data_len + reply.nameLength;
+ _FSEatData(svr, (unsigned long) (((nbytes+3)&~3) - nbytes));
++ }
++ /* avoid integer overflow */
++ if (i > INT_MAX - 1) {
++ goto badmem;
+ }
+ }
+ *info = fhdr;
+Index: lib/FS/FSFtNames.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSFtNames.c,v
+retrieving revision 1.2
+retrieving revision 1.3
+diff -u -u -r1.2 -r1.3
+--- lib/FS/FSFtNames.c 14 Dec 2001 19:53:32 -0000 1.2
++++ lib/FS/FSFtNames.c 29 Aug 2003 18:01:10 -0000 1.3
+@@ -78,7 +78,8 @@
+ (SIZEOF(fsListFontsReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
+ return (char **) 0;
+
+- if (rep.nFonts) {
++ if (rep.nFonts && rep.nFonts <= SIZE_T_MAX / sizeof(char *)
++ && rep.length <= ((SIZE_T_MAX + SIZEOF(fsListFontsReply) - 1) >> 2)) {
+ flist = (char **) FSmalloc((unsigned) rep.nFonts * sizeof(char *));
+ rlen = (rep.length << 2) - SIZEOF(fsListFontsReply);
+ c = (char *) FSmalloc((unsigned) (rlen + 1));
+Index: lib/FS/FSGetCats.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSGetCats.c,v
+retrieving revision 1.2
+retrieving revision 1.3
+diff -u -u -r1.2 -r1.3
+--- lib/FS/FSGetCats.c 14 Dec 2001 19:53:32 -0000 1.2
++++ lib/FS/FSGetCats.c 29 Aug 2003 18:01:10 -0000 1.3
+@@ -72,9 +72,10 @@
+ SyncHandle();
+ return (char **) NULL;
+ }
+- if (rep.num_catalogues) {
++ if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *)
++ && rep.length <= ((SIZE_T_MAX + SIZEOF(fsGetCataloguesReply) - 1)>>2)) {
+ list = (char **)
+- FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
++ FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
+ rlen = (rep.length << 2) - SIZEOF(fsGetCataloguesReply);
+ c = (char *) FSmalloc((unsigned) rlen + 1);
+ if ((!list) || (!c)) {
+Index: lib/FS/FSListCats.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSListCats.c,v
+retrieving revision 1.2
+retrieving revision 1.3
+diff -u -u -r1.2 -r1.3
+--- lib/FS/FSListCats.c 14 Dec 2001 19:53:32 -0000 1.2
++++ lib/FS/FSListCats.c 29 Aug 2003 18:01:10 -0000 1.3
+@@ -78,7 +78,8 @@
+ (SIZEOF(fsListCataloguesReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
+ return (char **) 0;
+
+- if (rep.num_catalogues) {
++ if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *)
++ && rep.length <= ((SIZE_T_MAX+SIZEOF(fsListCataloguesReply)+1)>>2)) {
+ clist = (char **)
+ FSmalloc((unsigned) rep.num_catalogues * sizeof(char *));
+ rlen = (rep.length << 2) - SIZEOF(fsListCataloguesReply);
+Index: lib/FS/FSListExt.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSListExt.c,v
+retrieving revision 1.2
+retrieving revision 1.3
+diff -u -u -r1.2 -r1.3
+--- lib/FS/FSListExt.c 14 Dec 2001 19:53:32 -0000 1.2
++++ lib/FS/FSListExt.c 29 Aug 2003 18:01:10 -0000 1.3
+@@ -72,7 +72,8 @@
+ SyncHandle();
+ return (char **) NULL;
+ }
+- if (rep.nExtensions) {
++ if (rep.nExtensions && rep.nExtensions <= SIZE_T_MAX / sizeof(char *)
++ && rep.length <= ((SIZE_T_MAX+SIZEOF(fsListExtensionsReply)+1)>>2)) {
+ list = (char **) FSmalloc((unsigned)(rep.nExtensions * sizeof(char *)));
+ rlen = (rep.length << 2) - SIZEOF(fsListExtensionsReply);
+ c = (char *) FSmalloc((unsigned) rlen + 1);
+Index: lib/FS/FSOpenServ.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSOpenServ.c,v
+retrieving revision 1.6
+retrieving revision 1.7
+diff -u -u -r1.6 -r1.7
+--- lib/FS/FSOpenServ.c 14 Dec 2001 19:53:33 -0000 1.6
++++ lib/FS/FSOpenServ.c 29 Aug 2003 18:01:11 -0000 1.7
+@@ -118,7 +118,7 @@
+ AlternateServer *alts;
+ int altlen;
+ char *vendor_string;
+- long setuplength;
++ unsigned long setuplength;
+
+ if (server == NULL || *server == '\0') {
+ if ((server = getenv("FONTSERVER")) == NULL) {
+@@ -153,7 +153,8 @@
+ _FSRead(svr, (char *) &prefix, (long) SIZEOF(fsConnSetup));
+
+ setuplength = prefix.alternate_len << 2;
+- if ((alt_data = (char *)
++ if (setuplength > (SIZE_T_MAX>>2)
++ || (alt_data = (char *)
+ (setup = FSmalloc((unsigned) setuplength))) == NULL) {
+ errno = ENOMEM;
+ FSfree((char *) svr);
+@@ -162,6 +163,10 @@
+ _FSRead(svr, (char *) alt_data, setuplength);
+ ad = alt_data;
+
++ if (prefix.num_alternates > SIZE_T_MAX / sizeof(AlternateServer)) {
++ errno = ENOMEM;
++ return (FSServer *) 0;
++ }
+ alts = (AlternateServer *)
+ FSmalloc(sizeof(AlternateServer) * prefix.num_alternates);
+ if (!alts) {
+@@ -193,7 +198,8 @@
+ svr->num_alternates = prefix.num_alternates;
+
+ setuplength = prefix.auth_len << 2;
+- if ((auth_data = (char *)
++ if (prefix.auth_len > (SIZE_T_MAX>>2)
++ || (auth_data = (char *)
+ (setup = FSmalloc((unsigned) setuplength))) == NULL) {
+ errno = ENOMEM;
+ FSfree((char *) svr);
+Index: lib/FS/FSQGlyphs.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSQGlyphs.c,v
+retrieving revision 1.2
+retrieving revision 1.3
+diff -u -u -r1.2 -r1.3
+--- lib/FS/FSQGlyphs.c 14 Dec 2001 19:53:33 -0000 1.2
++++ lib/FS/FSQGlyphs.c 29 Aug 2003 18:01:11 -0000 1.3
+@@ -85,12 +85,20 @@
+ (SIZEOF(fsQueryXBitmaps8Reply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
+ return FSBadAlloc;
+
++ if (reply.num_chars > SIZE_T_MAX / sizeof(FSOffset))
++ return FSBadAlloc;
++
+ offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
+ *offsets = offs;
+ if (!offs)
+ return FSBadAlloc;
+ left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps8Reply)
+ - (SIZEOF(fsOffset32) * reply.num_chars);
++ /* XXX This thest is incomplete */
++ if (reply.length > (SIZE_T_MAX >> 2)) {
++ FSfree((char *) offs);
++ return FSBadAlloc;
++ }
+ gd = (unsigned char *) FSmalloc(left);
+ *glyphdata = gd;
+ if (!gd) {
+@@ -141,6 +149,8 @@
+ int i;
+ fsChar2b_version1 *swapped_str;
+
++ if (str_len > SIZE_T_MAX/SIZEOF(fsChar2b_version1))
++ return FSBadAlloc;
+ swapped_str = (fsChar2b_version1 *)
+ FSmalloc(SIZEOF(fsChar2b_version1) * str_len);
+ if (!swapped_str)
+@@ -160,12 +170,19 @@
+ fsFalse))
+ return FSBadAlloc;
+
++ if(reply.num_chars > SIZE_T_MAX/sizeof(FSOffset))
++ return FSBadAlloc;
+ offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
+ *offsets = offs;
+ if (!offs)
+ return FSBadAlloc;
+ left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps16Reply)
+ - (SIZEOF(fsOffset32) * reply.num_chars);
++ /* XXX - this test is incomplete */
++ if (reply.length > (SIZE_T_MAX>>2)) {
++ FSfree((char *) offs);
++ return FSBadAlloc;
++ }
+ gd = (unsigned char *) FSmalloc(left);
+ *glyphdata = gd;
+ if (!gd) {
+Index: lib/FS/FSQXExt.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSQXExt.c,v
+retrieving revision 1.5
+retrieving revision 1.6
+diff -u -u -r1.5 -r1.6
+--- lib/FS/FSQXExt.c 14 Dec 2001 19:53:33 -0000 1.5
++++ lib/FS/FSQXExt.c 29 Aug 2003 18:01:12 -0000 1.6
+@@ -92,6 +92,9 @@
+ (SIZEOF(fsQueryXExtents8Reply) - SIZEOF(fsGenericReply)) >> 2,
+ fsFalse))
+ return FSBadAlloc;
++
++ if (reply.num_extents > SIZE_T_MAX / sizeof(FSXCharInfo))
++ return FSBadAlloc;
+
+ ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
+ *extents = ext;
+@@ -147,6 +150,9 @@
+ if (!_FSReply(svr, (fsReply *) & reply,
+ (SIZEOF(fsQueryXExtents16Reply) - SIZEOF(fsGenericReply)) >> 2,
+ fsFalse))
++ return FSBadAlloc;
++
++ if (reply.num_extents > SIZE_T_MAX/sizeof(FSXCharInfo))
+ return FSBadAlloc;
+
+ ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
+Index: lib/FS/FSQXInfo.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSQXInfo.c,v
+retrieving revision 1.2
+retrieving revision 1.3
+diff -u -u -r1.2 -r1.3
+--- lib/FS/FSQXInfo.c 14 Dec 2001 19:53:33 -0000 1.2
++++ lib/FS/FSQXInfo.c 29 Aug 2003 18:01:12 -0000 1.3
+@@ -91,6 +91,9 @@
+ props->num_offsets = local_pi.num_offsets;
+ props->data_len = local_pi.data_len;
+
++ if (props->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset))
++ return FSBadAlloc;
++
+ /* prepare for prop data */
+ offset_data = (FSPropOffset *)
+ FSmalloc(props->num_offsets * sizeof(FSPropOffset));
+Index: lib/FS/FSlibint.h
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/FS/FSlibint.h,v
+retrieving revision 3.7
+retrieving revision 3.8
+diff -u -u -r3.7 -r3.8
+--- lib/FS/FSlibint.h 14 Dec 2001 19:53:33 -0000 3.7
++++ lib/FS/FSlibint.h 29 Aug 2003 18:01:12 -0000 3.8
+@@ -76,6 +76,11 @@
+ #include "FSlibos.h"
+ #include <errno.h>
+ #include <stddef.h>
++
++#include <limits.h>
++#ifndef SIZE_T_MAX
++#define SIZE_T_MAX UINT_MAX
++#endif
+
+ typedef int (* FSIOErrorHandler)(FSServer *);
+ typedef int (* FSErrorHandler)(FSServer *, FSErrorEvent *);
+Index: lib/font/fc/fsconvert.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/font/fc/fsconvert.c,v
+retrieving revision 1.12
+retrieving revision 1.13
+diff -u -u -r1.12 -r1.13
+--- lib/font/fc/fsconvert.c 27 May 2003 22:26:48 -0000 1.12
++++ lib/font/fc/fsconvert.c 29 Aug 2003 18:01:13 -0000 1.13
+@@ -102,6 +102,10 @@
+
+ nprops = pfi->nprops = pi->num_offsets;
+
++ if (nprops < 0
++ || nprops > SIZE_T_MAX/(sizeof(FontPropRec) + sizeof(char)))
++ return -1;
++
+ dprop = (FontPropPtr) xalloc(sizeof(FontPropRec) * nprops +
+ sizeof (char) * nprops);
+ if (!dprop)
+Index: lib/font/fc/fserve.c
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/font/fc/fserve.c,v
+retrieving revision 3.23
+retrieving revision 3.24
+diff -u -u -r3.23 -r3.24
+--- lib/font/fc/fserve.c 27 May 2003 22:26:48 -0000 3.23
++++ lib/font/fc/fserve.c 29 Aug 2003 18:01:13 -0000 3.24
+@@ -1505,8 +1505,8 @@
+
+ if (conn->blockState & FS_GIVE_UP)
+ return BadFontName;
+-
+- if (namelen > sizeof (buf) - 1)
++
++ if (namelen <= 0 || namelen > sizeof (buf) - 1)
+ return BadFontName;
+
+ /*
+Index: lib/font/fc/fslibos.h
+===================================================================
+RCS file: /home/ncvs/xfree/xc/lib/font/fc/fslibos.h,v
+retrieving revision 3.7
+retrieving revision 3.8
+diff -u -u -r3.7 -r3.8
+--- lib/font/fc/fslibos.h 31 May 2002 18:45:49 -0000 3.7
++++ lib/font/fc/fslibos.h 29 Aug 2003 18:01:14 -0000 3.8
+@@ -48,13 +48,16 @@
+ #ifndef FONT_OPEN_MAX
+
+ #ifndef X_NOT_POSIX
+-#ifdef _POSIX_SOURCE
+-#include <limits.h>
+-#else
+-#define _POSIX_SOURCE
+-#include <limits.h>
+-#undef _POSIX_SOURCE
++# ifdef _POSIX_SOURCE
++# include <limits.h>
++# else
++# define _POSIX_SOURCE
++# include <limits.h>
++# undef _POSIX_SOURCE
++# endif
+ #endif
++#ifndef SIZE_T_MAX
++# define SIZE_T_MAX UINT_MAX
+ #endif
+ #ifndef OPEN_MAX
+ #if defined(SVR4) || defined(__UNIXOS2__) |
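Review bot: The `rep.length` limits added in FSFtNames.c, FSGetCats.c, FSListCats.c and FSListExt.c do arithmetic on the maximum itself, e.g. `(SIZE_T_MAX + SIZEOF(fsListFontsReply) - 1) >> 2`, so if `SIZE_T_MAX` is the largest value of its unsigned type the sum wraps and the bound shrinks to a few words instead of sitting near the top of the range. Two of the four sites use `- 1` and two use `+1`, so the expression does not look derived from the `rlen = (rep.length << 2) - SIZEOF(...)` computation it is meant to protect. None of the four sets a floor either, so a reply shorter than the fixed header still drives that subtraction below zero (or makes it wrap; `rlen` is declared outside the hunks) before `FSmalloc(rlen + 1)`. I would use one form everywhere that never adds to the maximum and also rejects short replies, such as `&& rep.length <= (SIZE_T_MAX >> 2) && rep.length >= (SIZEOF(fsListFontsReply) >> 2)) {`, assuming the reply size is a multiple of four as the `_FSReply` calls above imply. The enclosing functions begin and end outside the inner hunks, so what happens to a rejected reply cannot be checked from here.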