From 64c03a02adf61c00cc5e5d4f85e9205709e0b97b Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Dag-Erling=20Sm=C3=B8rgrav?= Date: Thu, 12 Feb 2004 20:16:05 +0000 Subject: Fix several buffer overflow issues in the fontpath handling code. Remove an earlier patch which only partially addressed these issues. Approved by: so --- x11-servers/XFree86-4-Server-snap/Makefile | 2 +- .../XFree86-4-Server-snap/files/patch-dirfile.c | 13 -- .../files/patch-xc::lib::font::fontfile | 185 +++++++++++++++++++++ x11-servers/XFree86-4-Server/Makefile | 4 +- x11-servers/XFree86-4-Server/files/patch-dirfile.c | 13 -- .../files/patch-xc::lib::font::fontfile | 185 +++++++++++++++++++++ 6 files changed, 373 insertions(+), 29 deletions(-) delete mode 100644 x11-servers/XFree86-4-Server-snap/files/patch-dirfile.c create mode 100644 x11-servers/XFree86-4-Server-snap/files/patch-xc::lib::font::fontfile delete mode 100644 x11-servers/XFree86-4-Server/files/patch-dirfile.c create mode 100644 x11-servers/XFree86-4-Server/files/patch-xc::lib::font::fontfile (limited to 'x11-servers') diff --git a/x11-servers/XFree86-4-Server-snap/Makefile b/x11-servers/XFree86-4-Server-snap/Makefile index ccd8a0f89e7b..c2d3e1ba6624 100644 --- a/x11-servers/XFree86-4-Server-snap/Makefile +++ b/x11-servers/XFree86-4-Server-snap/Makefile @@ -7,7 +7,7 @@ PORTNAME= Server PORTVERSION= 4.3.99.15 -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= x11-servers MASTER_SITES= ${MASTER_SITE_XFREE:S|source/||:S/$/:x/} \ ${MASTER_SITE_LOCAL:S/$/:local/} diff --git a/x11-servers/XFree86-4-Server-snap/files/patch-dirfile.c b/x11-servers/XFree86-4-Server-snap/files/patch-dirfile.c deleted file mode 100644 index b0891cdd6ea8..000000000000 --- a/x11-servers/XFree86-4-Server-snap/files/patch-dirfile.c +++ /dev/null @@ -1,13 +0,0 @@ ---- lib/font/fontfile/dirfile.c.orig Fri May 31 20:45:50 2002 -+++ lib/font/fontfile/dirfile.c Thu Feb 5 00:19:57 2004 -@@ -286,6 +286,10 @@ - status = AllocError; - break; - case NAME: -+ if (strlen(lexToken) >= sizeof(alias)) { -+ status = BadFontPath; -+ break; -+ } - strcpy(alias, lexToken); - token = lexAlias(file, &lexToken); - switch (token) { diff --git a/x11-servers/XFree86-4-Server-snap/files/patch-xc::lib::font::fontfile b/x11-servers/XFree86-4-Server-snap/files/patch-xc::lib::font::fontfile new file mode 100644 index 000000000000..def6a519f7c1 --- /dev/null +++ b/x11-servers/XFree86-4-Server-snap/files/patch-xc::lib::font::fontfile @@ -0,0 +1,185 @@ +Index: lib/font/fontfile/dirfile.c +=================================================================== +RCS file: /home/x-cvs/xc/lib/font/fontfile/dirfile.c,v +retrieving revision 3.15 +diff -u -r3.15 dirfile.c +--- dirfile.c 31 May 2002 18:45:50 -0000 3.15 ++++ dirfile.c 11 Feb 2004 21:17:20 -0000 +@@ -68,6 +68,9 @@ + + FontDirectoryPtr dir = NullFontDirectory; + ++ if (strlen(directory) + 1 + sizeof(FontDirFile) > sizeof(dir_file)) ++ return BadFontPath; ++ + #ifdef FONTDIRATTRIB + /* Check for font directory attributes */ + #ifndef __UNIXOS2__ +@@ -154,6 +157,9 @@ + char dir_file[MAXFONTFILENAMELEN]; + struct stat statb; + ++ if (strlen(dir->directory) + sizeof(FontDirFile) > sizeof(dir_file)) ++ return FALSE; ++ + strcpy (dir_file, dir->directory); + strcat (dir_file, FontDirFile); + if (stat (dir_file, &statb) == -1) +@@ -202,6 +208,8 @@ + continue; + + len = strlen (fileName) - renderer->fileSuffixLen; ++ if (len >= sizeof(copy)) ++ continue; + CopyISOLatin1Lowered (copy, fileName, len); + copy[len] = '\0'; + name.name = copy; +@@ -251,9 +259,13 @@ + int status = Successful; + struct stat statb; + ++ if (strlen(directory) >= sizeof(alias_file)) ++ return BadFontPath; + dir = *pdir; + strcpy(alias_file, directory); + if (!isFile) { ++ if (strlen(directory) + 1 + sizeof(FontAliasFile) > sizeof(alias_file)) ++ return BadFontPath; + if (directory[strlen(directory) - 1] != '/') + strcat(alias_file, "/"); + strcat(alias_file, FontAliasFile); +@@ -286,6 +298,10 @@ + status = AllocError; + break; + case NAME: ++ if (strlen(lexToken) >= sizeof(alias)) { ++ status = BadFontPath; ++ break; ++ } + strcpy(alias, lexToken); + token = lexAlias(file, &lexToken); + switch (token) { +@@ -302,6 +318,10 @@ + status = AllocError; + break; + case NAME: ++ if (strlen(lexToken) >= sizeof(font_name)) { ++ status = BadFontPath; ++ break; ++ } + CopyISOLatin1Lowered(alias, alias, strlen(alias)); + CopyISOLatin1Lowered(font_name, lexToken, strlen(lexToken)); + if (!FontFileAddFontAlias (dir, alias, font_name)) +Index: lib/font/fontfile/encparse.c +=================================================================== +RCS file: /home/x-cvs/xc/lib/font/fontfile/encparse.c,v +retrieving revision 1.18 +diff -u -r1.18 encparse.c +--- encparse.c 2 Nov 2001 03:06:40 -0000 1.18 ++++ encparse.c 11 Feb 2004 21:17:20 -0000 +@@ -833,6 +833,7 @@ + char file_name[MAXFONTFILENAMELEN], encoding_name[MAXFONTNAMELEN], + buf[MAXFONTFILENAMELEN]; + int count, n; ++ static char format[24] = ""; + + /* As we don't really expect to open encodings that often, we don't + take the trouble of caching encodings directories. */ +@@ -848,8 +849,12 @@ + } + + encoding = NULL; ++ if (!format[0]) { ++ sprintf(format, "%%%ds %%%d[^\n]\n", sizeof(encoding_name) - 1, ++ sizeof(file_name) - 1); ++ } + for(;;) { +- count = fscanf(file, "%s %[^\n]\n", encoding_name, file_name); ++ count = fscanf(file, format, encoding_name, file_name); + if(count == EOF) + break; + if(count != 2) +Index: lib/font/fontfile/fontfile.c +=================================================================== +RCS file: /home/x-cvs/xc/lib/font/fontfile/fontfile.c,v +retrieving revision 3.16 +diff -u -r3.16 fontfile.c +--- fontfile.c 31 May 2002 18:45:50 -0000 3.16 ++++ fontfile.c 11 Feb 2004 21:17:20 -0000 +@@ -424,11 +424,16 @@ + vals.ranges = ranges; + vals.nranges = nranges; + +- strcpy (fileName, dir->directory); +- strcat (fileName, scalable->fileName); +- ret = (*scalable->renderer->OpenScalable) (fpe, pFont, ++ if (strlen(dir->directory) + strlen(scalable->fileName) >= ++ sizeof(fileName)) { ++ ret = BadFontName; ++ } else { ++ strcpy (fileName, dir->directory); ++ strcat (fileName, scalable->fileName); ++ ret = (*scalable->renderer->OpenScalable) (fpe, pFont, + flags, entry, fileName, &vals, format, fmask, + non_cachable_font); ++ } + + /* In case rasterizer does something bad because of + charset subsetting... */ +@@ -497,6 +502,8 @@ + + dir = (FontDirectoryPtr) fpe->private; + bitmap = &entry->u.bitmap; ++ if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName)) ++ return BadFontName; + strcpy (fileName, dir->directory); + strcat (fileName, bitmap->fileName); + ret = (*bitmap->renderer->OpenBitmap) +@@ -530,6 +537,8 @@ + + dir = (FontDirectoryPtr) fpe->private; + bitmap = &entry->u.bitmap; ++ if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName)) ++ return BadFontName; + strcpy (fileName, dir->directory); + strcat (fileName, bitmap->fileName); + ret = (*bitmap->renderer->GetInfoBitmap) (fpe, pFontInfo, entry, fileName); +@@ -891,10 +900,15 @@ + vals.ranges = FontParseRanges(origName, &vals.nranges); + ranges = vals.ranges; + /* Make a new scaled instance */ +- strcpy (fileName, dir->directory); +- strcat (fileName, scalable->fileName); +- ret = (*scalable->renderer->GetInfoScalable) +- (fpe, *pFontInfo, entry, &tmpName, fileName, &vals); ++ if (strlen(dir->directory) + strlen(scalable->fileName) >= ++ sizeof(fileName)) { ++ ret = BadFontName; ++ } else { ++ strcpy (fileName, dir->directory); ++ strcat (fileName, scalable->fileName); ++ ret = (*scalable->renderer->GetInfoScalable) ++ (fpe, *pFontInfo, entry, &tmpName, fileName, &vals); ++ } + if (ranges) xfree(ranges); + } + } +@@ -931,10 +945,15 @@ + bc = &entry->u.bc; + entry = bc->entry; + /* Make a new scaled instance */ +- strcpy (fileName, dir->directory); +- strcat (fileName, scalable->fileName); +- ret = (*scalable->renderer->GetInfoScalable) ++ if (strlen(dir->directory) + strlen(scalable->fileName) >= ++ sizeof(fileName)) { ++ ret = BadFontName; ++ } else { ++ strcpy (fileName, dir->directory); ++ strcat (fileName, scalable->fileName); ++ ret = (*scalable->renderer->GetInfoScalable) + (fpe, *pFontInfo, entry, tmpName, fileName, &bc->vals); ++ } + break; + #endif + default: diff --git a/x11-servers/XFree86-4-Server/Makefile b/x11-servers/XFree86-4-Server/Makefile index ad0cd4d35251..75f2abd0bd94 100644 --- a/x11-servers/XFree86-4-Server/Makefile +++ b/x11-servers/XFree86-4-Server/Makefile @@ -7,7 +7,7 @@ PORTNAME= Server PORTVERSION= 4.3.0 -PORTREVISION= 13 +PORTREVISION= 14 CATEGORIES= x11-servers MASTER_SITES= ${MASTER_SITE_XFREE:S/$/:x/} \ ${MASTER_SITE_LOCAL:S/$/:local/} @@ -36,7 +36,6 @@ EXTRA_PATCHES+= \ ${FILESDIR}/patch-bus-Imakefile \ ${FILESDIR}/patch-bus_Imakefile \ ${FILESDIR}/patch-compiler.h \ - ${FILESDIR}/patch-dirfile.c \ ${FILESDIR}/patch-elfloader.c \ ${FILESDIR}/patch-freebsdPci.c \ ${FILESDIR}/patch-ftfuncs.c \ @@ -57,6 +56,7 @@ EXTRA_PATCHES+= \ ${FILESDIR}/patch-savage-pci-id \ ${FILESDIR}/patch-smi \ ${FILESDIR}/patch-sunffb_Imakefile \ + ${FILESDIR}/patch-xc::lib::font::fontfile \ ${FILESDIR}/patch-xf86-common-Imakefile \ ${FILESDIR}/patch-xf86Events.c \ ${FILESDIR}/patch-xf86Sbus.h \ diff --git a/x11-servers/XFree86-4-Server/files/patch-dirfile.c b/x11-servers/XFree86-4-Server/files/patch-dirfile.c deleted file mode 100644 index b0891cdd6ea8..000000000000 --- a/x11-servers/XFree86-4-Server/files/patch-dirfile.c +++ /dev/null @@ -1,13 +0,0 @@ ---- lib/font/fontfile/dirfile.c.orig Fri May 31 20:45:50 2002 -+++ lib/font/fontfile/dirfile.c Thu Feb 5 00:19:57 2004 -@@ -286,6 +286,10 @@ - status = AllocError; - break; - case NAME: -+ if (strlen(lexToken) >= sizeof(alias)) { -+ status = BadFontPath; -+ break; -+ } - strcpy(alias, lexToken); - token = lexAlias(file, &lexToken); - switch (token) { diff --git a/x11-servers/XFree86-4-Server/files/patch-xc::lib::font::fontfile b/x11-servers/XFree86-4-Server/files/patch-xc::lib::font::fontfile new file mode 100644 index 000000000000..def6a519f7c1 --- /dev/null +++ b/x11-servers/XFree86-4-Server/files/patch-xc::lib::font::fontfile @@ -0,0 +1,185 @@ +Index: lib/font/fontfile/dirfile.c +=================================================================== +RCS file: /home/x-cvs/xc/lib/font/fontfile/dirfile.c,v +retrieving revision 3.15 +diff -u -r3.15 dirfile.c +--- dirfile.c 31 May 2002 18:45:50 -0000 3.15 ++++ dirfile.c 11 Feb 2004 21:17:20 -0000 +@@ -68,6 +68,9 @@ + + FontDirectoryPtr dir = NullFontDirectory; + ++ if (strlen(directory) + 1 + sizeof(FontDirFile) > sizeof(dir_file)) ++ return BadFontPath; ++ + #ifdef FONTDIRATTRIB + /* Check for font directory attributes */ + #ifndef __UNIXOS2__ +@@ -154,6 +157,9 @@ + char dir_file[MAXFONTFILENAMELEN]; + struct stat statb; + ++ if (strlen(dir->directory) + sizeof(FontDirFile) > sizeof(dir_file)) ++ return FALSE; ++ + strcpy (dir_file, dir->directory); + strcat (dir_file, FontDirFile); + if (stat (dir_file, &statb) == -1) +@@ -202,6 +208,8 @@ + continue; + + len = strlen (fileName) - renderer->fileSuffixLen; ++ if (len >= sizeof(copy)) ++ continue; + CopyISOLatin1Lowered (copy, fileName, len); + copy[len] = '\0'; + name.name = copy; +@@ -251,9 +259,13 @@ + int status = Successful; + struct stat statb; + ++ if (strlen(directory) >= sizeof(alias_file)) ++ return BadFontPath; + dir = *pdir; + strcpy(alias_file, directory); + if (!isFile) { ++ if (strlen(directory) + 1 + sizeof(FontAliasFile) > sizeof(alias_file)) ++ return BadFontPath; + if (directory[strlen(directory) - 1] != '/') + strcat(alias_file, "/"); + strcat(alias_file, FontAliasFile); +@@ -286,6 +298,10 @@ + status = AllocError; + break; + case NAME: ++ if (strlen(lexToken) >= sizeof(alias)) { ++ status = BadFontPath; ++ break; ++ } + strcpy(alias, lexToken); + token = lexAlias(file, &lexToken); + switch (token) { +@@ -302,6 +318,10 @@ + status = AllocError; + break; + case NAME: ++ if (strlen(lexToken) >= sizeof(font_name)) { ++ status = BadFontPath; ++ break; ++ } + CopyISOLatin1Lowered(alias, alias, strlen(alias)); + CopyISOLatin1Lowered(font_name, lexToken, strlen(lexToken)); + if (!FontFileAddFontAlias (dir, alias, font_name)) +Index: lib/font/fontfile/encparse.c +=================================================================== +RCS file: /home/x-cvs/xc/lib/font/fontfile/encparse.c,v +retrieving revision 1.18 +diff -u -r1.18 encparse.c +--- encparse.c 2 Nov 2001 03:06:40 -0000 1.18 ++++ encparse.c 11 Feb 2004 21:17:20 -0000 +@@ -833,6 +833,7 @@ + char file_name[MAXFONTFILENAMELEN], encoding_name[MAXFONTNAMELEN], + buf[MAXFONTFILENAMELEN]; + int count, n; ++ static char format[24] = ""; + + /* As we don't really expect to open encodings that often, we don't + take the trouble of caching encodings directories. */ +@@ -848,8 +849,12 @@ + } + + encoding = NULL; ++ if (!format[0]) { ++ sprintf(format, "%%%ds %%%d[^\n]\n", sizeof(encoding_name) - 1, ++ sizeof(file_name) - 1); ++ } + for(;;) { +- count = fscanf(file, "%s %[^\n]\n", encoding_name, file_name); ++ count = fscanf(file, format, encoding_name, file_name); + if(count == EOF) + break; + if(count != 2) +Index: lib/font/fontfile/fontfile.c +=================================================================== +RCS file: /home/x-cvs/xc/lib/font/fontfile/fontfile.c,v +retrieving revision 3.16 +diff -u -r3.16 fontfile.c +--- fontfile.c 31 May 2002 18:45:50 -0000 3.16 ++++ fontfile.c 11 Feb 2004 21:17:20 -0000 +@@ -424,11 +424,16 @@ + vals.ranges = ranges; + vals.nranges = nranges; + +- strcpy (fileName, dir->directory); +- strcat (fileName, scalable->fileName); +- ret = (*scalable->renderer->OpenScalable) (fpe, pFont, ++ if (strlen(dir->directory) + strlen(scalable->fileName) >= ++ sizeof(fileName)) { ++ ret = BadFontName; ++ } else { ++ strcpy (fileName, dir->directory); ++ strcat (fileName, scalable->fileName); ++ ret = (*scalable->renderer->OpenScalable) (fpe, pFont, + flags, entry, fileName, &vals, format, fmask, + non_cachable_font); ++ } + + /* In case rasterizer does something bad because of + charset subsetting... */ +@@ -497,6 +502,8 @@ + + dir = (FontDirectoryPtr) fpe->private; + bitmap = &entry->u.bitmap; ++ if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName)) ++ return BadFontName; + strcpy (fileName, dir->directory); + strcat (fileName, bitmap->fileName); + ret = (*bitmap->renderer->OpenBitmap) +@@ -530,6 +537,8 @@ + + dir = (FontDirectoryPtr) fpe->private; + bitmap = &entry->u.bitmap; ++ if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName)) ++ return BadFontName; + strcpy (fileName, dir->directory); + strcat (fileName, bitmap->fileName); + ret = (*bitmap->renderer->GetInfoBitmap) (fpe, pFontInfo, entry, fileName); +@@ -891,10 +900,15 @@ + vals.ranges = FontParseRanges(origName, &vals.nranges); + ranges = vals.ranges; + /* Make a new scaled instance */ +- strcpy (fileName, dir->directory); +- strcat (fileName, scalable->fileName); +- ret = (*scalable->renderer->GetInfoScalable) +- (fpe, *pFontInfo, entry, &tmpName, fileName, &vals); ++ if (strlen(dir->directory) + strlen(scalable->fileName) >= ++ sizeof(fileName)) { ++ ret = BadFontName; ++ } else { ++ strcpy (fileName, dir->directory); ++ strcat (fileName, scalable->fileName); ++ ret = (*scalable->renderer->GetInfoScalable) ++ (fpe, *pFontInfo, entry, &tmpName, fileName, &vals); ++ } + if (ranges) xfree(ranges); + } + } +@@ -931,10 +945,15 @@ + bc = &entry->u.bc; + entry = bc->entry; + /* Make a new scaled instance */ +- strcpy (fileName, dir->directory); +- strcat (fileName, scalable->fileName); +- ret = (*scalable->renderer->GetInfoScalable) ++ if (strlen(dir->directory) + strlen(scalable->fileName) >= ++ sizeof(fileName)) { ++ ret = BadFontName; ++ } else { ++ strcpy (fileName, dir->directory); ++ strcat (fileName, scalable->fileName); ++ ret = (*scalable->renderer->GetInfoScalable) + (fpe, *pFontInfo, entry, tmpName, fileName, &bc->vals); ++ } + break; + #endif + default: -- cgit v1.2.3