aboutsummaryrefslogtreecommitdiffstats
path: root/x11-servers/xorg-server
diff options
context:
space:
mode:
authorlesi <lesi@FreeBSD.org>2006-08-26 05:52:49 +0800
committerlesi <lesi@FreeBSD.org>2006-08-26 05:52:49 +0800
commit39c7b6a8b09e233a6f7e5f09b3ba5a45cf9454f2 (patch)
tree68b227b3d477b30145873c776655ea78d534c94c /x11-servers/xorg-server
parentf885ca39b593c9ff9921228eae6bbdc9dc0c7cc6 (diff)
downloadfreebsd-ports-gnome-39c7b6a8b09e233a6f7e5f09b3ba5a45cf9454f2.tar.gz
freebsd-ports-gnome-39c7b6a8b09e233a6f7e5f09b3ba5a45cf9454f2.tar.zst
freebsd-ports-gnome-39c7b6a8b09e233a6f7e5f09b3ba5a45cf9454f2.zip
Fix crash by bad pcf font.
Obtained from: X.org bugzilla #7535 Security: CVE-2006-3467
Diffstat (limited to 'x11-servers/xorg-server')
-rw-r--r--x11-servers/xorg-server/Makefile2
-rw-r--r--x11-servers/xorg-server/Makefile.inc1
-rw-r--r--x11-servers/xorg-server/files/patch-font-bitmap-pcfread.c101
3 files changed, 103 insertions, 1 deletions
diff --git a/x11-servers/xorg-server/Makefile b/x11-servers/xorg-server/Makefile
index 3f0cd081daf6..a8201dbe3596 100644
--- a/x11-servers/xorg-server/Makefile
+++ b/x11-servers/xorg-server/Makefile
@@ -7,7 +7,7 @@
PORTNAME= xorg-server
PORTVERSION= 6.9.0
-PORTREVISION= 4
+PORTREVISION= 5
CATEGORIES= x11-servers
MASTER_SITES= ${MASTER_SITE_XORG}
MASTER_SITE_SUBDIR= X11R${PORTVERSION}/src
diff --git a/x11-servers/xorg-server/Makefile.inc b/x11-servers/xorg-server/Makefile.inc
index 1c5223b55c63..4cb271384125 100644
--- a/x11-servers/xorg-server/Makefile.inc
+++ b/x11-servers/xorg-server/Makefile.inc
@@ -44,6 +44,7 @@ CF_PATCHES= ${PORTSDIR}/x11-servers/xorg-server/files/patch-FreeBSD.cf \
SERVER_PATCHES= ${PORTSDIR}/x11-servers/xorg-server/files/patch-Xserver-Imakefile \
${PORTSDIR}/x11-servers/xorg-server/files/patch-Xserver-Xext-xvmc.c \
${PORTSDIR}/x11-servers/xorg-server/files/patch-Xserver-os-xprintf.c \
+ ${PORTSDIR}/x11-servers/xorg-server/files/patch-font-bitmap-pcfread.c \
${PORTSDIR}/x11-servers/xorg-server/files/patch-mitri.c \
${PORTSDIR}/x11-servers/xorg-server/files/patch-servermd.h \
${PORTSDIR}/x11-servers/xorg-server/files/patch-xf86sym.c
diff --git a/x11-servers/xorg-server/files/patch-font-bitmap-pcfread.c b/x11-servers/xorg-server/files/patch-font-bitmap-pcfread.c
new file mode 100644
index 000000000000..c676e1934de0
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-font-bitmap-pcfread.c
@@ -0,0 +1,101 @@
+--- lib/font/bitmap/pcfread.c.orig Sat Jul 9 08:36:12 2005
++++ lib/font/bitmap/pcfread.c Thu Aug 24 21:56:56 2006
+@@ -45,6 +45,7 @@
+ #endif
+
+ #include <stdarg.h>
++#include <stdint.h>
+
+ void
+ pcfError(const char* message, ...)
+@@ -133,6 +134,10 @@
+ return (PCFTablePtr) NULL;
+ count = pcfGetLSB32(file);
+ if (IS_EOF(file)) return (PCFTablePtr) NULL;
++ if (count < 0 || count > INT32_MAX / sizeof(PCFTableRec)) {
++ pcfError("pcfReadTOC(): invalid file format\n");
++ return NULL;
++ }
+ tables = (PCFTablePtr) xalloc(count * sizeof(PCFTableRec));
+ if (!tables) {
+ pcfError("pcfReadTOC(): Couldn't allocate tables (%d*%d)\n", count, sizeof(PCFTableRec));
+@@ -252,6 +257,10 @@
+ if (!PCF_FORMAT_MATCH(format, PCF_DEFAULT_FORMAT))
+ goto Bail;
+ nprops = pcfGetINT32(file, format);
++ if (nprops <= 0 || nprops > INT32_MAX / sizeof(FontPropRec)) {
++ pcfError("pcfGetProperties(): invalid nprops value (%d)\n", nprops);
++ goto Bail;
++ }
+ if (IS_EOF(file)) goto Bail;
+ props = (FontPropPtr) xalloc(nprops * sizeof(FontPropRec));
+ if (!props) {
+@@ -267,6 +276,13 @@
+ props[i].name = pcfGetINT32(file, format);
+ isStringProp[i] = pcfGetINT8(file, format);
+ props[i].value = pcfGetINT32(file, format);
++ if (props[i].name < 0
++ || (isStringProp[i] != 0 && isStringProp[i] != 1)
++ || (isStringProp[i] && props[i].value < 0)) {
++ pcfError("pcfGetProperties(): invalid file format %d %d %d\n",
++ props[i].name, isStringProp[i], props[i].value);
++ goto Bail;
++ }
+ if (IS_EOF(file)) goto Bail;
+ }
+ /* pad the property array */
+@@ -282,6 +298,7 @@
+ }
+ if (IS_EOF(file)) goto Bail;
+ string_size = pcfGetINT32(file, format);
++ if (string_size < 0) goto Bail;
+ if (IS_EOF(file)) goto Bail;
+ strings = (char *) xalloc(string_size);
+ if (!strings) {
+@@ -422,6 +439,10 @@
+ else
+ nmetrics = pcfGetINT16(file, format);
+ if (IS_EOF(file)) goto Bail;
++ if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
++ pcfError("pcfReadFont(): invalid file format\n");
++ goto Bail;
++ }
+ metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
+ if (!metrics) {
+ pcfError("pcfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec));
+@@ -447,7 +468,7 @@
+ nbitmaps = pcfGetINT32(file, format);
+ if (nbitmaps != nmetrics || IS_EOF(file))
+ goto Bail;
+-
++ /* nmetrics is alreadt ok, so nbitmap also is */
+ offsets = (CARD32 *) xalloc(nbitmaps * sizeof(CARD32));
+ if (!offsets) {
+ pcfError("pcfReadFont(): Couldn't allocate offsets (%d*%d)\n", nbitmaps, sizeof(CARD32));
+@@ -461,6 +482,7 @@
+ for (i = 0; i < GLYPHPADOPTIONS; i++) {
+ bitmapSizes[i] = pcfGetINT32(file, format);
+ if (IS_EOF(file)) goto Bail;
++ if (bitmapSizes[i] < 0) goto Bail;
+ }
+
+ sizebitmaps = bitmapSizes[PCF_GLYPH_PAD_INDEX(format)];
+@@ -536,6 +558,7 @@
+ if (IS_EOF(file)) goto Bail;
+ if (nink_metrics != nmetrics)
+ goto Bail;
++ /* nmetrics already checked */
+ ink_metrics = (xCharInfo *) xalloc(nink_metrics * sizeof(xCharInfo));
+ if (!ink_metrics) {
+ pcfError("pcfReadFont(): Couldn't allocate ink_metrics (%d*%d)\n", nink_metrics, sizeof(xCharInfo));
+@@ -809,6 +832,10 @@
+ else
+ nmetrics = pcfGetINT16(file, format);
+ if (IS_EOF(file)) goto Bail;
++ if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
++ pcfError("pmfReadFont(): invalid file format\n");
++ goto Bail;
++ }
+ metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
+ if (!metrics) {
+ pcfError("pmfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec));