author | lesi <lesi@FreeBSD.org> | 2006-08-26 05:52:49 +0800 |
---|---|---|
committer | lesi <lesi@FreeBSD.org> | 2006-08-26 05:52:49 +0800 |
commit | 39c7b6a8b09e233a6f7e5f09b3ba5a45cf9454f2 (patch) | |
tree | 68b227b3d477b30145873c776655ea78d534c94c /x11-servers/xorg-server | |
parent | f885ca39b593c9ff9921228eae6bbdc9dc0c7cc6 (diff) | |
Fix crash by bad pcf font.
Obtained from: X.org bugzilla #7535
Security: CVE-2006-3467
Diffstat (limited to 'x11-servers/xorg-server')
-rw-r--r-- | x11-servers/xorg-server/Makefile | 2 | ||||
-rw-r--r-- | x11-servers/xorg-server/Makefile.inc | 1 | ||||
-rw-r--r-- | x11-servers/xorg-server/files/patch-font-bitmap-pcfread.c | 101 |
3 files changed, 103 insertions, 1 deletions
diff --git a/x11-servers/xorg-server/Makefile b/x11-servers/xorg-server/Makefile
index 3f0cd081daf6..a8201dbe3596 100644
--- a/x11-servers/xorg-server/Makefile
+++ b/x11-servers/xorg-server/Makefile
@@ -7,7 +7,7 @@
 PORTNAME= xorg-server
 PORTVERSION= 6.9.0
-PORTREVISION= 4
+PORTREVISION= 5
 CATEGORIES= x11-servers
 MASTER_SITES= ${MASTER_SITE_XORG}
 MASTER_SITE_SUBDIR= X11R${PORTVERSION}/src
diff --git a/x11-servers/xorg-server/Makefile.inc b/x11-servers/xorg-server/Makefile.inc
index 1c5223b55c63..4cb271384125 100644
--- a/x11-servers/xorg-server/Makefile.inc
+++ b/x11-servers/xorg-server/Makefile.inc
@@ -44,6 +44,7 @@ CF_PATCHES= ${PORTSDIR}/x11-servers/xorg-server/files/patch-FreeBSD.cf \
 SERVER_PATCHES= ${PORTSDIR}/x11-servers/xorg-server/files/patch-Xserver-Imakefile \
 ${PORTSDIR}/x11-servers/xorg-server/files/patch-Xserver-Xext-xvmc.c \
 ${PORTSDIR}/x11-servers/xorg-server/files/patch-Xserver-os-xprintf.c \
+ ${PORTSDIR}/x11-servers/xorg-server/files/patch-font-bitmap-pcfread.c \
 ${PORTSDIR}/x11-servers/xorg-server/files/patch-mitri.c \
 ${PORTSDIR}/x11-servers/xorg-server/files/patch-servermd.h \
 ${PORTSDIR}/x11-servers/xorg-server/files/patch-xf86sym.c
diff --git a/x11-servers/xorg-server/files/patch-font-bitmap-pcfread.c b/x11-servers/xorg-server/files/patch-font-bitmap-pcfread.c
new file mode 100644
index 000000000000..c676e1934de0
--- /dev/null
+++ b/x11-servers/xorg-server/files/patch-font-bitmap-pcfread.c
@@ -0,0 +1,101 @@
+--- lib/font/bitmap/pcfread.c.orig Sat Jul 9 08:36:12 2005
++++ lib/font/bitmap/pcfread.c Thu Aug 24 21:56:56 2006
+@@ -45,6 +45,7 @@
+ #endif
+
+ #include <stdarg.h>
++#include <stdint.h>
+
+ void
+ pcfError(const char* message, ...)
+@@ -133,6 +134,10 @@
+ return (PCFTablePtr) NULL;
+ count = pcfGetLSB32(file);
+ if (IS_EOF(file)) return (PCFTablePtr) NULL;
++ if (count < 0 || count > INT32_MAX / sizeof(PCFTableRec)) {
++ pcfError("pcfReadTOC(): invalid file format\n");
++ return NULL;
++ }
+ tables = (PCFTablePtr) xalloc(count * sizeof(PCFTableRec));
+ if (!tables) {
+ pcfError("pcfReadTOC(): Couldn't allocate tables (%d*%d)\n", count, sizeof(PCFTableRec));
+@@ -252,6 +257,10 @@
+ if (!PCF_FORMAT_MATCH(format, PCF_DEFAULT_FORMAT))
+ goto Bail;
+ nprops = pcfGetINT32(file, format);
++ if (nprops <= 0 || nprops > INT32_MAX / sizeof(FontPropRec)) {
++ pcfError("pcfGetProperties(): invalid nprops value (%d)\n", nprops);
++ goto Bail;
++ }
+ if (IS_EOF(file)) goto Bail;
+ props = (FontPropPtr) xalloc(nprops * sizeof(FontPropRec));
+ if (!props) {
+@@ -267,6 +276,13 @@
+ props[i].name = pcfGetINT32(file, format);
+ isStringProp[i] = pcfGetINT8(file, format);
+ props[i].value = pcfGetINT32(file, format);
++ if (props[i].name < 0
++ || (isStringProp[i] != 0 && isStringProp[i] != 1)
++ || (isStringProp[i] && props[i].value < 0)) {
++ pcfError("pcfGetProperties(): invalid file format %d %d %d\n",
++ props[i].name, isStringProp[i], props[i].value);
++ goto Bail;
++ }
+ if (IS_EOF(file)) goto Bail;
+ }
+ /* pad the property array */
+@@ -282,6 +298,7 @@
+ }
+ if (IS_EOF(file)) goto Bail;
+ string_size = pcfGetINT32(file, format);
++ if (string_size < 0) goto Bail;
+ if (IS_EOF(file)) goto Bail;
+ strings = (char *) xalloc(string_size);
+ if (!strings) {
+@@ -422,6 +439,10 @@
+ else
+ nmetrics = pcfGetINT16(file, format);
+ if (IS_EOF(file)) goto Bail;
++ if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
++ pcfError("pcfReadFont(): invalid file format\n");
++ goto Bail;
++ }
+ metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
+ if (!metrics) {
+ pcfError("pcfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec));
+@@ -447,7 +468,7 @@
+ nbitmaps = pcfGetINT32(file, format);
+ if (nbitmaps != nmetrics || IS_EOF(file))
+ goto Bail;
+-
++ /* nmetrics is alreadt ok, so nbitmap also is */
+ offsets = (CARD32 *) xalloc(nbitmaps * sizeof(CARD32));
+ if (!offsets) {
+ pcfError("pcfReadFont(): Couldn't allocate offsets (%d*%d)\n", nbitmaps, sizeof(CARD32));
+@@ -461,6 +482,7 @@
+ for (i = 0; i < GLYPHPADOPTIONS; i++) {
+ bitmapSizes[i] = pcfGetINT32(file, format);
+ if (IS_EOF(file)) goto Bail;
++ if (bitmapSizes[i] < 0) goto Bail;
+ }
+
+ sizebitmaps = bitmapSizes[PCF_GLYPH_PAD_INDEX(format)];
+@@ -536,6 +558,7 @@
+ if (IS_EOF(file)) goto Bail;
+ if (nink_metrics != nmetrics)
+ goto Bail;
++ /* nmetrics already checked */
+ ink_metrics = (xCharInfo *) xalloc(nink_metrics * sizeof(xCharInfo));
+ if (!ink_metrics) {
+ pcfError("pcfReadFont(): Couldn't allocate ink_metrics (%d*%d)\n", nink_metrics, sizeof(xCharInfo));
+@@ -809,6 +832,10 @@
+ else
+ nmetrics = pcfGetINT16(file, format);
+ if (IS_EOF(file)) goto Bail;
++ if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
++ pcfError("pmfReadFont(): invalid file format\n");
++ goto Bail;
++ }
+ metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
+ if (!metrics) {
+ pcfError("pmfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec)); |
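Review bot: The per-property check added in the pcfGetProperties hunk (`props[i].name < 0 … props[i].value < 0`) bounds the values only from below, and the later `string_size < 0` check adds no upper bound, so nothing in the visible hunks relates `props[i].name` or a string property's `props[i].value` to `string_size`. If the code after the hunk uses them as offsets into `strings` (that use is outside the hunk, so this is inferred), a pass once `string_size` has been read should reject out-of-range values, e.g. `if (props[i].name >= string_size || (isStringProp[i] && props[i].value >= string_size)) goto Bail;`. The same function's `nprops <= 0` test also rejects a font with zero properties, unlike the `< 0` tests used for `count` and `nmetrics`; a comment should say whether that is intended. Minor: the new comment reads `alreadt` for `already`, and the bare `goto Bail` paths for `string_size` and `bitmapSizes[i]` log nothing, unlike the other new checks, which makes a rejected font harder to diagnose. All of the patched functions begin and end outside the hunks shown.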