X Strike Force XFree86 SVN commit: r2243 - in trunk/debian: . patches
Author: branden
Date: 2005-05-05 22:12:21 -0500 (Thu, 05 May 2005)
New Revision: 2243
Modified:
trunk/debian/CHANGESETS
trunk/debian/TODO
trunk/debian/changelog
trunk/debian/patches/000_stolen_from_HEAD.diff
trunk/debian/patches/099v_fontserver_fix_SEGV.diff
Log:
Grab patches by Chisato Yamauchi, David Dawes, and Marc Aurele La France
from xfree86 CVS (none later than 2004-01-12), to perform bounds checking
on font metrics and avoid SEGVs in xfs and the X server. Resync patch
#099v. (Closes: #284448)
Modified: trunk/debian/CHANGESETS
===================================================================
--- trunk/debian/CHANGESETS 2005-05-06 02:10:52 UTC (rev 2242)
+++ trunk/debian/CHANGESETS 2005-05-06 03:12:21 UTC (rev 2243)
@@ -102,4 +102,10 @@
(Closes: #285807)
2242
+Grab patches by Chisato Yamauchi, David Dawes, and Marc Aurele La France
+from xfree86 CVS (none later than 2004-01-12), to perform bounds checking
+on font metrics and avoid SEGVs in xfs and the X server. Resync patch
+#099v. (Closes: #284448)
+ 2243
+
vim:set ai et sts=4 sw=4 tw=80:
Modified: trunk/debian/TODO
===================================================================
--- trunk/debian/TODO 2005-05-06 02:10:52 UTC (rev 2242)
+++ trunk/debian/TODO 2005-05-06 03:12:21 UTC (rev 2243)
@@ -16,7 +16,6 @@
4.3.0.dfsg.1-13
---------------
-* #284448: add bounds checking and fix SEGV in font server code
* Grab small-scale, non-disruptive fixes to the xserver-xfree86 debconfage from
branches/debconf-overhaul.
+ New mouse stanza handling:
Modified: trunk/debian/changelog
===================================================================
--- trunk/debian/changelog 2005-05-06 02:10:52 UTC (rev 2242)
+++ trunk/debian/changelog 2005-05-06 03:12:21 UTC (rev 2243)
@@ -83,8 +83,13 @@
neither is a good trait in a setuid root program like the X server.
(Closes: #285807)
- -- Branden Robinson <branden@debian.org> Thu, 5 May 2005 19:25:36 -0500
+ * Grab patches by Chisato Yamauchi, David Dawes, and Marc Aurele La France
+ from xfree86 CVS (none later than 2004-01-12), to perform bounds checking
+ on font metrics and avoid SEGVs in xfs and the X server. Resync patch
+ #099v. (Closes: #284448)
+ -- Branden Robinson <branden@debian.org> Thu, 5 May 2005 21:28:32 -0500
+
xfree86 (4.3.0.dfsg.1-12) unstable; urgency=medium
* Urgency set to medium due to fix for release-critical bug #295175
Modified: trunk/debian/patches/000_stolen_from_HEAD.diff
===================================================================
--- trunk/debian/patches/000_stolen_from_HEAD.diff 2005-05-06 02:10:52 UTC (rev 2242)
+++ trunk/debian/patches/000_stolen_from_HEAD.diff 2005-05-06 03:12:21 UTC (rev 2243)
@@ -650,6 +650,16 @@
Marco Antonio Alvarez).
[David Dawes]
+xc/lib/font/fc/fserve.c @ 3.25
+ 603. Add font bounds checking to the X server side of the font server
+ interface (Chisato Yamauchi, David Dawes).
+
+xc/lib/font/fc/fserve.c @ 3.26
+ Combine two sets of bounds tests into one. (Chisato Yamauchi)
+
+xc/lib/font/fc/fserve.c @ 3.27
+ Fix potential segfault. [Marc Aurele La France]
+
diff -urN xc.orig/config/imake/imake.c xc/config/imake/imake.c
--- xc.orig/config/imake/imake.c 2002-12-17 09:48:27.000000000 +1100
+++ xc/config/imake/imake.c 2003-04-09 01:58:14.000000000 +1000
@@ -23639,3 +23649,236 @@
640,480, 1001,60000))
goto fail;
p->norm[p->nenc] = 6;
+Index: xc/lib/font/fc/fserve.c
+===================================================================
+RCS file: /cvs/xc/lib/font/fc/fserve.c,v
+retrieving revision 3.22.2.1
+retrieving revision 3.27
+diff -u -r3.22.2.1 -r3.27
+--- xc/lib/font/fc/fserve.c 29 Aug 2003 18:05:09 -0000 3.22.2.1
++++ xc/lib/font/fc/fserve.c 12 Jan 2004 17:19:30 -0000 3.27
+@@ -24,7 +24,7 @@
+ in this Software without prior written authorization from The Open Group.
+
+ */
+-/* $XFree86: xc/lib/font/fc/fserve.c,v 3.22.2.1 2003/08/29 18:05:09 herrb Exp $ */
++/* $XFree86: xc/lib/font/fc/fserve.c,v 3.27 2004/01/12 17:19:30 tsi Exp $ */
+
+ /*
+ * Copyright 1990 Network Computing Devices
+@@ -87,13 +87,13 @@
+ (pci)->descent || \
+ (pci)->characterWidth)
+
++extern void ErrorF(const char *f, ...);
+
+ static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
+ static int fs_read_list ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
+ static int fs_read_list_info ( FontPathElementPtr fpe,
+ FSBlockDataPtr blockrec );
+
+-static int fs_font_type;
+ extern fd_set _fs_fd_mask;
+
+ static void fs_block_handler ( pointer data, OSTimePtr wt,
+@@ -952,6 +952,7 @@
+ CharInfoPtr ci, pCI;
+ char *fsci;
+ fsXCharInfo fscilocal;
++ FontInfoRec *fi = &bfont->pfont->info;
+
+ rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret);
+ if (!rep || rep->type == FS_Error)
+@@ -997,6 +998,21 @@
+ {
+ memcpy(&fscilocal, fsci, SIZEOF(fsXCharInfo)); /* align it */
+ _fs_convert_char_info(&fscilocal, &ci->metrics);
++ /* Bounds check. */
++ if (ci->metrics.ascent > fi->maxbounds.ascent)
++ {
++ ErrorF("fserve: warning: %s %s ascent (%d) > maxascent (%d)\n",
++ fpe->name, fsd->name,
++ ci->metrics.ascent, fi->maxbounds.ascent);
++ ci->metrics.ascent = fi->maxbounds.ascent;
++ }
++ if (ci->metrics.descent > fi->maxbounds.descent)
++ {
++ ErrorF("fserve: warning: %s %s descent (%d) > maxdescent (%d)\n",
++ fpe->name, fsd->name,
++ ci->metrics.descent, fi->maxbounds.descent);
++ ci->metrics.descent = fi->maxbounds.descent;
++ }
+ fsci = fsci + SIZEOF(fsXCharInfo);
+ /* Initialize the bits field for later glyph-caching use */
+ if (NONZEROMETRICS(&ci->metrics))
+@@ -1022,7 +1038,6 @@
+ /* build bitmap metrics, ImageRectMax style */
+ if (haveInk)
+ {
+- FontInfoRec *fi = &bfont->pfont->info;
+ CharInfoPtr ii;
+
+ ci = fsfont->encoding;
+@@ -1042,6 +1057,23 @@
+ {
+ ci->metrics = ii->metrics;
+ }
++ /* Bounds check. */
++ if (ci->metrics.ascent > fi->maxbounds.ascent)
++ {
++ ErrorF("fserve: warning: %s %s ascent (%d) "
++ "> maxascent (%d)\n",
++ fpe->name, fsd->name,
++ ci->metrics.ascent, fi->maxbounds.ascent);
++ ci->metrics.ascent = fi->maxbounds.ascent;
++ }
++ if (ci->metrics.descent > fi->maxbounds.descent)
++ {
++ ErrorF("fserve: warning: %s %s descent (%d) "
++ "> maxdescent (%d)\n",
++ fpe->name, fsd->name,
++ ci->metrics.descent, fi->maxbounds.descent);
++ ci->metrics.descent = fi->maxbounds.descent;
++ }
+ }
+ }
+ {
+@@ -1498,7 +1530,6 @@
+ FSBlockDataPtr blockrec = NULL;
+ FSBlockedFontPtr bfont;
+ FSFontDataPtr fsd;
+- FSFontPtr fsfont;
+ fsOpenBitmapFontReq openreq;
+ fsQueryXInfoReq inforeq;
+ fsQueryXExtents16Req extreq;
+@@ -1522,7 +1553,6 @@
+
+ font = *ppfont;
+ fsd = (FSFontDataPtr)font->fpePrivate;
+- fsfont = (FSFontPtr)font->fontPrivate;
+ /* This is an attempt to reopen a font. Did the font have a
+ NAME property? */
+ if ((nameatom = MakeAtom("FONT", 4, 0)) != None)
+@@ -1550,7 +1580,6 @@
+ return AllocError;
+
+ fsd = (FSFontDataPtr)font->fpePrivate;
+- fsfont = (FSFontPtr)font->fontPrivate;
+ }
+
+ /* make a new block record, and add it to the end of the list */
+@@ -1793,7 +1822,7 @@
+ err;
+ int nranges = 0;
+ int ret;
+- fsRange *ranges, *nextrange = 0;
++ fsRange *nextrange = 0;
+ unsigned long minchar, maxchar;
+
+ rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret);
+@@ -1818,7 +1847,7 @@
+ if (blockrec->type == FS_LOAD_GLYPHS)
+ {
+ nranges = bglyph->num_expected_ranges;
+- nextrange = ranges = bglyph->expected_ranges;
++ nextrange = bglyph->expected_ranges;
+ }
+
+ /* place the incoming glyphs */
+@@ -2185,7 +2214,7 @@
+ xfree(ranges);
+
+ /* Now try to reopen the font. */
+- return fs_send_open_font(client, (FontPathElementPtr)0,
++ return fs_send_open_font(client, pfont->fpe,
+ (Mask)FontReopen, (char *)0, 0,
+ (fsBitmapFormat)0, (fsBitmapFormatMask)0,
+ (XID)0, &pfont);
+@@ -2291,7 +2320,6 @@
+ {
+ FSFpePtr conn = (FSFpePtr) fpe->private;
+ FSBlockDataPtr blockrec;
+- FSBlockedListPtr blockedlist;
+ int err;
+
+ /* see if the result is already there */
+@@ -2302,7 +2330,6 @@
+ err = blockrec->errcode;
+ if (err == StillWorking)
+ return Suspended;
+- blockedlist = (FSBlockedListPtr) blockrec->data;
+ _fs_remove_block_rec(conn, blockrec);
+ return err;
+ }
+@@ -3143,21 +3170,21 @@
+ void
+ fs_register_fpe_functions(void)
+ {
+- fs_font_type = RegisterFPEFunctions(fs_name_check,
+- fs_init_fpe,
+- fs_free_fpe,
+- fs_reset_fpe,
+- fs_open_font,
+- fs_close_font,
+- fs_list_fonts,
+- fs_start_list_with_info,
+- fs_next_list_with_info,
+- (WakeupFpeFunc)fs_wakeup,
+- fs_client_died,
+- _fs_load_glyphs,
+- NULL,
+- NULL,
+- NULL);
++ RegisterFPEFunctions(fs_name_check,
++ fs_init_fpe,
++ fs_free_fpe,
++ fs_reset_fpe,
++ fs_open_font,
++ fs_close_font,
++ fs_list_fonts,
++ fs_start_list_with_info,
++ fs_next_list_with_info,
++ fs_wakeup,
++ fs_client_died,
++ _fs_load_glyphs,
++ NULL,
++ NULL,
++ NULL);
+ }
+
+ static int
+@@ -3210,19 +3237,19 @@
+ void
+ check_fs_register_fpe_functions(void)
+ {
+- fs_font_type = RegisterFPEFunctions(fs_name_check,
+- fs_init_fpe,
+- fs_free_fpe,
+- fs_reset_fpe,
+- check_fs_open_font,
+- fs_close_font,
+- check_fs_list_fonts,
+- check_fs_start_list_with_info,
+- check_fs_next_list_with_info,
+- (WakeupFpeFunc)fs_wakeup,
+- fs_client_died,
+- _fs_load_glyphs,
+- NULL,
+- NULL,
+- NULL);
++ RegisterFPEFunctions(fs_name_check,
++ fs_init_fpe,
++ fs_free_fpe,
++ fs_reset_fpe,
++ check_fs_open_font,
++ fs_close_font,
++ check_fs_list_fonts,
++ check_fs_start_list_with_info,
++ check_fs_next_list_with_info,
++ fs_wakeup,
++ fs_client_died,
++ _fs_load_glyphs,
++ NULL,
++ NULL,
++ NULL);
+ }
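Review bot: The two added "Bounds check." blocks in the embedded fserve.c patch (inner hunks at -997 and -1042) clamp only the upper side of `ascent` and `descent`, so `leftSideBearing`, `rightSideBearing`, `characterWidth` and every lower bound from the same font-server reply are stored unchecked. The code that sizes and places glyph bitmaps lies outside these hunks, so whether those fields can still drive an out-of-range access needs confirming; the sketch below holds each field to `fi->minbounds`/`fi->maxbounds`, assuming `minbounds` is populated at this point as `maxbounds` is. `fi->maxbounds` presumably comes from an earlier reply of the same server, which would make this a consistency check rather than validation against a trusted limit. `ErrorF` also fires once per offending glyph, so a misbehaving font server can flood the log; one warning per font would bound that.

```c
    _fs_convert_char_info(&fscilocal, &ci->metrics);
    /* … unchanged: ascent/descent upper-bound clamps against fi->maxbounds … */
    /* Side bearings arrive in the same reply; hold them to the font-wide range too. */
    if (ci->metrics.leftSideBearing < fi->minbounds.leftSideBearing)
        ci->metrics.leftSideBearing = fi->minbounds.leftSideBearing;
    if (ci->metrics.rightSideBearing > fi->maxbounds.rightSideBearing)
        ci->metrics.rightSideBearing = fi->maxbounds.rightSideBearing;
    /* Lower bounds: an overly negative ascent or descent is just as inconsistent. */
    if (ci->metrics.ascent < fi->minbounds.ascent)
        ci->metrics.ascent = fi->minbounds.ascent;
    if (ci->metrics.descent < fi->minbounds.descent)
        ci->metrics.descent = fi->minbounds.descent;
```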
Modified: trunk/debian/patches/099v_fontserver_fix_SEGV.diff
===================================================================
--- trunk/debian/patches/099v_fontserver_fix_SEGV.diff 2005-05-06 02:10:52 UTC (rev 2242)
+++ trunk/debian/patches/099v_fontserver_fix_SEGV.diff 2005-05-06 03:12:21 UTC (rev 2243)
@@ -11,8 +11,8 @@
Not submitted to XFree86 or X.Org yet.
--- xc/lib/font/fc/fserve.c~ 2005-02-09 03:27:04.000000000 -0500
-+++ xc/lib/font/fc/fserve.c 2005-02-09 03:27:48.000000000 -0500
-@@ -2332,7 +2332,7 @@
++++ xc/lib/font/fc/fserve.c 2005-05-05 21:39:45.000000000 -0500
+@@ -2359,7 +2359,7 @@
_fs_free_props (&binfo->info);
rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret);