X Strike Force X.Org X11 SVN commit: r2853 - in branches/7.1/lib/libxfont/debian: . patches
Author: dparsons
Date: 2006-08-16 18:01:58 -0400 (Wed, 16 Aug 2006)
New Revision: 2853
Added:
branches/7.1/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch
branches/7.1/lib/libxfont/debian/patches/10_pcf_font.patch
Modified:
branches/7.1/lib/libxfont/debian/changelog
branches/7.1/lib/libxfont/debian/patches/series
Log:
* Apply upstream patch 10_pcf_font.patch (security vulnerability
CVE-2006-3467). Closes: #383353.
* Upload to unstable to ensure patch is propagated quickly.
* Apply patch 10_freetype_buffer_overflow.patch while we're
at it (no known exploits).
Modified: branches/7.1/lib/libxfont/debian/changelog
===================================================================
--- branches/7.1/lib/libxfont/debian/changelog 2006-08-16 05:05:47 UTC (rev 2852)
+++ branches/7.1/lib/libxfont/debian/changelog 2006-08-16 22:01:58 UTC (rev 2853)
@@ -1,3 +1,13 @@
+libxfont (1:1.2.0-2) unstable; urgency=high
+
+ * Apply upstream patch 10_pcf_font.patch (security vulnerability
+ CVE-2006-3467). Closes: #383353.
+ * Upload to unstable to ensure patch is propagated quickly.
+ * Apply patch 10_freetype_buffer_overflow.patch while we're at it
+ (no known exploits).
+
+ -- Drew Parsons <dparsons@debian.org> Thu, 17 Aug 2006 07:45:40 +1000
+
libxfont (1:1.2.0-1) experimental; urgency=low
* New upstream version. Closes: #364854.
Added: branches/7.1/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch
===================================================================
--- branches/7.1/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch 2006-08-16 05:05:47 UTC (rev 2852)
+++ branches/7.1/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch 2006-08-16 22:01:58 UTC (rev 2853)
@@ -0,0 +1,32 @@
+From: Matthieu Herrb <matthieu.herrb@laas.fr>
+Date: Thu, 13 Jul 2006 14:18:38 +0000 (-0400)
+Subject: Bug #7397: Fix a buffer overflow in Freetype font support.
+X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/lib/libXfont.git;a=commitdiff;h=1bf657186d19887a0916340b544b5534e29da081
+
+Bug #7397: Fix a buffer overflow in Freetype font support.
+---
+
+--- a/src/FreeType/fttools.c
++++ b/src/FreeType/fttools.c
+@@ -77,7 +77,7 @@ FTu2a(int slen, FT_Byte *from, char *to,
+
+ n = 0;
+ for (i = 0; i < slen; i += 2) {
+- if(n >= max)
++ if(n >= max - 1)
+ break;
+ if(HIBYTE(from+i, byte)!=0)
+ *to++='?';
+@@ -143,9 +143,10 @@ FTGetEnglishName(FT_Face face, int nid,
+ /* Pretend that Apple Roman is ISO 8859-1. */
+ if(FTGetName(face, nid, TT_PLATFORM_MACINTOSH, TT_MAC_ID_ROMAN, &name)) {
+ len = name.string_len;
+- if(len > name_len)
+- len = name_len;
++ if(len > name_len - 1)
++ len = name_len - 1;
+ memcpy(name_return, name.string, len);
++ name_return[len] = '\0'; /* ensure nul terminaison */
+ return len;
+ }
+
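Review bot: The new clamp in FTGetEnglishName assumes `name_len` is at least 1. With a `name_len` of 0, `name_len - 1` is either -1 or a wrapped unsigned value (the parameter's type is outside the hunk), so neither the memcpy length nor the `name_return[len]` index is bounded by the buffer any more. A guard ahead of the clamp, such as `if(name_len <= 0) return 0;`, would close that case; the right return value depends on how callers interpret the result, which is not visible here. The same reasoning applies to `if(n >= max - 1)` in FTu2a when `max` is 0, assuming the terminator is written after the loop, which the hunk does not show. Both function bodies continue outside the quoted lines.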
Added: branches/7.1/lib/libxfont/debian/patches/10_pcf_font.patch
===================================================================
--- branches/7.1/lib/libxfont/debian/patches/10_pcf_font.patch 2006-08-16 05:05:47 UTC (rev 2852)
+++ branches/7.1/lib/libxfont/debian/patches/10_pcf_font.patch 2006-08-16 22:01:58 UTC (rev 2853)
@@ -0,0 +1,109 @@
+From: Matthieu Herrb <matthieu.herrb@laas.fr>
+Date: Sun, 23 Jul 2006 20:42:43 +0000 (+0200)
+Subject: More check on PCF file reading. Bugzilla #7535
+X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/lib/libXfont.git;a=commitdiff;h=8d171fe61e564d8ed8f75034d4191062cecf190b
+
+More check on PCF file reading. Bugzilla #7535
+---
+
+--- a/src/bitmap/pcfread.c
++++ b/src/bitmap/pcfread.c
+@@ -45,6 +45,7 @@ from The Open Group.
+ #endif
+
+ #include <stdarg.h>
++#include <stdint.h>
+
+ void
+ pcfError(const char* message, ...)
+@@ -133,6 +134,10 @@ pcfReadTOC(FontFilePtr file, int *countp
+ return (PCFTablePtr) NULL;
+ count = pcfGetLSB32(file);
+ if (IS_EOF(file)) return (PCFTablePtr) NULL;
++ if (count < 0 || count > INT32_MAX / sizeof(PCFTableRec)) {
++ pcfError("pcfReadTOC(): invalid file format\n");
++ return NULL;
++ }
+ tables = (PCFTablePtr) xalloc(count * sizeof(PCFTableRec));
+ if (!tables) {
+ pcfError("pcfReadTOC(): Couldn't allocate tables (%d*%d)\n", count, sizeof(PCFTableRec));
+@@ -252,6 +257,10 @@ pcfGetProperties(FontInfoPtr pFontInfo,
+ if (!PCF_FORMAT_MATCH(format, PCF_DEFAULT_FORMAT))
+ goto Bail;
+ nprops = pcfGetINT32(file, format);
++ if (nprops <= 0 || nprops > INT32_MAX / sizeof(FontPropRec)) {
++ pcfError("pcfGetProperties(): invalid nprops value (%d)\n", nprops);
++ goto Bail;
++ }
+ if (IS_EOF(file)) goto Bail;
+ props = (FontPropPtr) xalloc(nprops * sizeof(FontPropRec));
+ if (!props) {
+@@ -267,6 +276,13 @@ pcfGetProperties(FontInfoPtr pFontInfo,
+ props[i].name = pcfGetINT32(file, format);
+ isStringProp[i] = pcfGetINT8(file, format);
+ props[i].value = pcfGetINT32(file, format);
++ if (props[i].name < 0
++ || (isStringProp[i] != 0 && isStringProp[i] != 1)
++ || (isStringProp[i] && props[i].value < 0)) {
++ pcfError("pcfGetProperties(): invalid file format %d %d %d\n",
++ props[i].name, isStringProp[i], props[i].value);
++ goto Bail;
++ }
+ if (IS_EOF(file)) goto Bail;
+ }
+ /* pad the property array */
+@@ -282,6 +298,7 @@ pcfGetProperties(FontInfoPtr pFontInfo,
+ }
+ if (IS_EOF(file)) goto Bail;
+ string_size = pcfGetINT32(file, format);
++ if (string_size < 0) goto Bail;
+ if (IS_EOF(file)) goto Bail;
+ strings = (char *) xalloc(string_size);
+ if (!strings) {
+@@ -422,6 +439,10 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
+ else
+ nmetrics = pcfGetINT16(file, format);
+ if (IS_EOF(file)) goto Bail;
++ if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
++ pcfError("pcfReadFont(): invalid file format\n");
++ goto Bail;
++ }
+ metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
+ if (!metrics) {
+ pcfError("pcfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec));
+@@ -447,7 +468,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
+ nbitmaps = pcfGetINT32(file, format);
+ if (nbitmaps != nmetrics || IS_EOF(file))
+ goto Bail;
+-
++ /* nmetrics is alreadt ok, so nbitmap also is */
+ offsets = (CARD32 *) xalloc(nbitmaps * sizeof(CARD32));
+ if (!offsets) {
+ pcfError("pcfReadFont(): Couldn't allocate offsets (%d*%d)\n", nbitmaps, sizeof(CARD32));
+@@ -461,6 +482,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
+ for (i = 0; i < GLYPHPADOPTIONS; i++) {
+ bitmapSizes[i] = pcfGetINT32(file, format);
+ if (IS_EOF(file)) goto Bail;
++ if (bitmapSizes[i] < 0) goto Bail;
+ }
+
+ sizebitmaps = bitmapSizes[PCF_GLYPH_PAD_INDEX(format)];
+@@ -536,6 +558,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
+ if (IS_EOF(file)) goto Bail;
+ if (nink_metrics != nmetrics)
+ goto Bail;
++ /* nmetrics already checked */
+ ink_metrics = (xCharInfo *) xalloc(nink_metrics * sizeof(xCharInfo));
+ if (!ink_metrics) {
+ pcfError("pcfReadFont(): Couldn't allocate ink_metrics (%d*%d)\n", nink_metrics, sizeof(xCharInfo));
+@@ -809,6 +832,10 @@ pmfReadFont(FontPtr pFont, FontFilePtr f
+ else
+ nmetrics = pcfGetINT16(file, format);
+ if (IS_EOF(file)) goto Bail;
++ if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
++ pcfError("pmfReadFont(): invalid file format\n");
++ goto Bail;
++ }
+ metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
+ if (!metrics) {
+ pcfError("pmfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec));
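Review bot: The property checks added to pcfGetProperties bound string offsets only from below. `props[i].value < 0` is rejected for string properties and `string_size < 0` is rejected, but nothing in the visible lines compares a string property's value against `string_size`. If the code after this hunk uses that value as an offset into `strings` (not shown here), an offset beyond the end of the table would still be accepted from a malformed font file. Because `string_size` is read after the property loop, the comparison has to come after that read, in a pass over the properties: `if (isStringProp[i] && props[i].value >= string_size) goto Bail;`. It would also be worth confirming that the string table's last byte is NUL before any string function walks it.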
Modified: branches/7.1/lib/libxfont/debian/patches/series
===================================================================
--- branches/7.1/lib/libxfont/debian/patches/series 2006-08-16 05:05:47 UTC (rev 2852)
+++ branches/7.1/lib/libxfont/debian/patches/series 2006-08-16 22:01:58 UTC (rev 2853)
@@ -0,0 +1,2 @@
+10_freetype_buffer_overflow.patch
+10_pcf_font.patch