X Strike Force X.Org X11 SVN commit: r3205 - in trunk/lib/libxfont/debian: . patches
Author: dparsons
Date: 2006-09-13 03:52:44 -0400 (Wed, 13 Sep 2006)
New Revision: 3205
Removed:
trunk/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch
trunk/lib/libxfont/debian/patches/10_pcf_font.patch
Modified:
trunk/lib/libxfont/debian/changelog
trunk/lib/libxfont/debian/patches/series
Log:
* New upstream version.
- closes security bug in CID encoded fonts (iDefense CVE-ID
2006-3739, 2006-3740)
- applies patches 10_freetype_buffer_overflow.patch, 10_pcf_font.patch
Modified: trunk/lib/libxfont/debian/changelog
===================================================================
--- trunk/lib/libxfont/debian/changelog 2006-09-13 07:40:37 UTC (rev 3204)
+++ trunk/lib/libxfont/debian/changelog 2006-09-13 07:52:44 UTC (rev 3205)
@@ -1,9 +1,12 @@
-libxfont (1:1.2.0-3) unstable; urgency=low
+libxfont (1:1.2.2-1) unstable; urgency=high
- [ Drew Parsons ]
+ * New upstream version.
+ - closes security bug in CID encoded fonts (iDefense CVE-ID
+ 2006-3739, 2006-3740)
+ - applies patches 10_freetype_buffer_overflow.patch, 10_pcf_font.patch
* dbg package has priority extra.
- -- David Nusinow <dnusinow@debian.org> Wed, 30 Aug 2006 18:54:09 -0400
+ -- Drew Parsons <dparsons@debian.org> Wed, 13 Sep 2006 17:50:06 +1000
libxfont (1:1.2.0-2) unstable; urgency=high
Deleted: trunk/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch
===================================================================
--- trunk/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch 2006-09-13 07:40:37 UTC (rev 3204)
+++ trunk/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch 2006-09-13 07:52:44 UTC (rev 3205)
@@ -1,32 +0,0 @@
-From: Matthieu Herrb <matthieu.herrb@laas.fr>
-Date: Thu, 13 Jul 2006 14:18:38 +0000 (-0400)
-Subject: Bug #7397: Fix a buffer overflow in Freetype font support.
-X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/lib/libXfont.git;a=commitdiff;h=1bf657186d19887a0916340b544b5534e29da081
-
-Bug #7397: Fix a buffer overflow in Freetype font support.
----
-
---- a/src/FreeType/fttools.c
-+++ b/src/FreeType/fttools.c
-@@ -77,7 +77,7 @@ FTu2a(int slen, FT_Byte *from, char *to,
-
- n = 0;
- for (i = 0; i < slen; i += 2) {
-- if(n >= max)
-+ if(n >= max - 1)
- break;
- if(HIBYTE(from+i, byte)!=0)
- *to++='?';
-@@ -143,9 +143,10 @@ FTGetEnglishName(FT_Face face, int nid,
- /* Pretend that Apple Roman is ISO 8859-1. */
- if(FTGetName(face, nid, TT_PLATFORM_MACINTOSH, TT_MAC_ID_ROMAN, &name)) {
- len = name.string_len;
-- if(len > name_len)
-- len = name_len;
-+ if(len > name_len - 1)
-+ len = name_len - 1;
- memcpy(name_return, name.string, len);
-+ name_return[len] = '\0'; /* ensure nul terminaison */
- return len;
- }
-
Deleted: trunk/lib/libxfont/debian/patches/10_pcf_font.patch
===================================================================
--- trunk/lib/libxfont/debian/patches/10_pcf_font.patch 2006-09-13 07:40:37 UTC (rev 3204)
+++ trunk/lib/libxfont/debian/patches/10_pcf_font.patch 2006-09-13 07:52:44 UTC (rev 3205)
@@ -1,109 +0,0 @@
-From: Matthieu Herrb <matthieu.herrb@laas.fr>
-Date: Sun, 23 Jul 2006 20:42:43 +0000 (+0200)
-Subject: More check on PCF file reading. Bugzilla #7535
-X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/lib/libXfont.git;a=commitdiff;h=8d171fe61e564d8ed8f75034d4191062cecf190b
-
-More check on PCF file reading. Bugzilla #7535
----
-
---- a/src/bitmap/pcfread.c
-+++ b/src/bitmap/pcfread.c
-@@ -45,6 +45,7 @@ from The Open Group.
- #endif
-
- #include <stdarg.h>
-+#include <stdint.h>
-
- void
- pcfError(const char* message, ...)
-@@ -133,6 +134,10 @@ pcfReadTOC(FontFilePtr file, int *countp
- return (PCFTablePtr) NULL;
- count = pcfGetLSB32(file);
- if (IS_EOF(file)) return (PCFTablePtr) NULL;
-+ if (count < 0 || count > INT32_MAX / sizeof(PCFTableRec)) {
-+ pcfError("pcfReadTOC(): invalid file format\n");
-+ return NULL;
-+ }
- tables = (PCFTablePtr) xalloc(count * sizeof(PCFTableRec));
- if (!tables) {
- pcfError("pcfReadTOC(): Couldn't allocate tables (%d*%d)\n", count, sizeof(PCFTableRec));
-@@ -252,6 +257,10 @@ pcfGetProperties(FontInfoPtr pFontInfo,
- if (!PCF_FORMAT_MATCH(format, PCF_DEFAULT_FORMAT))
- goto Bail;
- nprops = pcfGetINT32(file, format);
-+ if (nprops <= 0 || nprops > INT32_MAX / sizeof(FontPropRec)) {
-+ pcfError("pcfGetProperties(): invalid nprops value (%d)\n", nprops);
-+ goto Bail;
-+ }
- if (IS_EOF(file)) goto Bail;
- props = (FontPropPtr) xalloc(nprops * sizeof(FontPropRec));
- if (!props) {
-@@ -267,6 +276,13 @@ pcfGetProperties(FontInfoPtr pFontInfo,
- props[i].name = pcfGetINT32(file, format);
- isStringProp[i] = pcfGetINT8(file, format);
- props[i].value = pcfGetINT32(file, format);
-+ if (props[i].name < 0
-+ || (isStringProp[i] != 0 && isStringProp[i] != 1)
-+ || (isStringProp[i] && props[i].value < 0)) {
-+ pcfError("pcfGetProperties(): invalid file format %d %d %d\n",
-+ props[i].name, isStringProp[i], props[i].value);
-+ goto Bail;
-+ }
- if (IS_EOF(file)) goto Bail;
- }
- /* pad the property array */
-@@ -282,6 +298,7 @@ pcfGetProperties(FontInfoPtr pFontInfo,
- }
- if (IS_EOF(file)) goto Bail;
- string_size = pcfGetINT32(file, format);
-+ if (string_size < 0) goto Bail;
- if (IS_EOF(file)) goto Bail;
- strings = (char *) xalloc(string_size);
- if (!strings) {
-@@ -422,6 +439,10 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
- else
- nmetrics = pcfGetINT16(file, format);
- if (IS_EOF(file)) goto Bail;
-+ if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
-+ pcfError("pcfReadFont(): invalid file format\n");
-+ goto Bail;
-+ }
- metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
- if (!metrics) {
- pcfError("pcfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec));
-@@ -447,7 +468,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
- nbitmaps = pcfGetINT32(file, format);
- if (nbitmaps != nmetrics || IS_EOF(file))
- goto Bail;
--
-+ /* nmetrics is alreadt ok, so nbitmap also is */
- offsets = (CARD32 *) xalloc(nbitmaps * sizeof(CARD32));
- if (!offsets) {
- pcfError("pcfReadFont(): Couldn't allocate offsets (%d*%d)\n", nbitmaps, sizeof(CARD32));
-@@ -461,6 +482,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
- for (i = 0; i < GLYPHPADOPTIONS; i++) {
- bitmapSizes[i] = pcfGetINT32(file, format);
- if (IS_EOF(file)) goto Bail;
-+ if (bitmapSizes[i] < 0) goto Bail;
- }
-
- sizebitmaps = bitmapSizes[PCF_GLYPH_PAD_INDEX(format)];
-@@ -536,6 +558,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
- if (IS_EOF(file)) goto Bail;
- if (nink_metrics != nmetrics)
- goto Bail;
-+ /* nmetrics already checked */
- ink_metrics = (xCharInfo *) xalloc(nink_metrics * sizeof(xCharInfo));
- if (!ink_metrics) {
- pcfError("pcfReadFont(): Couldn't allocate ink_metrics (%d*%d)\n", nink_metrics, sizeof(xCharInfo));
-@@ -809,6 +832,10 @@ pmfReadFont(FontPtr pFont, FontFilePtr f
- else
- nmetrics = pcfGetINT16(file, format);
- if (IS_EOF(file)) goto Bail;
-+ if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
-+ pcfError("pmfReadFont(): invalid file format\n");
-+ goto Bail;
-+ }
- metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
- if (!metrics) {
- pcfError("pmfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec));
Modified: trunk/lib/libxfont/debian/patches/series
===================================================================
--- trunk/lib/libxfont/debian/patches/series 2006-09-13 07:40:37 UTC (rev 3204)
+++ trunk/lib/libxfont/debian/patches/series 2006-09-13 07:52:44 UTC (rev 3205)
@@ -1,2 +0,0 @@
-10_freetype_buffer_overflow.patch
-10_pcf_font.patch
Reply to: