libxfont: Changes to 'upstream-unstable'
configure.ac | 5
src/FreeType/Makefile.am | 2
src/FreeType/ftsystem.c | 331 -----------------------------------------------
src/bitmap/pcfread.c | 6
src/builtins/dir.c | 18 +-
src/builtins/file.c | 3
src/fontfile/catalogue.c | 2
7 files changed, 19 insertions(+), 348 deletions(-)
New commits:
commit 0fd2a1428df56d8b29e148b08dcec2dfed9302fa
Author: Adam Jackson <ajax@redhat.com>
Date: Wed Mar 5 22:04:06 2008 -0500
libXfont 1.3.2
diff --git a/configure.ac b/configure.ac
index 63737ad..7d7ba75 100644
--- a/configure.ac
+++ b/configure.ac
@@ -1,6 +1,3 @@
-dnl
-dnl $Id$
-dnl
dnl Copyright © 2003 Keith Packard
dnl
dnl Permission to use, copy, modify, distribute, and sell this software and its
@@ -26,7 +23,7 @@ dnl Process this file with autoconf to create configure.
AC_PREREQ([2.57])
AC_INIT([libXfont],
- 1.3.1,
+ 1.3.2,
[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg],
libXfont)
dnl
commit b76df66d2c507898472bba0f9986ef5700029a36
Author: Matthieu Herrb <matthieu@bluenote.herrb.com>
Date: Thu Jan 17 15:30:37 2008 +0100
Fix for CVE-2008-0006 - PCF Font parser buffer overflow.
diff --git a/src/bitmap/pcfread.c b/src/bitmap/pcfread.c
index fd41849..c5db255 100644
--- a/src/bitmap/pcfread.c
+++ b/src/bitmap/pcfread.c
@@ -588,6 +588,9 @@ pcfReadFont(FontPtr pFont, FontFilePtr file,
pFont->info.lastRow = pcfGetINT16(file, format);
pFont->info.defaultCh = pcfGetINT16(file, format);
if (IS_EOF(file)) goto Bail;
+ if (pFont->info.firstCol > pFont->info.lastCol ||
+ pFont->info.firstRow > pFont->info.lastRow ||
+ pFont->info.lastCol-pFont->info.firstCol > 255) goto Bail;
nencoding = (pFont->info.lastCol - pFont->info.firstCol + 1) *
(pFont->info.lastRow - pFont->info.firstRow + 1);
@@ -726,6 +729,9 @@ pcfReadFontInfo(FontInfoPtr pFontInfo, FontFilePtr file)
pFontInfo->lastRow = pcfGetINT16(file, format);
pFontInfo->defaultCh = pcfGetINT16(file, format);
if (IS_EOF(file)) goto Bail;
+ if (pFontInfo->firstCol > pFontInfo->lastCol ||
+ pFontInfo->firstRow > pFontInfo->lastRow ||
+ pFontInfo->lastCol-pFontInfo->firstCol > 255) goto Bail;
nencoding = (pFontInfo->lastCol - pFontInfo->firstCol + 1) *
(pFontInfo->lastRow - pFontInfo->firstRow + 1);
commit 2297c6390a1609fe810c2cd5b3443f3722610944
Author: Matthieu Herrb <matthieu@bluenote.herrb.com>
Date: Thu Oct 18 21:46:49 2007 +0200
ftsystem.c is not needed anymore.
diff --git a/src/FreeType/Makefile.am b/src/FreeType/Makefile.am
index a138314..8e67837 100644
--- a/src/FreeType/Makefile.am
+++ b/src/FreeType/Makefile.am
@@ -13,5 +13,3 @@ libft_la_SOURCES = \
ftfuncs.c \
fttools.c \
xttcap.c
-
-EXTRA_DIST = ftsystem.c
diff --git a/src/FreeType/ftsystem.c b/src/FreeType/ftsystem.c
deleted file mode 100644
index ae5aa00..0000000
--- a/src/FreeType/ftsystem.c
+++ /dev/null
@@ -1,331 +0,0 @@
-/***************************************************************************/
-/* */
-/* ftsystem.c */
-/* */
-/* ANSI-specific FreeType low-level system interface (body). */
-/* */
-/* Copyright 1996-2001, 2002 by */
-/* David Turner, Robert Wilhelm, and Werner Lemberg. */
-/* */
-/* Modified for XFree86. */
-/* */
-/* This file is part of the FreeType project, and may only be used, */
-/* modified, and distributed under the terms of the FreeType project */
-/* license, LICENSE.TXT. By continuing to use, modify, or distribute */
-/* this file you indicate that you have read the license and */
-/* understand and accept it fully. */
-/* */
-/***************************************************************************/
-
-/* Modified for XFree86 */
-/* $XFree86$ */
-
- /*************************************************************************/
- /* */
- /* This file contains the default interface used by FreeType to access */
- /* low-level, i.e. memory management, i/o access as well as thread */
- /* synchronisation. It can be replaced by user-specific routines if */
- /* necessary. */
- /* */
- /*************************************************************************/
-
-
-#ifdef HAVE_CONFIG_H
-#include <config.h>
-#endif
-#include <ft2build.h>
-#include FT_CONFIG_CONFIG_H
-#include FT_SYSTEM_H
-#include FT_ERRORS_H
-#include FT_TYPES_H
-
-#ifndef FONTMODULE
-#include <stdio.h>
-#include <stdlib.h>
-#else
-#include "Xmd.h"
-#define _XTYPEDEF_BOOL
-#include "Xdefs.h"
-#define DONT_DEFINE_WRAPPERS
-#include "xf86_ansic.h"
-#undef DONT_DEFINE_WRAPPERS
-#define malloc(x) xf86malloc(x)
-#define realloc(x, y) xf86realloc(x, y)
-#define free(x) xf86free(x)
-#define FILE XF86FILE
-#define fopen(x, y) xf86fopen(x, y)
-#define fclose(x) xf86fclose(x)
-#define fseek(x, y, z) xf86fseek(x, y, z)
-#define ftell(x) xf86ftell(x)
-#define SEEK_SET XF86_SEEK_SET
-#define SEEK_END XF86_SEEK_END
-#define fread(x, y, z, t) xf86fread(x, y, z, t)
-#endif
-
-
- /*************************************************************************/
- /* */
- /* MEMORY MANAGEMENT INTERFACE */
- /* */
- /*************************************************************************/
-
- /*************************************************************************/
- /* */
- /* It is not necessary to do any error checking for the */
- /* allocation-related functions. This will be done by the higher level */
- /* routines like FT_Alloc() or FT_Realloc(). */
- /* */
- /*************************************************************************/
-
-
- /*************************************************************************/
- /* */
- /* <Function> */
- /* ft_alloc */
- /* */
- /* <Description> */
- /* The memory allocation function. */
- /* */
- /* <Input> */
- /* memory :: A pointer to the memory object. */
- /* */
- /* size :: The requested size in bytes. */
- /* */
- /* <Return> */
- /* The address of newly allocated block. */
- /* */
- FT_CALLBACK_DEF( void* )
- ft_alloc( FT_Memory memory,
- long size )
- {
- FT_UNUSED( memory );
-
- return malloc( size );
- }
-
-
- /*************************************************************************/
- /* */
- /* <Function> */
- /* ft_realloc */
- /* */
- /* <Description> */
- /* The memory reallocation function. */
- /* */
- /* <Input> */
- /* memory :: A pointer to the memory object. */
- /* */
- /* cur_size :: The current size of the allocated memory block. */
- /* */
- /* new_size :: The newly requested size in bytes. */
- /* */
- /* block :: The current address of the block in memory. */
- /* */
- /* <Return> */
- /* The address of the reallocated memory block. */
- /* */
- FT_CALLBACK_DEF( void* )
- ft_realloc( FT_Memory memory,
- long cur_size,
- long new_size,
- void* block )
- {
- FT_UNUSED( memory );
- FT_UNUSED( cur_size );
-
- return realloc( block, new_size );
- }
-
-
- /*************************************************************************/
- /* */
- /* <Function> */
- /* ft_free */
- /* */
- /* <Description> */
- /* The memory release function. */
- /* */
- /* <Input> */
- /* memory :: A pointer to the memory object. */
- /* */
- /* block :: The address of block in memory to be freed. */
- /* */
- FT_CALLBACK_DEF( void )
- ft_free( FT_Memory memory,
- void* block )
- {
- FT_UNUSED( memory );
-
- free( block );
- }
-
-
- /*************************************************************************/
- /* */
- /* RESOURCE MANAGEMENT INTERFACE */
- /* */
- /*************************************************************************/
-
-
- /*************************************************************************/
- /* */
- /* The macro FT_COMPONENT is used in trace mode. It is an implicit */
- /* parameter of the FT_TRACE() and FT_ERROR() macros, used to print/log */
- /* messages during execution. */
- /* */
-#undef FT_COMPONENT
-#define FT_COMPONENT trace_io
-
- /* We use the macro STREAM_FILE for convenience to extract the */
- /* system-specific stream handle from a given FreeType stream object */
-#define STREAM_FILE( stream ) ( (FILE*)stream->descriptor.pointer )
-
-
- /*************************************************************************/
- /* */
- /* <Function> */
- /* ft_ansi_stream_close */
- /* */
- /* <Description> */
- /* The function to close a stream. */
- /* */
- /* <Input> */
- /* stream :: A pointer to the stream object. */
- /* */
- FT_CALLBACK_DEF( void )
- ft_ansi_stream_close( FT_Stream stream )
- {
- fclose( STREAM_FILE( stream ) );
-
- stream->descriptor.pointer = NULL;
- stream->size = 0;
- stream->base = 0;
- }
-
-
- /*************************************************************************/
- /* */
- /* <Function> */
- /* ft_ansi_stream_io */
- /* */
- /* <Description> */
- /* The function to open a stream. */
- /* */
- /* <Input> */
- /* stream :: A pointer to the stream object. */
- /* */
- /* offset :: The position in the data stream to start reading. */
- /* */
- /* buffer :: The address of buffer to store the read data. */
- /* */
- /* count :: The number of bytes to read from the stream. */
- /* */
- /* <Return> */
- /* The number of bytes actually read. */
- /* */
- FT_CALLBACK_DEF( unsigned long )
- ft_ansi_stream_io( FT_Stream stream,
- unsigned long offset,
- unsigned char* buffer,
- unsigned long count )
- {
- FILE* file;
-
-
- file = STREAM_FILE( stream );
-
- fseek( file, offset, SEEK_SET );
-
- return (unsigned long)fread( buffer, 1, count, file );
- }
-
-
- /* documentation is in ftobjs.h */
-
- FT_EXPORT_DEF( FT_Error )
- FT_Stream_Open( FT_Stream stream,
- const char* filepathname )
- {
- FILE* file;
-
-
- if ( !stream )
- return FT_Err_Invalid_Stream_Handle;
-
- file = fopen( filepathname, "rb" );
- if ( !file )
- {
- FT_ERROR(( "FT_Stream_Open:" ));
- FT_ERROR(( " could not open `%s'\n", filepathname ));
-
- return FT_Err_Cannot_Open_Resource;
- }
-
- fseek( file, 0, SEEK_END );
- stream->size = ftell( file );
- fseek( file, 0, SEEK_SET );
-
- stream->descriptor.pointer = file;
- stream->pathname.pointer = (char*)filepathname;
- stream->pos = 0;
-
- stream->read = ft_ansi_stream_io;
- stream->close = ft_ansi_stream_close;
-
- FT_TRACE1(( "FT_Stream_Open:" ));
- FT_TRACE1(( " opened `%s' (%d bytes) successfully\n",
- filepathname, stream->size ));
-
- return FT_Err_Ok;
- }
-
-
-#ifdef FT_DEBUG_MEMORY
-
- extern FT_Int
- ft_mem_debug_init( FT_Memory memory );
-
- extern void
- ft_mem_debug_done( FT_Memory memory );
-
-#endif
-
-
- /* documentation is in ftobjs.h */
-
- FT_EXPORT_DEF( FT_Memory )
- FT_New_Memory( void )
- {
- FT_Memory memory;
-
-
- memory = (FT_Memory)malloc( sizeof ( *memory ) );
- if ( memory )
- {
- memory->user = 0;
- memory->alloc = ft_alloc;
- memory->realloc = ft_realloc;
- memory->free = ft_free;
-#ifdef FT_DEBUG_MEMORY
- ft_mem_debug_init( memory );
-#endif
- }
-
- return memory;
- }
-
-
- /* documentation is in ftobjs.h */
-
- FT_EXPORT_DEF( void )
- FT_Done_Memory( FT_Memory memory )
- {
-#ifdef FT_DEBUG_MEMORY
- ft_mem_debug_done( memory );
-#endif
-#undef free
- memory->free( memory, memory );
- }
-
-
-/* END */
commit 5bf703700ee4a5d6eae20da07cb7a29369667aef
Author: Matthieu Herrb <matthieu@bluenote.herrb.com>
Date: Fri Sep 28 08:17:57 2007 +0200
catalogue.c: prevent a one character overflow
this occurs if readlink writes a result that's exactly the
size of the buffer that's passed to it. Reported by
Joerg Sonnenberger.
Re
diff --git a/src/fontfile/catalogue.c b/src/fontfile/catalogue.c
index 33d4434..c0d90f8 100644
--- a/src/fontfile/catalogue.c
+++ b/src/fontfile/catalogue.c
@@ -156,7 +156,7 @@ CatalogueRescan (FontPathElementPtr fpe)
while (entry = readdir(dir), entry != NULL)
{
snprintf(link, sizeof link, "%s/%s", path, entry->d_name);
- len = readlink(link, dest, sizeof dest);
+ len = readlink(link, dest, sizeof dest - 1);
if (len < 0)
continue;
commit fd8a03fbbd74f5cbaa740e5d50fccdf5c1f78b5b
Author: Jens Granseuer <jensgr@gmx.net>
Date: Thu Sep 27 23:12:00 2007 +0200
fix build with gcc 2.95.
In addition to fixing the C89 issue, the patch also flags a few functions as
static to avoid "no previous prototype" warnings.
diff --git a/src/builtins/dir.c b/src/builtins/dir.c
index 97f1e1e..1f7f547 100644
--- a/src/builtins/dir.c
+++ b/src/builtins/dir.c
@@ -29,7 +29,7 @@
#endif
#include "builtin.h"
-BuiltinDirPtr
+static BuiltinDirPtr
BuiltinDirsDup (const BuiltinDirPtr a_dirs,
int a_dirs_len)
{
@@ -60,7 +60,7 @@ BuiltinDirsDup (const BuiltinDirPtr a_dirs,
* @param a_saved the saved instance of BuiltinDir to copy into a_cur
* @return 0 if went okay, 1 otherwise.
*/
-int
+static int
BuiltinDirRestore (BuiltinDirPtr a_cur,
const BuiltinDirPtr a_saved)
{
@@ -75,7 +75,7 @@ BuiltinDirRestore (BuiltinDirPtr a_cur,
}
-int
+static int
BuiltinDirsRestore (BuiltinDirPtr a_cur_tab,
const BuiltinDirPtr a_saved_tab,
int a_tab_len)
@@ -94,7 +94,7 @@ BuiltinDirsRestore (BuiltinDirPtr a_cur_tab,
return 0 ;
}
-BuiltinAliasPtr
+static BuiltinAliasPtr
BuiltinAliasesDup (const BuiltinAliasPtr a_aliases,
int a_aliases_len)
{
@@ -122,7 +122,7 @@ BuiltinAliasesDup (const BuiltinAliasPtr a_aliases,
* @param a_saved the saved instance of BuiltinAlias to copy into a_cur
* @return 0 if went okay, 1 otherwise.
*/
-int
+static int
BuiltinAliasRestore (BuiltinAliasPtr a_cur,
const BuiltinAliasPtr a_save)
{
@@ -137,7 +137,7 @@ BuiltinAliasRestore (BuiltinAliasPtr a_cur,
return 0 ;
}
-int
+static int
BuiltinAliasesRestore (BuiltinAliasPtr a_cur_tab,
const BuiltinAliasPtr a_saved_tab,
int a_tab_len)
@@ -162,10 +162,10 @@ BuiltinReadDirectory (char *directory, FontDirectoryPtr *pdir)
FontDirectoryPtr dir;
int i;
- dir = FontFileMakeDir ("", builtin_dir_count);
- static BuiltinDirPtr saved_builtin_dir ;
- static BuiltinAliasPtr saved_builtin_alias ;
+ static BuiltinDirPtr saved_builtin_dir;
+ static BuiltinAliasPtr saved_builtin_alias;
+ dir = FontFileMakeDir ("", builtin_dir_count);
if (saved_builtin_dir)
{
commit 268f1bb1859e97944e8b63a5bb12677e874ed144
Author: Tilman Sauerbeck <tilman@code-monkey.de>
Date: Thu Sep 13 20:40:26 2007 +0200
Replaced one instance of bcopy() with memcpy().
f->buffer cannot overlap with io->file->bits, so it's safe to
use memcpy() rather than memmove().
Compile-tested only.
diff --git a/src/builtins/file.c b/src/builtins/file.c
index 863ecee..a46b0a6 100644
--- a/src/builtins/file.c
+++ b/src/builtins/file.c
@@ -27,6 +27,7 @@
#ifdef HAVE_CONFIG_H
#include <config.h>
#endif
+#include <string.h>
#include "builtin.h"
typedef struct _BuiltinIO {
@@ -49,7 +50,7 @@ BuiltinFill (BufFilePtr f)
len = BUFFILESIZE;
if (len > left)
len = left;
- bcopy (io->file->bits + io->offset, f->buffer, len);
+ memcpy (f->buffer, io->file->bits + io->offset, len);
io->offset += len;
f->left = len - 1;
f->bufp = f->buffer + 1;
Reply to: