
libxfont: Changes to 'debian-unstable'



 ChangeLog                                                                      |  361 ++++++++++
 README                                                                         |    6 
 configure.ac                                                                   |   42 -
 debian/changelog                                                               |    9 
 debian/control                                                                 |    3 
 debian/patches/0001-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-Fo.patch |   47 -
 debian/patches/0002-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-le.patch |   50 -
 debian/patches/0003-CVE-2014-XXXB-unvalidated-length-in-_fs_recv_conn_se.patch |   73 --
 debian/patches/0004-CVE-2014-XXXB-unvalidated-lengths-when-reading-repli.patch |  159 ----
 debian/patches/0005-CVE-2014-XXXC-Integer-overflow-in-fs_get_reply-_fs_s.patch |   68 -
 debian/patches/0006-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_q.patch |  127 ---
 debian/patches/0007-CVE-2014-XXXC-integer-overflow-in-fs_read_extent_inf.patch |   52 -
 debian/patches/0008-CVE-2014-XXXC-integer-overflow-in-fs_alloc_glyphs.patch    |   39 -
 debian/patches/0009-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_e.patch |   42 -
 debian/patches/0010-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_g.patch |   76 --
 debian/patches/0011-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_l.patch |   59 -
 debian/patches/0012-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_l.patch |  108 --
 debian/patches/series                                                          |   13 
 debian/upstream/signing-key.asc                                                |   60 +
 debian/watch                                                                   |    1 
 src/Makefile.am                                                                |    2 
 src/bitmap/Makefile.am                                                         |   24 
 src/bitmap/bitmap.c                                                            |    6 
 src/bitmap/bitmapfunc.c                                                        |   31 
 src/bitmap/bitscale.c                                                          |   22 
 src/fc/fsconvert.c                                                             |   16 
 src/fc/fserve.c                                                                |  253 ++++++-
 src/fc/fsio.h                                                                  |    3 
 src/fontfile/dirfile.c                                                         |    4 
 src/fontfile/fontdir.c                                                         |    5 
 src/fontfile/renderers.c                                                       |    6 
 src/stubs/Makefile.am                                                          |    2 
 src/stubs/cauthgen.c                                                           |    1 
 src/stubs/csignal.c                                                            |    1 
 src/stubs/delfntcid.c                                                          |    1 
 src/stubs/errorf.c                                                             |    1 
 src/stubs/fatalerror.c                                                         |   13 
 src/stubs/findoldfnt.c                                                         |    1 
 src/stubs/getcres.c                                                            |    1 
 src/stubs/getdefptsize.c                                                       |    1 
 src/stubs/getnewfntcid.c                                                       |    1 
 src/stubs/gettime.c                                                            |    1 
 src/stubs/initfshdl.c                                                          |    1 
 src/stubs/regfpefunc.c                                                         |    4 
 src/stubs/rmfshdl.c                                                            |    1 
 src/stubs/servclient.c                                                         |    9 
 src/stubs/setfntauth.c                                                         |    1 
 src/stubs/stfntcfnt.c                                                          |    1 
 src/stubs/stubs.h                                                              |   49 +
 src/stubs/stubsinit.c                                                          |   82 ++
 src/util/atom.c                                                                |    4 
 src/util/miscutil.c                                                            |   12 
 52 files changed, 946 insertions(+), 1009 deletions(-)

New commits:
commit ee8c68d9c983b5f8d7c1f373604cfcbdec1bcb7f
Author: Julien Cristau <jcristau@debian.org>
Date:   Sat Jul 12 17:47:48 2014 +0200

    Upload to unstable

diff --git a/debian/changelog b/debian/changelog
index 35d9041..facbe53 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,11 +1,11 @@
-libxfont (1:1.4.99.901-1) UNRELEASED; urgency=medium
+libxfont (1:1.4.99.901-1) unstable; urgency=medium
 
   * New upstream release candidate.
     + includes the CVE-2014-{0209,0210,0211} patches
   * Remove Cyril from Uploaders.
   * Allow uscan to verify tarball signature.
 
- -- Julien Cristau <jcristau@debian.org>  Sat, 12 Jul 2014 17:32:28 +0200
+ -- Julien Cristau <jcristau@debian.org>  Sat, 12 Jul 2014 17:44:11 +0200
 
 libxfont (1:1.4.7-2) unstable; urgency=high
 

commit a99b9a708572f8a331825a0c29b97a530a8352aa
Author: Julien Cristau <jcristau@debian.org>
Date:   Sat Jul 12 17:43:58 2014 +0200

    Allow uscan to verify tarball signature.
    
    Add alanc's public gpg key in debian/upstream/signing-key.asc and adjust
    debian/watch.

diff --git a/debian/changelog b/debian/changelog
index 11f9f15..35d9041 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,7 @@ libxfont (1:1.4.99.901-1) UNRELEASED; urgency=medium
   * New upstream release candidate.
     + includes the CVE-2014-{0209,0210,0211} patches
   * Remove Cyril from Uploaders.
+  * Allow uscan to verify tarball signature.
 
  -- Julien Cristau <jcristau@debian.org>  Sat, 12 Jul 2014 17:32:28 +0200
 
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..863981f
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@ -0,0 +1,60 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQGiBEab+moRBACDH5yKqS3wcc5bdxY7PBNuwKvF5TKMfagmSvuRDtZjjIIWaA/n
+Z1KboV9Gq5g7kP7+Kfu+Qgd8u65eVsWwmPW10fXvj3aCU53glx2EdGdrHcgiyH2g
+EQfPiyBw+trIppWFRV0IDXSLMA1FNC92t2nSG/VFHaPTVwcgkIRSfcXDvwCglGdE
+a6f4uLqoNHP+m4yYnzapFuMD/R4+2AJDAvEWKDdYCGZzlawjAmmWyXrmT7/C/mx9
+8qUR473l4buXjHgDkkXXlHqdzil1vK85PhrKzNJDCCmlHUJNz+QwiAMOLwpD+kwV
+Pb57RG7y+a5JQ5+jtVw4RlUxZIk/wj2An9YBO3A5vR7PdjM32ZJCN2+aM4dYfNzQ
+xQKTA/47icvBaBVTl9rztjg2pd2Aqpc1P/GsIYLGj7XjnnJvGAENBHSH1QjpZMJG
+CTS9oJ+B0/wrIr+pA+MdFgYAb6ojMQJOO6UChjWWSGjMFcs/CeXhxlLBido3DtAE
+TbNTwO6OEfAvdosvTdhJFnwvZlJ+zZGGy5CrF2Fd9PUe9tmASbQoQWxhbiBDb29w
+ZXJzbWl0aCA8YWxhbmNAZnJlZWRlc2t0b3Aub3JnPohoBBMRAgAoAhsDBgsJCAcD
+AgYVCAIJCgsEFgIDAQIeAQIXgAUCUXnRYgUJFEPYeAAKCRCi+54IHy0TDonxAKCP
+cAgXNojuujUg5Wqi6v0RBFVSUgCggq1SsVEdq9NDWvXvkeGyNaBivSK0K0FsYW4g
+Q29vcGVyc21pdGggPGFsYW4uY29vcGVyc21pdGhAc3VuLmNvbT6IZgQTEQIAJgIb
+AwYLCQgHAwIEFQIIAwQWAgMBAh4BAheABQJRedFiBQkUQ9h4AAoJEKL7nggfLRMO
+6sUAn0jl3h9rY4OJ13Lu7nsKclyhDpOqAKCFgTmaDGRuDRxloLg9jftrn7a7vrQu
+QWxhbiBDb29wZXJzbWl0aCA8YWxhbi5jb29wZXJzbWl0aEBvcmFjbGUuY29tPohr
+BBMRAgArAhsDBgsJCAcDAgYVCAIJCgsEFgIDAQIeAQIXgAIZAQUCUXnRYgUJFEPY
+eAAKCRCi+54IHy0TDtBZAJ9IgVVNoFIPRjTsNjcSFaLznuDRJgCcC/WgV312IrxS
+Q8PRAyEgozSB9Ke5Ag0ERpv6bxAIAJp5aUlho5rUhpS6ik7spsAQFPRuycPKMNu0
+J4F0v/OoPz085soV8ytLj4HqCGk2Zamh1jSgliZwuk9m7V7Wgxx+nBJawpWDX/eK
+LObErfDwQ4dfOFvjbXLQMmNnQNaUGIWLPP3l8GuBOHMq60Bu+TPgh627vUntL5RE
+QEQqTXIzWC6U10QsDblLwIvdOVSdGF5xl/N1myXzSKvrsZwWtoFc8G9v9hcCjhtN
+1sm9b7Ojc51iZXvcetcvPy5RA6AUW3yEExaedUdLnvIF9sjFYIfJWFVYh2AgavnG
+re6fF+NV2v3zfx3wRT7H9//m4YIDYJmgZgyQccXegTwfGBIq3osAAwYH/1FiMUMM
+ES5Ilz2nDqId+DCWECAU6wgvIFRcXrZWxDxB+ZrnmTCXoAD0xedpfOkRHp8XTVc/
+9MU+wQ+lZRx2OQ6MJW0XGuFvHm94KZF/8HzWA2Ah7U4n0+3sLpk6zWceZq2zZNF0
+yVTjwD98+xNK1Q9sP8aOKdtg8yMH3hisKR6rdW+mfX5q0Q8Gol2hZsFH/qyIhnPz
+hXDknuOh8E5iMkzrejVXUEn++Yzj23XjP59SObLznVkyxI+kBI9qvVEPfFBDybjH
+WqLcgRcCpXAzjizEi+/d31iDa2ErJHV4R42obecFqiPnoDtiX3IiP7z9fmxM4aWP
+ZZRqvq+1ht5wkn+ISQQYEQIACQUCRpv6bwIbDAAKCRCi+54IHy0TDoLoAKCHYRpw
+/XfyEunw1YL/uMZzl78qIQCdFVcXNbqD83qVhW4Ly7hyDL8o0aK5Ag0EUXnVIQEQ
+AKHpjOmY056n0tsZoW9q5egsMcl5tKC8uimrhO05nnq+5/60/YedC++V9c9b/3/X
+7O28LyBkAtBgD0xJZSDQ0DhTzKAp6AzjQtBvI68uinGwxSjT+oQpPMxqhA1I0kzo
+EDCdEqV+HsVOAEdbAi/tP9bbdTDzwVc8MWDriamBUqc53Rb00Mffy9435UgTS4gA
+hMwANhy6XZmOMBhITOzxFJUEDTDJtLbE0b1jPRQS7NHQgak1inmuvPMc3wAuoEcS
+CSt1xupbYsBoXOjK5wC/eE1LIdZoRyW2OkT140DqDZ8zfRID860hnirnYgb09TPN
+tj93pudUAUt6T9+tcLN4/rxhxHOwse66KGHO4bQ1rZ6mfco6SYd9V60cL6hC2eMe
+cyxZliMu17lj7EX8lxUH+omIgHc7HGoyUR6V+WB60cxWj5v05zdeLeZ2aLBcPFhx
+lfDESm8f4ezdJSDS1QZmC0P5h3RJfhhfmdBr8kHzr7111D1/O71Av1VV5FyJ9YxU
+Sxp4IPuzK7JbbgVHcA6PvXrDzWUslmZgPADpKH4hTmG/NdCqhEXcufvY6s5yNksB
+8X3ReNvuSSyfGnRz3kvtyK0XzC7KRX2PquLI6A8KJprHwZGqEB1NDG8b2iaYnghO
+jyfIYEVQF3nGfaBwv4lrCPEoZSUaK8f/NQZjNU8NQyTnABEBAAGJAm0EGBEKAA8F
+AlF51SECGwIFCQlmAYACKQkQovueCB8tEw7BXSAEGQEKAAYFAlF51SEACgkQz98U
+iCjGQqfW5g//dOdJHt23cdMyz5VADaE7u+L0E+eX9GtHF4J649eXsui59EtbHh2n
+XdGhd5SqQ8FDi9GCEKaQ4S31n/YBLEBCkj7R0IMikW2o78/JxDovB8+aL606hgma
+fNVx1aIshIglrl8Xlu3sjeAvG48W6YjdL2mfrIDHjIVwOZsMihbOJvST6Q3upHdn
+mjDtM5HCQmI5NEXDWYj6IZuhJnnrDWwNsyYV4KPoUBxAcqIyCeZbVssuWWnHPXX8
+VavVq98vpVynfGzGYpJbDj19C/utMjKGI5dcvbVaucA7X/oktxrxS6SBDhuIaAE9
+4ZHlbxqfyHfETI/La2Z/ALDAtYdhJR2gSkTHyKSW1QqYlulSfB//lnna44mmTuRO
+NbDNgb0FGSvtsBMZ80iHDqPgUfS60kxCfFrsSGfTFU+X4QAzpTtUJEcr+J4HULDe
+MfwOgghVfmKxFXWfud8xDaCXuywLTtVgMCZp4P7MAyuJlaxsFTu+c1Vly94grk4U
+MtALLMqCXSosA490gLTSdg3HSwxt2Q/LJdy427ZIMvjGXIruns8U/OmL9dVgWu3b
+JHsL68Skx8Ts63qTN9QXM/PB+8VwOaC7PJ+g6t40DleOmdsS8cN31yf5KB8rsL4u
+n4u1yrMJfpnSblPMu5wJi3kjoA+Dd5ZFqx9nTi4wBjfVYGCPsleq59K8kQCYx1Cn
+lZcq630ITy9dB/aHCQry2gCbBwZ2Rsf9kr05S8uLhlwW3vRSvRs=
+=tc6G
+-----END PGP PUBLIC KEY BLOCK-----
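Review bot: This key becomes the trust anchor for every later uscan signature check, but neither the commit message nor the changelog entry records its fingerprint or how the key was obtained and cross-checked. Record the full fingerprint next to the change, for example a commit-message line such as `Upstream key fingerprint: <FULL-FINGERPRINT-PLACEHOLDER>`, so a later reviewer can compare the committed block against an independent source. The primary key packet appears to be a 1024-bit DSA key, with what looks like a larger RSA signing subkey further down the block. It would help to note which of the two upstream actually signs releases with, since the strength of the verification depends on that.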
diff --git a/debian/watch b/debian/watch
index b369043..7c17063 100644
--- a/debian/watch
+++ b/debian/watch
@@ -1,3 +1,4 @@
 #git=git://anongit.freedesktop.org/xorg/lib/libXfont
 version=3
+opts="pgpsigurlmangle=s/$/.sig/" \
 http://xorg.freedesktop.org/releases/individual/lib/ libXfont-(.*)\.tar\.gz
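Review bot: The release directory is still fetched over plain `http://`, so the new signature check authenticates the tarball contents but not the directory listing uscan uses to decide which version is newest. Someone able to alter that listing in transit could hide a newer release or point uscan at an older, validly signed tarball, and the signature check would still pass. If the host serves TLS, the URL line could become `https://xorg.freedesktop.org/releases/individual/lib/ libXfont-(.*)\.tar\.gz`; the `pgpsigurlmangle` rule derives the `.sig` URL from it and needs no change.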

commit a4ef30097c7d0834586176eac05617c8952b8d9d
Author: Julien Cristau <jcristau@debian.org>
Date:   Sat Jul 12 17:37:18 2014 +0200

    Remove Cyril from Uploaders.

diff --git a/debian/changelog b/debian/changelog
index 190b178..11f9f15 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -2,6 +2,7 @@ libxfont (1:1.4.99.901-1) UNRELEASED; urgency=medium
 
   * New upstream release candidate.
     + includes the CVE-2014-{0209,0210,0211} patches
+  * Remove Cyril from Uploaders.
 
  -- Julien Cristau <jcristau@debian.org>  Sat, 12 Jul 2014 17:32:28 +0200
 
diff --git a/debian/control b/debian/control
index d27ab11..b594190 100644
--- a/debian/control
+++ b/debian/control
@@ -2,7 +2,8 @@ Source: libxfont
 Section: x11
 Priority: optional
 Maintainer: Debian X Strike Force <debian-x@lists.debian.org>
-Uploaders: Drew Parsons <dparsons@debian.org>, Cyril Brulebois <kibi@debian.org>
+Uploaders:
+ Drew Parsons <dparsons@debian.org>,
 Build-Depends:
  debhelper (>= 8.1.3),
  dh-autoreconf,

commit 4a47fe3a5a54aaa590adf3e3f3bbd39307f12ed0
Author: Julien Cristau <jcristau@debian.org>
Date:   Sat Jul 12 17:35:22 2014 +0200

    Drop security patches, applied upstream

diff --git a/debian/patches/0001-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-Fo.patch b/debian/patches/0001-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-Fo.patch
deleted file mode 100644
index 807ea9a..0000000
--- a/debian/patches/0001-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-Fo.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From b3c8e47704a0ee40fbbd401a55a2167630a91ae6 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 25 Apr 2014 23:01:11 -0700
-Subject: [PATCH:libXfont 01/12] CVE-2014-XXXA: integer overflow of realloc()
- size in FontFileAddEntry()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-FontFileReadDirectory() opens a fonts.dir file, and reads over every
-line in an fscanf loop.  For each successful entry read (font name,
-file name) a call is made to FontFileAddFontFile().
-
-FontFileAddFontFile() will add a font file entry (for the font name
-and file) each time it’s called, by calling FontFileAddEntry().
-FontFileAddEntry() will do the actual adding.  If the table it has
-to add to is full, it will do a realloc, adding 100 more entries
-to the table size without checking to see if that will overflow the
-int used to store the size.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/fontfile/fontdir.c |    5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
-index ef7ffa5..7271603 100644
---- a/src/fontfile/fontdir.c
-+++ b/src/fontfile/fontdir.c
-@@ -177,6 +177,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
-     if (table->sorted)
- 	return (FontEntryPtr) 0;    /* "cannot" happen */
-     if (table->used == table->size) {
-+	if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
-+	    /* If we've read so many entries we're going to ask for 2gb
-+	       or more of memory, something is so wrong with this font
-+	       directory that we should just give up before we overflow. */
-+	    return NULL;
- 	newsize = table->size + 100;
- 	entry = realloc(table->entries, newsize * sizeof(FontEntryRec));
- 	if (!entry)
--- 
-1.7.9.2
-
diff --git a/debian/patches/0002-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-le.patch b/debian/patches/0002-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-le.patch
deleted file mode 100644
index dc13234..0000000
--- a/debian/patches/0002-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-le.patch
+++ /dev/null
@@ -1,50 +0,0 @@
-From 3319cc1c44e4f5cd1ddcef7ac075c2703df48006 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 25 Apr 2014 23:01:48 -0700
-Subject: [PATCH:libXfont 02/12] CVE-2014-XXXA: integer overflow of realloc()
- size in lexAlias()
-
-lexAlias() reads from a file in a loop. It does this by starting with a
-64 byte buffer.  If that size limit is hit, it does a realloc of the
-buffer size << 1, basically doubling the needed length every time the
-length limit is hit.
-
-Eventually, this will shift out to 0 (for a length of ~4gig), and that
-length will be passed on to realloc().  A length of 0 (with a valid
-pointer) causes realloc to free the buffer on most POSIX platforms,
-but the caller will still have a pointer to it, leading to use after
-free issues.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/fontfile/dirfile.c |    4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/fontfile/dirfile.c b/src/fontfile/dirfile.c
-index cb28333..38ced75 100644
---- a/src/fontfile/dirfile.c
-+++ b/src/fontfile/dirfile.c
-@@ -42,6 +42,7 @@ in this Software without prior written authorization from The Open Group.
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <errno.h>
-+#include <limits.h>
- 
- static Bool AddFileNameAliases ( FontDirectoryPtr dir );
- static int ReadFontAlias ( char *directory, Bool isFile,
-@@ -376,6 +377,9 @@ lexAlias(FILE *file, char **lexToken)
- 	    int         nsize;
- 	    char       *nbuf;
- 
-+	    if (tokenSize >= (INT_MAX >> 2))
-+		/* Stop before we overflow */
-+		return EALLOC;
- 	    nsize = tokenSize ? (tokenSize << 1) : 64;
- 	    nbuf = realloc(tokenBuf, nsize);
- 	    if (!nbuf)
--- 
-1.7.9.2
-
diff --git a/debian/patches/0003-CVE-2014-XXXB-unvalidated-length-in-_fs_recv_conn_se.patch b/debian/patches/0003-CVE-2014-XXXB-unvalidated-length-in-_fs_recv_conn_se.patch
deleted file mode 100644
index 1916e0c..0000000
--- a/debian/patches/0003-CVE-2014-XXXB-unvalidated-length-in-_fs_recv_conn_se.patch
+++ /dev/null
@@ -1,73 +0,0 @@
-From ba280a2116cd57f5a9e01cd7b468fcbd96428a7d Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 25 Apr 2014 23:02:00 -0700
-Subject: [PATCH:libXfont 03/12] CVE-2014-XXXB: unvalidated length in
- _fs_recv_conn_setup()
-
-The connection setup reply from the font server can include a list
-of alternate servers to contact if this font server stops working.
-
-The reply specifies a total size of all the font server names, and
-then provides a list of names. _fs_recv_conn_setup() allocated the
-specified total size for copying the names to, but didn't check to
-make sure it wasn't copying more data to that buffer than the size
-it had allocated.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/fc/fserve.c |   20 ++++++++++++++++++--
- 1 file changed, 18 insertions(+), 2 deletions(-)
-
-Index: libxfont/src/fc/fserve.c
-===================================================================
---- libxfont.orig/src/fc/fserve.c
-+++ libxfont/src/fc/fserve.c
-@@ -2786,7 +2786,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
-     int			ret = FSIO_ERROR;
-     fsConnSetup		*setup;
-     FSFpeAltPtr		alts;
--    int			i, alt_len;
-+    unsigned int	i, alt_len;
-     int			setup_len;
-     char		*alt_save, *alt_names;
- 
-@@ -2813,8 +2813,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
- 	}
- 	if (setup->num_alternates)
- 	{
-+	    size_t alt_name_len = setup->alternate_len << 2;
- 	    alts = malloc (setup->num_alternates * sizeof (FSFpeAltRec) +
--			   (setup->alternate_len << 2));
-+			   alt_name_len);
- 	    if (alts)
- 	    {
- 		alt_names = (char *) (setup + 1);
-@@ -2823,10 +2824,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
- 		{
- 		    alts[i].subset = alt_names[0];
- 		    alt_len = alt_names[1];
-+		    if (alt_len >= alt_name_len) {
-+			/*
-+			 * Length is longer than setup->alternate_len
-+			 * told us to allocate room for, assume entire
-+			 * alternate list is corrupted.
-+			 */
-+#ifdef DEBUG
-+			fprintf (stderr,
-+				 "invalid alt list (length %lx >= %lx)\n",
-+				 (long) alt_len, (long) alt_name_len);
-+#endif
-+			free(alts);
-+			return FSIO_ERROR;
-+		    }
- 		    alts[i].name = alt_save;
- 		    memcpy (alt_save, alt_names + 2, alt_len);
- 		    alt_save[alt_len] = '\0';
- 		    alt_save += alt_len + 1;
-+		    alt_name_len -= alt_len + 1;
- 		    alt_names += _fs_pad_length (alt_len + 2);
- 		}
- 		conn->numAlts = setup->num_alternates;
diff --git a/debian/patches/0004-CVE-2014-XXXB-unvalidated-lengths-when-reading-repli.patch b/debian/patches/0004-CVE-2014-XXXB-unvalidated-lengths-when-reading-repli.patch
deleted file mode 100644
index 009bd0f..0000000
--- a/debian/patches/0004-CVE-2014-XXXB-unvalidated-lengths-when-reading-repli.patch
+++ /dev/null
@@ -1,159 +0,0 @@
-From 93c37e1a39c8de9cc621dde2128a1d17e56ff4eb Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 25 Apr 2014 23:02:12 -0700
-Subject: [PATCH:libXfont 04/12] CVE-2014-XXXB: unvalidated lengths when
- reading replies from font server
-
-Functions to handle replies to font server requests were casting replies
-from the generic form to reply specific structs without first checking
-that the reply was at least as long as the struct being cast to.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/fc/fserve.c |   44 ++++++++++++++++++++++++++++++++++++++------
- 1 file changed, 38 insertions(+), 6 deletions(-)
-
-Index: libxfont/src/fc/fserve.c
-===================================================================
---- libxfont.orig/src/fc/fserve.c
-+++ libxfont/src/fc/fserve.c
-@@ -91,6 +91,12 @@ in this Software without prior written a
- 			     (pci)->descent || \
- 			     (pci)->characterWidth)
- 
-+/*
-+ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words,
-+ * so this converts for doing size comparisons.
-+ */
-+#define LENGTHOF(r)	(SIZEOF(r) >> 2)
-+
- extern void ErrorF(const char *f, ...);
- 
- static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
-@@ -206,9 +212,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGeneri
- 		 rep->sequenceNumber,
- 		 conn->reqbuffer[i].opcode);
- }
-+
-+#define _fs_reply_failed(rep, name, op) do {                            \
-+    if (rep) {                                                          \
-+        if (rep->type == FS_Error)                                      \
-+            fprintf (stderr, "Error: %d Request: %s\n",                 \
-+                     ((fsError *)rep)->request, #name);                 \
-+        else                                                            \
-+            fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n",     \
-+                     #name, rep->length, op, LENGTHOF(name));           \
-+    }                                                                   \
-+} while (0)
-+
- #else
- #define _fs_add_req_log(conn,op)    ((conn)->current_seq++)
- #define _fs_add_rep_log(conn,rep)
-+#define _fs_reply_failed(rep,name,op)
- #endif
- 
- static Bool
-@@ -682,13 +701,15 @@ fs_read_open_font(FontPathElementPtr fpe
-     int			    ret;
- 
-     rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret);
--    if (!rep || rep->type == FS_Error)
-+    if (!rep || rep->type == FS_Error ||
-+	(rep->length != LENGTHOF(fsOpenBitmapFontReply)))
-     {
- 	if (ret == FSIO_BLOCK)
- 	    return StillWorking;
- 	if (rep)
- 	    _fs_done_read (conn, rep->length << 2);
- 	fs_cleanup_bfont (bfont);
-+	_fs_reply_failed (rep, fsOpenBitmapFontReply, "!=");
- 	return BadFontName;
-     }
- 
-@@ -824,13 +845,15 @@ fs_read_query_info(FontPathElementPtr fp
-     int			ret;
- 
-     rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret);
--    if (!rep || rep->type == FS_Error)
-+    if (!rep || rep->type == FS_Error ||
-+	(rep->length < LENGTHOF(fsQueryXInfoReply)))
-     {
- 	if (ret == FSIO_BLOCK)
- 	    return StillWorking;
- 	if (rep)
- 	    _fs_done_read (conn, rep->length << 2);
- 	fs_cleanup_bfont (bfont);
-+	_fs_reply_failed (rep, fsQueryXInfoReply, "<");
- 	return BadFontName;
-     }
- 
-@@ -951,13 +974,15 @@ fs_read_extent_info(FontPathElementPtr f
-     FontInfoRec		    *fi = &bfont->pfont->info;
- 
-     rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret);
--    if (!rep || rep->type == FS_Error)
-+    if (!rep || rep->type == FS_Error ||
-+	(rep->length < LENGTHOF(fsQueryXExtents16Reply)))
-     {
- 	if (ret == FSIO_BLOCK)
- 	    return StillWorking;
- 	if (rep)
- 	    _fs_done_read (conn, rep->length << 2);
- 	fs_cleanup_bfont (bfont);
-+	_fs_reply_failed (rep, fsQueryXExtents16Reply, "<");
- 	return BadFontName;
-     }
- 
-@@ -1825,13 +1850,15 @@ fs_read_glyphs(FontPathElementPtr fpe, F
-     unsigned long	    minchar, maxchar;
- 
-     rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret);
--    if (!rep || rep->type == FS_Error)
-+    if (!rep || rep->type == FS_Error ||
-+	(rep->length < LENGTHOF(fsQueryXBitmaps16Reply)))
-     {
- 	if (ret == FSIO_BLOCK)
- 	    return StillWorking;
- 	if (rep)
- 	    _fs_done_read (conn, rep->length << 2);
- 	err = AllocError;
-+	_fs_reply_failed (rep, fsQueryXBitmaps16Reply, "<");
- 	goto bail;
-     }
- 
-@@ -2234,12 +2261,14 @@ fs_read_list(FontPathElementPtr fpe, FSB
-     int			err;
- 
-     rep = (fsListFontsReply *) fs_get_reply (conn, &ret);
--    if (!rep || rep->type == FS_Error)
-+    if (!rep || rep->type == FS_Error ||
-+	(rep->length < LENGTHOF(fsListFontsReply)))
-     {
- 	if (ret == FSIO_BLOCK)
- 	    return StillWorking;
- 	if (rep)
- 	    _fs_done_read (conn, rep->length << 2);
-+	_fs_reply_failed (rep, fsListFontsReply, "<");
- 	return AllocError;
-     }
-     data = (char *) rep + SIZEOF (fsListFontsReply);
-@@ -2358,12 +2387,15 @@ fs_read_list_info(FontPathElementPtr fpe
-     _fs_free_props (&binfo->info);
- 
-     rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret);
--    if (!rep || rep->type == FS_Error)
-+    if (!rep || rep->type == FS_Error ||
-+	((rep->nameLength != 0) &&
-+	 (rep->length < LENGTHOF(fsListFontsWithXInfoReply))))
-     {
- 	if (ret == FSIO_BLOCK)
- 	    return StillWorking;
- 	binfo->status = FS_LFWI_FINISHED;
- 	err = AllocError;
-+	_fs_reply_failed (rep, fsListFontsWithXInfoReply, "<");
- 	goto done;
-     }
-     /*
diff --git a/debian/patches/0005-CVE-2014-XXXC-Integer-overflow-in-fs_get_reply-_fs_s.patch b/debian/patches/0005-CVE-2014-XXXC-Integer-overflow-in-fs_get_reply-_fs_s.patch
deleted file mode 100644
index 8ff36d7..0000000
--- a/debian/patches/0005-CVE-2014-XXXC-Integer-overflow-in-fs_get_reply-_fs_s.patch
+++ /dev/null
@@ -1,68 +0,0 @@
-From 55e664ab0bafb35c67e5dfe5351209e792e7bafe Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 25 Apr 2014 23:02:25 -0700
-Subject: [PATCH:libXfont 05/12] CVE-2014-XXXC: Integer overflow in
- fs_get_reply/_fs_start_read
-
-fs_get_reply() would take any reply size, multiply it by 4 and pass to
-_fs_start_read.  If that size was bigger than the current reply buffer
-size, _fs_start_read would add it to the existing buffer size plus the
-buffer size increment constant and realloc the buffer to that result.
-
-This math could overflow, causing the code to allocate a smaller
-buffer than the amount it was about to read into that buffer from
-the network.  It could also succeed, allowing the remote font server
-to cause massive allocations in the X server, possibly using up all
-the address space in a 32-bit X server, allowing the triggering of
-other bugs in code that fails to handle malloc failure properly.
-
-This patch protects against both problems, by disconnecting any
-font server trying to feed us more than (the somewhat arbitrary)
-64 mb in a single reply.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/fc/fserve.c |   18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index f08028f..3abbacf 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -97,6 +97,9 @@ in this Software without prior written authorization from The Open Group.
-  */
- #define LENGTHOF(r)	(SIZEOF(r) >> 2)
- 
-+/* Somewhat arbitrary limit on maximum reply size we'll try to read. */
-+#define MAX_REPLY_LENGTH	((64 * 1024 * 1024) >> 2)
-+
- extern void ErrorF(const char *f, ...);
- 
- static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
-@@ -619,6 +622,21 @@ fs_get_reply (FSFpePtr conn, int *error)
- 
-     rep = (fsGenericReply *) buf;
- 
-+    /*
-+     * Refuse to accept replies longer than a maximum reasonable length,
-+     * before we pass to _fs_start_read, since it will try to resize the
-+     * incoming connection buffer to this size.  Also avoids integer overflow
-+     * on 32-bit systems.
-+     */
-+    if (rep->length > MAX_REPLY_LENGTH)
-+    {
-+	ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting"
-+	       " from font server\n", rep->length);
-+	_fs_connection_died (conn);
-+	*error = FSIO_ERROR;
-+	return 0;
-+    }
-+
-     ret = _fs_start_read (conn, rep->length << 2, &buf);
-     if (ret != FSIO_READY)
-     {
--- 
-1.7.9.2
-
diff --git a/debian/patches/0006-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_q.patch b/debian/patches/0006-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_q.patch
deleted file mode 100644
index d3a7da6..0000000
--- a/debian/patches/0006-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_q.patch
+++ /dev/null
@@ -1,127 +0,0 @@
-From cabf7953b56ab11c2a42d81a372f5805bbf819ee Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 25 Apr 2014 23:02:34 -0700
-Subject: [PATCH:libXfont 06/12] CVE-2014-XXXB: unvalidated length fields in
- fs_read_query_info()
-
-fs_read_query_info() parses a reply from the font server.  The reply
-contains embedded length fields, none of which are validated.  This
-can cause out of bound reads in either fs_read_query_info() or in
-_fs_convert_props() which it calls to parse the fsPropInfo in the reply.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/fc/fsconvert.c |    9 +++++++++
- src/fc/fserve.c    |   37 +++++++++++++++++++++++++++++++++++++
- 2 files changed, 46 insertions(+)
-
-diff --git a/src/fc/fsconvert.c b/src/fc/fsconvert.c
-index 75b5372..dfa1317 100644
---- a/src/fc/fsconvert.c
-+++ b/src/fc/fsconvert.c
-@@ -118,6 +118,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
-     for (i = 0; i < nprops; i++, dprop++, is_str++)
-     {
- 	memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
-+	if ((local_off.name.position >= pi->data_len) ||
-+		(local_off.name.length >
-+		 (pi->data_len - local_off.name.position)))
-+	    goto bail;
- 	dprop->name = MakeAtom(&pdc[local_off.name.position],
- 			       local_off.name.length, 1);
- 	if (local_off.type != PropTypeString) {
-@@ -125,10 +129,15 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
- 	    dprop->value = local_off.value.position;
- 	} else {
- 	    *is_str = TRUE;
-+	    if ((local_off.value.position >= pi->data_len) ||
-+		(local_off.value.length >
-+		 (pi->data_len - local_off.value.position)))
-+		goto bail;
- 	    dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
- 					    local_off.value.length, 1);
- 	    if (dprop->value == BAD_RESOURCE)
- 	    {
-+	      bail:
- 		free (pfi->props);
- 		pfi->nprops = 0;
- 		pfi->props = 0;
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 3abbacf..ec5336e 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -854,6 +854,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     FSFpePtr		conn = (FSFpePtr) fpe->private;
-     fsQueryXInfoReply	*rep;
-     char		*buf;
-+    long		bufleft; /* length of reply left to use */
-     fsPropInfo		*pi;
-     fsPropOffset	*po;
-     pointer		pd;
-@@ -885,6 +886,9 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     buf = (char *) rep;
-     buf += SIZEOF(fsQueryXInfoReply);
- 
-+    bufleft = rep->length << 2;
-+    bufleft -= SIZEOF(fsQueryXInfoReply);
-+
-     /* move the data over */
-     fsUnpack_XFontInfoHeader(rep, pInfo);
- 
-@@ -892,17 +896,50 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
-     _fs_init_fontinfo(conn, pInfo);
- 
-     /* Compute offsets into the reply */
-+    if (bufleft < SIZEOF(fsPropInfo))
-+    {
-+	ret = -1;
-+#ifdef DEBUG
-+	fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n",
-+		bufleft);
-+#endif
-+	goto bail;
-+    }
-     pi = (fsPropInfo *) buf;
-     buf += SIZEOF (fsPropInfo);
-+    bufleft -= SIZEOF(fsPropInfo);
- 
-+    if ((bufleft / SIZEOF(fsPropOffset)) < pi->num_offsets)
-+    {
-+	ret = -1;
-+#ifdef DEBUG
-+	fprintf(stderr,
-+		"fsQueryXInfo: bufleft (%ld) / SIZEOF(fsPropOffset) < %d\n",
-+		bufleft, pi->num_offsets);
-+#endif
-+	goto bail;
-+    }
-     po = (fsPropOffset *) buf;
-     buf += pi->num_offsets * SIZEOF(fsPropOffset);
-+    bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
- 
-+    if (bufleft < pi->data_len)
-+    {
-+	ret = -1;
-+#ifdef DEBUG
-+	fprintf(stderr,
-+		"fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
-+		bufleft, pi->data_len);
-+#endif
-+	goto bail;
-+    }
-     pd = (pointer) buf;
-     buf += pi->data_len;
-+    bufleft -= pi->data_len;
- 
-     /* convert the properties and step over the reply */
-     ret = _fs_convert_props(pi, po, pd, pInfo);
-+  bail:
-     _fs_done_read (conn, rep->length << 2);
- 
-     if (ret == -1)
--- 
-1.7.9.2
-
diff --git a/debian/patches/0007-CVE-2014-XXXC-integer-overflow-in-fs_read_extent_inf.patch b/debian/patches/0007-CVE-2014-XXXC-integer-overflow-in-fs_read_extent_inf.patch
deleted file mode 100644
index 488079f..0000000
--- a/debian/patches/0007-CVE-2014-XXXC-integer-overflow-in-fs_read_extent_inf.patch
+++ /dev/null
@@ -1,52 +0,0 @@
-From 4f20a0e202605566d884ed08a752edf99fa828d6 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 25 Apr 2014 23:02:42 -0700
-Subject: [PATCH:libXfont 07/12] CVE-2014-XXXC: integer overflow in
- fs_read_extent_info()
-
-fs_read_extent_info() parses a reply from the font server.
-The reply contains a 32bit number of elements field which is used
-to calculate a buffer length. There is an integer overflow in this
-calculation which can lead to memory corruption.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/fc/fserve.c |   12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index ec5336e..96abd0e 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -70,6 +70,7 @@ in this Software without prior written authorization from The Open Group.
- #include	"fservestr.h"
- #include	<X11/fonts/fontutil.h>
- #include	<errno.h>
-+#include	<limits.h>
- 
- #include	<time.h>
- #define Time_t time_t
-@@ -1050,7 +1051,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- 	numInfos *= 2;
- 	haveInk = TRUE;
-     }
--    ci = pCI = malloc(sizeof(CharInfoRec) * numInfos);
-+    if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) {
-+#ifdef DEBUG
-+	fprintf(stderr,
-+		"fsQueryXExtents16: numInfos (%d) >= %ld\n",
-+		numInfos, (INT_MAX / sizeof(CharInfoRec)));
-+#endif
-+	pCI = NULL;
-+    }
-+    else
-+	pCI = malloc(sizeof(CharInfoRec) * numInfos);
- 
-     if (!pCI)
-     {
--- 
-1.7.9.2
-
diff --git a/debian/patches/0008-CVE-2014-XXXC-integer-overflow-in-fs_alloc_glyphs.patch b/debian/patches/0008-CVE-2014-XXXC-integer-overflow-in-fs_alloc_glyphs.patch
deleted file mode 100644
index d46ba2f..0000000
--- a/debian/patches/0008-CVE-2014-XXXC-integer-overflow-in-fs_alloc_glyphs.patch
+++ /dev/null
@@ -1,39 +0,0 @@
-From df45b2104dca6457eece772fe6171c9215ca5a09 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 25 Apr 2014 23:02:54 -0700
-Subject: [PATCH:libXfont 08/12] CVE-2014-XXXC: integer overflow in
- fs_alloc_glyphs()
-
-fs_alloc_glyphs() is a malloc wrapper used by the font code.
-It contains a classic integer overflow in the malloc() call,
-which can cause memory corruption.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/fc/fsconvert.c |    7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/fc/fsconvert.c b/src/fc/fsconvert.c
-index dfa1317..18b0c0d 100644
---- a/src/fc/fsconvert.c
-+++ b/src/fc/fsconvert.c
-@@ -721,7 +721,12 @@ fs_alloc_glyphs (FontPtr pFont, int size)
-     FSGlyphPtr	glyphs;
-     FSFontPtr	fsfont = (FSFontPtr) pFont->fontPrivate;
- 
--    glyphs = malloc (sizeof (FSGlyphRec) + size);
-+    if (size < (INT_MAX - sizeof (FSGlyphRec)))
-+	glyphs = malloc (sizeof (FSGlyphRec) + size);
-+    else
-+	glyphs = NULL;
-+    if (glyphs == NULL)
-+	return NULL;
-     glyphs->next = fsfont->glyphs;
-     fsfont->glyphs = glyphs;
-     return (pointer) (glyphs + 1);
--- 
-1.7.9.2
-
diff --git a/debian/patches/0009-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_e.patch b/debian/patches/0009-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_e.patch
deleted file mode 100644
index a50f52d..0000000
--- a/debian/patches/0009-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_e.patch
+++ /dev/null
@@ -1,42 +0,0 @@
-From 97c27af9e2dcb6127f7030f0bd35e9034e464f0f Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 25 Apr 2014 23:03:05 -0700
-Subject: [PATCH:libXfont 09/12] CVE-2014-XXXB: unvalidated length fields in
- fs_read_extent_info()
-
-Looping over the extents in the reply could go past the end of the
-reply buffer if the reply indicated more extents than could fit in
-the specified reply length.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/fc/fserve.c |   10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 96abd0e..232e969 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -1059,6 +1059,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- #endif
- 	pCI = NULL;
-     }
-+    else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply))
-+			    / LENGTHOF(fsXCharInfo))) {
-+#ifdef DEBUG
-+	fprintf(stderr,
-+		"fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n",
-+		numExtents, rep->length,
-+		LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo));
-+#endif
-+	pCI = NULL;
-+    }
-     else
- 	pCI = malloc(sizeof(CharInfoRec) * numInfos);
- 
--- 
-1.7.9.2
-
diff --git a/debian/patches/0010-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_g.patch b/debian/patches/0010-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_g.patch
deleted file mode 100644
index 6c79ff3..0000000
--- a/debian/patches/0010-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_g.patch
+++ /dev/null
@@ -1,76 +0,0 @@
-From b6002903efd840672d070d317911c675c2d23c1c Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 25 Apr 2014 23:03:24 -0700
-Subject: [PATCH:libXfont 10/12] CVE-2014-XXXB: unvalidated length fields in
- fs_read_glyphs()
-
-fs_read_glyphs() parses a reply from the font server.  The reply
-contains embedded length fields, none of which are validated.
-This can cause out of bound reads when looping over the glyph
-bitmaps in the reply.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/fc/fserve.c |   29 ++++++++++++++++++++++++++++-
- 1 file changed, 28 insertions(+), 1 deletion(-)
-
-Index: libxfont/src/fc/fserve.c
-===================================================================
---- libxfont.orig/src/fc/fserve.c
-+++ libxfont/src/fc/fserve.c
-@@ -1909,6 +1909,7 @@ fs_read_glyphs(FontPathElementPtr fpe, F
-     FontInfoPtr		    pfi = &pfont->info;
-     fsQueryXBitmaps16Reply  *rep;
-     char		    *buf;
-+    long		    bufleft; /* length of reply left to use */
-     fsOffset32		    *ppbits;
-     fsOffset32		    local_off;
-     char		    *off_adr;
-@@ -1940,9 +1941,33 @@ fs_read_glyphs(FontPathElementPtr fpe, F
-     buf = (char *) rep;
-     buf += SIZEOF (fsQueryXBitmaps16Reply);
- 
-+    bufleft = rep->length << 2;
-+    bufleft -= SIZEOF (fsQueryXBitmaps16Reply);
-+
-+    if ((bufleft / SIZEOF (fsOffset32)) < rep->num_chars)
-+    {
-+#ifdef DEBUG
-+	fprintf(stderr,
-+		"fsQueryXBitmaps16: num_chars (%d) > bufleft (%ld) / %d\n",
-+		rep->num_chars, bufleft, SIZEOF (fsOffset32));
-+#endif
-+	err = AllocError;
-+	goto bail;
-+    }
-     ppbits = (fsOffset32 *) buf;
-     buf += SIZEOF (fsOffset32) * (rep->num_chars);
-+    bufleft -= SIZEOF (fsOffset32) * (rep->num_chars);
- 
-+    if (bufleft < rep->nbytes)
-+    {
-+#ifdef DEBUG
-+	fprintf(stderr,
-+		"fsQueryXBitmaps16: nbytes (%d) > bufleft (%ld)\n",
-+		rep->nbytes, bufleft);
-+#endif
-+	err = AllocError;
-+	goto bail;
-+    }
-     pbitmaps = (pointer ) buf;
- 
-     if (blockrec->type == FS_LOAD_GLYPHS)
-@@ -2000,7 +2025,9 @@ fs_read_glyphs(FontPathElementPtr fpe, F
- 	     */

