head 1.4; access; symbols pkgsrc-2013Q2:1.4.0.20 pkgsrc-2013Q2-base:1.4 pkgsrc-2012Q4:1.4.0.18 pkgsrc-2012Q4-base:1.4 pkgsrc-2011Q4:1.4.0.16 pkgsrc-2011Q4-base:1.4 pkgsrc-2011Q2:1.4.0.14 pkgsrc-2011Q2-base:1.4 pkgsrc-2009Q4:1.4.0.12 pkgsrc-2009Q4-base:1.4 pkgsrc-2008Q4:1.4.0.10 pkgsrc-2008Q4-base:1.4 pkgsrc-2008Q3:1.4.0.8 pkgsrc-2008Q3-base:1.4 cube-native-xorg:1.4.0.6 cube-native-xorg-base:1.4 pkgsrc-2008Q2:1.4.0.4 pkgsrc-2008Q2-base:1.4 pkgsrc-2008Q1:1.4.0.2 pkgsrc-2008Q1-base:1.4 pkgsrc-2007Q4:1.2.0.6 pkgsrc-2007Q4-base:1.2 pkgsrc-2007Q3:1.2.0.4 pkgsrc-2007Q3-base:1.2 pkgsrc-2007Q2:1.2.0.2 pkgsrc-2007Q2-base:1.2 pkgsrc-2007Q1:1.1.0.2 pkgsrc-2007Q1-base:1.1; locks; strict; comment @# @; 1.4 date 2008.03.07.20.16.19; author wiz; state dead; branches; next 1.3; 1.3 date 2008.01.20.18.24.51; author joerg; state Exp; branches; next 1.2; 1.2 date 2007.04.10.17.43.25; author drochner; state dead; branches; next 1.1; 1.1 date 2007.04.03.20.27.21; author drochner; state Exp; branches; next ; desc @@ 1.4 log @Update to 1.3.2: Adam Jackson (1): libXfont 1.3.2 Jens Granseuer (1): fix build with gcc 2.95. Matthieu Herrb (3): catalogue.c: prevent a one character overflow ftsystem.c is not needed anymore. Fix for CVE-2008-0006 - PCF Font parser buffer overflow. Tilman Sauerbeck (1): Replaced one instance of bcopy() with memcpy(). 
@ text @$NetBSD: patch-ab,v 1.3 2008/01/20 18:24:51 joerg Exp $ --- src/bitmap/pcfread.c.orig 2007-09-05 02:18:23.000000000 +0200 +++ src/bitmap/pcfread.c @@@@ -588,6 +588,9 @@@@ pcfReadFont(FontPtr pFont, FontFilePtr f pFont->info.lastRow = pcfGetINT16(file, format); pFont->info.defaultCh = pcfGetINT16(file, format); if (IS_EOF(file)) goto Bail; + if (pFont->info.firstCol > pFont->info.lastCol || + pFont->info.firstRow > pFont->info.lastRow || + pFont->info.lastCol-pFont->info.firstCol > 255) goto Bail; nencoding = (pFont->info.lastCol - pFont->info.firstCol + 1) * (pFont->info.lastRow - pFont->info.firstRow + 1); @@@@ -726,6 +729,9 @@@@ pcfReadFontInfo(FontInfoPtr pFontInfo, F pFontInfo->lastRow = pcfGetINT16(file, format); pFontInfo->defaultCh = pcfGetINT16(file, format); if (IS_EOF(file)) goto Bail; + if (pFontInfo->firstCol > pFontInfo->lastCol || + pFontInfo->firstRow > pFontInfo->lastRow || + pFontInfo->lastCol-pFontInfo->firstCol > 255) goto Bail; nencoding = (pFontInfo->lastCol - pFontInfo->firstCol + 1) * (pFontInfo->lastRow - pFontInfo->firstRow + 1); @ 1.3 log @libXfont-1.3.1nb2: Include upstream fix for another PCF integer overflow. This is CVE-2008-0006. 
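Review bot: The range check added in pcfReadFont caps the column span at 255 but puts no upper bound on the row span, so `nencoding` on the next statement is still sized by the two file-supplied 16-bit row values multiplied by up to 256 columns. If the encoding table built from `nencoding` (outside this hunk, so not verifiable here) is only meant to cover a 256x256 grid, add `pFont->info.lastRow-pFont->info.firstRow > 255 ||` to the condition; either way a comment such as `/* reject inverted or oversized encoding ranges before computing nencoding */` would record why the test exists. The second hunk, in pcfReadFontInfo, repeats the same three-line test on `pFontInfo` and has the same gap, and a small static helper shared by both would keep the two copies from drifting apart. Both function bodies start and end outside the hunks shown.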
@ text @d1 1 a1 1 $NetBSD$ @ 1.2 log @update to 1.2.8 changes: -the integer overflow fixes went in (was patched in pkgsrc) -build fixes @ text @d1 1 a1 1 $NetBSD: patch-ab,v 1.1 2007/04/03 20:27:21 drochner Exp $ d3 9 a11 5 --- src/fontfile/fontdir.c.orig 2007-04-03 19:04:16.000000000 +0200 +++ src/fontfile/fontdir.c @@@@ -38,9 +38,17 @@@@ in this Software without prior written a #include #include d13 12 a24 14 +#if HAVE_STDINT_H +#include +#elif !defined(INT32_MAX) +#define INT32_MAX 0x7fffffff +#endif + Bool FontFileInitTable (FontTablePtr table, int size) { + if (size < 0 || (size > INT32_MAX/sizeof(FontEntryRec))) + return FALSE; if (size) { table->entries = (FontEntryPtr) xalloc(sizeof(FontEntryRec) * size); @ 1.1 log @fix a possible memory corruption due to integer overflow, caused by lack of validation of bdf font files (CVE 2007-1351) fix a possible memory corruption due to integer overflow, caused by lack of validation of fonts.dir files (CVE 2007-1352) bump PKGREVISION @ text @d1 1 a1 1 $NetBSD$ @