head	1.2;
access;
symbols
	pkgsrc-2013Q2:1.2.0.24
	pkgsrc-2013Q2-base:1.2
	pkgsrc-2012Q4:1.2.0.22
	pkgsrc-2012Q4-base:1.2
	pkgsrc-2011Q4:1.2.0.20
	pkgsrc-2011Q4-base:1.2
	pkgsrc-2011Q2:1.2.0.18
	pkgsrc-2011Q2-base:1.2
	pkgsrc-2009Q4:1.2.0.16
	pkgsrc-2009Q4-base:1.2
	pkgsrc-2008Q4:1.2.0.14
	pkgsrc-2008Q4-base:1.2
	pkgsrc-2008Q3:1.2.0.12
	pkgsrc-2008Q3-base:1.2
	cube-native-xorg:1.2.0.10
	cube-native-xorg-base:1.2
	pkgsrc-2008Q2:1.2.0.8
	pkgsrc-2008Q2-base:1.2
	pkgsrc-2008Q1:1.2.0.6
	pkgsrc-2008Q1-base:1.2
	pkgsrc-2007Q4:1.2.0.4
	pkgsrc-2007Q4-base:1.2
	pkgsrc-2007Q3:1.2.0.2
	pkgsrc-2007Q3-base:1.2
	pkgsrc-2007Q2:1.1.0.10
	pkgsrc-2007Q2-base:1.1
	pkgsrc-2007Q1:1.1.0.8
	pkgsrc-2007Q1-base:1.1
	pkgsrc-2006Q4:1.1.0.6
	pkgsrc-2006Q4-base:1.1
	pkgsrc-2006Q3:1.1.0.4
	pkgsrc-2006Q3-base:1.1
	pkgsrc-2006Q2:1.1.0.2;
locks; strict;
comment	@# @;


1.2
date	2007.08.17.20.25.38;	author joerg;	state dead;
branches;
next	1.1;

1.1
date	2006.09.13.12.27.26;	author joerg;	state Exp;
branches
	1.1.2.1;
next	;

1.1.2.1
date	2006.09.13.12.27.26;	author salo;	state dead;
branches;
next	1.1.2.2;

1.1.2.2
date	2006.09.16.10.27.05;	author salo;	state Exp;
branches;
next	;


desc
@@


1.2
log
@To quote Johnny Lam: "In modular-xorg we trust"

Remove xorg 6.9 packages from pkgsrc.
@
text
@$NetBSD: patch-ch,v 1.1 2006/09/13 12:27:26 joerg Exp $

Fixes for CVE-2006-2006-3739 and CVE-2006-3740.

--- lib/font/Type1/scanfont.c.orig	2006-09-13 14:18:59.000000000 +0200
+++ lib/font/Type1/scanfont.c
@@@@ -57,6 +57,7 @@@@
 
 #ifndef FONTMODULE
 #include <string.h>
+#include <limits.h>
 #else
 #include "Xdefs.h"	/* Bool declaration */
 #include "Xmd.h"	/* INT32 declaration */
@@@@ -654,6 +655,7 @@@@ getFDArray(psobj *arrayP)
   arrayP->data.valueP = tokenStartP;
 
   /* allocate FDArray */
+  /* No integer overflow since arrayP->len is unsigned short */
   FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
   if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
 
@@@@ -850,7 +852,8 @@@@ BuildSubrs(psfont *FontP)
      }
      return(SCAN_OK);
    }
- 
+   if (N > INT_MAX / sizeof(psobj))
+     return (SCAN_ERROR);
    arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
    if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
    FontP->Subrs.len = N;
@@@@ -911,7 +914,7 @@@@ BuildCharStrings(psfont *FontP)
      }
      else return(rc);  /* if next token was not an Int */
    }
-   if (N<=0) return(SCAN_ERROR);
+   if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
    /* save number of entries in the dictionary */
  
    dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
@@@@ -1719,6 +1722,10 @@@@ scan_cidfont(cidfont *CIDFontP, cmapres 
     if (tokenType == TOKEN_INTEGER)
       rangecnt = tokenValue.integer;
 
+    if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
+      rc = SCAN_ERROR;
+      break;
+    }
     /* ==> tokenLength, tokenTooLong, tokenType, and */
     /* tokenValue are now set                        */
 
@


1.1
log
@Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
Bump revision.
@
text
@d1 1
a1 1
$NetBSD$
@


1.1.2.1
log
@file patch-ch was added on branch pkgsrc-2006Q2 on 2006-09-13 12:27:26 +0000
@
text
@d1 52
@


1.1.2.2
log
@Pullup ticket 1825 - requested by joerg
security fixes for xorg

Revisions pulled up:
- pkgsrc/x11/xorg-libs/Makefile			1.42, 1.43, 1.44
- pkgsrc/x11/xorg-libs/PLIST			1.11
- pkgsrc/x11/xorg-libs/distinfo			1.53, 1.54
- pkgsrc/x11/xorg-libs/patches/patch-cg		1.1
- pkgsrc/x11/xorg-libs/patches/patch-ch		1.1
- pkgsrc/x11/xorg-libs/patches/patch-ci		1.1
- pkgsrc/x11/xorg-libs/patches/patch-cj		1.1
- pkgsrc/x11/xorg-libs/patches/patch-ck		1.1
- pkgsrc/x11/xorg-libs/patches/patch-cl		1.1
- pkgsrc/x11/xorg-libs/patches/patch-cm		1.1
- pkgsrc/x11/xorg-libs/patches/patch-cn		1.1
- pkgsrc/x11/xorg-libs/patches/patch-co		1.1
- pkgsrc/x11/xorg-libs/patches/patch-cp		1.1
- pkgsrc/x11/xorg-libs/patches/patch-cq		1.1
- pkgsrc/x11/xorg-libs/patches/patch-cr		1.1
- pkgsrc/x11/xorg-libs/patches/patch-cs		1.1
- pkgsrc/x11/xorg-libs/patches/patch-ct		1.1
- pkgsrc/x11/xorg-clients/Makefile		1.30, 1.31
- pkgsrc/x11/xorg-server/Makefile		1.46

   Module Name:		pkgsrc
   Committed By:	joerg
   Date:		Sat Aug 26 15:20:44 UTC 2006

   Modified Files:
   	pkgsrc/x11/xorg-libs: Makefile PLIST

   Log Message:
   Fix PLIST for FreeBSD. Bump revision.
---
   Module Name:		pkgsrc
   Committed By:	joerg
   Date:		Tue Aug 29 15:06:59 UTC 2006

   Modified Files:
   	pkgsrc/x11/xorg-clients: Makefile

   Log Message:
   Make xorg-libs dependency explicit instead of including it indirectly
   via xcursor->Xfixes. Bump revision. Noticed by tron@@.
---
   Module Name:		pkgsrc
   Committed By:	joerg
   Date:		Wed Sep 13 12:27:26 UTC 2006

   Modified Files:
   	pkgsrc/x11/xorg-libs: Makefile distinfo
   Added Files:
   	pkgsrc/x11/xorg-libs/patches: patch-cg patch-ch patch-ci

   Log Message:
   Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
   Bump revision.
---
   Module Name:		pkgsrc
   Committed By:	joerg
   Date:		Thu Sep 14 16:52:54 UTC 2006

   Modified Files:
   	pkgsrc/x11/xorg-libs: distinfo
   Added Files:
   	pkgsrc/x11/xorg-libs/patches: patch-cj patch-ck patch-cl patch-cm
   	    patch-cn patch-co patch-cp patch-cq patch-cr patch-cs patch-ct

   Log Message:
   Check set*uid for error, at least on Linux it can fail.
   Bump revisions of xorg-clients, xorg-libs and xorg-server.
---
   Module Name:		pkgsrc
   Committed By:	joerg
   Date:		Thu Sep 14 17:13:58 UTC 2006

   Modified Files:
   	pkgsrc/x11/xorg-clients: Makefile
   	pkgsrc/x11/xorg-libs: Makefile
   	pkgsrc/x11/xorg-server: Makefile

   Log Message:
   Actually bump the revisions as promised.
@
text
@a0 52
$NetBSD: patch-ch,v 1.1.2.1 2006/09/16 10:27:05 salo Exp $

Fixes for CVE-2006-2006-3739 and CVE-2006-3740.

--- lib/font/Type1/scanfont.c.orig	2006-09-13 14:18:59.000000000 +0200
+++ lib/font/Type1/scanfont.c
@@@@ -57,6 +57,7 @@@@
 
 #ifndef FONTMODULE
 #include <string.h>
+#include <limits.h>
 #else
 #include "Xdefs.h"	/* Bool declaration */
 #include "Xmd.h"	/* INT32 declaration */
@@@@ -654,6 +655,7 @@@@ getFDArray(psobj *arrayP)
   arrayP->data.valueP = tokenStartP;
 
   /* allocate FDArray */
+  /* No integer overflow since arrayP->len is unsigned short */
   FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
   if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
 
@@@@ -850,7 +852,8 @@@@ BuildSubrs(psfont *FontP)
      }
      return(SCAN_OK);
    }
- 
+   if (N > INT_MAX / sizeof(psobj))
+     return (SCAN_ERROR);
    arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
    if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
    FontP->Subrs.len = N;
@@@@ -911,7 +914,7 @@@@ BuildCharStrings(psfont *FontP)
      }
      else return(rc);  /* if next token was not an Int */
    }
-   if (N<=0) return(SCAN_ERROR);
+   if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
    /* save number of entries in the dictionary */
  
    dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
@@@@ -1719,6 +1722,10 @@@@ scan_cidfont(cidfont *CIDFontP, cmapres 
     if (tokenType == TOKEN_INTEGER)
       rangecnt = tokenValue.integer;
 
+    if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
+      rc = SCAN_ERROR;
+      break;
+    }
     /* ==> tokenLength, tokenTooLong, tokenType, and */
     /* tokenValue are now set                        */
 
@