From 18e337ddf410accec5bdf18c5d28bbd5f3ace7cb Mon Sep 17 00:00:00 2001
From: Mike Gabriel
Date: Mon, 16 Feb 2015 10:29:14 +0100
Subject: Revert "Do proper input validation to fix for CVE-2011-2895."
This reverts commit 6acafc9334828da22446380c81af81bde14b5d86.
---
 nx-X11/lib/font/fontfile/decompress.c | 31 ++++++++++++++-----------------
 1 file changed, 14 insertions(+), 17 deletions(-)
diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c
index 12b9f0a57..553b31585 100644
--- a/nx-X11/lib/font/fontfile/decompress.c
+++ b/nx-X11/lib/font/fontfile/decompress.c
@@ -99,7 +99,7 @@ static char_type magic_header[] = { "\037\235" }; /* 1F 9D */
 #define FIRST 257 /* first free entry */
 #define CLEAR 256 /* table clear output code */
-#define STACK_SIZE 65300
+#define STACK_SIZE 8192
 typedef struct _compressedFILE {
 BufFilePtr file;
@@ -180,12 +180,14 @@ BufFilePushCompressed (BufFilePtr f)
 file->tab_suffix[code] = (char_type) code;
 }
 file->free_ent = ((file->block_compress) ? FIRST : 256 );
- file->oldcode = -1;
 file->clear_flg = 0;
 file->offset = 0;
 file->size = 0;
 file->stackp = file->de_stack;
 bzero(file->buf, BITS);
+ file->finchar = file->oldcode = getcode (file);
+ if (file->oldcode != -1)
+ *file->stackp++ = file->finchar;
 return BufFileCreate ((char *) file,
 BufCompressedFill,
 0,
@@ -230,6 +232,9 @@ BufCompressedFill (BufFilePtr f)
 if (buf == bufend)
 break;
+ if (oldcode == -1)
+ break;
+
 code = getcode (file);
 if (code == -1)
 break; 
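Review bot: With STACK_SIZE back at 8192, de_stack is smaller than the longest string the code table can describe: the removed comment in the later hunk put that bound at `1 << BITS - 256`, and if BITS is 16 as in the classic compress format that is 65280 bytes, which is presumably why the reverted value was 65300. As far as the later hunks show, the re-added `stackp - de_stack >= STACK_SIZE - 1` test in the output loop keeps this from overflowing, so the visible effect is that a well-formed stream containing a long string is cut off with BUFFILEEOF instead of being decoded. If 8192 is meant to stay, I would record that trade-off next to the define, e.g. `#define STACK_SIZE 8192 /* de_stack bound; strings longer than this are rejected, not decoded */`. The definitions of BITS and de_stack are outside the hunk, so the exact ceiling should be confirmed there.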
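Review bot: The first code read in `file->finchar = file->oldcode = getcode (file);` is pushed as a literal byte without checking that it is below 256: the `(char_type) code` cast in the context line suggests finchar is an 8-bit type, so a first code of 256 (CLEAR) or any table code is truncated and its low byte is emitted as output instead of being treated as a bad or empty stream. Before the revert the first code was handled in BufCompressedFill, where CLEAR is recognised; here that check no longer applies to the opening code. A minimal guard would be `if (file->oldcode >= 256) file->oldcode = -1; /* first code must be a literal */` placed before the `!= -1` test, which makes the fill routine stop via its `oldcode == -1` break rather than emit garbage. getcode's return range and the declaration of finchar are outside this hunk, so confirm both before relying on that.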
@@ -238,34 +243,26 @@ BufCompressedFill (BufFilePtr f)
 for ( code = 255; code >= 0; code-- )
 file->tab_prefix[code] = 0;
 file->clear_flg = 1;
- file->free_ent = FIRST;
- oldcode = -1;
- continue;
+ file->free_ent = FIRST - 1;
+ if ( (code = getcode (file)) == -1 ) /* O, untimely death! */
+ break;
 }
 incode = code;
 /*
 * Special case for KwKwK string.
 */
 if ( code >= file->free_ent ) {
- if ( code > file->free_ent || oldcode == -1 ) {
- /* Bad stream. */
- return BUFFILEEOF;
- }
 *stackp++ = finchar;
 code = oldcode;
 }
-+ /*
-+ * The above condition ensures that code < free_ent.
-+ * The construction of tab_prefixof in turn guarantees that
-+ * each iteration decreases code and therefore stack usage is
-+ * bound by 1 << BITS - 256.
-+ */
-
 /*
 * Generate output characters in reverse order
 */
 while ( code >= 256 ) {
+ if (stackp - de_stack >= STACK_SIZE - 1)
+ return BUFFILEEOF;
 *stackp++ = file->tab_suffix[code];
 code = file->tab_prefix[code];
 }
@@ -275,7 +272,7 @@ BufCompressedFill (BufFilePtr f)
 /*
 * Generate the new entry.
 */
- if ( (code=file->free_ent) < file->maxmaxcode && oldcode != -1) {
+ if ( (code=file->free_ent) < file->maxmaxcode ) {
 file->tab_prefix[code] = (unsigned short)oldcode;
 file->tab_suffix[code] = finchar;
 file->free_ent = code+1;
-- 
cgit v1.2.3
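Review bot: On the new side the KwKwK branch `if ( code >= file->free_ent )` also accepts `code > free_ent`, i.e. codes for entries the table has not assigned yet, and right after a CLEAR (`free_ent = FIRST - 1`) the freshly read code is not re-checked against CLEAR, so a crafted stream can steer the walk below through stale tab_prefix entries; the only bound on that walk is the re-added `stackp - de_stack >= STACK_SIZE - 1` test, and the `*stackp++ = finchar;` push in this branch is not covered by it. If this revert is a stopgap for a mis-applied earlier commit (the removed `-+ /*` lines look like patch markers that ended up in the source), it is worth re-landing the rejection of a code above free_ent as a bad stream, `if ( code > file->free_ent ) return BUFFILEEOF;` ahead of the push, since BufCompressedFill is the parser for untrusted font files. The function body starts and ends outside this hunk.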
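Review bot: With the `oldcode != -1` guard gone, the entry created here right after a CLEAR uses the pre-clear oldcode: the previous hunk sets `free_ent = FIRST - 1`, and FIRST is 257, so this writes tab_prefix[256] — the CLEAR code's own slot — with a prefix that points into the old table. That matches the classic compress decoder, where that slot is presumably a throw-away entry that keeps the decoder in step with the encoder, but nothing in the file says so and a reader will take it for a bug; I would add `/* After CLEAR free_ent == FIRST - 1, so the first new entry lands on 256 (CLEAR) with a stale prefix; it is not meant to be walked as a real string. */` above the if. Whether a prefix chain can actually reach entry 256 depends on the CLEAR check earlier in the loop, which is outside this hunk.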