vcxsrv/libXfont/src/bitmap, branch 1.15.2.5 VcXsrv Windows X Server (X2Go/Arctica Builds) https://cgit.arctica-project.org/vcxsrv/atom?h=1.15.2.5 2015-03-28T17:06:17+00:00 bdfReadCharacters: ensure metrics fit into xCharInfo struct [CVE-2015-1804] 2015-03-28T17:06:17+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2015-03-07T06:54:58+00:00 urn:sha1:9f1b041e535c4da6ffbe95a706d46b3bfb5c0321 We use 32-bit ints to read from the bdf file, but then try to stick into a 16-bit int in the xCharInfo struct, so make sure they won't overflow that range. Found by afl-1.24b. v2: Verify that additions won't overflow 32-bit int range either. v3: As Julien correctly observes, the previous check for bh & bw not being < 0 reduces the number of cases we need to check for overflow. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit 2351c83a77a478b49cba6beb2ad386835e264744) bdfReadCharacters: bailout if a char's bitmap cannot be read [CVE-2015-1803] 2015-03-28T17:06:06+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2015-02-06T23:54:00+00:00 urn:sha1:de7bfbf0e61cdbe5e5c094d8a237cdc87e8b1fc3 Previously would charge on ahead with a NULL pointer in ci->bits, and then crash later in FontCharInkMetrics() trying to access the bits. Found with afl-1.23b. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit 78c2e3d70d29698244f70164428bd2868c0ab34c) bdfReadProperties: property count needs range check [CVE-2015-1802] 2015-03-28T17:05:57+00:00 Alan Coopersmith alan.coopersmith@oracle.com 2015-02-06T23:50:45+00:00 urn:sha1:e195099b83a23182925f20028de3e9ea4fe64845 Avoid integer overflow or underflow when allocating memory arrays by multiplying the number of properties reported for a BDF font. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Julien Cristau <jcristau@debian.org> (cherry picked from commit 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e) Merge remote-tracking branch 'origin/released' 2014-03-28T16:43:20+00:00 marha marha@users.sourceforge.net 2014-03-28T16:43:20+00:00 urn:sha1:f0f09f4aa3cdd0267f58b362a7c9fc5ae0921afd Conflicts: X11/xtrans/Xtrans.c Update following packages: 2014-03-28T16:32:23+00:00 marha marha@users.sourceforge.net 2014-03-28T16:32:23+00:00 urn:sha1:d02e6760412c7a96abbc4d0add5dd8d5e83bbe27 libXfont-1.4.7 xproto-7.0.25 Merge remote-tracking branch 'origin/released' 2013-10-01T10:33:20+00:00 marha marha@users.sourceforge.net 2013-10-01T10:33:20+00:00 urn:sha1:be0d35a4a1b1dc5bde14d1b027f4f0cb58b5a779 * origin/released: Update following packages: Conflicts: X11/Xwinsock.h apps/xhost/xhost.c libXaw/src/Vendor.c libXfont/include/X11/fonts/bdfint.h libXfont/src/fontfile/catalogue.c Update following packages: 2013-10-01T10:28:08+00:00 marha marha@users.sourceforge.net 2013-10-01T10:23:16+00:00 urn:sha1:6dd755aa923291db2501cc5c22e409c41a70e3c1 libXpm-3.5.11 libXaw-1.0.12 libXfont-1.4.6 libXrender-0.9.8 xproto-7.0.24 inputproto-2.3 xclock-1.0.7 xhost-1.0.6 Merge remote-tracking branch 'origin/released' 2012-03-05T09:23:14+00:00 marha marha@users.sourceforge.net 2012-03-05T09:23:14+00:00 urn:sha1:8db4c7567d495ef6f6162406394ac192e6c2cfe7 libfontenc xserver pixman mesa git update 5 Mar 2012 2012-03-05T08:59:38+00:00 marha marha@users.sourceforge.net 2012-03-05T08:59:38+00:00 urn:sha1:ffe218bbb0ffa6d2a7f7cbf6b1f81797e667183a font-util-1.3.0 xclock-1.0.6 libXfont-1.4.5 inputproto-2.2 Synchronised line endinge with release branch 2011-09-12T09:27:51+00:00 marha marha@users.sourceforge.net 2011-09-12T09:27:51+00:00 urn:sha1:dafebc5bb70303f0b5baf0b087cf4d9a64b5c7f0