diff options
author | Mike DePaulo <mikedep333@gmail.com> | 2015-05-09 20:15:27 -0400 |
---|---|---|
committer | Mike DePaulo <mikedep333@gmail.com> | 2015-05-09 20:20:02 -0400 |
commit | bec4be4c48239613ed1c704ae71bf08754eef711 (patch) | |
tree | 3bcc6202527e53611fd6f66ea147bda48e6e6b14 /libXfont/src/bitmap | |
parent | 13c50b4df1dc97026afb7c783378ade4929f24f1 (diff) | |
download | vcxsrv-bec4be4c48239613ed1c704ae71bf08754eef711.tar.gz vcxsrv-bec4be4c48239613ed1c704ae71bf08754eef711.tar.bz2 vcxsrv-bec4be4c48239613ed1c704ae71bf08754eef711.zip |
Updated to libXfont 1.5.1
In addition to some other changes, the following CVEs have been
fixed:
bdfReadProperties: property count needs range check [CVE-2015-1802]
bdfReadCharacters: bailout if a char's bitmap cannot be read [CVE-2015-1803]
bdfReadCharacters: ensure metrics fit into xCharInfo struct [CVE-2015-1804]
Diffstat (limited to 'libXfont/src/bitmap')
-rw-r--r-- | libXfont/src/bitmap/Makefile.in | 23 | ||||
-rw-r--r-- | libXfont/src/bitmap/bdfread.c | 35 |
2 files changed, 48 insertions, 10 deletions
diff --git a/libXfont/src/bitmap/Makefile.in b/libXfont/src/bitmap/Makefile.in index 4f654aa67..e58f7ab4c 100644 --- a/libXfont/src/bitmap/Makefile.in +++ b/libXfont/src/bitmap/Makefile.in @@ -1,7 +1,7 @@ -# Makefile.in generated by automake 1.14.1 from Makefile.am. +# Makefile.in generated by automake 1.15 from Makefile.am. # @configure_input@ -# Copyright (C) 1994-2013 Free Software Foundation, Inc. +# Copyright (C) 1994-2014 Free Software Foundation, Inc. # This Makefile.in is free software; the Free Software Foundation # gives unlimited permission to copy and/or distribute it, @@ -15,7 +15,17 @@ @SET_MAKE@ VPATH = @srcdir@ -am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)' +am__is_gnu_make = { \ + if test -z '$(MAKELEVEL)'; then \ + false; \ + elif test -n '$(MAKE_HOST)'; then \ + true; \ + elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \ + true; \ + else \ + false; \ + fi; \ +} am__make_running_with_option = \ case $${target_option-} in \ ?) ;; \ @@ -83,12 +93,11 @@ host_triplet = @host@ @XFONT_PCFFORMAT_TRUE@am__append_3 = pcfwrite.c @XFONT_SNFFORMAT_TRUE@am__append_4 = snfread.c snfstr.h subdir = src/bitmap -DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \ - $(top_srcdir)/depcomp ACLOCAL_M4 = $(top_srcdir)/aclocal.m4 am__aclocal_m4_deps = $(top_srcdir)/configure.ac am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \ $(ACLOCAL_M4) +DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON) mkinstalldirs = $(install_sh) -d CONFIG_HEADER = $(top_builddir)/config.h \ $(top_builddir)/include/X11/fonts/fontconf.h @@ -171,6 +180,7 @@ am__define_uniq_tagged_files = \ done | $(am__uniquify_input)` ETAGS = etags CTAGS = ctags +am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST) ACLOCAL = @ACLOCAL@ ADMIN_MAN_DIR = @ADMIN_MAN_DIR@ @@ -345,7 +355,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps) echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/bitmap/Makefile'; \ $(am__cd) $(top_srcdir) && \ $(AUTOMAKE) --foreign src/bitmap/Makefile -.PRECIOUS: Makefile Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status @case '$?' in \ *config.status*) \ @@ -625,6 +634,8 @@ uninstall-am: mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \ tags tags-am uninstall uninstall-am +.PRECIOUS: Makefile + # Tell versions [3.59,3.63) of GNU make to not export all variables. # Otherwise a system limit (for SysV at least) may be exceeded. diff --git a/libXfont/src/bitmap/bdfread.c b/libXfont/src/bitmap/bdfread.c index 914a0244e..a0ace8f85 100644 --- a/libXfont/src/bitmap/bdfread.c +++ b/libXfont/src/bitmap/bdfread.c @@ -62,8 +62,16 @@ from The Open Group. #if HAVE_STDINT_H #include <stdint.h> -#elif !defined(INT32_MAX) -#define INT32_MAX 0x7fffffff +#else +# ifndef INT32_MAX +# define INT32_MAX 0x7fffffff +# endif +# ifndef INT16_MAX +# define INT16_MAX 0x7fff +# endif +# ifndef INT16_MIN +# define INT16_MIN (0 - 0x8000) +# endif #endif #define INDICES 256 @@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, bdfError("DWIDTH y value must be zero\n"); goto BAILOUT; } + /* xCharInfo metrics are stored as INT16 */ + if ((wx < 0) || (wx > INT16_MAX)) { + bdfError("character '%s' has out of range width, %d\n", + charName, wx); + goto BAILOUT; + } line = bdfGetLine(file, lineBuf, BDFLINELEN); if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) { bdfError("bad 'BBX'\n"); @@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, charName, bw, bh); goto BAILOUT; } + /* xCharInfo metrics are read as int, but stored as INT16 */ + if ((bl > INT16_MAX) || (bl < INT16_MIN) || + (bb > INT16_MAX) || (bb < INT16_MIN) || + (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) { + bdfError("character '%s' has out of range metrics, %d %d %d %d\n", + charName, bl, (bl+bw), (bh+bb), -bb); + goto BAILOUT; + } line = bdfGetLine(file, lineBuf, BDFLINELEN); if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) { for (p = line + strlen("ATTRIBUTES "); @@ -458,7 +480,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, ci->metrics.descent = -bb; ci->metrics.characterWidth = wx; ci->bits = NULL; - bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes); + if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) { + bdfError("could not read bitmap for character '%s'\n", charName); + goto BAILOUT; + } ci++; ndx++; } else @@ -604,7 +629,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState) bdfError("missing 'STARTPROPERTIES'\n"); return (FALSE); } - if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) { + if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) || + (nProps <= 0) || + (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) { bdfError("bad 'STARTPROPERTIES'\n"); return (FALSE); } |