authorMike DePaulo <mikedep333@gmail.com>2015-05-09 20:15:27 -0400
committerMike DePaulo <mikedep333@gmail.com>2015-05-09 20:20:02 -0400
commitbec4be4c48239613ed1c704ae71bf08754eef711 (patch)
tree3bcc6202527e53611fd6f66ea147bda48e6e6b14 /libXfont/src/bitmap
parent13c50b4df1dc97026afb7c783378ade4929f24f1 (diff)
Updated to libXfont 1.5.1
In addition to some other changes, the following CVEs have been fixed: bdfReadProperties: property count needs range check [CVE-2015-1802]; bdfReadCharacters: bailout if a char's bitmap cannot be read [CVE-2015-1803]; bdfReadCharacters: ensure metrics fit into xCharInfo struct [CVE-2015-1804].
Diffstat (limited to 'libXfont/src/bitmap')
-rw-r--r--libXfont/src/bitmap/Makefile.in23
-rw-r--r--libXfont/src/bitmap/bdfread.c35
2 files changed, 48 insertions, 10 deletions
diff --git a/libXfont/src/bitmap/Makefile.in b/libXfont/src/bitmap/Makefile.in
index 4f654aa67..e58f7ab4c 100644
--- a/libXfont/src/bitmap/Makefile.in
+++ b/libXfont/src/bitmap/Makefile.in
@@ -1,7 +1,7 @@
-# Makefile.in generated by automake 1.14.1 from Makefile.am.
+# Makefile.in generated by automake 1.15 from Makefile.am.
# @configure_input@
-# Copyright (C) 1994-2013 Free Software Foundation, Inc.
+# Copyright (C) 1994-2014 Free Software Foundation, Inc.
# This Makefile.in is free software; the Free Software Foundation
# gives unlimited permission to copy and/or distribute it,
@@ -15,7 +15,17 @@
@SET_MAKE@
VPATH = @srcdir@
-am__is_gnu_make = test -n '$(MAKEFILE_LIST)' && test -n '$(MAKELEVEL)'
+am__is_gnu_make = { \
+ if test -z '$(MAKELEVEL)'; then \
+ false; \
+ elif test -n '$(MAKE_HOST)'; then \
+ true; \
+ elif test -n '$(MAKE_VERSION)' && test -n '$(CURDIR)'; then \
+ true; \
+ else \
+ false; \
+ fi; \
+}
am__make_running_with_option = \
case $${target_option-} in \
?) ;; \
@@ -83,12 +93,11 @@ host_triplet = @host@
@XFONT_PCFFORMAT_TRUE@am__append_3 = pcfwrite.c
@XFONT_SNFFORMAT_TRUE@am__append_4 = snfread.c snfstr.h
subdir = src/bitmap
-DIST_COMMON = $(srcdir)/Makefile.in $(srcdir)/Makefile.am \
- $(top_srcdir)/depcomp
ACLOCAL_M4 = $(top_srcdir)/aclocal.m4
am__aclocal_m4_deps = $(top_srcdir)/configure.ac
am__configure_deps = $(am__aclocal_m4_deps) $(CONFIGURE_DEPENDENCIES) \
$(ACLOCAL_M4)
+DIST_COMMON = $(srcdir)/Makefile.am $(am__DIST_COMMON)
mkinstalldirs = $(install_sh) -d
CONFIG_HEADER = $(top_builddir)/config.h \
$(top_builddir)/include/X11/fonts/fontconf.h
@@ -171,6 +180,7 @@ am__define_uniq_tagged_files = \
done | $(am__uniquify_input)`
ETAGS = etags
CTAGS = ctags
+am__DIST_COMMON = $(srcdir)/Makefile.in $(top_srcdir)/depcomp
DISTFILES = $(DIST_COMMON) $(DIST_SOURCES) $(TEXINFOS) $(EXTRA_DIST)
ACLOCAL = @ACLOCAL@
ADMIN_MAN_DIR = @ADMIN_MAN_DIR@
@@ -345,7 +355,6 @@ $(srcdir)/Makefile.in: $(srcdir)/Makefile.am $(am__configure_deps)
echo ' cd $(top_srcdir) && $(AUTOMAKE) --foreign src/bitmap/Makefile'; \
$(am__cd) $(top_srcdir) && \
$(AUTOMAKE) --foreign src/bitmap/Makefile
-.PRECIOUS: Makefile
Makefile: $(srcdir)/Makefile.in $(top_builddir)/config.status
@case '$?' in \
*config.status*) \
@@ -625,6 +634,8 @@ uninstall-am:
mostlyclean-generic mostlyclean-libtool pdf pdf-am ps ps-am \
tags tags-am uninstall uninstall-am
+.PRECIOUS: Makefile
+
# Tell versions [3.59,3.63) of GNU make to not export all variables.
# Otherwise a system limit (for SysV at least) may be exceeded.
diff --git a/libXfont/src/bitmap/bdfread.c b/libXfont/src/bitmap/bdfread.c
index 914a0244e..a0ace8f85 100644
--- a/libXfont/src/bitmap/bdfread.c
+++ b/libXfont/src/bitmap/bdfread.c
@@ -62,8 +62,16 @@ from The Open Group.
#if HAVE_STDINT_H
#include <stdint.h>
-#elif !defined(INT32_MAX)
-#define INT32_MAX 0x7fffffff
+#else
+# ifndef INT32_MAX
+# define INT32_MAX 0x7fffffff
+# endif
+# ifndef INT16_MAX
+# define INT16_MAX 0x7fff
+# endif
+# ifndef INT16_MIN
+# define INT16_MIN (0 - 0x8000)
+# endif
#endif
#define INDICES 256
@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
bdfError("DWIDTH y value must be zero\n");
goto BAILOUT;
}
+ /* xCharInfo metrics are stored as INT16 */
+ if ((wx < 0) || (wx > INT16_MAX)) {
+ bdfError("character '%s' has out of range width, %d\n",
+ charName, wx);
+ goto BAILOUT;
+ }
line = bdfGetLine(file, lineBuf, BDFLINELEN);
if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) {
bdfError("bad 'BBX'\n");
@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
charName, bw, bh);
goto BAILOUT;
}
+ /* xCharInfo metrics are read as int, but stored as INT16 */
+ if ((bl > INT16_MAX) || (bl < INT16_MIN) ||
+ (bb > INT16_MAX) || (bb < INT16_MIN) ||
+ (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) {
+ bdfError("character '%s' has out of range metrics, %d %d %d %d\n",
+ charName, bl, (bl+bw), (bh+bb), -bb);
+ goto BAILOUT;
+ }
line = bdfGetLine(file, lineBuf, BDFLINELEN);
if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) {
for (p = line + strlen("ATTRIBUTES ");
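Review bot: The lower bound on `bb` still admits `INT16_MIN`, and the assignment `ci->metrics.descent = -bb;` visible in the next hunk then yields 32768, which does not fit the INT16 storage the added comment refers to. Tightening that term to `(bb > INT16_MAX) || (bb <= INT16_MIN) ||` would close the gap. Separately, the error message computes `(bl+bw)` and `(bh+bb)` in plain `int`, which can overflow when `bw` or `bh` is the oversized value that failed the check; printing the raw values, `charName, bl, bw, bh, bb);`, avoids evaluating the sums on untrusted input. The body of bdfReadCharacters starts and ends outside this hunk.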
@@ -458,7 +480,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
ci->metrics.descent = -bb;
ci->metrics.characterWidth = wx;
ci->bits = NULL;
- bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes);
+ if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) {
+ bdfError("could not read bitmap for character '%s'\n", charName);
+ goto BAILOUT;
+ }
ci++;
ndx++;
} else
@@ -604,7 +629,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState)
bdfError("missing 'STARTPROPERTIES'\n");
return (FALSE);
}
- if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) {
+ if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) ||
+ (nProps <= 0) ||
+ (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) {
bdfError("bad 'STARTPROPERTIES'\n");
return (FALSE);
}
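Review bot: The upper-bound test compares the signed `nProps` against an unsigned `sizeof` expression, so it is only correct because `(nProps <= 0)` is evaluated first and short-circuits. Nothing in the condition records that dependency, and a later reordering would let a negative count pass as a huge unsigned value. I would add a comment above the condition, e.g. `/* nProps > 0 is checked first: the next comparison is unsigned; the bound keeps (nProps + BDF_GENPROPS) * sizeof(FontPropRec) below INT32_MAX */`. The allocation this bound presumably protects is outside the hunk, so confirm that it uses the same `nProps + BDF_GENPROPS` element count. Note also that `nProps <= 0` now rejects a `STARTPROPERTIES 0` block; if that is intended, it is worth saying so in the same comment.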