authorMike DePaulo <mikedep333@gmail.com>2014-05-25 16:18:49 -0400
committerMike DePaulo <mikedep333@gmail.com>2014-05-25 16:18:49 -0400
commit1729558907ffa075d870eaa70e982406bc6c64c1 (patch)
tree1a62919f8aec434e0ab3b4fefb8f0708955053ed /libXfont/src/fontfile
parent1b493f424497599931b2abaca7c43925d6019558 (diff)
Fix CVE-2014-0209, CVE-2014-0210 and CVE-2014-0211 by taking the 12 patch files from Debian Wheezy libxfont 1.4.5-4, and applying with patch --ignore-whitespace
Diffstat (limited to 'libXfont/src/fontfile')
-rw-r--r--libXfont/src/fontfile/dirfile.c4
-rw-r--r--libXfont/src/fontfile/fontdir.c5
2 files changed, 9 insertions, 0 deletions
diff --git a/libXfont/src/fontfile/dirfile.c b/libXfont/src/fontfile/dirfile.c
index c8aff6f4f..789fde5ff 100644
--- a/libXfont/src/fontfile/dirfile.c
+++ b/libXfont/src/fontfile/dirfile.c
@@ -42,6 +42,7 @@ in this Software without prior written authorization from The Open Group.
#include <sys/types.h>
#include <sys/stat.h>
#include <errno.h>
+#include <limits.h>
static Bool AddFileNameAliases ( FontDirectoryPtr dir );
static int ReadFontAlias ( char *directory, Bool isFile,
@@ -374,6 +375,9 @@ lexAlias(FILE *file, char **lexToken)
int nsize;
char *nbuf;
+ if (tokenSize >= (INT_MAX >> 2))
+ /* Stop before we overflow */
+ return EALLOC;
nsize = tokenSize ? (tokenSize << 1) : 64;
nbuf = realloc(tokenBuf, nsize);
if (!nbuf)
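Review bot: The added guard in lexAlias only rules out signed overflow of `tokenSize << 1`; with the `INT_MAX >> 2` threshold, a single token from an alias file can still grow the buffer to several hundred megabytes before EALLOC is returned (assuming a 32-bit int). If alias files can come from a font path that is not fully trusted, a much smaller sanity cap on the token size would bound memory use as well. A comment such as `/* guards nsize = tokenSize << 1 against int overflow; not a resource limit */` would make the intent explicit. The guard body is unbraced with a comment line between the `if` and the `return EALLOC;`, so wrapping it in `{ }` would be safer for later edits. lexAlias starts and ends outside this hunk, so how tokenBuf is handled after this early return is not visible here.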
diff --git a/libXfont/src/fontfile/fontdir.c b/libXfont/src/fontfile/fontdir.c
index 97b2ba3b1..ce1595c8b 100644
--- a/libXfont/src/fontfile/fontdir.c
+++ b/libXfont/src/fontfile/fontdir.c
@@ -177,6 +177,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
if (table->sorted)
return (FontEntryPtr) 0; /* "cannot" happen */
if (table->used == table->size) {
+ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
+ /* If we've read so many entries we're going to ask for 2gb
+ or more of memory, something is so wrong with this font
+ directory that we should just give up before we overflow. */
+ return NULL;
newsize = table->size + 100;
entry = realloc(table->entries, newsize * sizeof(FontEntryRec));
if (!entry)
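Review bot: The new size check in FontFileAddEntry uses `INT32_MAX`, but this commit adds no include to fontdir.c, whereas dirfile.c gained `<limits.h>` for `INT_MAX`. Please confirm that `<stdint.h>` or a fallback `#define INT32_MAX` is already in scope in this file on every supported toolchain. The early exit is written `return NULL;` while the line just above uses `return (FontEntryPtr) 0;`, so one spelling should be used for both. The `if` body is unbraced with a four-line comment between the condition and the return, so `if (...) { /* ... */ return NULL; }` would be more robust. The function continues outside the hunk, so whether callers distinguish this give-up case from a realloc failure cannot be judged from here.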