authoradrianp <adrianp@pkgsrc.org>2006-09-16 08:28:36 +0000
committeradrianp <adrianp@pkgsrc.org>2006-09-16 08:28:36 +0000
commit2500e0e00c182f7628e0fbf5e66d731e90202e1d (patch)
tree252c20a06154f8c4cf1e40e8c931dc6218d1dad6 /x11/XFree86-libs/patches
parent7887d79cc09503b1edc1be8d877d69f2a27afe59 (diff)
Fix for CVE-2006-3739 and CVE-2006-3740.
Diffstat (limited to 'x11/XFree86-libs/patches')
-rw-r--r--x11/XFree86-libs/patches/patch-av25
-rw-r--r--x11/XFree86-libs/patches/patch-aw51
-rw-r--r--x11/XFree86-libs/patches/patch-ax13
3 files changed, 89 insertions, 0 deletions
diff --git a/x11/XFree86-libs/patches/patch-av b/x11/XFree86-libs/patches/patch-av
new file mode 100644
index 00000000000..64232e7be70
--- /dev/null
+++ b/x11/XFree86-libs/patches/patch-av
@@ -0,0 +1,25 @@
+$NetBSD: patch-av,v 1.3 2006/09/16 08:28:36 adrianp Exp $
+
+--- lib/font/Type1/afm.c.orig 2001-08-27 20:49:52.000000000 +0100
++++ lib/font/Type1/afm.c
+@@ -30,6 +30,8 @@
+ #include "fontmisc.h" /* for xalloc/xfree */
+ #include "AFM.h"
+
++#include <limits.h>
++
+ #define PBUF 256
+ #define KBUF 20
+
+@@ -111,6 +113,11 @@ int CIDAFM(FILE *fd, FontInfo **pfi) {
+
+ fi->nChars = atoi(p);
+
++ if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
++ xfree(afmbuf);
++ xfree(fi);
++ return(1);
++ }
+ fi->metrics = (Metrics *)xalloc(fi->nChars *
+ sizeof(Metrics));
+ if (fi->metrics == NULL) {
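Review bot: `fi->nChars = atoi(p);` in CIDAFM still supplies the value that the new bounds check tests, and atoi has undefined behaviour when the digits do not fit in an int, so an AFM file with an oversized count is not reliably caught by the guard. Parsing with `strtol`, and rejecting `errno == ERANGE`, an empty digit run, or a result outside `0 .. INT_MAX / sizeof(Metrics)` before assigning to `fi->nChars`, would make the check cover every input. The comparison `fi->nChars > INT_MAX / sizeof(Metrics)` is evaluated in an unsigned type, so it is only correct because the `< 0` test comes first; a comment such as `/* test < 0 first: the right-hand side is size_t */` would keep that ordering from being lost. CIDAFM starts and ends outside this hunk, so whether the new early return leaves `*pfi` or `fd` in the state callers expect cannot be confirmed here.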
diff --git a/x11/XFree86-libs/patches/patch-aw b/x11/XFree86-libs/patches/patch-aw
new file mode 100644
index 00000000000..7708823991c
--- /dev/null
+++ b/x11/XFree86-libs/patches/patch-aw
@@ -0,0 +1,51 @@
+$NetBSD: patch-aw,v 1.3 2006/09/16 08:28:36 adrianp Exp $
+
+--- lib/font/Type1/scanfont.c.orig 2003-11-29 04:55:28.000000000 +0000
++++ lib/font/Type1/scanfont.c
+@@ -64,6 +64,8 @@
+ #include "spaces.h"
+ #include "fontfcn.h"
+ #include "blues.h"
++
++#include <limits.h>
+
+ #ifdef BUILDCID
+ #define CID_BUFSIZE 80
+@@ -646,6 +648,7 @@ getFDArray(psobj *arrayP)
+ arrayP->data.valueP = tokenStartP;
+
+ /* allocate FDArray */
++ /* No integer overflow since arrayP->len is unsigned short */
+ FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
+ if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
+
+@@ -842,7 +845,8 @@ BuildSubrs(psfont *FontP)
+ }
+ return(SCAN_OK);
+ }
+-
++ if (N > INT_MAX / sizeof(psobj))
++ return (SCAN_ERROR);
+ arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
+ if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
+ FontP->Subrs.len = N;
+@@ -903,7 +907,7 @@ BuildCharStrings(psfont *FontP)
+ }
+ else return(rc); /* if next token was not an Int */
+ }
+- if (N<=0) return(SCAN_ERROR);
++ if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
+ /* save number of entries in the dictionary */
+
+ dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
+@@ -1711,6 +1715,10 @@ scan_cidfont(cidfont *CIDFontP, cmapres
+ if (tokenType == TOKEN_INTEGER)
+ rangecnt = tokenValue.integer;
+
++ if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
++ rc = SCAN_ERROR;
++ break;
++ }
+ /* ==> tokenLength, tokenTooLong, tokenType, and */
+ /* tokenValue are now set */
+
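Review bot: The bound added in BuildCharStrings, `N > INT_MAX / sizeof(psdict)`, tests N, but the allocation that follows is `vm_alloc((N+1)*sizeof(psdict))`, so N equal to `INT_MAX / sizeof(psdict)` passes the check while the byte count exceeds INT_MAX before it is narrowed to vm_alloc's `int bytes` parameter. Using `>=` closes it: `if (N<=0 || N >= INT_MAX / sizeof(psdict)) return(SCAN_ERROR);`. As written, that case appears to be stopped only by the `bytes > 0` test that patch-ax adds to vm_alloc, which makes this check depend on the other patch being applied. In BuildSubrs the new test has no `N < 0` arm, so unless a negative N is already excluded above the hunk it is rejected only through the conversion to an unsigned type in the comparison; an explicit `N < 0 ||` or a comment would make the intent visible. The bodies of these functions extend beyond the hunks shown.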
diff --git a/x11/XFree86-libs/patches/patch-ax b/x11/XFree86-libs/patches/patch-ax
new file mode 100644
index 00000000000..c84df7fa585
--- /dev/null
+++ b/x11/XFree86-libs/patches/patch-ax
@@ -0,0 +1,13 @@
+$NetBSD: patch-ax,v 1.3 2006/09/16 08:28:36 adrianp Exp $
+
+--- lib/font/Type1/util.c.orig 2001-01-17 19:43:24.000000000 +0000
++++ lib/font/Type1/util.c
+@@ -97,7 +97,7 @@ vm_alloc(int bytes)
+ bytes = (bytes + 7) & ~7;
+
+ /* Allocate the space, if it is available */
+- if (bytes <= vm_free) {
++ if (bytes > 0 && bytes <= vm_free) {
+ answer = vm_next;
+ vm_free -= bytes;
+ vm_next += bytes;
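Review bot: The rounding `bytes = (bytes + 7) & ~7;` runs before the new `bytes > 0` test, so a request within 7 of INT_MAX overflows a signed int in the addition, which is undefined behaviour, before the guard can reject it. Testing the argument first, for example `if (bytes <= 0 || bytes > INT_MAX - 7)` taking the existing failure path, keeps the guard from relying on how the overflow happens to wrap; util.c would then need `<limits.h>`, which this patch does not add. A zero-length request now fails as well, so a caller that passes a count of 0 (possibly `N*sizeof(psobj)` in BuildSubrs, if N can be 0 there) will see it reported as an allocation failure; if that is intended, a comment such as `/* reject zero, negative and wrapped sizes */` would say so. vm_alloc starts and ends outside the hunk, so its failure return value is not visible here.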