authordrochner <drochner@pkgsrc.org>2007-04-03 20:27:20 +0000
committerdrochner <drochner@pkgsrc.org>2007-04-03 20:27:20 +0000
commit0d0c8b0486823303b6e5b9726086d4cde31d2444 (patch)
tree9583666c07101b64922a69f01ac865a9ffae2db7 /x11/libXfont
parent629af004e9db3ea8bd1262daa9d22a05ce2f1e87 (diff)
fix a possible memory corruption due to integer overflow, caused by lack
of validation of bdf font files (CVE 2007-1351)
fix a possible memory corruption due to integer overflow, caused by lack
of validation of fonts.dir files (CVE 2007-1352)
bump PKGREVISION
Diffstat (limited to 'x11/libXfont')
-rw-r--r--x11/libXfont/Makefile3
-rw-r--r--x11/libXfont/distinfo4
-rw-r--r--x11/libXfont/patches/patch-aa29
-rw-r--r--x11/libXfont/patches/patch-ab22
4 files changed, 56 insertions, 2 deletions
diff --git a/x11/libXfont/Makefile b/x11/libXfont/Makefile
index 72c1a038e9f..3331edb0ecb 100644
--- a/x11/libXfont/Makefile
+++ b/x11/libXfont/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.3 2007/01/23 15:49:37 joerg Exp $
+# $NetBSD: Makefile,v 1.4 2007/04/03 20:27:20 drochner Exp $
#
DISTNAME= libXfont-1.2.7
+PKGREVISION= 1
CATEGORIES= x11 devel fonts
MASTER_SITES= http://xorg.freedesktop.org/releases/individual/lib/
EXTRACT_SUFX= .tar.bz2
diff --git a/x11/libXfont/distinfo b/x11/libXfont/distinfo
index 21f769f4226..07a0c768b8a 100644
--- a/x11/libXfont/distinfo
+++ b/x11/libXfont/distinfo
@@ -1,5 +1,7 @@
-$NetBSD: distinfo,v 1.2 2007/01/23 15:49:37 joerg Exp $
+$NetBSD: distinfo,v 1.3 2007/04/03 20:27:20 drochner Exp $
SHA1 (libXfont-1.2.7.tar.bz2) = 60deba746e544785ca05c7c68ccfbd5d71370a29
RMD160 (libXfont-1.2.7.tar.bz2) = 33e2688d1e3490d8b588ca2304b3d4068568dcae
Size (libXfont-1.2.7.tar.bz2) = 573915 bytes
+SHA1 (patch-aa) = c5914dee0f48eee37e7c389bfcd5cbe2e4f0b015
+SHA1 (patch-ab) = cebfd94e8f12c24e65c912b31652265ff798402f
diff --git a/x11/libXfont/patches/patch-aa b/x11/libXfont/patches/patch-aa
new file mode 100644
index 00000000000..515eafd385c
--- /dev/null
+++ b/x11/libXfont/patches/patch-aa
@@ -0,0 +1,29 @@
+$NetBSD: patch-aa,v 1.1 2007/04/03 20:27:21 drochner Exp $
+
+--- src/bitmap/bdfread.c.orig 2007-04-03 19:01:20.000000000 +0200
++++ src/bitmap/bdfread.c
+@@ -65,6 +65,12 @@ from The Open Group.
+ #include <X11/fonts/bitmap.h>
+ #include <X11/fonts/bdfint.h>
+
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(INT32_MAX)
++#define INT32_MAX 0x7fffffff
++#endif
++
+ #define INDICES 256
+ #define MAXENCODING 0xFFFF
+ #define BDFLINELEN 1024
+@@ -288,6 +294,11 @@ bdfReadCharacters(FontFilePtr file, Font
+ bdfError("invalid number of CHARS in BDF file\n");
+ return (FALSE);
+ }
++ if (nchars > INT32_MAX / sizeof(CharInfoRec)) {
++ bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
++ sizeof(CharInfoRec));
++ goto BAILOUT;
++ }
+ ci = (CharInfoPtr) xalloc(nchars * sizeof(CharInfoRec));
+ if (!ci) {
+ bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
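Review bot: The `bdfError` call added with the overflow check passes `sizeof(CharInfoRec)`, a `size_t`, to a `%d` conversion, which is a type mismatch wherever `size_t` is wider than `int` (assuming bdfError is printf-style, as its use suggests); the allocation-failure message just below has the same pattern. The message also says "Couldn't allocate" for a count that was rejected before any allocation was attempted, so a malformed BDF file reads like memory pressure in the logs. A distinct message avoids both, for example `bdfError("CHARS count %d too large in BDF file\n", nchars);`. bdfReadCharacters begins and continues outside this hunk, so what the BAILOUT label releases at this point cannot be confirmed here.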
diff --git a/x11/libXfont/patches/patch-ab b/x11/libXfont/patches/patch-ab
new file mode 100644
index 00000000000..84065b279fe
--- /dev/null
+++ b/x11/libXfont/patches/patch-ab
@@ -0,0 +1,22 @@
+$NetBSD: patch-ab,v 1.1 2007/04/03 20:27:21 drochner Exp $
+
+--- src/fontfile/fontdir.c.orig 2007-04-03 19:04:16.000000000 +0200
++++ src/fontfile/fontdir.c
+@@ -38,9 +38,17 @@ in this Software without prior written a
+ #include <X11/fonts/fntfilst.h>
+ #include <X11/keysym.h>
+
++#if HAVE_STDINT_H
++#include <stdint.h>
++#elif !defined(INT32_MAX)
++#define INT32_MAX 0x7fffffff
++#endif
++
+ Bool
+ FontFileInitTable (FontTablePtr table, int size)
+ {
++ if (size < 0 || (size > INT32_MAX/sizeof(FontEntryRec)))
++ return FALSE;
+ if (size)
+ {
+ table->entries = (FontEntryPtr) xalloc(sizeof(FontEntryRec) * size);
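Review bot: The new guard in FontFileInitTable returns FALSE before any field of `table` has been written, so a caller that ignores the result could go on to use or free a table whose `entries` pointer was never set. The rest of the body and the callers are outside this hunk, so this needs checking and is not a confirmed fault. The second comparison is carried out in the unsigned type of `sizeof`, so a negative `size` would be caught there only by wrapping to a large value; the explicit `size < 0` keeps the intent independent of that conversion. A comment above the check would record both points, for example `/* reject negative or overflowing entry counts before the multiplication; table is left untouched on failure */`.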