Fixes for CVE-2006-2006-3739 and CVE-2006-3740.

Bump revision.

5 files changed, 100 insertions, 3 deletions

diff --git a/x11/xorg-libs/Makefile b/x11/xorg-libs/Makefile
index 882c4d133d6..633ec3dc3be 100644
--- a/x11/xorg-libs/Makefile
+++ b/x11/xorg-libs/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.42 2006/08/26 15:20:44 joerg Exp $
+# $NetBSD: Makefile,v 1.43 2006/09/13 12:27:26 joerg Exp $
 
 DISTNAME=		${DISTFILES}
 PKGNAME=		xorg-libs-${XORG_VER}
-PKGREVISION=		8
+PKGREVISION=		9
 CATEGORIES=		x11
 MASTER_SITES=		${MASTER_SITE_XORG}
 DISTFILES=		X11R${XORG_VER}-src1.tar.gz X11R${XORG_VER}-src2.tar.gz \
diff --git a/x11/xorg-libs/distinfo b/x11/xorg-libs/distinfo
index 6e198784790..993a9fd26b6 100644
--- a/x11/xorg-libs/distinfo
+++ b/x11/xorg-libs/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.52 2006/08/22 18:12:14 joerg Exp $
+$NetBSD: distinfo,v 1.53 2006/09/13 12:27:26 joerg Exp $
 
 SHA1 (X11R6.9.0-src1.tar.gz) = a6c077ed8fdeee5fe1956a427c4cb0bc266e1bef
 RMD160 (X11R6.9.0-src1.tar.gz) = d12270a4f41a3ceee4bfd5da22d387a3aa707df8
@@ -59,3 +59,6 @@ SHA1 (patch-cc) = d5d72e525f9564eda7f2ea21ddb179800fb153b5
 SHA1 (patch-cd) = e4bb522f4f3e896627aab68e39b0c643e4a6a5be
 SHA1 (patch-ce) = ce68c16dde6a924dbb43b44653bd4bc7c26c34ef
 SHA1 (patch-cf) = ec178ce36dbcd9b65d49584aa80e080b6f11132a
+SHA1 (patch-cg) = 82b40c8e39305bd320a88498c7202dc6e1e11743
+SHA1 (patch-ch) = e09e3fe3dd14caa70d2bcee1b58a72db0851632c
+SHA1 (patch-ci) = eaba43892d9968cf268ce1c0efe31a14c1a56ed5
diff --git a/x11/xorg-libs/patches/patch-cg b/x11/xorg-libs/patches/patch-cg
new file mode 100644
index 00000000000..b811dc030b6
--- /dev/null
+++ b/x11/xorg-libs/patches/patch-cg
@@ -0,0 +1,27 @@
+$NetBSD: patch-cg,v 1.1 2006/09/13 12:27:26 joerg Exp $
+
+Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
+
+--- lib/font/Type1/afm.c.orig	2006-09-13 14:17:16.000000000 +0200
++++ lib/font/Type1/afm.c
+@@ -29,6 +29,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <limits.h>
+ #else
+ #include "Xmd.h"        /* For INT32 declaration */
+ #include "Xdefs.h"      /* For Bool */
+@@ -118,6 +119,12 @@ int CIDAFM(FILE *fd, FontInfo **pfi) {
+             
+             fi->nChars = atoi(p);
+ 
++	    if (fi->nChars < 0 || fi->nChars  > INT_MAX / sizeof(Metrics)) {
++                xfree(afmbuf);
++                xfree(fi);
++                return(1);
++	    }
++
+             fi->metrics = (Metrics *)xalloc(fi->nChars * 
+                 sizeof(Metrics));
+             if (fi->metrics == NULL) {
diff --git a/x11/xorg-libs/patches/patch-ch b/x11/xorg-libs/patches/patch-ch
new file mode 100644
index 00000000000..562487dedcb
--- /dev/null
+++ b/x11/xorg-libs/patches/patch-ch
@@ -0,0 +1,52 @@
+$NetBSD: patch-ch,v 1.1 2006/09/13 12:27:26 joerg Exp $
+
+Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
+
+--- lib/font/Type1/scanfont.c.orig	2006-09-13 14:18:59.000000000 +0200
++++ lib/font/Type1/scanfont.c
+@@ -57,6 +57,7 @@
+ 
+ #ifndef FONTMODULE
+ #include <string.h>
++#include <limits.h>
+ #else
+ #include "Xdefs.h"	/* Bool declaration */
+ #include "Xmd.h"	/* INT32 declaration */
+@@ -654,6 +655,7 @@ getFDArray(psobj *arrayP)
+   arrayP->data.valueP = tokenStartP;
+ 
+   /* allocate FDArray */
++  /* No integer overflow since arrayP->len is unsigned short */
+   FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
+   if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
+ 
+@@ -850,7 +852,8 @@ BuildSubrs(psfont *FontP)
+      }
+      return(SCAN_OK);
+    }
+- 
++   if (N > INT_MAX / sizeof(psobj))
++     return (SCAN_ERROR);
+    arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
+    if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
+    FontP->Subrs.len = N;
+@@ -911,7 +914,7 @@ BuildCharStrings(psfont *FontP)
+      }
+      else return(rc);  /* if next token was not an Int */
+    }
+-   if (N<=0) return(SCAN_ERROR);
++   if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
+    /* save number of entries in the dictionary */
+  
+    dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
+@@ -1719,6 +1722,10 @@ scan_cidfont(cidfont *CIDFontP, cmapres 
+     if (tokenType == TOKEN_INTEGER)
+       rangecnt = tokenValue.integer;
+ 
++    if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
++      rc = SCAN_ERROR;
++      break;
++    }
+     /* ==> tokenLength, tokenTooLong, tokenType, and */
+     /* tokenValue are now set                        */
+ 
diff --git a/x11/xorg-libs/patches/patch-ci b/x11/xorg-libs/patches/patch-ci
new file mode 100644
index 00000000000..c598bb4319e
--- /dev/null
+++ b/x11/xorg-libs/patches/patch-ci
@@ -0,0 +1,15 @@
+$NetBSD: patch-ci,v 1.1 2006/09/13 12:27:26 joerg Exp $
+
+Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
+
+--- lib/font/Type1/util.c.orig	2006-09-13 14:22:13.000000000 +0200
++++ lib/font/Type1/util.c
+@@ -104,7 +104,7 @@ vm_alloc(int bytes)
+   bytes = (bytes + 7) & ~7;
+  
+   /* Allocate the space, if it is available */
+-  if (bytes <= vm_free) {
++  if (bytes > 0 && bytes <= vm_free) {
+     answer = vm_next;
+     vm_free -= bytes;
+     vm_next += bytes;