authorwiz <wiz@pkgsrc.org>2014-05-16 08:36:21 +0000
committerwiz <wiz@pkgsrc.org>2014-05-16 08:36:21 +0000
commit2ebfb043ab8c996d672a389b728d6ab20497a83c (patch)
tree45fb3b8da378215daaa11473228f38c3be8af42d /x11
parentad3e7b738b632b26c86a4cb7628b7e0b78b9ca93 (diff)
Update to 1.4.8.
This release is overflowing with security fixes and code cleanups, including the fixes for CVE-2014-0209, CVE-2014-0210, & CVE-2014-0211 for the security advisory published earlier this week: http://lists.x.org/archives/xorg-announce/2014-May/002431.html This release works with fontsproto 2.1.2 or earlier and is for use with the existing stable releases of xorg-server - 1.15 & earlier. libXfont 1.5 will be released later this year to support fontsproto 2.1.3 and xorg-server 1.16. It will also change the compile time defaults to stop building SNF font format support by default, taking the next step in the deprecation of this file format that was used prior to X11R5, and has been on the way out since 1991. In the unlikely event that you still need to support old SNF format fonts, get in the habit of adding --enable-snfformat to your configure flags when building.
Diffstat (limited to 'x11')
-rw-r--r--x11/libXfont/Makefile5
-rw-r--r--x11/libXfont/distinfo11
-rw-r--r--x11/libXfont/patches/patch-configure56
-rw-r--r--x11/libXfont/patches/patch-src_fc_fsconvert.c45
-rw-r--r--x11/libXfont/patches/patch-src_fc_fserve.c403
5 files changed, 63 insertions, 457 deletions
diff --git a/x11/libXfont/Makefile b/x11/libXfont/Makefile
index 00b14c7db4d..850a65f3345 100644
--- a/x11/libXfont/Makefile
+++ b/x11/libXfont/Makefile
@@ -1,7 +1,6 @@
-# $NetBSD: Makefile,v 1.32 2014/05/15 23:48:05 joerg Exp $
+# $NetBSD: Makefile,v 1.33 2014/05/16 08:36:21 wiz Exp $
-DISTNAME= libXfont-1.4.7
-PKGREVISION= 2
+DISTNAME= libXfont-1.4.8
CATEGORIES= x11 devel fonts
MASTER_SITES= ${MASTER_SITE_XORG:=lib/}
EXTRACT_SUFX= .tar.bz2
diff --git a/x11/libXfont/distinfo b/x11/libXfont/distinfo
index 9bfb07eb45d..b04e5f4ba81 100644
--- a/x11/libXfont/distinfo
+++ b/x11/libXfont/distinfo
@@ -1,8 +1,7 @@
-$NetBSD: distinfo,v 1.23 2014/05/15 23:48:05 joerg Exp $
+$NetBSD: distinfo,v 1.24 2014/05/16 08:36:21 wiz Exp $
-SHA1 (libXfont-1.4.7.tar.bz2) = 77f60d0a2190cb36c07c2217693f46d5e8942ca2
-RMD160 (libXfont-1.4.7.tar.bz2) = 9ed172b89586d7f1b8342045c75f5aa861c6f661
-Size (libXfont-1.4.7.tar.bz2) = 482851 bytes
-SHA1 (patch-src_fc_fsconvert.c) = 7efe7b1a761756739fb4aef2416e4e1b33c509fd
-SHA1 (patch-src_fc_fserve.c) = c62a9fb13dc22e48088d89d4b183573769e8c00b
+SHA1 (libXfont-1.4.8.tar.bz2) = 687746ba7e6d6064cb2b930e2dfe744603a5f85b
+RMD160 (libXfont-1.4.8.tar.bz2) = 4ab6fff999c13163c30eb455329c1c37b6891e69
+Size (libXfont-1.4.8.tar.bz2) = 490641 bytes
+SHA1 (patch-configure) = 2176c5f4154a332171857533d94730b0a31c5a7a
SHA1 (patch-src_util_patcache.c) = 4b21d5fddae374e43e5ec37efd3da98171f1625d
diff --git a/x11/libXfont/patches/patch-configure b/x11/libXfont/patches/patch-configure
new file mode 100644
index 00000000000..2c7beb4c136
--- /dev/null
+++ b/x11/libXfont/patches/patch-configure
@@ -0,0 +1,56 @@
+$NetBSD: patch-configure,v 1.1 2014/05/16 08:36:21 wiz Exp $
+
+Allow building with fontsproto-2.1.3.
+
+--- configure.orig 2014-05-16 08:33:28.000000000 +0000
++++ configure
+@@ -19138,12 +19138,12 @@ if test -n "$XFONT_CFLAGS"; then
+ pkg_cv_XFONT_CFLAGS="$XFONT_CFLAGS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"xproto xtrans fontsproto < 2.1.3 fontenc\""; } >&5
+- ($PKG_CONFIG --exists --print-errors "xproto xtrans fontsproto < 2.1.3 fontenc") 2>&5
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"xproto xtrans fontsproto fontenc\""; } >&5
++ ($PKG_CONFIG --exists --print-errors "xproto xtrans fontsproto fontenc") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+- pkg_cv_XFONT_CFLAGS=`$PKG_CONFIG --cflags "xproto xtrans fontsproto < 2.1.3 fontenc" 2>/dev/null`
++ pkg_cv_XFONT_CFLAGS=`$PKG_CONFIG --cflags "xproto xtrans fontsproto fontenc" 2>/dev/null`
+ else
+ pkg_failed=yes
+ fi
+@@ -19154,12 +19154,12 @@ if test -n "$XFONT_LIBS"; then
+ pkg_cv_XFONT_LIBS="$XFONT_LIBS"
+ elif test -n "$PKG_CONFIG"; then
+ if test -n "$PKG_CONFIG" && \
+- { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"xproto xtrans fontsproto < 2.1.3 fontenc\""; } >&5
+- ($PKG_CONFIG --exists --print-errors "xproto xtrans fontsproto < 2.1.3 fontenc") 2>&5
++ { { $as_echo "$as_me:${as_lineno-$LINENO}: \$PKG_CONFIG --exists --print-errors \"xproto xtrans fontsproto fontenc\""; } >&5
++ ($PKG_CONFIG --exists --print-errors "xproto xtrans fontsproto fontenc") 2>&5
+ ac_status=$?
+ $as_echo "$as_me:${as_lineno-$LINENO}: \$? = $ac_status" >&5
+ test $ac_status = 0; }; then
+- pkg_cv_XFONT_LIBS=`$PKG_CONFIG --libs "xproto xtrans fontsproto < 2.1.3 fontenc" 2>/dev/null`
++ pkg_cv_XFONT_LIBS=`$PKG_CONFIG --libs "xproto xtrans fontsproto fontenc" 2>/dev/null`
+ else
+ pkg_failed=yes
+ fi
+@@ -19177,14 +19177,14 @@ else
+ _pkg_short_errors_supported=no
+ fi
+ if test $_pkg_short_errors_supported = yes; then
+- XFONT_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "xproto xtrans fontsproto < 2.1.3 fontenc" 2>&1`
++ XFONT_PKG_ERRORS=`$PKG_CONFIG --short-errors --print-errors "xproto xtrans fontsproto fontenc" 2>&1`
+ else
+- XFONT_PKG_ERRORS=`$PKG_CONFIG --print-errors "xproto xtrans fontsproto < 2.1.3 fontenc" 2>&1`
++ XFONT_PKG_ERRORS=`$PKG_CONFIG --print-errors "xproto xtrans fontsproto fontenc" 2>&1`
+ fi
+ # Put the nasty error message in config.log where it belongs
+ echo "$XFONT_PKG_ERRORS" >&5
+
+- as_fn_error $? "Package requirements (xproto xtrans fontsproto < 2.1.3 fontenc) were not met:
++ as_fn_error $? "Package requirements (xproto xtrans fontsproto fontenc) were not met:
+
+ $XFONT_PKG_ERRORS
+
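Review bot: The patch header `Allow building with fontsproto-2.1.3.` does not say why it is safe to lift the `fontsproto < 2.1.3` bound, although the commit description states that this release works with fontsproto 2.1.2 or earlier and that 2.1.3 support is planned for libXfont 1.5. All three hunks (the `--exists`, `--cflags` and `--libs` queries, both `--print-errors` calls and the `as_fn_error` text) now accept any fontsproto version, so an incompatibility with newer protocol headers would no longer be caught at configure time. I would record the justification and the exit condition in the header, for example `Upstream restricts fontsproto to < 2.1.3; lifted here because <reason, to be filled in by the packager>. Remove when libXfont 1.5 is packaged.` The patch edits the generated `configure` only, so regenerating it would presumably bring the bound back; the header should say that as well.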
diff --git a/x11/libXfont/patches/patch-src_fc_fsconvert.c b/x11/libXfont/patches/patch-src_fc_fsconvert.c
deleted file mode 100644
index 2c21b014310..00000000000
--- a/x11/libXfont/patches/patch-src_fc_fsconvert.c
+++ /dev/null
@@ -1,45 +0,0 @@
-$NetBSD: patch-src_fc_fsconvert.c,v 1.1 2014/05/15 23:48:05 joerg Exp $
-
---- src/fc/fsconvert.c.orig 2014-01-07 16:25:08.000000000 +0000
-+++ src/fc/fsconvert.c
-@@ -118,6 +118,10 @@ _fs_convert_props(fsPropInfo *pi, fsProp
- for (i = 0; i < nprops; i++, dprop++, is_str++)
- {
- memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
-+ if ((local_off.name.position >= pi->data_len) ||
-+ (local_off.name.length >
-+ (pi->data_len - local_off.name.position)))
-+ goto bail;
- dprop->name = MakeAtom(&pdc[local_off.name.position],
- local_off.name.length, 1);
- if (local_off.type != PropTypeString) {
-@@ -125,10 +129,15 @@ _fs_convert_props(fsPropInfo *pi, fsProp
- dprop->value = local_off.value.position;
- } else {
- *is_str = TRUE;
-+ if ((local_off.name.position >= pi->data_len) ||
-+ (local_off.name.length >
-+ (pi->data_len - local_off.name.position)))
-+ goto bail;
- dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
- local_off.value.length, 1);
- if (dprop->value == BAD_RESOURCE)
- {
-+ bail:
- free (pfi->props);
- pfi->nprops = 0;
- pfi->props = 0;
-@@ -712,7 +721,12 @@ fs_alloc_glyphs (FontPtr pFont, int size
- FSGlyphPtr glyphs;
- FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate;
-
-- glyphs = malloc (sizeof (FSGlyphRec) + size);
-+ if (size < (INT_MAX - sizeof (FSGlyphRec)))
-+ glyphs = malloc (sizeof (FSGlyphRec) + size);
-+ else
-+ glyphs = NULL;
-+ if (glyphs == NULL)
-+ return NULL;
- glyphs->next = fsfont->glyphs;
- fsfont->glyphs = glyphs;
- return (pointer) (glyphs + 1);
diff --git a/x11/libXfont/patches/patch-src_fc_fserve.c b/x11/libXfont/patches/patch-src_fc_fserve.c
deleted file mode 100644
index fb4dee52fbf..00000000000
--- a/x11/libXfont/patches/patch-src_fc_fserve.c
+++ /dev/null
@@ -1,403 +0,0 @@
-$NetBSD: patch-src_fc_fserve.c,v 1.1 2014/05/15 23:48:05 joerg Exp $
-
---- src/fc/fserve.c.orig 2014-01-07 16:25:08.000000000 +0000
-+++ src/fc/fserve.c
-@@ -70,6 +70,7 @@ in this Software without prior written a
- #include "fservestr.h"
- #include <X11/fonts/fontutil.h>
- #include <errno.h>
-+#include <limits.h>
-
- #include <time.h>
- #define Time_t time_t
-@@ -91,6 +92,15 @@ in this Software without prior written a
- (pci)->descent || \
- (pci)->characterWidth)
-
-+/*
-+ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words,
-+ * so this converts for doing size comparisons.
-+ */
-+#define LENGTHOF(r) (SIZEOF(r) >> 2)
-+
-+/* Somewhat arbitrary limit on maximum reply size we'll try to read. */
-+#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2)
-+
- extern void ErrorF(const char *f, ...);
-
- static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
-@@ -206,9 +216,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGeneri
- rep->sequenceNumber,
- conn->reqbuffer[i].opcode);
- }
-+
-+#define _fs_reply_failed(rep, name, op) do { \
-+ if (rep) { \
-+ if (rep->type == FS_Error) \
-+ fprintf (stderr, "Error: %d Request: %s\n", \
-+ ((fsError *)rep)->request, #name); \
-+ else \
-+ fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n", \
-+ #name, rep->length, op, LENGTHOF(name)); \
-+ } \
-+} while (0)
-+
- #else
- #define _fs_add_req_log(conn,op) ((conn)->current_seq++)
- #define _fs_add_rep_log(conn,rep)
-+#define _fs_reply_failed(rep,name,op)
- #endif
-
- static Bool
-@@ -600,6 +623,21 @@ fs_get_reply (FSFpePtr conn, int *error)
-
- rep = (fsGenericReply *) buf;
-
-+ /*
-+ * Refuse to accept replies longer than a maximum reasonable length,
-+ * before we pass to _fs_start_read, since it will try to resize the
-+ * incoming connection buffer to this size. Also avoids integer overflow
-+ * on 32-bit systems.
-+ */
-+ if (rep->length > MAX_REPLY_LENGTH)
-+ {
-+ ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting"
-+ " from font server\n", rep->length);
-+ _fs_connection_died (conn);
-+ *error = FSIO_ERROR;
-+ return 0;
-+ }
-+
- ret = _fs_start_read (conn, rep->length << 2, &buf);
- if (ret != FSIO_READY)
- {
-@@ -682,13 +720,15 @@ fs_read_open_font(FontPathElementPtr fpe
- int ret;
-
- rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret);
-- if (!rep || rep->type == FS_Error)
-+ if (!rep || rep->type == FS_Error ||
-+ (rep->length != LENGTHOF(fsOpenBitmapFontReply)))
- {
- if (ret == FSIO_BLOCK)
- return StillWorking;
- if (rep)
- _fs_done_read (conn, rep->length << 2);
- fs_cleanup_bfont (bfont);
-+ _fs_reply_failed (rep, fsOpenBitmapFontReply, "!=");
- return BadFontName;
- }
-
-@@ -815,6 +855,7 @@ fs_read_query_info(FontPathElementPtr fp
- FSFpePtr conn = (FSFpePtr) fpe->private;
- fsQueryXInfoReply *rep;
- char *buf;
-+ long bufleft; /* length of reply left to use */
- fsPropInfo *pi;
- fsPropOffset *po;
- pointer pd;
-@@ -824,13 +865,15 @@ fs_read_query_info(FontPathElementPtr fp
- int ret;
-
- rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret);
-- if (!rep || rep->type == FS_Error)
-+ if (!rep || rep->type == FS_Error ||
-+ (rep->length < LENGTHOF(fsQueryXInfoReply)))
- {
- if (ret == FSIO_BLOCK)
- return StillWorking;
- if (rep)
- _fs_done_read (conn, rep->length << 2);
- fs_cleanup_bfont (bfont);
-+ _fs_reply_failed (rep, fsQueryXInfoReply, "<");
- return BadFontName;
- }
-
-@@ -844,6 +887,9 @@ fs_read_query_info(FontPathElementPtr fp
- buf = (char *) rep;
- buf += SIZEOF(fsQueryXInfoReply);
-
-+ bufleft = rep->length << 2;
-+ bufleft -= SIZEOF(fsQueryXInfoReply);
-+
- /* move the data over */
- fsUnpack_XFontInfoHeader(rep, pInfo);
-
-@@ -851,17 +897,50 @@ fs_read_query_info(FontPathElementPtr fp
- _fs_init_fontinfo(conn, pInfo);
-
- /* Compute offsets into the reply */
-+ if (bufleft < SIZEOF(fsPropInfo))
-+ {
-+ ret = -1;
-+#ifdef DEBUG
-+ fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n",
-+ bufleft);
-+#endif
-+ goto bail;
-+ }
- pi = (fsPropInfo *) buf;
- buf += SIZEOF (fsPropInfo);
-+ bufleft -= SIZEOF(fsPropInfo);
-
-+ if ((bufleft / SIZEOF(fsPropOffset)) < pi->num_offsets)
-+ {
-+ ret = -1;
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsQueryXInfo: bufleft (%ld) / SIZEOF(fsPropOffset) < %d\n",
-+ bufleft, pi->num_offsets);
-+#endif
-+ goto bail;
-+ }
- po = (fsPropOffset *) buf;
- buf += pi->num_offsets * SIZEOF(fsPropOffset);
-+ bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
-
-+ if (bufleft < pi->data_len)
-+ {
-+ ret = -1;
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
-+ bufleft, pi->data_len);
-+#endif
-+ goto bail;
-+ }
- pd = (pointer) buf;
- buf += pi->data_len;
-+ bufleft -= pi->data_len;
-
- /* convert the properties and step over the reply */
- ret = _fs_convert_props(pi, po, pd, pInfo);
-+ bail:
- _fs_done_read (conn, rep->length << 2);
-
- if (ret == -1)
-@@ -951,13 +1030,15 @@ fs_read_extent_info(FontPathElementPtr f
- FontInfoRec *fi = &bfont->pfont->info;
-
- rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret);
-- if (!rep || rep->type == FS_Error)
-+ if (!rep || rep->type == FS_Error ||
-+ (rep->length < LENGTHOF(fsQueryXExtents16Reply)))
- {
- if (ret == FSIO_BLOCK)
- return StillWorking;
- if (rep)
- _fs_done_read (conn, rep->length << 2);
- fs_cleanup_bfont (bfont);
-+ _fs_reply_failed (rep, fsQueryXExtents16Reply, "<");
- return BadFontName;
- }
-
-@@ -970,7 +1051,26 @@ fs_read_extent_info(FontPathElementPtr f
- numInfos *= 2;
- haveInk = TRUE;
- }
-- ci = pCI = malloc(sizeof(CharInfoRec) * numInfos);
-+ if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsQueryXExtents16: numInfos (%d) >= %ld\n",
-+ numInfos, (INT_MAX / sizeof(CharInfoRec)));
-+#endif
-+ pCI = NULL;
-+ }
-+ else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply))
-+ / LENGTHOF(fsXCharInfo))) {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n",
-+ numExtents, rep->length,
-+ LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo));
-+#endif
-+ pCI = NULL;
-+ }
-+ else
-+ pCI = malloc(sizeof(CharInfoRec) * numInfos);
-
- if (!pCI)
- {
-@@ -1809,6 +1909,7 @@ fs_read_glyphs(FontPathElementPtr fpe, F
- FontInfoPtr pfi = &pfont->info;
- fsQueryXBitmaps16Reply *rep;
- char *buf;
-+ long bufleft; /* length of reply left to use */
- fsOffset32 *ppbits;
- fsOffset32 local_off;
- char *off_adr;
-@@ -1825,21 +1926,48 @@ fs_read_glyphs(FontPathElementPtr fpe, F
- unsigned long minchar, maxchar;
-
- rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret);
-- if (!rep || rep->type == FS_Error)
-+ if (!rep || rep->type == FS_Error ||
-+ (rep->length < LENGTHOF(fsQueryXBitmaps16Reply)))
- {
- if (ret == FSIO_BLOCK)
- return StillWorking;
- if (rep)
- _fs_done_read (conn, rep->length << 2);
- err = AllocError;
-+ _fs_reply_failed (rep, fsQueryXBitmaps16Reply, "<");
- goto bail;
- }
-
- buf = (char *) rep;
- buf += SIZEOF (fsQueryXBitmaps16Reply);
-
-+ bufleft = rep->length << 2;
-+ bufleft -= SIZEOF (fsQueryXBitmaps16Reply);
-+
-+ if ((bufleft / SIZEOF (fsOffset32)) < rep->num_chars)
-+ {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsQueryXBitmaps16: num_chars (%d) > bufleft (%ld) / %d\n",
-+ rep->num_chars, bufleft, SIZEOF (fsOffset32));
-+#endif
-+ err = AllocError;
-+ goto bail;
-+ }
- ppbits = (fsOffset32 *) buf;
- buf += SIZEOF (fsOffset32) * (rep->num_chars);
-+ bufleft -= SIZEOF (fsOffset32) * (rep->num_chars);
-+
-+ if (bufleft < rep->nbytes)
-+ {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsQueryXBitmaps16: nbytes (%d) > bufleft (%ld)\n",
-+ rep->nbytes, bufleft);
-+#endif
-+ err = AllocError;
-+ goto bail;
-+ }
-
- pbitmaps = (pointer ) buf;
-
-@@ -1898,7 +2026,9 @@ fs_read_glyphs(FontPathElementPtr fpe, F
- */
- if (NONZEROMETRICS(&fsdata->encoding[minchar].metrics))
- {
-- if (local_off.length)
-+ if (local_off.length &&
-+ (local_off.position < rep->nbytes) &&
-+ (local_off.length <= (rep->nbytes - local_off.position)))
- {
- bits = allbits;
- allbits += local_off.length;
-@@ -2228,31 +2358,48 @@ fs_read_list(FontPathElementPtr fpe, FSB
- FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data;
- fsListFontsReply *rep;
- char *data;
-+ long dataleft; /* length of reply left to use */
- int length,
- i,
- ret;
- int err;
-
- rep = (fsListFontsReply *) fs_get_reply (conn, &ret);
-- if (!rep || rep->type == FS_Error)
-+ if (!rep || rep->type == FS_Error ||
-+ (rep->length < LENGTHOF(fsListFontsReply)))
- {
- if (ret == FSIO_BLOCK)
- return StillWorking;
- if (rep)
- _fs_done_read (conn, rep->length << 2);
-+ _fs_reply_failed (rep, fsListFontsReply, "<");
- return AllocError;
- }
- data = (char *) rep + SIZEOF (fsListFontsReply);
-+ dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply);
-
- err = Successful;
- /* copy data into FontPathRecord */
- for (i = 0; i < rep->nFonts; i++)
- {
-+ if (dataleft < 1)
-+ break;
- length = *(unsigned char *)data++;
-+ dataleft--; /* used length byte */
-+ if (length > dataleft) {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsListFonts: name length (%d) > dataleft (%ld)\n",
-+ length, dataleft);
-+#endif
-+ err = BadFontName;
-+ break;
-+ }
- err = AddFontNamesName(blist->names, data, length);
- if (err != Successful)
- break;
- data += length;
-+ dataleft -= length;
- }
- _fs_done_read (conn, rep->length << 2);
- return err;
-@@ -2358,12 +2505,15 @@ fs_read_list_info(FontPathElementPtr fpe
- _fs_free_props (&binfo->info);
-
- rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret);
-- if (!rep || rep->type == FS_Error)
-+ if (!rep || rep->type == FS_Error ||
-+ ((rep->nameLength != 0) &&
-+ (rep->length < LENGTHOF(fsListFontsWithXInfoReply))))
- {
- if (ret == FSIO_BLOCK)
- return StillWorking;
- binfo->status = FS_LFWI_FINISHED;
- err = AllocError;
-+ _fs_reply_failed (rep, fsListFontsWithXInfoReply, "<");
- goto done;
- }
- /*
-@@ -2786,7 +2936,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
- int ret = FSIO_ERROR;
- fsConnSetup *setup;
- FSFpeAltPtr alts;
-- int i, alt_len;
-+ unsigned int i, alt_len;
- int setup_len;
- char *alt_save, *alt_names;
-
-@@ -2813,8 +2963,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
- }
- if (setup->num_alternates)
- {
-+ size_t alt_name_len = setup->alternate_len << 2;
- alts = malloc (setup->num_alternates * sizeof (FSFpeAltRec) +
-- (setup->alternate_len << 2));
-+ alt_name_len);
- if (alts)
- {
- alt_names = (char *) (setup + 1);
-@@ -2823,10 +2974,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
- {
- alts[i].subset = alt_names[0];
- alt_len = alt_names[1];
-+ if (alt_len >= alt_name_len) {
-+ /*
-+ * Length is longer than setup->alternate_len
-+ * told us to allocate room for, assume entire
-+ * alternate list is corrupted.
-+ */
-+#ifdef DEBUG
-+ fprintf (stderr,
-+ "invalid alt list (length %lx >= %lx)\n",
-+ (long) alt_len, (long) alt_name_len);
-+#endif
-+ free(alts);
-+ return FSIO_ERROR;
-+ }
- alts[i].name = alt_save;
- memcpy (alt_save, alt_names + 2, alt_len);
- alt_save[alt_len] = '\0';
- alt_save += alt_len + 1;
-+ alt_name_len -= alt_len + 1;
- alt_names += _fs_pad_length (alt_len + 2);
- }
- conn->numAlts = setup->num_alternates;