summaryrefslogtreecommitdiff
path: root/x11
diff options
context:
space:
mode:
authorjoerg <joerg@pkgsrc.org>2006-09-13 12:27:26 +0000
committerjoerg <joerg@pkgsrc.org>2006-09-13 12:27:26 +0000
commit4874440dda921906548edeae5a44dd590d7eee48 (patch)
treec21c08f8d5a3dced8de36183b5544cca7e2ab5a5 /x11
parent40bbaca9a62f9ef1fbdd30f6a06134be034c9198 (diff)
downloadpkgsrc-4874440dda921906548edeae5a44dd590d7eee48.tar.gz
Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
Bump revision.
Diffstat (limited to 'x11')
-rw-r--r--x11/xorg-libs/Makefile4
-rw-r--r--x11/xorg-libs/distinfo5
-rw-r--r--x11/xorg-libs/patches/patch-cg27
-rw-r--r--x11/xorg-libs/patches/patch-ch52
-rw-r--r--x11/xorg-libs/patches/patch-ci15
5 files changed, 100 insertions, 3 deletions
diff --git a/x11/xorg-libs/Makefile b/x11/xorg-libs/Makefile
index 882c4d133d6..633ec3dc3be 100644
--- a/x11/xorg-libs/Makefile
+++ b/x11/xorg-libs/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.42 2006/08/26 15:20:44 joerg Exp $
+# $NetBSD: Makefile,v 1.43 2006/09/13 12:27:26 joerg Exp $
DISTNAME= ${DISTFILES}
PKGNAME= xorg-libs-${XORG_VER}
-PKGREVISION= 8
+PKGREVISION= 9
CATEGORIES= x11
MASTER_SITES= ${MASTER_SITE_XORG}
DISTFILES= X11R${XORG_VER}-src1.tar.gz X11R${XORG_VER}-src2.tar.gz \
diff --git a/x11/xorg-libs/distinfo b/x11/xorg-libs/distinfo
index 6e198784790..993a9fd26b6 100644
--- a/x11/xorg-libs/distinfo
+++ b/x11/xorg-libs/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.52 2006/08/22 18:12:14 joerg Exp $
+$NetBSD: distinfo,v 1.53 2006/09/13 12:27:26 joerg Exp $
SHA1 (X11R6.9.0-src1.tar.gz) = a6c077ed8fdeee5fe1956a427c4cb0bc266e1bef
RMD160 (X11R6.9.0-src1.tar.gz) = d12270a4f41a3ceee4bfd5da22d387a3aa707df8
@@ -59,3 +59,6 @@ SHA1 (patch-cc) = d5d72e525f9564eda7f2ea21ddb179800fb153b5
SHA1 (patch-cd) = e4bb522f4f3e896627aab68e39b0c643e4a6a5be
SHA1 (patch-ce) = ce68c16dde6a924dbb43b44653bd4bc7c26c34ef
SHA1 (patch-cf) = ec178ce36dbcd9b65d49584aa80e080b6f11132a
+SHA1 (patch-cg) = 82b40c8e39305bd320a88498c7202dc6e1e11743
+SHA1 (patch-ch) = e09e3fe3dd14caa70d2bcee1b58a72db0851632c
+SHA1 (patch-ci) = eaba43892d9968cf268ce1c0efe31a14c1a56ed5
diff --git a/x11/xorg-libs/patches/patch-cg b/x11/xorg-libs/patches/patch-cg
new file mode 100644
index 00000000000..b811dc030b6
--- /dev/null
+++ b/x11/xorg-libs/patches/patch-cg
@@ -0,0 +1,27 @@
+$NetBSD: patch-cg,v 1.1 2006/09/13 12:27:26 joerg Exp $
+
+Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
+
+--- lib/font/Type1/afm.c.orig 2006-09-13 14:17:16.000000000 +0200
++++ lib/font/Type1/afm.c
+@@ -29,6 +29,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <limits.h>
+ #else
+ #include "Xmd.h" /* For INT32 declaration */
+ #include "Xdefs.h" /* For Bool */
+@@ -118,6 +119,12 @@ int CIDAFM(FILE *fd, FontInfo **pfi) {
+
+ fi->nChars = atoi(p);
+
++ if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
++ xfree(afmbuf);
++ xfree(fi);
++ return(1);
++ }
++
+ fi->metrics = (Metrics *)xalloc(fi->nChars *
+ sizeof(Metrics));
+ if (fi->metrics == NULL) {
diff --git a/x11/xorg-libs/patches/patch-ch b/x11/xorg-libs/patches/patch-ch
new file mode 100644
index 00000000000..562487dedcb
--- /dev/null
+++ b/x11/xorg-libs/patches/patch-ch
@@ -0,0 +1,52 @@
+$NetBSD: patch-ch,v 1.1 2006/09/13 12:27:26 joerg Exp $
+
+Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
+
+--- lib/font/Type1/scanfont.c.orig 2006-09-13 14:18:59.000000000 +0200
++++ lib/font/Type1/scanfont.c
+@@ -57,6 +57,7 @@
+
+ #ifndef FONTMODULE
+ #include <string.h>
++#include <limits.h>
+ #else
+ #include "Xdefs.h" /* Bool declaration */
+ #include "Xmd.h" /* INT32 declaration */
+@@ -654,6 +655,7 @@ getFDArray(psobj *arrayP)
+ arrayP->data.valueP = tokenStartP;
+
+ /* allocate FDArray */
++ /* No integer overflow since arrayP->len is unsigned short */
+ FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
+ if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
+
+@@ -850,7 +852,8 @@ BuildSubrs(psfont *FontP)
+ }
+ return(SCAN_OK);
+ }
+-
++ if (N > INT_MAX / sizeof(psobj))
++ return (SCAN_ERROR);
+ arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
+ if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
+ FontP->Subrs.len = N;
+@@ -911,7 +914,7 @@ BuildCharStrings(psfont *FontP)
+ }
+ else return(rc); /* if next token was not an Int */
+ }
+- if (N<=0) return(SCAN_ERROR);
++ if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
+ /* save number of entries in the dictionary */
+
+ dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
+@@ -1719,6 +1722,10 @@ scan_cidfont(cidfont *CIDFontP, cmapres
+ if (tokenType == TOKEN_INTEGER)
+ rangecnt = tokenValue.integer;
+
++ if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
++ rc = SCAN_ERROR;
++ break;
++ }
+ /* ==> tokenLength, tokenTooLong, tokenType, and */
+ /* tokenValue are now set */
+
diff --git a/x11/xorg-libs/patches/patch-ci b/x11/xorg-libs/patches/patch-ci
new file mode 100644
index 00000000000..c598bb4319e
--- /dev/null
+++ b/x11/xorg-libs/patches/patch-ci
@@ -0,0 +1,15 @@
+$NetBSD: patch-ci,v 1.1 2006/09/13 12:27:26 joerg Exp $
+
+Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
+
+--- lib/font/Type1/util.c.orig 2006-09-13 14:22:13.000000000 +0200
++++ lib/font/Type1/util.c
+@@ -104,7 +104,7 @@ vm_alloc(int bytes)
+ bytes = (bytes + 7) & ~7;
+
+ /* Allocate the space, if it is available */
+- if (bytes <= vm_free) {
++ if (bytes > 0 && bytes <= vm_free) {
+ answer = vm_next;
+ vm_free -= bytes;
+ vm_next += bytes;