diff options
Diffstat (limited to 'x11/xorg-libs/patches/patch-ch')
-rw-r--r-- | x11/xorg-libs/patches/patch-ch | 52 |
1 files changed, 0 insertions, 52 deletions
diff --git a/x11/xorg-libs/patches/patch-ch b/x11/xorg-libs/patches/patch-ch deleted file mode 100644 index 562487dedcb..00000000000 --- a/x11/xorg-libs/patches/patch-ch +++ /dev/null @@ -1,52 +0,0 @@ -$NetBSD: patch-ch,v 1.1 2006/09/13 12:27:26 joerg Exp $ - -Fixes for CVE-2006-2006-3739 and CVE-2006-3740. - ---- lib/font/Type1/scanfont.c.orig 2006-09-13 14:18:59.000000000 +0200 -+++ lib/font/Type1/scanfont.c -@@ -57,6 +57,7 @@ - - #ifndef FONTMODULE - #include <string.h> -+#include <limits.h> - #else - #include "Xdefs.h" /* Bool declaration */ - #include "Xmd.h" /* INT32 declaration */ -@@ -654,6 +655,7 @@ getFDArray(psobj *arrayP) - arrayP->data.valueP = tokenStartP; - - /* allocate FDArray */ -+ /* No integer overflow since arrayP->len is unsigned short */ - FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont))); - if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY); - -@@ -850,7 +852,8 @@ BuildSubrs(psfont *FontP) - } - return(SCAN_OK); - } -- -+ if (N > INT_MAX / sizeof(psobj)) -+ return (SCAN_ERROR); - arrayP = (psobj *)vm_alloc(N*sizeof(psobj)); - if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY); - FontP->Subrs.len = N; -@@ -911,7 +914,7 @@ BuildCharStrings(psfont *FontP) - } - else return(rc); /* if next token was not an Int */ - } -- if (N<=0) return(SCAN_ERROR); -+ if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR); - /* save number of entries in the dictionary */ - - dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict)); -@@ -1719,6 +1722,10 @@ scan_cidfont(cidfont *CIDFontP, cmapres - if (tokenType == TOKEN_INTEGER) - rangecnt = tokenValue.integer; - -+ if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) { -+ rc = SCAN_ERROR; -+ break; -+ } - /* ==> tokenLength, tokenTooLong, tokenType, and */ - /* tokenValue are now set */ - |