1 files changed, 0 insertions, 52 deletions

diff --git a/x11/xorg-libs/patches/patch-ch b/x11/xorg-libs/patches/patch-ch
deleted file mode 100644
index 562487dedcb..00000000000
--- a/x11/xorg-libs/patches/patch-ch
+++ /dev/null
@@ -1,52 +0,0 @@
-$NetBSD: patch-ch,v 1.1 2006/09/13 12:27:26 joerg Exp $
-
-Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
-
---- lib/font/Type1/scanfont.c.orig	2006-09-13 14:18:59.000000000 +0200
-+++ lib/font/Type1/scanfont.c
-@@ -57,6 +57,7 @@
- 
- #ifndef FONTMODULE
- #include <string.h>
-+#include <limits.h>
- #else
- #include "Xdefs.h"	/* Bool declaration */
- #include "Xmd.h"	/* INT32 declaration */
-@@ -654,6 +655,7 @@ getFDArray(psobj *arrayP)
-   arrayP->data.valueP = tokenStartP;
- 
-   /* allocate FDArray */
-+  /* No integer overflow since arrayP->len is unsigned short */
-   FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
-   if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
- 
-@@ -850,7 +852,8 @@ BuildSubrs(psfont *FontP)
-      }
-      return(SCAN_OK);
-    }
-- 
-+   if (N > INT_MAX / sizeof(psobj))
-+     return (SCAN_ERROR);
-    arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
-    if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
-    FontP->Subrs.len = N;
-@@ -911,7 +914,7 @@ BuildCharStrings(psfont *FontP)
-      }
-      else return(rc);  /* if next token was not an Int */
-    }
--   if (N<=0) return(SCAN_ERROR);
-+   if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
-    /* save number of entries in the dictionary */
-  
-    dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
-@@ -1719,6 +1722,10 @@ scan_cidfont(cidfont *CIDFontP, cmapres 
-     if (tokenType == TOKEN_INTEGER)
-       rangecnt = tokenValue.integer;
- 
-+    if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
-+      rc = SCAN_ERROR;
-+      break;
-+    }
-     /* ==> tokenLength, tokenTooLong, tokenType, and */
-     /* tokenValue are now set                        */
-