From 75d15f3f80823be6097fb8f3547ed35752632e8a Mon Sep 17 00:00:00 2001 From: tron Date: Wed, 21 May 2014 13:14:03 +0000 Subject: Pullup ticket #4413 - requested by he x11/fontsproto: security update x11/libXfont: security patch MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Revisions pulled up: - x11/fontsproto/Makefile 1.7 - x11/fontsproto/distinfo 1.4 - x11/libXfont/Makefile 1.31-1.32 - x11/libXfont/distinfo 1.22-1.23 - x11/libXfont/patches/patch-src_fc_fsconvert.c 1.1 - x11/libXfont/patches/patch-src_fc_fserve.c 1.1 - x11/libXfont/patches/patch-src_util_patcache.c 1.1 --- Module Name: pkgsrc Committed By: wiz Date: Tue Apr 15 08:22:53 UTC 2014 Modified Files: pkgsrc/x11/fontsproto: Makefile distinfo Log Message: Update to 2.1.3: 2.1.3: This release features a number of spec formatting improvements, and some header adjustments for current xserver. Adam Jackson (1): configure: Remove AM_MAINTAINER_MODE Alan Coopersmith (35): spec: Replace ASCII => & -> arrows with Unicode ▶ & ◀ spec: add olinks to X11 protocol & XLFD specs spec: fixup bibliography entries (correct authors, link to references) spec: convert from article with sections to book with chapters spec: markup introduction of new terms with spec: fixup markup/formatting of the naming syntax section spec: change ids for encoding sections from *_2 to Encoding::* spec: add links to references to other sections spec: Use
markup for figure labels spec: remove some extra quotes from nroff conversion spec: add markup spec: convert list of license models from itemizedlist to variablelist spec: Convert .IN comments to indexterm tags spec: add autogenerated index spec: fix boundaries of tags spec: Use instead of for error names spec: Convert Requests chapter to have a section per request spec: Convert Events chapter to have a section per request spec: Convert Errors chapter to have a section per request spec: make links from encoding section to definitions spec: Use markup in Acknowledgements spec: Use tables for contents of Requests, Events & Errors spec: Convert a bunch of AccessContext references from to spec: Use for exponents spec: markup data type names with spec: Finish replacing nroff .sp macros with breaks spec: Convert Data Types section to have a section per type, with tables spec: give footnotes ids for more stable links spec: fixup quote characters spec: add enumerated constants to index spec: markup enumerated constant names with spec: Make links to data types, requests, events & errors spec: Remove comments leftover from nroff migration spec: use markup for elements of requests & replies spec: Make alignment of columns in Encoding section more consistent Colin Walters (1): autogen.sh: Implement GNOME Build API Gaetan Nadon (1): config: replace deprecated use of AC_OUTPUT with AC_CONFIG_FILES Julien Cristau (1): fontsproto 2.1.3 Keith Packard (2): Replace 'pointer' with the equivalent 'void *'. Allow paths and patterns to be const --- Module Name: pkgsrc Committed By: wiz Date: Tue Apr 15 16:47:26 UTC 2014 Modified Files: pkgsrc/x11/libXfont: Makefile distinfo Added Files: pkgsrc/x11/libXfont/patches: patch-src_util_patcache.c Log Message: Fix compatibility with fontsproto-2.1.3 and depend on it. Bump PKGREVISION. --- Module Name: pkgsrc Committed By: joerg Date: Thu May 15 23:48:05 UTC 2014 Modified Files: pkgsrc/x11/libXfont: Makefile distinfo Added Files: pkgsrc/x11/libXfont/patches: patch-src_fc_fsconvert.c patch-src_fc_fserve.c Log Message: Fix CVE-2014-0209, CVE-2014-0210 and CVE-2014-0211, validation errors triggerable via XFS or local font directories under user control. Bump revision. --- x11/fontsproto/Makefile | 5 +- x11/fontsproto/distinfo | 8 +- x11/libXfont/Makefile | 4 +- x11/libXfont/distinfo | 5 +- x11/libXfont/patches/patch-src_fc_fsconvert.c | 45 +++ x11/libXfont/patches/patch-src_fc_fserve.c | 403 +++++++++++++++++++++++++ x11/libXfont/patches/patch-src_util_patcache.c | 24 ++ 7 files changed, 485 insertions(+), 9 deletions(-) create mode 100644 x11/libXfont/patches/patch-src_fc_fsconvert.c create mode 100644 x11/libXfont/patches/patch-src_fc_fserve.c create mode 100644 x11/libXfont/patches/patch-src_util_patcache.c diff --git a/x11/fontsproto/Makefile b/x11/fontsproto/Makefile index 55be39b0ec9..cb85fd77ae8 100644 --- a/x11/fontsproto/Makefile +++ b/x11/fontsproto/Makefile @@ -1,7 +1,6 @@ -# $NetBSD: Makefile,v 1.6 2012/10/29 05:06:12 asau Exp $ -# +# $NetBSD: Makefile,v 1.6.12.1 2014/05/21 13:14:03 tron Exp $ -DISTNAME= fontsproto-2.1.2 +DISTNAME= fontsproto-2.1.3 CATEGORIES= x11 MASTER_SITES= ${MASTER_SITE_XORG:=proto/} EXTRACT_SUFX= .tar.bz2 diff --git a/x11/fontsproto/distinfo b/x11/fontsproto/distinfo index bacebe917ce..a45f34b0270 100644 --- a/x11/fontsproto/distinfo +++ b/x11/fontsproto/distinfo @@ -1,5 +1,5 @@ -$NetBSD: distinfo,v 1.3 2012/06/03 19:43:14 wiz Exp $ +$NetBSD: distinfo,v 1.3.16.1 2014/05/21 13:14:03 tron Exp $ -SHA1 (fontsproto-2.1.2.tar.bz2) = 538f0880faa6981cb1a348ced93dc715c42840f7 -RMD160 (fontsproto-2.1.2.tar.bz2) = 5a196c43dab89c7f4887dc14b419d53604e5672b -Size (fontsproto-2.1.2.tar.bz2) = 141990 bytes +SHA1 (fontsproto-2.1.3.tar.bz2) = 28c108bd6438c332122c10871c1fc6415591755f +RMD160 (fontsproto-2.1.3.tar.bz2) = caa89b1818cc4ee5bd202faa25224aa6c89db1ed +Size (fontsproto-2.1.3.tar.bz2) = 154087 bytes diff --git a/x11/libXfont/Makefile b/x11/libXfont/Makefile index 4dd02a30358..e4ef84a0ce1 100644 --- a/x11/libXfont/Makefile +++ b/x11/libXfont/Makefile @@ -1,6 +1,7 @@ -# $NetBSD: Makefile,v 1.30 2014/01/07 20:09:18 wiz Exp $ +# $NetBSD: Makefile,v 1.30.2.1 2014/05/21 13:14:03 tron Exp $ DISTNAME= libXfont-1.4.7 +PKGREVISION= 2 CATEGORIES= x11 devel fonts MASTER_SITES= ${MASTER_SITE_XORG:=lib/} EXTRACT_SUFX= .tar.bz2 @@ -24,6 +25,7 @@ CONFIGURE_ARGS+= --disable-devel-docs .include "../../graphics/freetype2/buildlink3.mk" .include "../../x11/fontcacheproto/buildlink3.mk" .include "../../fonts/libfontenc/buildlink3.mk" +BUILDLINK_API_DEPENDS.fontsproto+= fontsproto>=2.1.3 .include "../../x11/fontsproto/buildlink3.mk" .include "../../x11/xproto/buildlink3.mk" .include "../../x11/xtrans/buildlink3.mk" diff --git a/x11/libXfont/distinfo b/x11/libXfont/distinfo index beea638cabb..f8a5e386df4 100644 --- a/x11/libXfont/distinfo +++ b/x11/libXfont/distinfo @@ -1,5 +1,8 @@ -$NetBSD: distinfo,v 1.21 2014/01/07 20:09:18 wiz Exp $ +$NetBSD: distinfo,v 1.21.2.1 2014/05/21 13:14:03 tron Exp $ SHA1 (libXfont-1.4.7.tar.bz2) = 77f60d0a2190cb36c07c2217693f46d5e8942ca2 RMD160 (libXfont-1.4.7.tar.bz2) = 9ed172b89586d7f1b8342045c75f5aa861c6f661 Size (libXfont-1.4.7.tar.bz2) = 482851 bytes +SHA1 (patch-src_fc_fsconvert.c) = 7efe7b1a761756739fb4aef2416e4e1b33c509fd +SHA1 (patch-src_fc_fserve.c) = c62a9fb13dc22e48088d89d4b183573769e8c00b +SHA1 (patch-src_util_patcache.c) = 4b21d5fddae374e43e5ec37efd3da98171f1625d diff --git a/x11/libXfont/patches/patch-src_fc_fsconvert.c b/x11/libXfont/patches/patch-src_fc_fsconvert.c new file mode 100644 index 00000000000..0649b1a05c3 --- /dev/null +++ b/x11/libXfont/patches/patch-src_fc_fsconvert.c @@ -0,0 +1,45 @@ +$NetBSD: patch-src_fc_fsconvert.c,v 1.2.2.2 2014/05/21 13:14:03 tron Exp $ + +--- src/fc/fsconvert.c.orig 2014-01-07 16:25:08.000000000 +0000 ++++ src/fc/fsconvert.c +@@ -118,6 +118,10 @@ _fs_convert_props(fsPropInfo *pi, fsProp + for (i = 0; i < nprops; i++, dprop++, is_str++) + { + memcpy(&local_off, off_adr, SIZEOF(fsPropOffset)); ++ if ((local_off.name.position >= pi->data_len) || ++ (local_off.name.length > ++ (pi->data_len - local_off.name.position))) ++ goto bail; + dprop->name = MakeAtom(&pdc[local_off.name.position], + local_off.name.length, 1); + if (local_off.type != PropTypeString) { +@@ -125,10 +129,15 @@ _fs_convert_props(fsPropInfo *pi, fsProp + dprop->value = local_off.value.position; + } else { + *is_str = TRUE; ++ if ((local_off.name.position >= pi->data_len) || ++ (local_off.name.length > ++ (pi->data_len - local_off.name.position))) ++ goto bail; + dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position], + local_off.value.length, 1); + if (dprop->value == BAD_RESOURCE) + { ++ bail: + free (pfi->props); + pfi->nprops = 0; + pfi->props = 0; +@@ -712,7 +721,12 @@ fs_alloc_glyphs (FontPtr pFont, int size + FSGlyphPtr glyphs; + FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate; + +- glyphs = malloc (sizeof (FSGlyphRec) + size); ++ if (size < (INT_MAX - sizeof (FSGlyphRec))) ++ glyphs = malloc (sizeof (FSGlyphRec) + size); ++ else ++ glyphs = NULL; ++ if (glyphs == NULL) ++ return NULL; + glyphs->next = fsfont->glyphs; + fsfont->glyphs = glyphs; + return (pointer) (glyphs + 1); diff --git a/x11/libXfont/patches/patch-src_fc_fserve.c b/x11/libXfont/patches/patch-src_fc_fserve.c new file mode 100644 index 00000000000..636e67f561d --- /dev/null +++ b/x11/libXfont/patches/patch-src_fc_fserve.c @@ -0,0 +1,403 @@ +$NetBSD: patch-src_fc_fserve.c,v 1.2.2.2 2014/05/21 13:14:03 tron Exp $ + +--- src/fc/fserve.c.orig 2014-01-07 16:25:08.000000000 +0000 ++++ src/fc/fserve.c +@@ -70,6 +70,7 @@ in this Software without prior written a + #include "fservestr.h" + #include + #include ++#include + + #include + #define Time_t time_t +@@ -91,6 +92,15 @@ in this Software without prior written a + (pci)->descent || \ + (pci)->characterWidth) + ++/* ++ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words, ++ * so this converts for doing size comparisons. ++ */ ++#define LENGTHOF(r) (SIZEOF(r) >> 2) ++ ++/* Somewhat arbitrary limit on maximum reply size we'll try to read. */ ++#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2) ++ + extern void ErrorF(const char *f, ...); + + static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec ); +@@ -206,9 +216,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGeneri + rep->sequenceNumber, + conn->reqbuffer[i].opcode); + } ++ ++#define _fs_reply_failed(rep, name, op) do { \ ++ if (rep) { \ ++ if (rep->type == FS_Error) \ ++ fprintf (stderr, "Error: %d Request: %s\n", \ ++ ((fsError *)rep)->request, #name); \ ++ else \ ++ fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n", \ ++ #name, rep->length, op, LENGTHOF(name)); \ ++ } \ ++} while (0) ++ + #else + #define _fs_add_req_log(conn,op) ((conn)->current_seq++) + #define _fs_add_rep_log(conn,rep) ++#define _fs_reply_failed(rep,name,op) + #endif + + static Bool +@@ -600,6 +623,21 @@ fs_get_reply (FSFpePtr conn, int *error) + + rep = (fsGenericReply *) buf; + ++ /* ++ * Refuse to accept replies longer than a maximum reasonable length, ++ * before we pass to _fs_start_read, since it will try to resize the ++ * incoming connection buffer to this size. Also avoids integer overflow ++ * on 32-bit systems. ++ */ ++ if (rep->length > MAX_REPLY_LENGTH) ++ { ++ ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting" ++ " from font server\n", rep->length); ++ _fs_connection_died (conn); ++ *error = FSIO_ERROR; ++ return 0; ++ } ++ + ret = _fs_start_read (conn, rep->length << 2, &buf); + if (ret != FSIO_READY) + { +@@ -682,13 +720,15 @@ fs_read_open_font(FontPathElementPtr fpe + int ret; + + rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret); +- if (!rep || rep->type == FS_Error) ++ if (!rep || rep->type == FS_Error || ++ (rep->length != LENGTHOF(fsOpenBitmapFontReply))) + { + if (ret == FSIO_BLOCK) + return StillWorking; + if (rep) + _fs_done_read (conn, rep->length << 2); + fs_cleanup_bfont (bfont); ++ _fs_reply_failed (rep, fsOpenBitmapFontReply, "!="); + return BadFontName; + } + +@@ -815,6 +855,7 @@ fs_read_query_info(FontPathElementPtr fp + FSFpePtr conn = (FSFpePtr) fpe->private; + fsQueryXInfoReply *rep; + char *buf; ++ long bufleft; /* length of reply left to use */ + fsPropInfo *pi; + fsPropOffset *po; + pointer pd; +@@ -824,13 +865,15 @@ fs_read_query_info(FontPathElementPtr fp + int ret; + + rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret); +- if (!rep || rep->type == FS_Error) ++ if (!rep || rep->type == FS_Error || ++ (rep->length < LENGTHOF(fsQueryXInfoReply))) + { + if (ret == FSIO_BLOCK) + return StillWorking; + if (rep) + _fs_done_read (conn, rep->length << 2); + fs_cleanup_bfont (bfont); ++ _fs_reply_failed (rep, fsQueryXInfoReply, "<"); + return BadFontName; + } + +@@ -844,6 +887,9 @@ fs_read_query_info(FontPathElementPtr fp + buf = (char *) rep; + buf += SIZEOF(fsQueryXInfoReply); + ++ bufleft = rep->length << 2; ++ bufleft -= SIZEOF(fsQueryXInfoReply); ++ + /* move the data over */ + fsUnpack_XFontInfoHeader(rep, pInfo); + +@@ -851,17 +897,50 @@ fs_read_query_info(FontPathElementPtr fp + _fs_init_fontinfo(conn, pInfo); + + /* Compute offsets into the reply */ ++ if (bufleft < SIZEOF(fsPropInfo)) ++ { ++ ret = -1; ++#ifdef DEBUG ++ fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n", ++ bufleft); ++#endif ++ goto bail; ++ } + pi = (fsPropInfo *) buf; + buf += SIZEOF (fsPropInfo); ++ bufleft -= SIZEOF(fsPropInfo); + ++ if ((bufleft / SIZEOF(fsPropOffset)) < pi->num_offsets) ++ { ++ ret = -1; ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXInfo: bufleft (%ld) / SIZEOF(fsPropOffset) < %d\n", ++ bufleft, pi->num_offsets); ++#endif ++ goto bail; ++ } + po = (fsPropOffset *) buf; + buf += pi->num_offsets * SIZEOF(fsPropOffset); ++ bufleft -= pi->num_offsets * SIZEOF(fsPropOffset); + ++ if (bufleft < pi->data_len) ++ { ++ ret = -1; ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n", ++ bufleft, pi->data_len); ++#endif ++ goto bail; ++ } + pd = (pointer) buf; + buf += pi->data_len; ++ bufleft -= pi->data_len; + + /* convert the properties and step over the reply */ + ret = _fs_convert_props(pi, po, pd, pInfo); ++ bail: + _fs_done_read (conn, rep->length << 2); + + if (ret == -1) +@@ -951,13 +1030,15 @@ fs_read_extent_info(FontPathElementPtr f + FontInfoRec *fi = &bfont->pfont->info; + + rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret); +- if (!rep || rep->type == FS_Error) ++ if (!rep || rep->type == FS_Error || ++ (rep->length < LENGTHOF(fsQueryXExtents16Reply))) + { + if (ret == FSIO_BLOCK) + return StillWorking; + if (rep) + _fs_done_read (conn, rep->length << 2); + fs_cleanup_bfont (bfont); ++ _fs_reply_failed (rep, fsQueryXExtents16Reply, "<"); + return BadFontName; + } + +@@ -970,7 +1051,26 @@ fs_read_extent_info(FontPathElementPtr f + numInfos *= 2; + haveInk = TRUE; + } +- ci = pCI = malloc(sizeof(CharInfoRec) * numInfos); ++ if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXExtents16: numInfos (%d) >= %ld\n", ++ numInfos, (INT_MAX / sizeof(CharInfoRec))); ++#endif ++ pCI = NULL; ++ } ++ else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply)) ++ / LENGTHOF(fsXCharInfo))) { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n", ++ numExtents, rep->length, ++ LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo)); ++#endif ++ pCI = NULL; ++ } ++ else ++ pCI = malloc(sizeof(CharInfoRec) * numInfos); + + if (!pCI) + { +@@ -1809,6 +1909,7 @@ fs_read_glyphs(FontPathElementPtr fpe, F + FontInfoPtr pfi = &pfont->info; + fsQueryXBitmaps16Reply *rep; + char *buf; ++ long bufleft; /* length of reply left to use */ + fsOffset32 *ppbits; + fsOffset32 local_off; + char *off_adr; +@@ -1825,21 +1926,48 @@ fs_read_glyphs(FontPathElementPtr fpe, F + unsigned long minchar, maxchar; + + rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret); +- if (!rep || rep->type == FS_Error) ++ if (!rep || rep->type == FS_Error || ++ (rep->length < LENGTHOF(fsQueryXBitmaps16Reply))) + { + if (ret == FSIO_BLOCK) + return StillWorking; + if (rep) + _fs_done_read (conn, rep->length << 2); + err = AllocError; ++ _fs_reply_failed (rep, fsQueryXBitmaps16Reply, "<"); + goto bail; + } + + buf = (char *) rep; + buf += SIZEOF (fsQueryXBitmaps16Reply); + ++ bufleft = rep->length << 2; ++ bufleft -= SIZEOF (fsQueryXBitmaps16Reply); ++ ++ if ((bufleft / SIZEOF (fsOffset32)) < rep->num_chars) ++ { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXBitmaps16: num_chars (%d) > bufleft (%ld) / %d\n", ++ rep->num_chars, bufleft, SIZEOF (fsOffset32)); ++#endif ++ err = AllocError; ++ goto bail; ++ } + ppbits = (fsOffset32 *) buf; + buf += SIZEOF (fsOffset32) * (rep->num_chars); ++ bufleft -= SIZEOF (fsOffset32) * (rep->num_chars); ++ ++ if (bufleft < rep->nbytes) ++ { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXBitmaps16: nbytes (%d) > bufleft (%ld)\n", ++ rep->nbytes, bufleft); ++#endif ++ err = AllocError; ++ goto bail; ++ } + + pbitmaps = (pointer ) buf; + +@@ -1898,7 +2026,9 @@ fs_read_glyphs(FontPathElementPtr fpe, F + */ + if (NONZEROMETRICS(&fsdata->encoding[minchar].metrics)) + { +- if (local_off.length) ++ if (local_off.length && ++ (local_off.position < rep->nbytes) && ++ (local_off.length <= (rep->nbytes - local_off.position))) + { + bits = allbits; + allbits += local_off.length; +@@ -2228,31 +2358,48 @@ fs_read_list(FontPathElementPtr fpe, FSB + FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data; + fsListFontsReply *rep; + char *data; ++ long dataleft; /* length of reply left to use */ + int length, + i, + ret; + int err; + + rep = (fsListFontsReply *) fs_get_reply (conn, &ret); +- if (!rep || rep->type == FS_Error) ++ if (!rep || rep->type == FS_Error || ++ (rep->length < LENGTHOF(fsListFontsReply))) + { + if (ret == FSIO_BLOCK) + return StillWorking; + if (rep) + _fs_done_read (conn, rep->length << 2); ++ _fs_reply_failed (rep, fsListFontsReply, "<"); + return AllocError; + } + data = (char *) rep + SIZEOF (fsListFontsReply); ++ dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply); + + err = Successful; + /* copy data into FontPathRecord */ + for (i = 0; i < rep->nFonts; i++) + { ++ if (dataleft < 1) ++ break; + length = *(unsigned char *)data++; ++ dataleft--; /* used length byte */ ++ if (length > dataleft) { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsListFonts: name length (%d) > dataleft (%ld)\n", ++ length, dataleft); ++#endif ++ err = BadFontName; ++ break; ++ } + err = AddFontNamesName(blist->names, data, length); + if (err != Successful) + break; + data += length; ++ dataleft -= length; + } + _fs_done_read (conn, rep->length << 2); + return err; +@@ -2358,12 +2505,15 @@ fs_read_list_info(FontPathElementPtr fpe + _fs_free_props (&binfo->info); + + rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret); +- if (!rep || rep->type == FS_Error) ++ if (!rep || rep->type == FS_Error || ++ ((rep->nameLength != 0) && ++ (rep->length < LENGTHOF(fsListFontsWithXInfoReply)))) + { + if (ret == FSIO_BLOCK) + return StillWorking; + binfo->status = FS_LFWI_FINISHED; + err = AllocError; ++ _fs_reply_failed (rep, fsListFontsWithXInfoReply, "<"); + goto done; + } + /* +@@ -2786,7 +2936,7 @@ _fs_recv_conn_setup (FSFpePtr conn) + int ret = FSIO_ERROR; + fsConnSetup *setup; + FSFpeAltPtr alts; +- int i, alt_len; ++ unsigned int i, alt_len; + int setup_len; + char *alt_save, *alt_names; + +@@ -2813,8 +2963,9 @@ _fs_recv_conn_setup (FSFpePtr conn) + } + if (setup->num_alternates) + { ++ size_t alt_name_len = setup->alternate_len << 2; + alts = malloc (setup->num_alternates * sizeof (FSFpeAltRec) + +- (setup->alternate_len << 2)); ++ alt_name_len); + if (alts) + { + alt_names = (char *) (setup + 1); +@@ -2823,10 +2974,25 @@ _fs_recv_conn_setup (FSFpePtr conn) + { + alts[i].subset = alt_names[0]; + alt_len = alt_names[1]; ++ if (alt_len >= alt_name_len) { ++ /* ++ * Length is longer than setup->alternate_len ++ * told us to allocate room for, assume entire ++ * alternate list is corrupted. ++ */ ++#ifdef DEBUG ++ fprintf (stderr, ++ "invalid alt list (length %lx >= %lx)\n", ++ (long) alt_len, (long) alt_name_len); ++#endif ++ free(alts); ++ return FSIO_ERROR; ++ } + alts[i].name = alt_save; + memcpy (alt_save, alt_names + 2, alt_len); + alt_save[alt_len] = '\0'; + alt_save += alt_len + 1; ++ alt_name_len -= alt_len + 1; + alt_names += _fs_pad_length (alt_len + 2); + } + conn->numAlts = setup->num_alternates; diff --git a/x11/libXfont/patches/patch-src_util_patcache.c b/x11/libXfont/patches/patch-src_util_patcache.c new file mode 100644 index 00000000000..1508d85b6b6 --- /dev/null +++ b/x11/libXfont/patches/patch-src_util_patcache.c @@ -0,0 +1,24 @@ +$NetBSD: patch-src_util_patcache.c,v 1.1.2.2 2014/05/21 13:14:03 tron Exp $ + +Fix compatibility with fontsproto-2.1.3. + +--- src/util/patcache.c.orig 2014-01-07 16:25:08.000000000 +0000 ++++ src/util/patcache.c +@@ -128,7 +128,7 @@ Hash (const char *string, int len) + /* add entry */ + void + CacheFontPattern (FontPatternCachePtr cache, +- char *pattern, ++ const char *pattern, + int patlen, + FontPtr pFont) + { +@@ -174,7 +174,7 @@ CacheFontPattern (FontPatternCachePtr ca + /* find matching entry */ + FontPtr + FindCachedFontPattern (FontPatternCachePtr cache, +- char *pattern, ++ const char *pattern, + int patlen) + { + int hash; -- cgit v1.2.3