From b4b6c4f7811646da57c9c03eaa90233acbf8f16e Mon Sep 17 00:00:00 2001
From: sbd
Date: Fri, 19 Aug 2011 08:18:32 +0000
Subject: Pullup ticket #3501 - requested by joerg

x11/libXfont buffer overflow fix

Revisions pulled up:
- x11/libXfont/Makefile 1.18
- x11/libXfont/distinfo 1.16
- x11/libXfont/patches/patch-src-fontfile-decompress.c 1.1
---
Module Name: pkgsrc
Committed By: joerg
Date: Thu Aug 18 22:58:24 UTC 2011

Modified Files:
pkgsrc/x11/libXfont: Makefile distinfo
Added Files:
pkgsrc/x11/libXfont/patches: patch-src-fontfile-decompress.c

Log Message:
Fix buffer overflow in LZW handler.
---
x11/libXfont/Makefile | 3 +-
x11/libXfont/distinfo | 3 +-
.../patches/patch-src-fontfile-decompress.c | 84 ++++++++++++++++++++++
3 files changed, 88 insertions(+), 2 deletions(-)
create mode 100644 x11/libXfont/patches/patch-src-fontfile-decompress.c

diff --git a/x11/libXfont/Makefile b/x11/libXfont/Makefile
index 8a4cd5f69a9..6abf84c1926 100644
--- a/x11/libXfont/Makefile
+++ b/x11/libXfont/Makefile
@@ -1,7 +1,8 @@
-# $NetBSD: Makefile,v 1.17 2010/09/10 18:49:43 joerg Exp $
+# $NetBSD: Makefile,v 1.17.8.1 2011/08/19 08:18:32 sbd Exp $
 #
 DISTNAME= libXfont-1.4.2
+PKGREVISION= 1
 CATEGORIES= x11 devel fonts
 MASTER_SITES= ${MASTER_SITE_XORG:=lib/}
 EXTRACT_SUFX= .tar.bz2
diff --git a/x11/libXfont/distinfo b/x11/libXfont/distinfo
index 6117b627c17..090159cbf85 100644
--- a/x11/libXfont/distinfo
+++ b/x11/libXfont/distinfo
@@ -1,5 +1,6 @@
-$NetBSD: distinfo,v 1.15 2010/09/10 18:49:43 joerg Exp $
+$NetBSD: distinfo,v 1.15.8.1 2011/08/19 08:18:32 sbd Exp $
 SHA1 (libXfont-1.4.2.tar.bz2) = 79c2089fec014da4b7976e6762f1e9e447fd5767
 RMD160 (libXfont-1.4.2.tar.bz2) = 5812959009f15b321ebe6cfb9bea9c7abbbef940
 Size (libXfont-1.4.2.tar.bz2) = 433887 bytes
+SHA1 (patch-src-fontfile-decompress.c) = 9a51f6be0a40e3d785d6cf7d14f09c165be09f0b
diff --git a/x11/libXfont/patches/patch-src-fontfile-decompress.c b/x11/libXfont/patches/patch-src-fontfile-decompress.c
new file mode 100644
index 00000000000..22dbf3ff9b7
--- /dev/null
+++ b/x11/libXfont/patches/patch-src-fontfile-decompress.c
@@ -0,0 +1,84 @@
+$NetBSD: patch-src-fontfile-decompress.c,v 1.1.2.2 2011/08/19 08:18:32 sbd Exp $
+
+Fix buffer overflow in LZW handler.
+
+--- src/fontfile/decompress.c.orig 2010-06-23 11:18:18.000000000 +0000
++++ src/fontfile/decompress.c
+@@ -99,7 +99,7 @@ static char_type magic_header[] = { "\03
+ #define FIRST 257 /* first free entry */
+ #define CLEAR 256 /* table clear output code */
+
+-#define STACK_SIZE 8192
++#define STACK_SIZE 65300
+
+ typedef struct _compressedFILE {
+ BufFilePtr file;
+@@ -180,14 +180,12 @@ BufFilePushCompressed (BufFilePtr f)
+ file->tab_suffix[code] = (char_type) code;
+ }
+ file->free_ent = ((file->block_compress) ? FIRST : 256 );
++ file->oldcode = -1;
+ file->clear_flg = 0;
+ file->offset = 0;
+ file->size = 0;
+ file->stackp = file->de_stack;
+ bzero(file->buf, BITS);
+- file->finchar = file->oldcode = getcode (file);
+- if (file->oldcode != -1)
+- *file->stackp++ = file->finchar;
+ return BufFileCreate ((char *) file,
+ BufCompressedFill,
+ 0,
+@@ -232,9 +230,6 @@ BufCompressedFill (BufFilePtr f)
+ if (buf == bufend)
+ break;
+
+- if (oldcode == -1)
+- break;
+-
+ code = getcode (file);
+ if (code == -1)
+ break;
+@@ -243,19 +238,29 @@ BufCompressedFill (BufFilePtr f)
+ for ( code = 255; code >= 0; code-- )
+ file->tab_prefix[code] = 0;
+ file->clear_flg = 1;
+- file->free_ent = FIRST - 1;
+- if ( (code = getcode (file)) == -1 ) /* O, untimely death! */
+- break;
++ file->free_ent = FIRST;
++ oldcode = -1;
++ continue;
+ }
+ incode = code;
+ /*
+ * Special case for KwKwK string.
+ */
+ if ( code >= file->free_ent ) {
++ if ( code > file->free_ent || oldcode == -1 ) {
++ /* Bad stream. */
++ return BUFFILEEOF;
++ }
+ *stackp++ = finchar;
+ code = oldcode;
+ }
+-
++ /*
++ * The above condition ensures that code < free_ent.
++ * The construction of tab_prefixof in turn guarantees that
++ * each iteration decreases code and therefore stack usage is
++ * bound by 1 << BITS - 256.
++ */
++
+ /*
+ * Generate output characters in reverse order
+ */
+@@ -270,7 +275,7 @@ BufCompressedFill (BufFilePtr f)
+ /*
+ * Generate the new entry.
+ */
+- if ( (code=file->free_ent) < file->maxmaxcode ) {
++ if ( (code=file->free_ent) < file->maxmaxcode && oldcode != -1) {
+ file->tab_prefix[code] = (unsigned short)oldcode;
+ file->tab_suffix[code] = finchar;
+ file->free_ent = code+1;
-- 
cgit v1.2.3