From 0d0c8b0486823303b6e5b9726086d4cde31d2444 Mon Sep 17 00:00:00 2001 From: drochner Date: Tue, 3 Apr 2007 20:27:20 +0000 Subject: fix a possible memory corruption due to integer overflow, caused by lack of validation of bdf font files (CVE 2007-1351) fix a possible memory corruption due to integer overflow, caused by lack of validation of fonts.dir files (CVE 2007-1352) bump PKGREVISION --- x11/libXfont/Makefile | 3 ++- x11/libXfont/distinfo | 4 +++- x11/libXfont/patches/patch-aa | 29 +++++++++++++++++++++++++++++ x11/libXfont/patches/patch-ab | 22 ++++++++++++++++++++++ 4 files changed, 56 insertions(+), 2 deletions(-) create mode 100644 x11/libXfont/patches/patch-aa create mode 100644 x11/libXfont/patches/patch-ab (limited to 'x11/libXfont') diff --git a/x11/libXfont/Makefile b/x11/libXfont/Makefile index 72c1a038e9f..3331edb0ecb 100644 --- a/x11/libXfont/Makefile +++ b/x11/libXfont/Makefile @@ -1,7 +1,8 @@ -# $NetBSD: Makefile,v 1.3 2007/01/23 15:49:37 joerg Exp $ +# $NetBSD: Makefile,v 1.4 2007/04/03 20:27:20 drochner Exp $ # DISTNAME= libXfont-1.2.7 +PKGREVISION= 1 CATEGORIES= x11 devel fonts MASTER_SITES= http://xorg.freedesktop.org/releases/individual/lib/ EXTRACT_SUFX= .tar.bz2 diff --git a/x11/libXfont/distinfo b/x11/libXfont/distinfo index 21f769f4226..07a0c768b8a 100644 --- a/x11/libXfont/distinfo +++ b/x11/libXfont/distinfo @@ -1,5 +1,7 @@ -$NetBSD: distinfo,v 1.2 2007/01/23 15:49:37 joerg Exp $ +$NetBSD: distinfo,v 1.3 2007/04/03 20:27:20 drochner Exp $ SHA1 (libXfont-1.2.7.tar.bz2) = 60deba746e544785ca05c7c68ccfbd5d71370a29 RMD160 (libXfont-1.2.7.tar.bz2) = 33e2688d1e3490d8b588ca2304b3d4068568dcae Size (libXfont-1.2.7.tar.bz2) = 573915 bytes +SHA1 (patch-aa) = c5914dee0f48eee37e7c389bfcd5cbe2e4f0b015 +SHA1 (patch-ab) = cebfd94e8f12c24e65c912b31652265ff798402f diff --git a/x11/libXfont/patches/patch-aa b/x11/libXfont/patches/patch-aa new file mode 100644 index 00000000000..515eafd385c --- /dev/null +++ b/x11/libXfont/patches/patch-aa @@ -0,0 +1,29 @@ +$NetBSD: patch-aa,v 1.1 2007/04/03 20:27:21 drochner Exp $ + +--- src/bitmap/bdfread.c.orig 2007-04-03 19:01:20.000000000 +0200 ++++ src/bitmap/bdfread.c +@@ -65,6 +65,12 @@ from The Open Group. + #include + #include + ++#if HAVE_STDINT_H ++#include ++#elif !defined(INT32_MAX) ++#define INT32_MAX 0x7fffffff ++#endif ++ + #define INDICES 256 + #define MAXENCODING 0xFFFF + #define BDFLINELEN 1024 +@@ -288,6 +294,11 @@ bdfReadCharacters(FontFilePtr file, Font + bdfError("invalid number of CHARS in BDF file\n"); + return (FALSE); + } ++ if (nchars > INT32_MAX / sizeof(CharInfoRec)) { ++ bdfError("Couldn't allocate pCI (%d*%d)\n", nchars, ++ sizeof(CharInfoRec)); ++ goto BAILOUT; ++ } + ci = (CharInfoPtr) xalloc(nchars * sizeof(CharInfoRec)); + if (!ci) { + bdfError("Couldn't allocate pCI (%d*%d)\n", nchars, diff --git a/x11/libXfont/patches/patch-ab b/x11/libXfont/patches/patch-ab new file mode 100644 index 00000000000..84065b279fe --- /dev/null +++ b/x11/libXfont/patches/patch-ab @@ -0,0 +1,22 @@ +$NetBSD: patch-ab,v 1.1 2007/04/03 20:27:21 drochner Exp $ + +--- src/fontfile/fontdir.c.orig 2007-04-03 19:04:16.000000000 +0200 ++++ src/fontfile/fontdir.c +@@ -38,9 +38,17 @@ in this Software without prior written a + #include + #include + ++#if HAVE_STDINT_H ++#include ++#elif !defined(INT32_MAX) ++#define INT32_MAX 0x7fffffff ++#endif ++ + Bool + FontFileInitTable (FontTablePtr table, int size) + { ++ if (size < 0 || (size > INT32_MAX/sizeof(FontEntryRec))) ++ return FALSE; + if (size) + { + table->entries = (FontEntryPtr) xalloc(sizeof(FontEntryRec) * size); -- cgit v1.2.3