From 7ce9d5c7fec81c7f844fe476a0eb14df29a207fa Mon Sep 17 00:00:00 2001
From: adrianp
Date: Sat, 16 Sep 2006 08:28:36 +0000
Subject: Fix for CVE-2006-3739 and CVE-2006-3740.

---
 x11/XFree86-libs/Makefile | 4 +--
 x11/XFree86-libs/distinfo | 5 +++-
 x11/XFree86-libs/patches/patch-av | 25 +++++++++++++++++++++++++
 x11/XFree86-libs/patches/patch-aw | 51 +++++++++++++++++++++++++++++++++++++++++++++++++++
 x11/XFree86-libs/patches/patch-ax | 13 +++++++++++++
 5 files changed, 95 insertions(+), 3 deletions(-)
 create mode 100644 x11/XFree86-libs/patches/patch-av
 create mode 100644 x11/XFree86-libs/patches/patch-aw
 create mode 100644 x11/XFree86-libs/patches/patch-ax
(limited to 'x11')
diff --git a/x11/XFree86-libs/Makefile b/x11/XFree86-libs/Makefile
index 1478b7e690f..45e403f5cdc 100644
--- a/x11/XFree86-libs/Makefile
+++ b/x11/XFree86-libs/Makefile
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.29 2006/09/04 20:48:04 adrianp Exp $
+# $NetBSD: Makefile,v 1.30 2006/09/16 08:28:36 adrianp Exp $

 DISTNAME= ${DISTFILES}
 PKGNAME= XFree86-libs-${XF_VER}
-PKGREVISION= 8
+PKGREVISION= 9
 CATEGORIES= x11
 MASTER_SITES= ${MASTER_SITE_XFREE}
 DISTFILES= XFree86-${XF_VER}-src-1.tgz XFree86-${XF_VER}-src-2.tgz \
diff --git a/x11/XFree86-libs/distinfo b/x11/XFree86-libs/distinfo
index ce20bbc1660..511355d4781 100644
--- a/x11/XFree86-libs/distinfo
+++ b/x11/XFree86-libs/distinfo
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.11 2006/09/04 20:48:04 adrianp Exp $
+$NetBSD: distinfo,v 1.12 2006/09/16 08:28:36 adrianp Exp $

 SHA1 (XFree86-4.4.0-src-1.tgz) = 44b38a7044c82d0b2f785b0e6a935349abcb5d79
 RMD160 (XFree86-4.4.0-src-1.tgz) = 40917951f1f661bfa28450771bbe86e8f0dd2549
@@ -33,3 +33,6 @@ SHA1 (patch-ar) = c9ad52d94aedd94d7c0e0dc254d02cde5e33b637
 SHA1 (patch-as) = c0b27ef82c688c535fdd46cb5de3315e24677fc6
 SHA1 (patch-at) = 7cd02712c1ae4ca070564d2f7b5cb4e3e5b6e93b
 SHA1 (patch-au) = 8e121828d0f826f9029c0aee0f39e4e7ea2b0dac
+SHA1 (patch-av) = bb9adf1a535781ef9f765d8e705a031cfabf7edb
+SHA1 (patch-aw) = ee25a878725b00e6c1f4cbd592ee6e63c33a9d55
+SHA1 (patch-ax) = c90ff7bfe7dbb9d7bf3bf3300ec386da187aec29
diff --git a/x11/XFree86-libs/patches/patch-av b/x11/XFree86-libs/patches/patch-av
new file mode 100644
index 00000000000..64232e7be70
--- /dev/null
+++ b/x11/XFree86-libs/patches/patch-av
@@ -0,0 +1,25 @@
+$NetBSD: patch-av,v 1.3 2006/09/16 08:28:36 adrianp Exp $
+
+--- lib/font/Type1/afm.c.orig 2001-08-27 20:49:52.000000000 +0100
++++ lib/font/Type1/afm.c
+@@ -30,6 +30,8 @@
+ #include "fontmisc.h" /* for xalloc/xfree */
+ #include "AFM.h"
+
++#include
++
+ #define PBUF 256
+ #define KBUF 20
+
+@@ -111,6 +113,11 @@ int CIDAFM(FILE *fd, FontInfo **pfi) {
+
+ fi->nChars = atoi(p);
+
++ if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
++ xfree(afmbuf);
++ xfree(fi);
++ return(1);
++ }
+ fi->metrics = (Metrics *)xalloc(fi->nChars *
+ sizeof(Metrics));
+ if (fi->metrics == NULL) {
diff --git a/x11/XFree86-libs/patches/patch-aw b/x11/XFree86-libs/patches/patch-aw
new file mode 100644
index 00000000000..7708823991c
--- /dev/null
+++ b/x11/XFree86-libs/patches/patch-aw
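Review bot: In the CIDAFM hunk of patch-av the new range check runs on a value that `atoi(p)` has already produced, and `atoi` has undefined behaviour when the digits read from the font file do not fit in an `int`, so the guard may be looking at an arbitrary value. Parsing with `strtol` and rejecting `end == p`, `errno == ERANGE`, a negative result, or a result above `INT_MAX / sizeof(Metrics)` before assigning `fi->nChars` would close that gap. The comparison also mixes what appears to be a signed `nChars` with the unsigned quotient `INT_MAX / sizeof(Metrics)`; it holds only because the `< 0` test comes first, which deserves a comment such as `/* reject negative or overflowing counts before sizing the metrics array */`. CIDAFM's body starts and ends outside the hunk, so the type of `nChars` and the cleanup on the existing NULL path are assumed, and the header name after the added `#include` is not shown on this page (presumably `<limits.h>`, which `INT_MAX` needs).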
@@ -0,0 +1,51 @@
+$NetBSD: patch-aw,v 1.3 2006/09/16 08:28:36 adrianp Exp $
+
+--- lib/font/Type1/scanfont.c.orig 2003-11-29 04:55:28.000000000 +0000
++++ lib/font/Type1/scanfont.c
+@@ -64,6 +64,8 @@
+ #include "spaces.h"
+ #include "fontfcn.h"
+ #include "blues.h"
++
++#include
+
+ #ifdef BUILDCID
+ #define CID_BUFSIZE 80
+@@ -646,6 +648,7 @@ getFDArray(psobj *arrayP)
+ arrayP->data.valueP = tokenStartP;
+
+ /* allocate FDArray */
++ /* No integer overflow since arrayP->len is unsigned short */
+ FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
+ if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
+
+@@ -842,7 +845,8 @@ BuildSubrs(psfont *FontP)
+ }
+ return(SCAN_OK);
+ }
+-
++ if (N > INT_MAX / sizeof(psobj))
++ return (SCAN_ERROR);
+ arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
+ if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
+ FontP->Subrs.len = N;
+@@ -903,7 +907,7 @@ BuildCharStrings(psfont *FontP)
+ }
+ else return(rc); /* if next token was not an Int */
+ }
+- if (N<=0) return(SCAN_ERROR);
++ if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
+ /* save number of entries in the dictionary */
+
+ dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
+@@ -1711,6 +1715,10 @@ scan_cidfont(cidfont *CIDFontP, cmapres
+ if (tokenType == TOKEN_INTEGER)
+ rangecnt = tokenValue.integer;
+
++ if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
++ rc = SCAN_ERROR;
++ break;
++ }
+ /* ==> tokenLength, tokenTooLong, tokenType, and */
+ /* tokenValue are now set */
+
diff --git a/x11/XFree86-libs/patches/patch-ax b/x11/XFree86-libs/patches/patch-ax
new file mode 100644
index 00000000000..c84df7fa585
--- /dev/null
+++ b/x11/XFree86-libs/patches/patch-ax
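Review bot: In the BuildCharStrings hunk of patch-aw the bound is tested against `N`, but the allocation that follows is `(N+1)*sizeof(psdict)`, so `N == INT_MAX / sizeof(psdict)` passes the check and still produces a size above `INT_MAX` by the time it reaches `vm_alloc(int bytes)`; the test should be `if (N<=0 || N >= INT_MAX / sizeof(psdict)) return(SCAN_ERROR);`. That boundary case appears to be caught only by the `bytes > 0` test added to vm_alloc in patch-ax, which depends on how the out-of-range value converts to `int`. The BuildSubrs check `N > INT_MAX / sizeof(psobj)` has no `N < 0` arm, unlike the afm.c and scan_cidfont checks; a negative `N` is presumably rejected only through the implicit conversion to an unsigned type, so `if (N < 0 || N > INT_MAX / sizeof(psobj))` would state the intent. All of these functions extend beyond their hunks, so the declarations of `N` and `rangecnt` are not visible here.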
@@ -0,0 +1,13 @@
+$NetBSD: patch-ax,v 1.3 2006/09/16 08:28:36 adrianp Exp $
+
+--- lib/font/Type1/util.c.orig 2001-01-17 19:43:24.000000000 +0000
++++ lib/font/Type1/util.c
+@@ -97,7 +97,7 @@ vm_alloc(int bytes)
+ bytes = (bytes + 7) & ~7;
+
+ /* Allocate the space, if it is available */
+- if (bytes <= vm_free) {
++ if (bytes > 0 && bytes <= vm_free) {
+ answer = vm_next;
+ vm_free -= bytes;
+ vm_next += bytes;
-- cgit v1.2.3
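Review bot: The added `bytes > 0` test in vm_alloc runs after `bytes = (bytes + 7) & ~7;`, so a request within 7 of `INT_MAX` has already overflowed a signed `int` in the rounding step, which is undefined behaviour, and the guard then relies on the result happening to be negative. Validating first, with `if (bytes <= 0 || bytes > INT_MAX - 7)` taking the existing failure path ahead of the rounding line, keeps the check independent of wraparound (util.c would need `<limits.h>` for that). The new condition also makes a zero-byte request fail where it previously returned `vm_next`, so a caller such as getFDArray with `arrayP->len == 0` would now report `SCAN_OUT_OF_MEMORY`; if that is intended, a comment in vm_alloc should say so. vm_alloc's declarations and return statement are outside the hunk, so the failure path is assumed to return a null `answer`.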