diff options
author | Baptiste Daroussin <bapt@FreeBSD.org> | 2014-07-20 22:56:22 +0000 |
---|---|---|
committer | Baptiste Daroussin <bapt@FreeBSD.org> | 2014-07-20 22:56:22 +0000 |
commit | d325a025fb0a995292cf32f11e81653db8e1b648 (patch) | |
tree | c7be1d1e05d38a701a0c577ea249bc80f6fa6eca /x11-fonts/libXfont | |
parent | ac9773161b0336d88af44f88439043465d114ed5 (diff) | |
download | ports-d325a025fb0a995292cf32f11e81653db8e1b648.tar.gz ports-d325a025fb0a995292cf32f11e81653db8e1b648.zip |
Notes
Diffstat (limited to 'x11-fonts/libXfont')
-rw-r--r-- | x11-fonts/libXfont/Makefile | 4 | ||||
-rw-r--r-- | x11-fonts/libXfont/distinfo | 4 | ||||
-rw-r--r-- | x11-fonts/libXfont/files/patch-src_fc_fsconvert.c | 46 | ||||
-rw-r--r-- | x11-fonts/libXfont/files/patch-src_fc_fserve.c | 525 | ||||
-rw-r--r-- | x11-fonts/libXfont/files/patch-src_fontfile_dirfile.c | 22 | ||||
-rw-r--r-- | x11-fonts/libXfont/files/patch-src_fontfile_fontdir.c | 16 |
6 files changed, 4 insertions, 613 deletions
diff --git a/x11-fonts/libXfont/Makefile b/x11-fonts/libXfont/Makefile index e4a8e6285961..409f782741e9 100644 --- a/x11-fonts/libXfont/Makefile +++ b/x11-fonts/libXfont/Makefile @@ -2,8 +2,7 @@ # $FreeBSD$ PORTNAME= libXfont -PORTVERSION= 1.4.7 -PORTREVISION= 3 +PORTVERSION= 1.5.0 PORTEPOCH= 1 CATEGORIES= x11-fonts @@ -14,6 +13,7 @@ LIB_DEPENDS= libfreetype.so:${PORTSDIR}/print/freetype2 XORG_CAT= lib USE_XORG= xproto:both xtrans fontsproto:both fontenc +INSTALL_TARGET= install-strip CONFIGURE_ARGS=--without-xmlto --disable-devel-docs diff --git a/x11-fonts/libXfont/distinfo b/x11-fonts/libXfont/distinfo index 363080de22dc..4eb208b29304 100644 --- a/x11-fonts/libXfont/distinfo +++ b/x11-fonts/libXfont/distinfo @@ -1,2 +1,2 @@ -SHA256 (xorg/lib/libXfont-1.4.7.tar.bz2) = d16ea3541835d296b19cfb05d7e64fc62173d8e7eb93284402ec761b951d1543 -SIZE (xorg/lib/libXfont-1.4.7.tar.bz2) = 482851 +SHA256 (xorg/lib/libXfont-1.5.0.tar.bz2) = 3a3c52c4adf9352b2160f07ff0596af17ab14f91d6509564e606678a1261c25f +SIZE (xorg/lib/libXfont-1.5.0.tar.bz2) = 491483 diff --git a/x11-fonts/libXfont/files/patch-src_fc_fsconvert.c b/x11-fonts/libXfont/files/patch-src_fc_fsconvert.c deleted file mode 100644 index ab5131532862..000000000000 --- a/x11-fonts/libXfont/files/patch-src_fc_fsconvert.c +++ /dev/null @@ -1,46 +0,0 @@ -CVE-2014-0210 -CVE-2014-0211 - ---- src/fc/fsconvert.c.orig 2014-01-07 17:25:08.000000000 +0100 -+++ src/fc/fsconvert.c 2014-05-13 18:14:43.000000000 +0200 -@@ -118,6 +118,10 @@ _fs_convert_props(fsPropInfo *pi, fsProp - for (i = 0; i < nprops; i++, dprop++, is_str++) - { - memcpy(&local_off, off_adr, SIZEOF(fsPropOffset)); -+ if ((local_off.name.position >= pi->data_len) || -+ (local_off.name.length > -+ (pi->data_len - local_off.name.position))) -+ goto bail; - dprop->name = MakeAtom(&pdc[local_off.name.position], - local_off.name.length, 1); - if (local_off.type != PropTypeString) { -@@ -125,10 +129,15 @@ _fs_convert_props(fsPropInfo *pi, fsProp - dprop->value = local_off.value.position; - } else { - *is_str = TRUE; -+ if ((local_off.value.position >= pi->data_len) || -+ (local_off.value.length > -+ (pi->data_len - local_off.value.position))) -+ goto bail; - dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position], - local_off.value.length, 1); - if (dprop->value == BAD_RESOURCE) - { -+ bail: - free (pfi->props); - pfi->nprops = 0; - pfi->props = 0; -@@ -712,7 +721,12 @@ fs_alloc_glyphs (FontPtr pFont, int size - FSGlyphPtr glyphs; - FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate; - -- glyphs = malloc (sizeof (FSGlyphRec) + size); -+ if (size < (INT_MAX - sizeof (FSGlyphRec))) -+ glyphs = malloc (sizeof (FSGlyphRec) + size); -+ else -+ glyphs = NULL; -+ if (glyphs == NULL) -+ return NULL; - glyphs->next = fsfont->glyphs; - fsfont->glyphs = glyphs; - return (pointer) (glyphs + 1); diff --git a/x11-fonts/libXfont/files/patch-src_fc_fserve.c b/x11-fonts/libXfont/files/patch-src_fc_fserve.c deleted file mode 100644 index 568fb10c4fcc..000000000000 --- a/x11-fonts/libXfont/files/patch-src_fc_fserve.c +++ /dev/null @@ -1,525 +0,0 @@ -CVE-2014-0210 -CVE-2014-0211 - ---- src/fc/fserve.c.orig 2014-01-07 17:25:08.000000000 +0100 -+++ src/fc/fserve.c 2014-05-13 18:12:13.000000000 +0200 -@@ -70,6 +70,7 @@ in this Software without prior written a - #include "fservestr.h" - #include <X11/fonts/fontutil.h> - #include <errno.h> -+#include <limits.h> - - #include <time.h> - #define Time_t time_t -@@ -91,6 +92,15 @@ in this Software without prior written a - (pci)->descent || \ - (pci)->characterWidth) - -+/* -+ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words, -+ * so this converts for doing size comparisons. -+ */ -+#define LENGTHOF(r) (SIZEOF(r) >> 2) -+ -+/* Somewhat arbitrary limit on maximum reply size we'll try to read. */ -+#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2) -+ - extern void ErrorF(const char *f, ...); - - static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec ); -@@ -206,9 +216,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGeneri - rep->sequenceNumber, - conn->reqbuffer[i].opcode); - } -+ -+#define _fs_reply_failed(rep, name, op) do { \ -+ if (rep) { \ -+ if (rep->type == FS_Error) \ -+ fprintf (stderr, "Error: %d Request: %s\n", \ -+ ((fsError *)rep)->request, #name); \ -+ else \ -+ fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n", \ -+ #name, rep->length, op, LENGTHOF(name)); \ -+ } \ -+} while (0) -+ - #else - #define _fs_add_req_log(conn,op) ((conn)->current_seq++) - #define _fs_add_rep_log(conn,rep) -+#define _fs_reply_failed(rep,name,op) - #endif - - static Bool -@@ -600,6 +623,21 @@ fs_get_reply (FSFpePtr conn, int *error) - - rep = (fsGenericReply *) buf; - -+ /* -+ * Refuse to accept replies longer than a maximum reasonable length, -+ * before we pass to _fs_start_read, since it will try to resize the -+ * incoming connection buffer to this size. Also avoids integer overflow -+ * on 32-bit systems. -+ */ -+ if (rep->length > MAX_REPLY_LENGTH) -+ { -+ ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting" -+ " from font server\n", rep->length); -+ _fs_connection_died (conn); -+ *error = FSIO_ERROR; -+ return 0; -+ } -+ - ret = _fs_start_read (conn, rep->length << 2, &buf); - if (ret != FSIO_READY) - { -@@ -682,13 +720,15 @@ fs_read_open_font(FontPathElementPtr fpe - int ret; - - rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ (rep->length != LENGTHOF(fsOpenBitmapFontReply))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - if (rep) - _fs_done_read (conn, rep->length << 2); - fs_cleanup_bfont (bfont); -+ _fs_reply_failed (rep, fsOpenBitmapFontReply, "!="); - return BadFontName; - } - -@@ -815,6 +855,7 @@ fs_read_query_info(FontPathElementPtr fp - FSFpePtr conn = (FSFpePtr) fpe->private; - fsQueryXInfoReply *rep; - char *buf; -+ long bufleft; /* length of reply left to use */ - fsPropInfo *pi; - fsPropOffset *po; - pointer pd; -@@ -824,13 +865,15 @@ fs_read_query_info(FontPathElementPtr fp - int ret; - - rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ (rep->length < LENGTHOF(fsQueryXInfoReply))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - if (rep) - _fs_done_read (conn, rep->length << 2); - fs_cleanup_bfont (bfont); -+ _fs_reply_failed (rep, fsQueryXInfoReply, "<"); - return BadFontName; - } - -@@ -844,6 +887,9 @@ fs_read_query_info(FontPathElementPtr fp - buf = (char *) rep; - buf += SIZEOF(fsQueryXInfoReply); - -+ bufleft = rep->length << 2; -+ bufleft -= SIZEOF(fsQueryXInfoReply); -+ - /* move the data over */ - fsUnpack_XFontInfoHeader(rep, pInfo); - -@@ -851,17 +897,50 @@ fs_read_query_info(FontPathElementPtr fp - _fs_init_fontinfo(conn, pInfo); - - /* Compute offsets into the reply */ -+ if (bufleft < SIZEOF(fsPropInfo)) -+ { -+ ret = -1; -+#ifdef DEBUG -+ fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n", -+ bufleft); -+#endif -+ goto bail; -+ } - pi = (fsPropInfo *) buf; - buf += SIZEOF (fsPropInfo); -+ bufleft -= SIZEOF(fsPropInfo); - -+ if ((bufleft / SIZEOF(fsPropOffset)) < pi->num_offsets) -+ { -+ ret = -1; -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXInfo: bufleft (%ld) / SIZEOF(fsPropOffset) < %d\n", -+ bufleft, pi->num_offsets); -+#endif -+ goto bail; -+ } - po = (fsPropOffset *) buf; - buf += pi->num_offsets * SIZEOF(fsPropOffset); -+ bufleft -= pi->num_offsets * SIZEOF(fsPropOffset); - -+ if (bufleft < pi->data_len) -+ { -+ ret = -1; -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n", -+ bufleft, pi->data_len); -+#endif -+ goto bail; -+ } - pd = (pointer) buf; - buf += pi->data_len; -+ bufleft -= pi->data_len; - - /* convert the properties and step over the reply */ - ret = _fs_convert_props(pi, po, pd, pInfo); -+ bail: - _fs_done_read (conn, rep->length << 2); - - if (ret == -1) -@@ -951,13 +1030,15 @@ fs_read_extent_info(FontPathElementPtr f - FontInfoRec *fi = &bfont->pfont->info; - - rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ (rep->length < LENGTHOF(fsQueryXExtents16Reply))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - if (rep) - _fs_done_read (conn, rep->length << 2); - fs_cleanup_bfont (bfont); -+ _fs_reply_failed (rep, fsQueryXExtents16Reply, "<"); - return BadFontName; - } - -@@ -970,7 +1051,26 @@ fs_read_extent_info(FontPathElementPtr f - numInfos *= 2; - haveInk = TRUE; - } -- ci = pCI = malloc(sizeof(CharInfoRec) * numInfos); -+ if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXExtents16: numInfos (%d) >= %ld\n", -+ numInfos, (INT_MAX / sizeof(CharInfoRec))); -+#endif -+ pCI = NULL; -+ } -+ else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply)) -+ / LENGTHOF(fsXCharInfo))) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n", -+ numExtents, rep->length, -+ LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo)); -+#endif -+ pCI = NULL; -+ } -+ else -+ pCI = malloc(sizeof(CharInfoRec) * numInfos); - - if (!pCI) - { -@@ -1111,7 +1211,7 @@ fs_read_extent_info(FontPathElementPtr f - } - - #ifdef DEBUG --static char *fs_open_states[] = { -+static const char *fs_open_states[] = { - "OPEN_REPLY ", - "INFO_REPLY ", - "EXTENT_REPLY", -@@ -1381,7 +1481,6 @@ fs_wakeup(FontPathElementPtr fpe, unsign - { - FSBlockDataPtr blockrec; - FSBlockedFontPtr bfont; -- FSBlockedListPtr blist; - static CARD32 lastState; - static FSBlockDataPtr lastBlock; - -@@ -1405,7 +1504,6 @@ fs_wakeup(FontPathElementPtr fpe, unsign - "<freed>"); - break; - case FS_LIST_FONTS: -- blist = (FSBlockedListPtr) blockrec->data; - fprintf (stderr, " Blocked list errcode %d sequence %d\n", - blockrec->errcode, blockrec->sequenceNumber); - break; -@@ -1809,6 +1907,7 @@ fs_read_glyphs(FontPathElementPtr fpe, F - FontInfoPtr pfi = &pfont->info; - fsQueryXBitmaps16Reply *rep; - char *buf; -+ long bufleft; /* length of reply left to use */ - fsOffset32 *ppbits; - fsOffset32 local_off; - char *off_adr; -@@ -1825,22 +1924,48 @@ fs_read_glyphs(FontPathElementPtr fpe, F - unsigned long minchar, maxchar; - - rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ (rep->length < LENGTHOF(fsQueryXBitmaps16Reply))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - if (rep) - _fs_done_read (conn, rep->length << 2); - err = AllocError; -+ _fs_reply_failed (rep, fsQueryXBitmaps16Reply, "<"); - goto bail; - } - - buf = (char *) rep; - buf += SIZEOF (fsQueryXBitmaps16Reply); - -+ bufleft = rep->length << 2; -+ bufleft -= SIZEOF (fsQueryXBitmaps16Reply); -+ -+ if ((bufleft / SIZEOF (fsOffset32)) < rep->num_chars) -+ { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXBitmaps16: num_chars (%d) > bufleft (%ld) / %d\n", -+ rep->num_chars, bufleft, SIZEOF (fsOffset32)); -+#endif -+ err = AllocError; -+ goto bail; -+ } - ppbits = (fsOffset32 *) buf; - buf += SIZEOF (fsOffset32) * (rep->num_chars); -+ bufleft -= SIZEOF (fsOffset32) * (rep->num_chars); - -+ if (bufleft < rep->nbytes) -+ { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXBitmaps16: nbytes (%d) > bufleft (%ld)\n", -+ rep->nbytes, bufleft); -+#endif -+ err = AllocError; -+ goto bail; -+ } - pbitmaps = (pointer ) buf; - - if (blockrec->type == FS_LOAD_GLYPHS) -@@ -1898,7 +2023,9 @@ fs_read_glyphs(FontPathElementPtr fpe, F - */ - if (NONZEROMETRICS(&fsdata->encoding[minchar].metrics)) - { -- if (local_off.length) -+ if (local_off.length && -+ (local_off.position < rep->nbytes) && -+ (local_off.length <= (rep->nbytes - local_off.position))) - { - bits = allbits; - allbits += local_off.length; -@@ -2228,31 +2355,48 @@ fs_read_list(FontPathElementPtr fpe, FSB - FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data; - fsListFontsReply *rep; - char *data; -+ long dataleft; /* length of reply left to use */ - int length, - i, - ret; - int err; - - rep = (fsListFontsReply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ (rep->length < LENGTHOF(fsListFontsReply))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - if (rep) - _fs_done_read (conn, rep->length << 2); -+ _fs_reply_failed (rep, fsListFontsReply, "<"); - return AllocError; - } - data = (char *) rep + SIZEOF (fsListFontsReply); -+ dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply); - - err = Successful; - /* copy data into FontPathRecord */ - for (i = 0; i < rep->nFonts; i++) - { -+ if (dataleft < 1) -+ break; - length = *(unsigned char *)data++; -+ dataleft--; /* used length byte */ -+ if (length > dataleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFonts: name length (%d) > dataleft (%ld)\n", -+ length, dataleft); -+#endif -+ err = BadFontName; -+ break; -+ } - err = AddFontNamesName(blist->names, data, length); - if (err != Successful) - break; - data += length; -+ dataleft -= length; - } - _fs_done_read (conn, rep->length << 2); - return err; -@@ -2347,6 +2491,7 @@ fs_read_list_info(FontPathElementPtr fpe - FSBlockedListInfoPtr binfo = (FSBlockedListInfoPtr) blockrec->data; - fsListFontsWithXInfoReply *rep; - char *buf; -+ long bufleft; - FSFpePtr conn = (FSFpePtr) fpe->private; - fsPropInfo *pi; - fsPropOffset *po; -@@ -2358,12 +2503,15 @@ fs_read_list_info(FontPathElementPtr fpe - _fs_free_props (&binfo->info); - - rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret); -- if (!rep || rep->type == FS_Error) -+ if (!rep || rep->type == FS_Error || -+ ((rep->nameLength != 0) && -+ (rep->length < LENGTHOF(fsListFontsWithXInfoReply)))) - { - if (ret == FSIO_BLOCK) - return StillWorking; - binfo->status = FS_LFWI_FINISHED; - err = AllocError; -+ _fs_reply_failed (rep, fsListFontsWithXInfoReply, "<"); - goto done; - } - /* -@@ -2380,6 +2528,7 @@ fs_read_list_info(FontPathElementPtr fpe - } - - buf = (char *) rep + SIZEOF (fsListFontsWithXInfoReply); -+ bufleft = (rep->length << 2) - SIZEOF (fsListFontsWithXInfoReply); - - /* - * The original FS implementation didn't match -@@ -2388,19 +2537,71 @@ fs_read_list_info(FontPathElementPtr fpe - */ - if (conn->fsMajorVersion <= 1) - { -+ if (rep->nameLength > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n", -+ (int) rep->nameLength, bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */ - memcpy (binfo->name, buf, rep->nameLength); - buf += _fs_pad_length (rep->nameLength); -+ bufleft -= _fs_pad_length (rep->nameLength); - } - pi = (fsPropInfo *) buf; -+ if (SIZEOF (fsPropInfo) > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: PropInfo length (%d) > bufleft (%ld)\n", -+ (int) SIZEOF (fsPropInfo), bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ bufleft -= SIZEOF (fsPropInfo); - buf += SIZEOF (fsPropInfo); - po = (fsPropOffset *) buf; -+ if (pi->num_offsets > (bufleft / SIZEOF (fsPropOffset))) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: offset length (%d * %d) > bufleft (%ld)\n", -+ pi->num_offsets, (int) SIZEOF (fsPropOffset), bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ bufleft -= pi->num_offsets * SIZEOF (fsPropOffset); - buf += pi->num_offsets * SIZEOF (fsPropOffset); - pd = (pointer) buf; -+ if (pi->data_len > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: data length (%d) > bufleft (%ld)\n", -+ pi->data_len, bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ bufleft -= pi->data_len; - buf += pi->data_len; - if (conn->fsMajorVersion > 1) - { -+ if (rep->nameLength > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n", -+ (int) rep->nameLength, bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */ - memcpy (binfo->name, buf, rep->nameLength); - buf += _fs_pad_length (rep->nameLength); -+ bufleft -= _fs_pad_length (rep->nameLength); - } - - #ifdef DEBUG -@@ -2786,7 +2987,7 @@ _fs_recv_conn_setup (FSFpePtr conn) - int ret = FSIO_ERROR; - fsConnSetup *setup; - FSFpeAltPtr alts; -- int i, alt_len; -+ unsigned int i, alt_len; - int setup_len; - char *alt_save, *alt_names; - -@@ -2813,8 +3014,9 @@ _fs_recv_conn_setup (FSFpePtr conn) - } - if (setup->num_alternates) - { -+ size_t alt_name_len = setup->alternate_len << 2; - alts = malloc (setup->num_alternates * sizeof (FSFpeAltRec) + -- (setup->alternate_len << 2)); -+ alt_name_len); - if (alts) - { - alt_names = (char *) (setup + 1); -@@ -2823,10 +3025,25 @@ _fs_recv_conn_setup (FSFpePtr conn) - { - alts[i].subset = alt_names[0]; - alt_len = alt_names[1]; -+ if (alt_len >= alt_name_len) { -+ /* -+ * Length is longer than setup->alternate_len -+ * told us to allocate room for, assume entire -+ * alternate list is corrupted. -+ */ -+#ifdef DEBUG -+ fprintf (stderr, -+ "invalid alt list (length %lx >= %lx)\n", -+ (long) alt_len, (long) alt_name_len); -+#endif -+ free(alts); -+ return FSIO_ERROR; -+ } - alts[i].name = alt_save; - memcpy (alt_save, alt_names + 2, alt_len); - alt_save[alt_len] = '\0'; - alt_save += alt_len + 1; -+ alt_name_len -= alt_len + 1; - alt_names += _fs_pad_length (alt_len + 2); - } - conn->numAlts = setup->num_alternates; -@@ -2964,6 +3181,7 @@ _fs_send_cat_sync (FSFpePtr conn) - * by a bogus catalogue - */ - lcreq.reqType = FS_ListCatalogues; -+ lcreq.data = 0; - lcreq.length = (SIZEOF(fsListCataloguesReq)) >> 2; - lcreq.maxNames = 0; - lcreq.nbytes = 0; diff --git a/x11-fonts/libXfont/files/patch-src_fontfile_dirfile.c b/x11-fonts/libXfont/files/patch-src_fontfile_dirfile.c deleted file mode 100644 index 2a0af63f6c8a..000000000000 --- a/x11-fonts/libXfont/files/patch-src_fontfile_dirfile.c +++ /dev/null @@ -1,22 +0,0 @@ -CVE-2014-0209 - ---- src/fontfile/dirfile.c.orig 2014-01-07 17:25:08.000000000 +0100 -+++ src/fontfile/dirfile.c 2014-05-13 18:15:26.000000000 +0200 -@@ -42,6 +42,7 @@ in this Software without prior written a - #include <sys/types.h> - #include <sys/stat.h> - #include <errno.h> -+#include <limits.h> - - static Bool AddFileNameAliases ( FontDirectoryPtr dir ); - static int ReadFontAlias ( char *directory, Bool isFile, -@@ -374,6 +375,9 @@ lexAlias(FILE *file, char **lexToken) - int nsize; - char *nbuf; - -+ if (tokenSize >= (INT_MAX >> 2)) -+ /* Stop before we overflow */ -+ return EALLOC; - nsize = tokenSize ? (tokenSize << 1) : 64; - nbuf = realloc(tokenBuf, nsize); - if (!nbuf) diff --git a/x11-fonts/libXfont/files/patch-src_fontfile_fontdir.c b/x11-fonts/libXfont/files/patch-src_fontfile_fontdir.c deleted file mode 100644 index 5b5826018e93..000000000000 --- a/x11-fonts/libXfont/files/patch-src_fontfile_fontdir.c +++ /dev/null @@ -1,16 +0,0 @@ -CVE-2014-0209 - ---- src/fontfile/fontdir.c.orig 2014-01-07 17:25:08.000000000 +0100 -+++ src/fontfile/fontdir.c 2014-05-13 18:13:40.000000000 +0200 -@@ -177,6 +177,11 @@ FontFileAddEntry(FontTablePtr table, Fon - if (table->sorted) - return (FontEntryPtr) 0; /* "cannot" happen */ - if (table->used == table->size) { -+ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100)) -+ /* If we've read so many entries we're going to ask for 2gb -+ or more of memory, something is so wrong with this font -+ directory that we should just give up before we overflow. */ -+ return NULL; - newsize = table->size + 100; - entry = realloc(table->entries, newsize * sizeof(FontEntryRec)); - if (!entry) |