diff options
Diffstat (limited to 'x11-fonts/libXfont')
| -rw-r--r-- | x11-fonts/libXfont/Makefile | 1 | ||||
| -rw-r--r-- | x11-fonts/libXfont/files/patch-src_fontfile_decompress.c | 103 |
2 files changed, 104 insertions, 0 deletions
diff --git a/x11-fonts/libXfont/Makefile b/x11-fonts/libXfont/Makefile index 12f4a06c16ad..90945a8b8916 100644 --- a/x11-fonts/libXfont/Makefile +++ b/x11-fonts/libXfont/Makefile @@ -7,6 +7,7 @@ PORTNAME= libXfont PORTVERSION= 1.4.4 +PORTREVISION= 1 PORTEPOCH= 1 CATEGORIES= x11-fonts diff --git a/x11-fonts/libXfont/files/patch-src_fontfile_decompress.c b/x11-fonts/libXfont/files/patch-src_fontfile_decompress.c new file mode 100644 index 000000000000..1cfa1fa62235 --- /dev/null +++ b/x11-fonts/libXfont/files/patch-src_fontfile_decompress.c @@ -0,0 +1,103 @@ +From bd48ad11fd11412c62c3ac8ed5d52c4f10a985aa Mon Sep 17 00:00:00 2001 +From: Joerg Sonnenberger <joerg@britannica.bec.de> +Date: Sun, 21 Aug 2011 16:51:53 +0000 +Subject: Do proper input validation to fix for CVE-2011-2895. + +It ensures that all valid input can be decompressed, checks that the +overflow conditions doesn't happen and generally tightens the +validation of the LZW stream and doesn't pessimize the inner loop for +no good reason. It's derived from a change in libarchive from 2004. + +Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> +Reviewed-by: Tomas Hoger <thoger@redhat.com> +--- +diff --git a/src/fontfile/decompress.c b/src/fontfile/decompress.c +index 0f28c3f..6405d76 100644 +--- src/fontfile/decompress.c ++++ src/fontfile/decompress.c +@@ -97,7 +97,7 @@ static char_type magic_header[] = { "\037\235" }; /* 1F 9D */ + #define FIRST 257 /* first free entry */ + #define CLEAR 256 /* table clear output code */ + +-#define STACK_SIZE 8192 ++#define STACK_SIZE 65300 + + typedef struct _compressedFILE { + BufFilePtr file; +@@ -178,14 +178,12 @@ BufFilePushCompressed (BufFilePtr f) + file->tab_suffix[code] = (char_type) code; + } + file->free_ent = ((file->block_compress) ? FIRST : 256 ); ++ file->oldcode = -1; + file->clear_flg = 0; + file->offset = 0; + file->size = 0; + file->stackp = file->de_stack; + bzero(file->buf, BITS); +- file->finchar = file->oldcode = getcode (file); +- if (file->oldcode != -1) +- *file->stackp++ = file->finchar; + return BufFileCreate ((char *) file, + BufCompressedFill, + 0, +@@ -230,9 +228,6 @@ BufCompressedFill (BufFilePtr f) + if (buf == bufend) + break; + +- if (oldcode == -1) +- break; +- + code = getcode (file); + if (code == -1) + break; +@@ -241,26 +236,34 @@ BufCompressedFill (BufFilePtr f) + for ( code = 255; code >= 0; code-- ) + file->tab_prefix[code] = 0; + file->clear_flg = 1; +- file->free_ent = FIRST - 1; +- if ( (code = getcode (file)) == -1 ) /* O, untimely death! */ +- break; ++ file->free_ent = FIRST; ++ oldcode = -1; ++ continue; + } + incode = code; + /* + * Special case for KwKwK string. + */ + if ( code >= file->free_ent ) { ++ if ( code > file->free_ent || oldcode == -1 ) { ++ /* Bad stream. */ ++ return BUFFILEEOF; ++ } + *stackp++ = finchar; + code = oldcode; + } ++ /* ++ * The above condition ensures that code < free_ent. ++ * The construction of tab_prefixof in turn guarantees that ++ * each iteration decreases code and therefore stack usage is ++ * bound by 1 << BITS - 256. ++ */ + + /* + * Generate output characters in reverse order + */ + while ( code >= 256 ) + { +- if (stackp - de_stack >= STACK_SIZE - 1) +- return BUFFILEEOF; + *stackp++ = file->tab_suffix[code]; + code = file->tab_prefix[code]; + } +@@ -270,7 +273,7 @@ BufCompressedFill (BufFilePtr f) + /* + * Generate the new entry. + */ +- if ( (code=file->free_ent) < file->maxmaxcode ) { ++ if ( (code=file->free_ent) < file->maxmaxcode && oldcode != -1) { + file->tab_prefix[code] = (unsigned short)oldcode; + file->tab_suffix[code] = finchar; + file->free_ent = code+1; +-- +cgit v0.9.0.2-2-gbebe |