[arch-commits] Commit in libxfont/trunk (3 files)
Laurent Carlier
lcarlier at archlinux.org
Fri Jul 18 16:46:17 UTC 2014
Date: Friday, July 18, 2014 @ 18:46:17
Author: lcarlier
Revision: 217470
upgpkg: libxfont 1.4.99.901-1
upstream update 1.4.99.901
Modified:
libxfont/trunk/PKGBUILD
Deleted:
libxfont/trunk/CVE-2014-209-210-211.patch
libxfont/trunk/fix-for-fontsproto213.patch
-----------------------------+
CVE-2014-209-210-211.patch | 925 ------------------------------------------
PKGBUILD | 22
fix-for-fontsproto213.patch | 70 ---
3 files changed, 5 insertions(+), 1012 deletions(-)
Deleted: CVE-2014-209-210-211.patch
===================================================================
--- CVE-2014-209-210-211.patch 2014-07-18 14:56:43 UTC (rev 217469)
+++ CVE-2014-209-210-211.patch 2014-07-18 16:46:17 UTC (rev 217470)
@@ -1,925 +0,0 @@
-From 2f5e57317339c526e6eaee1010b0e2ab8089c42e Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:01:11 -0700
-Subject: [PATCH 01/12] CVE-2014-0209: integer overflow of realloc() size in
- FontFileAddEntry()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-FontFileReadDirectory() opens a fonts.dir file, and reads over every
-line in an fscanf loop. For each successful entry read (font name,
-file name) a call is made to FontFileAddFontFile().
-
-FontFileAddFontFile() will add a font file entry (for the font name
-and file) each time it’s called, by calling FontFileAddEntry().
-FontFileAddEntry() will do the actual adding. If the table it has
-to add to is full, it will do a realloc, adding 100 more entries
-to the table size without checking to see if that will overflow the
-int used to store the size.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fontfile/fontdir.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
-index ef7ffa5..7271603 100644
---- a/src/fontfile/fontdir.c
-+++ b/src/fontfile/fontdir.c
-@@ -177,6 +177,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
- if (table->sorted)
- return (FontEntryPtr) 0; /* "cannot" happen */
- if (table->used == table->size) {
-+ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
-+ /* If we've read so many entries we're going to ask for 2gb
-+ or more of memory, something is so wrong with this font
-+ directory that we should just give up before we overflow. */
-+ return NULL;
- newsize = table->size + 100;
- entry = realloc(table->entries, newsize * sizeof(FontEntryRec));
- if (!entry)
---
-1.9.2
-
-
-From 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:01:48 -0700
-Subject: [PATCH 02/12] CVE-2014-0209: integer overflow of realloc() size in
- lexAlias()
-
-lexAlias() reads from a file in a loop. It does this by starting with a
-64 byte buffer. If that size limit is hit, it does a realloc of the
-buffer size << 1, basically doubling the needed length every time the
-length limit is hit.
-
-Eventually, this will shift out to 0 (for a length of ~4gig), and that
-length will be passed on to realloc(). A length of 0 (with a valid
-pointer) causes realloc to free the buffer on most POSIX platforms,
-but the caller will still have a pointer to it, leading to use after
-free issues.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fontfile/dirfile.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
-diff --git a/src/fontfile/dirfile.c b/src/fontfile/dirfile.c
-index cb28333..38ced75 100644
---- a/src/fontfile/dirfile.c
-+++ b/src/fontfile/dirfile.c
-@@ -42,6 +42,7 @@ in this Software without prior written authorization from The Open Group.
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <errno.h>
-+#include <limits.h>
-
- static Bool AddFileNameAliases ( FontDirectoryPtr dir );
- static int ReadFontAlias ( char *directory, Bool isFile,
-@@ -376,6 +377,9 @@ lexAlias(FILE *file, char **lexToken)
- int nsize;
- char *nbuf;
-
-+ if (tokenSize >= (INT_MAX >> 2))
-+ /* Stop before we overflow */
-+ return EALLOC;
- nsize = tokenSize ? (tokenSize << 1) : 64;
- nbuf = realloc(tokenBuf, nsize);
- if (!nbuf)
---
-1.9.2
-
-
-From 891e084b26837162b12f841060086a105edde86d Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:02:00 -0700
-Subject: [PATCH 03/12] CVE-2014-0210: unvalidated length in
- _fs_recv_conn_setup()
-
-The connection setup reply from the font server can include a list
-of alternate servers to contact if this font server stops working.
-
-The reply specifies a total size of all the font server names, and
-then provides a list of names. _fs_recv_conn_setup() allocated the
-specified total size for copying the names to, but didn't check to
-make sure it wasn't copying more data to that buffer than the size
-it had allocated.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fserve.c | 20 ++++++++++++++++++--
- 1 file changed, 18 insertions(+), 2 deletions(-)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 3585951..aa9acdb 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -2784,7 +2784,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
- int ret = FSIO_ERROR;
- fsConnSetup *setup;
- FSFpeAltPtr alts;
-- int i, alt_len;
-+ unsigned int i, alt_len;
- int setup_len;
- char *alt_save, *alt_names;
-
-@@ -2811,8 +2811,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
- }
- if (setup->num_alternates)
- {
-+ size_t alt_name_len = setup->alternate_len << 2;
- alts = malloc (setup->num_alternates * sizeof (FSFpeAltRec) +
-- (setup->alternate_len << 2));
-+ alt_name_len);
- if (alts)
- {
- alt_names = (char *) (setup + 1);
-@@ -2821,10 +2822,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
- {
- alts[i].subset = alt_names[0];
- alt_len = alt_names[1];
-+ if (alt_len >= alt_name_len) {
-+ /*
-+ * Length is longer than setup->alternate_len
-+ * told us to allocate room for, assume entire
-+ * alternate list is corrupted.
-+ */
-+#ifdef DEBUG
-+ fprintf (stderr,
-+ "invalid alt list (length %lx >= %lx)\n",
-+ (long) alt_len, (long) alt_name_len);
-+#endif
-+ free(alts);
-+ return FSIO_ERROR;
-+ }
- alts[i].name = alt_save;
- memcpy (alt_save, alt_names + 2, alt_len);
- alt_save[alt_len] = '\0';
- alt_save += alt_len + 1;
-+ alt_name_len -= alt_len + 1;
- alt_names += _fs_pad_length (alt_len + 2);
- }
- conn->numAlts = setup->num_alternates;
---
-1.9.2
-
-
-From cbb64aef35960b2882be721f4b8fbaa0fb649d12 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:02:12 -0700
-Subject: [PATCH 04/12] CVE-2014-0210: unvalidated lengths when reading replies
- from font server
-
-Functions to handle replies to font server requests were casting replies
-from the generic form to reply specific structs without first checking
-that the reply was at least as long as the struct being cast to.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fserve.c | 44 ++++++++++++++++++++++++++++++++++++++------
- 1 file changed, 38 insertions(+), 6 deletions(-)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index aa9acdb..f08028f 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -91,6 +91,12 @@ in this Software without prior written authorization from The Open Group.
- (pci)->descent || \
- (pci)->characterWidth)
-
-+/*
-+ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words,
-+ * so this converts for doing size comparisons.
-+ */
-+#define LENGTHOF(r) (SIZEOF(r) >> 2)
-+
- extern void ErrorF(const char *f, ...);
-
- static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
-@@ -206,9 +212,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGenericReply *rep)
- rep->sequenceNumber,
- conn->reqbuffer[i].opcode);
- }
-+
-+#define _fs_reply_failed(rep, name, op) do { \
-+ if (rep) { \
-+ if (rep->type == FS_Error) \
-+ fprintf (stderr, "Error: %d Request: %s\n", \
-+ ((fsError *)rep)->request, #name); \
-+ else \
-+ fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n", \
-+ #name, rep->length, op, LENGTHOF(name)); \
-+ } \
-+} while (0)
-+
- #else
- #define _fs_add_req_log(conn,op) ((conn)->current_seq++)
- #define _fs_add_rep_log(conn,rep)
-+#define _fs_reply_failed(rep,name,op)
- #endif
-
- static Bool
-@@ -682,13 +701,15 @@ fs_read_open_font(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- int ret;
-
- rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret);
-- if (!rep || rep->type == FS_Error)
-+ if (!rep || rep->type == FS_Error ||
-+ (rep->length != LENGTHOF(fsOpenBitmapFontReply)))
- {
- if (ret == FSIO_BLOCK)
- return StillWorking;
- if (rep)
- _fs_done_read (conn, rep->length << 2);
- fs_cleanup_bfont (bfont);
-+ _fs_reply_failed (rep, fsOpenBitmapFontReply, "!=");
- return BadFontName;
- }
-
-@@ -824,13 +845,15 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- int ret;
-
- rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret);
-- if (!rep || rep->type == FS_Error)
-+ if (!rep || rep->type == FS_Error ||
-+ (rep->length < LENGTHOF(fsQueryXInfoReply)))
- {
- if (ret == FSIO_BLOCK)
- return StillWorking;
- if (rep)
- _fs_done_read (conn, rep->length << 2);
- fs_cleanup_bfont (bfont);
-+ _fs_reply_failed (rep, fsQueryXInfoReply, "<");
- return BadFontName;
- }
-
-@@ -951,13 +974,15 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- FontInfoRec *fi = &bfont->pfont->info;
-
- rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret);
-- if (!rep || rep->type == FS_Error)
-+ if (!rep || rep->type == FS_Error ||
-+ (rep->length < LENGTHOF(fsQueryXExtents16Reply)))
- {
- if (ret == FSIO_BLOCK)
- return StillWorking;
- if (rep)
- _fs_done_read (conn, rep->length << 2);
- fs_cleanup_bfont (bfont);
-+ _fs_reply_failed (rep, fsQueryXExtents16Reply, "<");
- return BadFontName;
- }
-
-@@ -1823,13 +1848,15 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- unsigned long minchar, maxchar;
-
- rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret);
-- if (!rep || rep->type == FS_Error)
-+ if (!rep || rep->type == FS_Error ||
-+ (rep->length < LENGTHOF(fsQueryXBitmaps16Reply)))
- {
- if (ret == FSIO_BLOCK)
- return StillWorking;
- if (rep)
- _fs_done_read (conn, rep->length << 2);
- err = AllocError;
-+ _fs_reply_failed (rep, fsQueryXBitmaps16Reply, "<");
- goto bail;
- }
-
-@@ -2232,12 +2259,14 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- int err;
-
- rep = (fsListFontsReply *) fs_get_reply (conn, &ret);
-- if (!rep || rep->type == FS_Error)
-+ if (!rep || rep->type == FS_Error ||
-+ (rep->length < LENGTHOF(fsListFontsReply)))
- {
- if (ret == FSIO_BLOCK)
- return StillWorking;
- if (rep)
- _fs_done_read (conn, rep->length << 2);
-+ _fs_reply_failed (rep, fsListFontsReply, "<");
- return AllocError;
- }
- data = (char *) rep + SIZEOF (fsListFontsReply);
-@@ -2356,12 +2385,15 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- _fs_free_props (&binfo->info);
-
- rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret);
-- if (!rep || rep->type == FS_Error)
-+ if (!rep || rep->type == FS_Error ||
-+ ((rep->nameLength != 0) &&
-+ (rep->length < LENGTHOF(fsListFontsWithXInfoReply))))
- {
- if (ret == FSIO_BLOCK)
- return StillWorking;
- binfo->status = FS_LFWI_FINISHED;
- err = AllocError;
-+ _fs_reply_failed (rep, fsListFontsWithXInfoReply, "<");
- goto done;
- }
- /*
---
-1.9.2
-
-
-From 0f1a5d372c143f91a602bdf10c917d7eabaee09b Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:02:25 -0700
-Subject: [PATCH 05/12] CVE-2014-0211: Integer overflow in
- fs_get_reply/_fs_start_read
-
-fs_get_reply() would take any reply size, multiply it by 4 and pass to
-_fs_start_read. If that size was bigger than the current reply buffer
-size, _fs_start_read would add it to the existing buffer size plus the
-buffer size increment constant and realloc the buffer to that result.
-
-This math could overflow, causing the code to allocate a smaller
-buffer than the amount it was about to read into that buffer from
-the network. It could also succeed, allowing the remote font server
-to cause massive allocations in the X server, possibly using up all
-the address space in a 32-bit X server, allowing the triggering of
-other bugs in code that fails to handle malloc failure properly.
-
-This patch protects against both problems, by disconnecting any
-font server trying to feed us more than (the somewhat arbitrary)
-64 mb in a single reply.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fserve.c | 18 ++++++++++++++++++
- 1 file changed, 18 insertions(+)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index f08028f..3abbacf 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -97,6 +97,9 @@ in this Software without prior written authorization from The Open Group.
- */
- #define LENGTHOF(r) (SIZEOF(r) >> 2)
-
-+/* Somewhat arbitrary limit on maximum reply size we'll try to read. */
-+#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2)
-+
- extern void ErrorF(const char *f, ...);
-
- static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
-@@ -619,6 +622,21 @@ fs_get_reply (FSFpePtr conn, int *error)
-
- rep = (fsGenericReply *) buf;
-
-+ /*
-+ * Refuse to accept replies longer than a maximum reasonable length,
-+ * before we pass to _fs_start_read, since it will try to resize the
-+ * incoming connection buffer to this size. Also avoids integer overflow
-+ * on 32-bit systems.
-+ */
-+ if (rep->length > MAX_REPLY_LENGTH)
-+ {
-+ ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting"
-+ " from font server\n", rep->length);
-+ _fs_connection_died (conn);
-+ *error = FSIO_ERROR;
-+ return 0;
-+ }
-+
- ret = _fs_start_read (conn, rep->length << 2, &buf);
- if (ret != FSIO_READY)
- {
---
-1.9.2
-
-
-From 491291cabf78efdeec8f18b09e14726a9030cc8f Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:02:34 -0700
-Subject: [PATCH 06/12] CVE-2014-0210: unvalidated length fields in
- fs_read_query_info()
-
-fs_read_query_info() parses a reply from the font server. The reply
-contains embedded length fields, none of which are validated. This
-can cause out of bound reads in either fs_read_query_info() or in
-_fs_convert_props() which it calls to parse the fsPropInfo in the reply.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fsconvert.c | 9 +++++++++
- src/fc/fserve.c | 37 +++++++++++++++++++++++++++++++++++++
- 2 files changed, 46 insertions(+)
-
-diff --git a/src/fc/fsconvert.c b/src/fc/fsconvert.c
-index 75b5372..dfa1317 100644
---- a/src/fc/fsconvert.c
-+++ b/src/fc/fsconvert.c
-@@ -118,6 +118,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
- for (i = 0; i < nprops; i++, dprop++, is_str++)
- {
- memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
-+ if ((local_off.name.position >= pi->data_len) ||
-+ (local_off.name.length >
-+ (pi->data_len - local_off.name.position)))
-+ goto bail;
- dprop->name = MakeAtom(&pdc[local_off.name.position],
- local_off.name.length, 1);
- if (local_off.type != PropTypeString) {
-@@ -125,10 +129,15 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
- dprop->value = local_off.value.position;
- } else {
- *is_str = TRUE;
-+ if ((local_off.value.position >= pi->data_len) ||
-+ (local_off.value.length >
-+ (pi->data_len - local_off.value.position)))
-+ goto bail;
- dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
- local_off.value.length, 1);
- if (dprop->value == BAD_RESOURCE)
- {
-+ bail:
- free (pfi->props);
- pfi->nprops = 0;
- pfi->props = 0;
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 3abbacf..ec5336e 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -854,6 +854,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- FSFpePtr conn = (FSFpePtr) fpe->private;
- fsQueryXInfoReply *rep;
- char *buf;
-+ long bufleft; /* length of reply left to use */
- fsPropInfo *pi;
- fsPropOffset *po;
- pointer pd;
-@@ -885,6 +886,9 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- buf = (char *) rep;
- buf += SIZEOF(fsQueryXInfoReply);
-
-+ bufleft = rep->length << 2;
-+ bufleft -= SIZEOF(fsQueryXInfoReply);
-+
- /* move the data over */
- fsUnpack_XFontInfoHeader(rep, pInfo);
-
-@@ -892,17 +896,50 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- _fs_init_fontinfo(conn, pInfo);
-
- /* Compute offsets into the reply */
-+ if (bufleft < SIZEOF(fsPropInfo))
-+ {
-+ ret = -1;
-+#ifdef DEBUG
-+ fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n",
-+ bufleft);
-+#endif
-+ goto bail;
-+ }
- pi = (fsPropInfo *) buf;
- buf += SIZEOF (fsPropInfo);
-+ bufleft -= SIZEOF(fsPropInfo);
-
-+ if ((bufleft / SIZEOF(fsPropOffset)) < pi->num_offsets)
-+ {
-+ ret = -1;
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsQueryXInfo: bufleft (%ld) / SIZEOF(fsPropOffset) < %d\n",
-+ bufleft, pi->num_offsets);
-+#endif
-+ goto bail;
-+ }
- po = (fsPropOffset *) buf;
- buf += pi->num_offsets * SIZEOF(fsPropOffset);
-+ bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
-
-+ if (bufleft < pi->data_len)
-+ {
-+ ret = -1;
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
-+ bufleft, pi->data_len);
-+#endif
-+ goto bail;
-+ }
- pd = (pointer) buf;
- buf += pi->data_len;
-+ bufleft -= pi->data_len;
-
- /* convert the properties and step over the reply */
- ret = _fs_convert_props(pi, po, pd, pInfo);
-+ bail:
- _fs_done_read (conn, rep->length << 2);
-
- if (ret == -1)
---
-1.9.2
-
-
-From c578408c1fd4db09e4e3173f8a9e65c81cc187c1 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:02:42 -0700
-Subject: [PATCH 07/12] CVE-2014-0211: integer overflow in
- fs_read_extent_info()
-
-fs_read_extent_info() parses a reply from the font server.
-The reply contains a 32bit number of elements field which is used
-to calculate a buffer length. There is an integer overflow in this
-calculation which can lead to memory corruption.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fserve.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index ec5336e..96abd0e 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -70,6 +70,7 @@ in this Software without prior written authorization from The Open Group.
- #include "fservestr.h"
- #include <X11/fonts/fontutil.h>
- #include <errno.h>
-+#include <limits.h>
-
- #include <time.h>
- #define Time_t time_t
-@@ -1050,7 +1051,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- numInfos *= 2;
- haveInk = TRUE;
- }
-- ci = pCI = malloc(sizeof(CharInfoRec) * numInfos);
-+ if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsQueryXExtents16: numInfos (%d) >= %ld\n",
-+ numInfos, (INT_MAX / sizeof(CharInfoRec)));
-+#endif
-+ pCI = NULL;
-+ }
-+ else
-+ pCI = malloc(sizeof(CharInfoRec) * numInfos);
-
- if (!pCI)
- {
---
-1.9.2
-
-
-From a42f707f8a62973f5e8bbcd08afb10a79e9cee33 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:02:54 -0700
-Subject: [PATCH 08/12] CVE-2014-0211: integer overflow in fs_alloc_glyphs()
-
-fs_alloc_glyphs() is a malloc wrapper used by the font code.
-It contains a classic integer overflow in the malloc() call,
-which can cause memory corruption.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fsconvert.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/fc/fsconvert.c b/src/fc/fsconvert.c
-index dfa1317..18b0c0d 100644
---- a/src/fc/fsconvert.c
-+++ b/src/fc/fsconvert.c
-@@ -721,7 +721,12 @@ fs_alloc_glyphs (FontPtr pFont, int size)
- FSGlyphPtr glyphs;
- FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate;
-
-- glyphs = malloc (sizeof (FSGlyphRec) + size);
-+ if (size < (INT_MAX - sizeof (FSGlyphRec)))
-+ glyphs = malloc (sizeof (FSGlyphRec) + size);
-+ else
-+ glyphs = NULL;
-+ if (glyphs == NULL)
-+ return NULL;
- glyphs->next = fsfont->glyphs;
- fsfont->glyphs = glyphs;
- return (pointer) (glyphs + 1);
---
-1.9.2
-
-
-From a3f21421537620fc4e1f844a594a4bcd9f7e2bd8 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:03:05 -0700
-Subject: [PATCH 09/12] CVE-2014-0210: unvalidated length fields in
- fs_read_extent_info()
-
-Looping over the extents in the reply could go past the end of the
-reply buffer if the reply indicated more extents than could fit in
-the specified reply length.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fserve.c | 10 ++++++++++
- 1 file changed, 10 insertions(+)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 96abd0e..232e969 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -1059,6 +1059,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- #endif
- pCI = NULL;
- }
-+ else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply))
-+ / LENGTHOF(fsXCharInfo))) {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n",
-+ numExtents, rep->length,
-+ LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo));
-+#endif
-+ pCI = NULL;
-+ }
- else
- pCI = malloc(sizeof(CharInfoRec) * numInfos);
-
---
-1.9.2
-
-
-From 520683652564c2a4e42328ae23eef9bb63271565 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 25 Apr 2014 23:03:24 -0700
-Subject: [PATCH 10/12] CVE-2014-0210: unvalidated length fields in
- fs_read_glyphs()
-
-fs_read_glyphs() parses a reply from the font server. The reply
-contains embedded length fields, none of which are validated.
-This can cause out of bound reads when looping over the glyph
-bitmaps in the reply.
-
-Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
-Reviewed-by: Adam Jackson <ajax at redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
----
- src/fc/fserve.c | 29 ++++++++++++++++++++++++++++-
- 1 file changed, 28 insertions(+), 1 deletion(-)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 232e969..581bb1b 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -1907,6 +1907,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- FontInfoPtr pfi = &pfont->info;
- fsQueryXBitmaps16Reply *rep;
- char *buf;
-+ long bufleft; /* length of reply left to use */
- fsOffset32 *ppbits;
- fsOffset32 local_off;
- char *off_adr;
-@@ -1938,9 +1939,33 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- buf = (char *) rep;
- buf += SIZEOF (fsQueryXBitmaps16Reply);
-
-+ bufleft = rep->length << 2;
-+ bufleft -= SIZEOF (fsQueryXBitmaps16Reply);
-+
-+ if ((bufleft / SIZEOF (fsOffset32)) < rep->num_chars)
-+ {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsQueryXBitmaps16: num_chars (%d) > bufleft (%ld) / %d\n",
-+ rep->num_chars, bufleft, SIZEOF (fsOffset32));
-+#endif
-+ err = AllocError;
-+ goto bail;
-+ }
- ppbits = (fsOffset32 *) buf;
- buf += SIZEOF (fsOffset32) * (rep->num_chars);
-+ bufleft -= SIZEOF (fsOffset32) * (rep->num_chars);
-
-+ if (bufleft < rep->nbytes)
-+ {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsQueryXBitmaps16: nbytes (%d) > bufleft (%ld)\n",
-+ rep->nbytes, bufleft);
-+#endif
-+ err = AllocError;
-+ goto bail;
-+ }
- pbitmaps = (pointer ) buf;
-
- if (blockrec->type == FS_LOAD_GLYPHS)
-@@ -1998,7 +2023,9 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- */
- if (NONZEROMETRICS(&fsdata->encoding[minchar].metrics))
- {
-- if (local_off.length)
-+ if (local_off.length &&
-+ (local_off.position < rep->nbytes) &&
-+ (local_off.length <= (rep->nbytes - local_off.position)))
- {
- bits = allbits;
- allbits += local_off.length;
---
-1.9.2
-
-
-From 5fa73ac18474be3032ee7af9c6e29deab163ea39 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 2 May 2014 19:24:17 -0700
-Subject: [PATCH 11/12] CVE-2014-0210: unvalidated length fields in
- fs_read_list()
-
-fs_read_list() parses a reply from the font server. The reply
-contains a list of strings with embedded length fields, none of
-which are validated. This can cause out of bound reads when looping
-over the strings in the reply.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- src/fc/fserve.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 581bb1b..4dcdc04 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -2355,6 +2355,7 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data;
- fsListFontsReply *rep;
- char *data;
-+ long dataleft; /* length of reply left to use */
- int length,
- i,
- ret;
-@@ -2372,16 +2373,30 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- return AllocError;
- }
- data = (char *) rep + SIZEOF (fsListFontsReply);
-+ dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply);
-
- err = Successful;
- /* copy data into FontPathRecord */
- for (i = 0; i < rep->nFonts; i++)
- {
-+ if (dataleft < 1)
-+ break;
- length = *(unsigned char *)data++;
-+ dataleft--; /* used length byte */
-+ if (length > dataleft) {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsListFonts: name length (%d) > dataleft (%ld)\n",
-+ length, dataleft);
-+#endif
-+ err = BadFontName;
-+ break;
-+ }
- err = AddFontNamesName(blist->names, data, length);
- if (err != Successful)
- break;
- data += length;
-+ dataleft -= length;
- }
- _fs_done_read (conn, rep->length << 2);
- return err;
---
-1.9.2
-
-
-From d338f81df1e188eb16e1d6aeea7f4800f89c1218 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith at oracle.com>
-Date: Fri, 2 May 2014 19:24:17 -0700
-Subject: [PATCH 12/12] CVE-2014-0210: unvalidated length fields in
- fs_read_list_info()
-
-fs_read_list_info() parses a reply from the font server. The reply
-contains a number of additional data items with embedded length or
-count fields, none of which are validated. This can cause out of
-bound reads when looping over these items in the reply.
-
-Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
----
- src/fc/fserve.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
- 1 file changed, 54 insertions(+)
-
-diff --git a/src/fc/fserve.c b/src/fc/fserve.c
-index 4dcdc04..c1cf9d6 100644
---- a/src/fc/fserve.c
-+++ b/src/fc/fserve.c
-@@ -2491,6 +2491,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- FSBlockedListInfoPtr binfo = (FSBlockedListInfoPtr) blockrec->data;
- fsListFontsWithXInfoReply *rep;
- char *buf;
-+ long bufleft;
- FSFpePtr conn = (FSFpePtr) fpe->private;
- fsPropInfo *pi;
- fsPropOffset *po;
-@@ -2527,6 +2528,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- }
-
- buf = (char *) rep + SIZEOF (fsListFontsWithXInfoReply);
-+ bufleft = (rep->length << 2) - SIZEOF (fsListFontsWithXInfoReply);
-
- /*
- * The original FS implementation didn't match
-@@ -2535,19 +2537,71 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- */
- if (conn->fsMajorVersion <= 1)
- {
-+ if (rep->nameLength > bufleft) {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n",
-+ (int) rep->nameLength, bufleft);
-+#endif
-+ err = AllocError;
-+ goto done;
-+ }
-+ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */
- memcpy (binfo->name, buf, rep->nameLength);
- buf += _fs_pad_length (rep->nameLength);
-+ bufleft -= _fs_pad_length (rep->nameLength);
- }
- pi = (fsPropInfo *) buf;
-+ if (SIZEOF (fsPropInfo) > bufleft) {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsListFontsWithXInfo: PropInfo length (%d) > bufleft (%ld)\n",
-+ (int) SIZEOF (fsPropInfo), bufleft);
-+#endif
-+ err = AllocError;
-+ goto done;
-+ }
-+ bufleft -= SIZEOF (fsPropInfo);
- buf += SIZEOF (fsPropInfo);
- po = (fsPropOffset *) buf;
-+ if (pi->num_offsets > (bufleft / SIZEOF (fsPropOffset))) {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsListFontsWithXInfo: offset length (%d * %d) > bufleft (%ld)\n",
-+ pi->num_offsets, (int) SIZEOF (fsPropOffset), bufleft);
-+#endif
-+ err = AllocError;
-+ goto done;
-+ }
-+ bufleft -= pi->num_offsets * SIZEOF (fsPropOffset);
- buf += pi->num_offsets * SIZEOF (fsPropOffset);
- pd = (pointer) buf;
-+ if (pi->data_len > bufleft) {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsListFontsWithXInfo: data length (%d) > bufleft (%ld)\n",
-+ pi->data_len, bufleft);
-+#endif
-+ err = AllocError;
-+ goto done;
-+ }
-+ bufleft -= pi->data_len;
- buf += pi->data_len;
- if (conn->fsMajorVersion > 1)
- {
-+ if (rep->nameLength > bufleft) {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n",
-+ (int) rep->nameLength, bufleft);
-+#endif
-+ err = AllocError;
-+ goto done;
-+ }
-+ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */
- memcpy (binfo->name, buf, rep->nameLength);
- buf += _fs_pad_length (rep->nameLength);
-+ bufleft -= _fs_pad_length (rep->nameLength);
- }
-
- #ifdef DEBUG
---
-1.9.2
-
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2014-07-18 14:56:43 UTC (rev 217469)
+++ PKGBUILD 2014-07-18 16:46:17 UTC (rev 217470)
@@ -2,29 +2,17 @@
# Maintainer: Jan de Groot <jgc at archlinux.org>
pkgname=libxfont
-pkgver=1.4.7
-pkgrel=3
+pkgver=1.4.99.901
+pkgrel=1
pkgdesc="X11 font rasterisation library"
arch=(i686 x86_64)
url="http://xorg.freedesktop.org/"
license=('custom')
-depends=('freetype2' 'libfontenc' 'xproto' 'fontsproto')
+depends=('freetype2' 'libfontenc' 'xproto' 'fontsproto>=2.1.3')
makedepends=('xorg-util-macros' 'xtrans')
-source=(${url}/archive/individual/lib/libXfont-${pkgver}.tar.bz2
- fix-for-fontsproto213.patch
- CVE-2014-209-210-211.patch)
-sha256sums=('d16ea3541835d296b19cfb05d7e64fc62173d8e7eb93284402ec761b951d1543'
- '9c8298cc9f4dc3981f19107353b2e4373dfb7882768bbf0b3ae027820a2dcad9'
- '9e70cafaf67636baea1295027d4bb197a74a8ac8469674e4be5776dd27b1741a')
+source=(${url}/archive/individual/lib/libXfont-${pkgver}.tar.bz2)
+sha256sums=('483645ae5a7c1728026ef9eb32f61cc9017bc6f9e09edb9694d487891ab44e4e')
-prepare() {
- cd "${srcdir}/libXfont-${pkgver}"
- # FS#40044 - merged for branch 1.5
- patch -Np1 -i ../fix-for-fontsproto213.patch
- # fix CVE-2014-209 CVE-2014-210 CVE-2014-211 - merged upstream
- patch -Np1 -i ../CVE-2014-209-210-211.patch
-}
-
build() {
cd "${srcdir}/libXfont-${pkgver}"
./configure --prefix=/usr --sysconfdir=/etc --disable-static
Deleted: fix-for-fontsproto213.patch
===================================================================
--- fix-for-fontsproto213.patch 2014-07-18 14:56:43 UTC (rev 217469)
+++ fix-for-fontsproto213.patch 2014-07-18 16:46:17 UTC (rev 217470)
@@ -1,70 +0,0 @@
-diff --git a/src/util/patcache.c b/src/util/patcache.c
-index 9c05fa1..2101015 100644
---- a/src/util/patcache.c
-+++ b/src/util/patcache.c
-@@ -50,7 +50,7 @@ typedef unsigned char EntryPtr;
- typedef struct _FontPatternCacheEntry {
- struct _FontPatternCacheEntry *next, **prev;
- short patlen;
-- char *pattern;
-+ const char *pattern;
- int hash;
- FontPtr pFont; /* associated font */
- } FontPatternCacheEntryRec, *FontPatternCacheEntryPtr;
-@@ -74,7 +74,7 @@ EmptyFontPatternCache (FontPatternCachePtr cache)
- cache->entries[i].next = &cache->entries[i+1];
- cache->entries[i].prev = 0;
- cache->entries[i].pFont = 0;
-- free (cache->entries[i].pattern);
-+ free ((void *) cache->entries[i].pattern);
- cache->entries[i].pattern = 0;
- cache->entries[i].patlen = 0;
- }
-@@ -107,7 +107,7 @@ FreeFontPatternCache (FontPatternCachePtr cache)
- int i;
-
- for (i = 0; i < NENTRIES; i++)
-- free (cache->entries[i].pattern);
-+ free ((void *) cache->entries[i].pattern);
- free (cache);
- }
-
-@@ -128,7 +128,7 @@ Hash (const char *string, int len)
- /* add entry */
- void
- CacheFontPattern (FontPatternCachePtr cache,
-- char *pattern,
-+ const char *pattern,
- int patlen,
- FontPtr pFont)
- {
-@@ -154,7 +154,7 @@ CacheFontPattern (FontPatternCachePtr cache,
- if (e->next)
- e->next->prev = e->prev;
- *e->prev = e->next;
-- free (e->pattern);
-+ free ((void *) e->pattern);
- }
- /* set pattern */
- memcpy (newpat, pattern, patlen);
-@@ -174,7 +174,7 @@ CacheFontPattern (FontPatternCachePtr cache,
- /* find matching entry */
- FontPtr
- FindCachedFontPattern (FontPatternCachePtr cache,
-- char *pattern,
-+ const char *pattern,
- int patlen)
- {
- int hash;
-@@ -211,7 +211,7 @@ RemoveCachedFontPattern (FontPatternCachePtr cache,
- *e->prev = e->next;
- e->next = cache->free;
- cache->free = e;
-- free (e->pattern);
-+ free ((void *) e->pattern);
- e->pattern = 0;
- }
- }
---
-cgit v0.9.0.2-2-gbebe
-
More information about the arch-commits
mailing list