Timo Aaltonen pushed to branch debian-unstable at X Strike Force / lib / libxfont
Commits: f476c0a0 by Guillem Jover at 2022-10-06T00:39:38+00:00 Switch from libbsd to libbsd-overlay This is the preferred usage form for libbsd, as it makes the code more portable and requires no special includes for libbsd, by transparently injects the needed standard headers that would be used on a BSD. Signed-off-by: Guillem Jover <[email protected]> - - - - - 644bea5c by Alan Coopersmith at 2022-11-05T09:16:14-07:00 Only link with libbsd if needed for reallocarray() or strlcat() Avoid unnecessary library dependency when using a libc with these functions included Signed-off-by: Alan Coopersmith <[email protected]> - - - - - 5ca90ec8 by Peter Harris at 2022-11-10T18:12:20+00:00 Fix font server reconnection timeout The great libxfont2 rewrite 135fb032e940ce226c9feb13e6e903f3ecbc5eb0 split fs_wakeup into fs_wakeup and fs_fd_handler. The fs_fd_handler side is called when there is new data on the socket. The fs_wakeup side is called on a timeout. If there's a connection timeout, the block handler will set the timeout to zero, expecting fs_wakeup to handle the timeout. Therefore, we need to call _fs_check_reconnect in fs_wakeup to handle the connection timeout. If we don't, the X server will go to 100% CPU (and the font server connection will not be retried). Signed-off-by: Peter Harris <[email protected]> - - - - - 572d9d52 by Jeremy Huddleston Sequoia at 2022-11-26T22:35:40-08:00 atom: Update Hash() to be unsigned This avoids undefined behavior (left shift overflow in signed integer type) Signed-off-by: Jeremy Huddleston Sequoia <[email protected]> - - - - - 0bee0362 by Alan Coopersmith at 2023-02-16T19:02:29-08:00 configure: raise minimum autoconf requirement to 2.70 Needed for builds on NetBSD to work correctly, since it depends on AC_USE_SYSTEM_EXTENSIONS defining _OPENBSD_SOURCE to expose the prototype for reallocarray() in the system headers. Signed-off-by: Alan Coopersmith <[email protected]> - - - - - a3a85df9 by Alan Coopersmith at 2023-02-25T09:26:20-08:00 Remove "All rights reserved" from Oracle copyright notices Oracle no longer includes this term in our copyright & license notices. Signed-off-by: Alan Coopersmith <[email protected]> - - - - - a5ee0e9a by Alan Coopersmith at 2023-03-04T15:18:07-08:00 configure: Use LT_INIT from libtool 2 instead of deprecated AC_PROG_LIBTOOL AC_PROG_LIBTOOL was replaced by LT_INIT in libtool 2 in 2008, so it's time to rely on it. Clears autoconf warnings: configure.ac:38: warning: The macro `AC_PROG_LIBTOOL' is obsolete. configure.ac:38: You should run autoupdate. aclocal.m4:3640: AC_PROG_LIBTOOL is expanded from... configure.ac:38: the top level libtoolize: Consider adding 'AC_CONFIG_MACRO_DIRS([m4])' to configure.ac, libtoolize: and rerunning libtoolize and aclocal. Signed-off-by: Alan Coopersmith <[email protected]> - - - - - c0ab2a2c by Alan Coopersmith at 2023-03-25T10:40:19-07:00 Set close-on-exec when opening fonts.dir & fonts.alias files Signed-off-by: Alan Coopersmith <[email protected]> - - - - - b4b35189 by Alan Coopersmith at 2024-01-24T17:42:19-08:00 Modernize lseek() calls Position should be stored in an off_t, not an int, and the "whence" arg should use symbolic constants instead of raw numbers. Signed-off-by: Alan Coopersmith <[email protected]> - - - - - 87b05995 by Alan Coopersmith at 2024-01-24T17:44:38-08:00 configure: Use AC_SYS_LARGEFILE to enable large file support While font files should never be more than 2gb in size, they may be stored on filesystems with large inodes or timestamps outside of the 32-bit range. Signed-off-by: Alan Coopersmith <[email protected]> - - - - - 42d2b5ad by Alan Coopersmith at 2024-02-03T02:48:03+00:00 bitscale.c: ensure SCORE2 macro expands properly Handles warning from Oracle Parfait 11.2 static analyzer: Error: Misleading macro Misleading macro [misleading-macro]: misleading evaluation of '/' operator in expansion of macro SCORE2 due to missing parentheses at line 299 of src/bitmap/bitscale.c. '/' operator has lower precedence than '/' operator inside macro body at line 438 low precedence '/' operator is hidden by expansion of macro argument m at line 299 Misleading macro [misleading-macro]: misleading evaluation of '/' operator in expansion of macro SCORE2 due to missing parentheses at line 299 of src/bitmap/bitscale.c. binary '*' operator has lower precedence than '/' operator inside macro body at line 440 low precedence binary '*' operator is hidden by expansion of macro argument m at line 299 Signed-off-by: Alan Coopersmith <[email protected]> - - - - - 0be12a9f by Alan Coopersmith at 2024-02-03T02:48:03+00:00 bitscale.c: ensure SCORE macro expands properly Signed-off-by: Alan Coopersmith <[email protected]> - - - - - c908d277 by Alan Coopersmith at 2024-02-03T02:48:03+00:00 bitscale.c: remove unused MAX() macro Code that used it was removed in commit 632a2e90a4b209facc Signed-off-by: Alan Coopersmith <[email protected]> - - - - - 24951703 by Alan Coopersmith at 2024-02-17T12:19:18-08:00 unifdef sony Signed-off-by: Alan Coopersmith <[email protected]> - - - - - e38d1d27 by Alan Coopersmith at 2024-02-17T12:20:37-08:00 unifdef __OSF1__ Signed-off-by: Alan Coopersmith <[email protected]> - - - - - 1f7b4edf by Alan Coopersmith at 2024-02-17T12:21:15-08:00 unifdef ISC Signed-off-by: Alan Coopersmith <[email protected]> - - - - - bac7adac by Alan Coopersmith at 2024-02-17T12:22:09-08:00 unifdef Lynx Signed-off-by: Alan Coopersmith <[email protected]> - - - - - 3d412575 by Alan Coopersmith at 2024-02-17T12:25:15-08:00 unifdef NCD Signed-off-by: Alan Coopersmith <[email protected]> - - - - - c47d610a by Alan Coopersmith at 2024-02-17T12:56:52-08:00 Use autoconf to check for float.h instead of platform-specific ifdefs Signed-off-by: Alan Coopersmith <[email protected]> - - - - - 00067372 by José Expósito at 2024-07-01T16:28:12+02:00 stubs/atom.c: Fix memory leak in __libxfont_internal__MakeAtom Reported by a static analysis tool: 9. libXfont2-2.0.6/src/stubs/atom.c:179:5: alloc_fn: Storage is returned from allocation function "malloc". 10. libXfont2-2.0.6/src/stubs/atom.c:179:5: var_assign: Assigning: "a" = storage returned from "malloc(24UL + len + 1UL)". 16. libXfont2-2.0.6/src/stubs/atom.c:194:6: leaked_storage: Variable "a" going out of scope leaks the storage it points to. # 192| if ((ResizeHashTable() == FALSE) && # 193| ((hashTable == NULL) || (hashUsed == hashSize))) # 194|-> return None; # 195| h = hash & hashMask; # 196| if (hashTable[h]) { Fixes: 78085e6b683b ("stubs/atom.c: check for ResizeHashTable failure") Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/27> - - - - - dbc2fbc5 by Enrico Weigelt, metux IT consult at 2024-07-19T13:35:11+02:00 include: libxfont2: fix missing includes of fontproto.h * needs types from X11/fonts/fontproto.h (eg. NameCheckFunc) from this header, but forgot to include it. * needs NULL, which is defined in stddef.h Signed-off-by: Enrico Weigelt, metux IT consult <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/28> - - - - - 2c2e44c9 by Alan Coopersmith at 2024-08-01T15:53:10-07:00 libXfont2 2.0.7 Signed-off-by: Alan Coopersmith <[email protected]> - - - - - 67520db2 by Alan Coopersmith at 2026-01-25T15:25:32-08:00 gitlab CI: drop the ci-fairy check-mr job The only thing this checked was the checkbox for allowing maintainers to edit the MR. Changed permissions checks now fail this job but luckily the setting it checked has been the default for years anyway so we can drop it. https://gitlab.freedesktop.org/freedesktop/ci-templates/-/issues/81 Signed-off-by: Alan Coopersmith <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/30> - - - - - b1d2868b by Alan Coopersmith at 2026-06-02T10:39:29-07:00 gitlab CI: move back to Debian stable image Debian 'testing' was needed to get autoconf >= 2.70 in 2023, but it's made its way into the stable release now, so we can move back. Signed-off-by: Alan Coopersmith <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/31> - - - - - 63bdfc6f by Peter Hutterer at 2026-06-09T10:48:06+10:00 pcfread: fix strings memory leak in pcfGetProperties error path The Bail label in pcfGetProperties() freed props and isStringProp but not the strings buffer, leaking it on any error after allocation. Initialize strings to NULL and free it in the Bail path. Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Peter Hutterer <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/32> - - - - - 6594d129 by Peter Hutterer at 2026-06-09T10:48:06+10:00 bdfread: fix copy-paste error in RESOLUTION_X/Y property generation Both the RESOLUTION_X and RESOLUTION_Y generation blocks incorrectly set pState->resolutionProp instead of their respective pState->resolutionXProp and pState->resolutionYProp fields. Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Peter Hutterer <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/32> - - - - - 09d1c927 by Peter Hutterer at 2026-06-09T10:48:06+10:00 bdfread: fix BDF_GENPROPS undercount causing heap buffer overflow BDF_GENPROPS was defined as 6, but up to 8 generated properties can be appended in bdfReadProperties when the BDF file omits all optional properties: POINT_SIZE, FONT, WEIGHT, RESOLUTION (when resolution_x == resolution_y), RESOLUTION_X, RESOLUTION_Y, X_HEIGHT, QUAD_WIDTH. Change BDF_GENPROPS to 8 to match the actual maximum number of generated properties. Note: the overflow is not currently exploitable because the BDF parser requires nProps >= 1 and both FONT_ASCENT and FONT_DESCENT (nProps >= 2), and both are consumed by bdfSpecialProperty without occupying props[] slots, so allocation is always nProps + BDF_GENPROPS >= 8 which fits all 8 generated properties. The constant is fixed for correctness and defense in depth. Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Peter Hutterer <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/32> - - - - - 39959747 by Peter Hutterer at 2026-06-09T10:48:06+10:00 fsio: fix unchecked realloc Check the realloc return value and keep the existing buffer if the reallocation fails. Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Peter Hutterer <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/32> - - - - - 9cc9c4a7 by Peter Hutterer at 2026-06-09T10:48:06+10:00 render: use calloc for FontRec to prevent use of uninitialized memory BuiltinOpenBitmap allocates a FontRec with malloc and only initializes three fields before passing it to pcfReadFont. If pcfReadFont fails partway through, error cleanup paths may access uninitialized fields in the FontRec. This shouldn't ever happen for the builtin fonts but it's a trivial change so let's do this. It also matches CreateFontRec() in private.c which uses malloc+bzero. Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Peter Hutterer <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/32> - - - - - 6141975c by Adam Jackson at 2026-06-24T01:38:58+00:00 freetype: Fix encoding string assembly The code was building charset identifier strings as "encoding-registry" (e.g. "1-iso10646") instead of the correct "registry-encoding" (e.g. "iso10646-1"), causing charset comparisons to always fail. Also remove a stale debug ErrorF left in from development. Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Peter Hutterer <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/33> - - - - - e3f40cb1 by Peter Hutterer at 2026-06-24T01:38:58+00:00 freetype: Remove premature break in find_cmap() Unicode fallback Remove a premature break that made the Apple Unicode and ISO Unicode cmap fallback loops unreachable when Microsoft Unicode was not available. Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Peter Hutterer <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/33> - - - - - 2097fc4a by Adam Jackson at 2026-06-24T01:38:58+00:00 freetype: Remove misguided ifdef around BDF charset query XFONT_BDFFORMAT controls whether libXfont builds its own BDF reader. FT_Get_BDF_Charset_ID() is a FreeType library function whose availability is orthogonal to our own BDF support. The call should always be made when FreeType is available. Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Peter Hutterer <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/33> - - - - - dd5ff354 by Adam Jackson at 2026-06-24T01:38:58+00:00 fontfile: Remove ridiculously old compat API Remove the binary compatibility shims for the old fontenc function names (font_encoding_from_xlfd, font_encoding_find, etc). These have been superseded by the FontEnc* names for years. Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Peter Hutterer <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/33> - - - - - be0b08e2 by Peter Hutterer at 2026-07-06T10:05:27+10:00 bitscale: fix integer overflow in BitmapScaleBitmaps bytestoalloc bytestoalloc is declared as unsigned int (32-bit). When the sum of per-glyph byte counts exceeds 2^32, the value wraps around and calloc() allocates a buffer that is too small. The subsequent ScaleBitmap loop then writes past the end of the allocated buffer. Change bytestoalloc from unsigned int to size_t to match the actual allocation size type, and add an explicit overflow check in the accumulation loop to bail out if the total would exceed SIZE_MAX. This vulnerability was discovered by: Anonymous working with TrendAI Zero Day Initiative CVE-2026-56001/ZDI-CAN-30558 Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Peter Hutterer <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34> - - - - - b4389e0b by Peter Hutterer at 2026-07-06T10:05:35+10:00 pcfread: validate bitmap sizes and offsets against per-glyph metrics pcfReadFont() uses bitmapSizes[] read directly from the PCF file to allocate the repadded bitmap buffer. However, per-glyph metrics (also from the file) control how much data RepadBitmap() writes. A malicious PCF font can declare a small bitmapSizes[] value while having per-glyph metrics that require more space, causing a heap buffer overflow. A similar issue happens with the encoding offsets: pcfReadFont reads encoding offsets from the PCF file and uses them to index into the metrics array without bounds checking. A crafted font can set an encoding offset larger than nmetrics, causing an out-of-bounds pointer that is later dereferenced when glyphs are accessed through the encoding table. And the no-repad bitmap path (when PCF_GLYPH_PAD matches the requested glyph pad) only validated that each glyph's offset was within the bitmap buffer, but did not check that the full glyph extent (offset + BYTES_PER_ROW * height) fits within the buffer. A crafted font with a glyph offset near the end of a small bitmap buffer but large glyph metrics causes a heap buffer over-read when the glyph is later rendered. This vulnerability was discovered by: Anonymous working with TrendAI Zero Day Initiative CVE-2026-56002/ZDI-CAN-30559 Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Peter Hutterer <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34> - - - - - dff957a5 by Peter Hutterer at 2026-07-06T10:05:35+10:00 bitscale: add bounds check to computeProps for property buffer ComputeScaledProperties allocates a fixed-size property buffer of 70 slots. computeProps iterates the source font's properties and writes 1 slot for unscaled properties or 2 slots for scaledX/scaledY properties, with no bounds check. A malicious font with many duplicate properties matching fontPropTable entries can overflow the allocated buffer. Fix this by passing the remaining buffer capacity to computeProps and checking it before each write. Properties that would exceed the buffer are silently skipped. The function is also restructured to handle the buffer writes for scaledX/scaledY inside the switch cases directly, rather than in a separate block after the switch. This makes the control flow clearer and ensures the bounds check covers all writes. This vulnerability was discovered by: Anonymous working with TrendAI Zero Day Initiative CVE-2026-56003/ZDI-CAN-30560 Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Peter Hutterer <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34> - - - - - 6f2cc6e7 by Peter Hutterer at 2026-07-06T10:05:35+10:00 test: fix stubs in font-test-utils for use outside the X server Several callback stubs in font-test-utils.c call err() (fatal) when invoked, preventing test code from exercising font paths that use atoms, font server initialization, or time queries. Set the atom callbacks to NULL so that libxfontstubs falls back to the internal atom implementation. Return Successful from init_fs_handlers and 0 from get_time_in_millis so that font path initialization completes without crashing. Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Peter Hutterer <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34> - - - - - 0cbdbe78 by Peter Hutterer at 2026-07-06T10:05:35+10:00 test: add PCF security regression tests Add regression tests for five PCF font parsing and scaling vulnerabilities. Python scripts generate crafted PCF fonts at build time. Each test binary loads its font through the font path element API and verifies the library handles it without crashing. Under ASAN, these tests would detect the heap buffer overflows that the fixes prevent. Test fonts (built sources): gen_evil_pcf_repad.py - Mismatched bitmapSizes vs per-glyph metrics gen_evil_pcf_norepad.py - Out-of-bounds read in no-repad bitmap path gen_evil_pcf_props.py - 40 duplicate MIN_SPACE properties gen_evil_pcf_encoding.py - Out-of-bounds encoding offset gen_evil_pcf_bitmapscale.py - Many glyphs that expand during scaling Tests require Python 3; skipped automatically if unavailable. Assisted-by: Claude:claude-opus-4-6 Signed-off-by: Peter Hutterer <[email protected]> Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34> - - - - - 88b9df88 by Peter Hutterer at 2026-07-08T11:02:20+10:00 libXfont2 2.0.8 Signed-off-by: Peter Hutterer <[email protected]> - - - - - 836b44e0 by Timo Aaltonen at 2026-07-09T21:02:35+03:00 Merge branch 'upstream-unstable' into debian-unstable - - - - - 41652ab6 by Timo Aaltonen at 2026-07-09T21:03:57+03:00 version bump - - - - - 359b9e56 by Timo Aaltonen at 2026-07-09T21:10:44+03:00 upstream: Add key from Peter Hutterer - - - - - 75fb971a by Timo Aaltonen at 2026-07-09T21:12:16+03:00 releasing package libxfont version 1:2.0.8-1 - - - - - 41 changed files: - .gitlab-ci.yml - COPYING - Makefile.am - configure.ac - debian/changelog - debian/upstream/signing-key.asc - include/X11/fonts/bdfint.h - − include/X11/fonts/fontencc.h - include/X11/fonts/libxfont2.h - src/FreeType/ftenc.c - src/bitmap/bdfread.c - src/bitmap/bitscale.c - src/bitmap/pcfread.c - src/builtins/render.c - src/fc/fserve.c - src/fc/fsio.c - src/fc/fsio.h - src/fc/fslibos.h - src/fontfile/bufio.c - src/fontfile/bunzip2.c - src/fontfile/dirfile.c - − src/fontfile/fontencc.c - src/fontfile/fontfile.c - src/stubs/atom.c - src/util/fontxlfd.c - src/util/replace.h - + test/gen_evil_pcf_bitmapscale.py - + test/gen_evil_pcf_encoding.py - + test/gen_evil_pcf_norepad.py - + test/gen_evil_pcf_props.py - + test/gen_evil_pcf_repad.py - + test/pcf-test-common.c - + test/pcf-test-common.h - + test/test-pcf-bitmapscale.c - + test/test-pcf-encoding.c - + test/test-pcf-norepad.c - + test/test-pcf-props.c - + test/test-pcf-repad.c - test/utils/font-test-utils.c - test/utils/font-test-utils.h - test/utils/lsfontdir.c The diff was not included because it is too large. View it on GitLab: https://salsa.debian.org/xorg-team/lib/libxfont/-/compare/80a8ed1784f5c18618d42acb94c7d57a4107e523...75fb971aa41c5a1291b87c2eb8d1c2eb2626192b -- View it on GitLab: https://salsa.debian.org/xorg-team/lib/libxfont/-/compare/80a8ed1784f5c18618d42acb94c7d57a4107e523...75fb971aa41c5a1291b87c2eb8d1c2eb2626192b You're receiving this email because of your account on salsa.debian.org. Manage all notifications: https://salsa.debian.org/-/profile/notifications | Help: https://salsa.debian.org/help

