Author: dparsons Date: 2006-08-16 18:01:58 -0400 (Wed, 16 Aug 2006) New Revision: 2853
Added: branches/7.1/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch branches/7.1/lib/libxfont/debian/patches/10_pcf_font.patch Modified: branches/7.1/lib/libxfont/debian/changelog branches/7.1/lib/libxfont/debian/patches/series Log: * Apply upstream patch 10_pcf_font.patch (security vulnerability CVE-2006-3467). Closes: #383353. * Upload to unstable to ensure patch is propagated quickly. * Apply patch 10_freetype_buffer_overflow.patch while we're at it (no known exploits). Modified: branches/7.1/lib/libxfont/debian/changelog =================================================================== --- branches/7.1/lib/libxfont/debian/changelog 2006-08-16 05:05:47 UTC (rev 2852) +++ branches/7.1/lib/libxfont/debian/changelog 2006-08-16 22:01:58 UTC (rev 2853) @@ -1,3 +1,13 @@ +libxfont (1:1.2.0-2) unstable; urgency=high + + * Apply upstream patch 10_pcf_font.patch (security vulnerability + CVE-2006-3467). Closes: #383353. + * Upload to unstable to ensure patch is propagated quickly. + * Apply patch 10_freetype_buffer_overflow.patch while we're at it + (no known exploits). + + -- Drew Parsons <[EMAIL PROTECTED]> Thu, 17 Aug 2006 07:45:40 +1000 + libxfont (1:1.2.0-1) experimental; urgency=low * New upstream version. Closes: #364854. Added: branches/7.1/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch =================================================================== --- branches/7.1/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch 2006-08-16 05:05:47 UTC (rev 2852) +++ branches/7.1/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch 2006-08-16 22:01:58 UTC (rev 2853) 
@@ -0,0 +1,32 @@
+From: Matthieu Herrb <[EMAIL PROTECTED]>
+Date: Thu, 13 Jul 2006 14:18:38 +0000 (-0400)
+Subject: Bug #7397: Fix a buffer overflow in Freetype font support.
+X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/lib/libXfont.git;a=commitdiff;h=1bf657186d19887a0916340b544b5534e29da081
+
+Bug #7397: Fix a buffer overflow in Freetype font support.
+---
+
+--- a/src/FreeType/fttools.c
++++ b/src/FreeType/fttools.c
+@@ -77,7 +77,7 @@ FTu2a(int slen, FT_Byte *from, char *to,
+
+ n = 0;
+ for (i = 0; i < slen; i += 2) {
+- if(n >= max)
++ if(n >= max - 1)
+ break;
+ if(HIBYTE(from+i, byte)!=0)
+ *to++='?';
+@@ -143,9 +143,10 @@ FTGetEnglishName(FT_Face face, int nid,
+ /* Pretend that Apple Roman is ISO 8859-1. */
+ if(FTGetName(face, nid, TT_PLATFORM_MACINTOSH, TT_MAC_ID_ROMAN, &name)) {
+ len = name.string_len;
+- if(len > name_len)
+- len = name_len;
++ if(len > name_len - 1)
++ len = name_len - 1;
+ memcpy(name_return, name.string, len);
++ name_return[len] = '\0'; /* ensure nul terminaison */
+ return len;
+ }
+
Added: branches/7.1/lib/libxfont/debian/patches/10_pcf_font.patch
===================================================================
--- branches/7.1/lib/libxfont/debian/patches/10_pcf_font.patch 2006-08-16 05:05:47 UTC (rev 2852)
+++ branches/7.1/lib/libxfont/debian/patches/10_pcf_font.patch 2006-08-16 22:01:58 UTC (rev 2853)
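Review bot: In FTGetEnglishName (src/FreeType/fttools.c) the new clamp `len = name_len - 1` yields -1 when `name_len` is 0, and that value is then passed to `memcpy` as a size and used in `name_return[len] = '\0'`. The declarations of `len` and `name_len` and the callers are outside the hunk, so this matters only if a zero-length buffer can reach the function; a guard ahead of the clamp, e.g. `if(name_len <= 0) return 0;` with whatever value the function uses for failure, would rule it out. The `n >= max - 1` test in FTu2a has the same shape and deserves the same look at `max`, whose type is cut off in the hunk header. The added comment would read better as `/* ensure NUL termination */`.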
@@ -0,0 +1,109 @@
+From: Matthieu Herrb <[EMAIL PROTECTED]>
+Date: Sun, 23 Jul 2006 20:42:43 +0000 (+0200)
+Subject: More check on PCF file reading. Bugzilla #7535
+X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/lib/libXfont.git;a=commitdiff;h=8d171fe61e564d8ed8f75034d4191062cecf190b
+
+More check on PCF file reading. Bugzilla #7535
+---
+
+--- a/src/bitmap/pcfread.c
++++ b/src/bitmap/pcfread.c
+@@ -45,6 +45,7 @@ from The Open Group.
+ #endif
+
+ #include <stdarg.h>
++#include <stdint.h>
+
+ void
+ pcfError(const char* message, ...)
+@@ -133,6 +134,10 @@ pcfReadTOC(FontFilePtr file, int *countp
+ return (PCFTablePtr) NULL;
+ count = pcfGetLSB32(file);
+ if (IS_EOF(file)) return (PCFTablePtr) NULL;
++ if (count < 0 || count > INT32_MAX / sizeof(PCFTableRec)) {
++ pcfError("pcfReadTOC(): invalid file format\n");
++ return NULL;
++ }
+ tables = (PCFTablePtr) xalloc(count * sizeof(PCFTableRec));
+ if (!tables) {
+ pcfError("pcfReadTOC(): Couldn't allocate tables (%d*%d)\n", count, sizeof(PCFTableRec));
+@@ -252,6 +257,10 @@ pcfGetProperties(FontInfoPtr pFontInfo,
+ if (!PCF_FORMAT_MATCH(format, PCF_DEFAULT_FORMAT))
+ goto Bail;
+ nprops = pcfGetINT32(file, format);
++ if (nprops <= 0 || nprops > INT32_MAX / sizeof(FontPropRec)) {
++ pcfError("pcfGetProperties(): invalid nprops value (%d)\n", nprops);
++ goto Bail;
++ }
+ if (IS_EOF(file)) goto Bail;
+ props = (FontPropPtr) xalloc(nprops * sizeof(FontPropRec));
+ if (!props) {
+@@ -267,6 +276,13 @@ pcfGetProperties(FontInfoPtr pFontInfo,
+ props[i].name = pcfGetINT32(file, format);
+ isStringProp[i] = pcfGetINT8(file, format);
+ props[i].value = pcfGetINT32(file, format);
++ if (props[i].name < 0
++ || (isStringProp[i] != 0 && isStringProp[i] != 1)
++ || (isStringProp[i] && props[i].value < 0)) {
++ pcfError("pcfGetProperties(): invalid file format %d %d %d\n",
++ props[i].name, isStringProp[i], props[i].value);
++ goto Bail;
++ }
+ if (IS_EOF(file)) goto Bail;
+ }
+ /* pad the property array */
+@@ -282,6 +298,7 @@ pcfGetProperties(FontInfoPtr pFontInfo,
+ }
+ if (IS_EOF(file)) goto Bail;
+ string_size = pcfGetINT32(file, format);
++ if (string_size < 0) goto Bail;
+ if (IS_EOF(file)) goto Bail;
+ strings = (char *) xalloc(string_size);
+ if (!strings) {
+@@ -422,6 +439,10 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
+ else
+ nmetrics = pcfGetINT16(file, format);
+ if (IS_EOF(file)) goto Bail;
++ if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
++ pcfError("pcfReadFont(): invalid file format\n");
++ goto Bail;
++ }
+ metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
+ if (!metrics) {
+ pcfError("pcfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec));
+@@ -447,7 +468,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
+ nbitmaps = pcfGetINT32(file, format);
+ if (nbitmaps != nmetrics || IS_EOF(file))
+ goto Bail;
+-
++ /* nmetrics is alreadt ok, so nbitmap also is */
+ offsets = (CARD32 *) xalloc(nbitmaps * sizeof(CARD32));
+ if (!offsets) {
+ pcfError("pcfReadFont(): Couldn't allocate offsets (%d*%d)\n", nbitmaps, sizeof(CARD32));
+@@ -461,6 +482,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
+ for (i = 0; i < GLYPHPADOPTIONS; i++) {
+ bitmapSizes[i] = pcfGetINT32(file, format);
+ if (IS_EOF(file)) goto Bail;
++ if (bitmapSizes[i] < 0) goto Bail;
+ }
+
+ sizebitmaps = bitmapSizes[PCF_GLYPH_PAD_INDEX(format)];
+@@ -536,6 +558,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
+ if (IS_EOF(file)) goto Bail;
+ if (nink_metrics != nmetrics)
+ goto Bail;
++ /* nmetrics already checked */
+ ink_metrics = (xCharInfo *) xalloc(nink_metrics * sizeof(xCharInfo));
+ if (!ink_metrics) {
+ pcfError("pcfReadFont(): Couldn't allocate ink_metrics (%d*%d)\n", nink_metrics, sizeof(xCharInfo));
+@@ -809,6 +832,10 @@ pmfReadFont(FontPtr pFont, FontFilePtr f
+ else
+ nmetrics = pcfGetINT16(file, format);
+ if (IS_EOF(file)) goto Bail;
++ if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
++ pcfError("pmfReadFont(): invalid file format\n");
++ goto Bail;
++ }
+ metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
+ if (!metrics) {
+ pcfError("pmfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec));
Modified: branches/7.1/lib/libxfont/debian/patches/series
===================================================================
--- branches/7.1/lib/libxfont/debian/patches/series 2006-08-16 05:05:47 UTC (rev 2852)
+++ branches/7.1/lib/libxfont/debian/patches/series 2006-08-16 22:01:58 UTC (rev 2853)
@@ -0,0 +1,2 @@
+10_freetype_buffer_overflow.patch
+10_pcf_font.patch
-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]
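Review bot: In pcfGetProperties (src/bitmap/pcfread.c) the added per-property check rejects only negative `props[i].name` and negative string `props[i].value`; neither is compared with `string_size`, which is read in a later hunk and itself checked only for `< 0`. If these fields are used further down as offsets into the `strings` buffer (that code is outside the hunks), a crafted font file can still name an offset past the end of the allocation. Once `string_size` is known, a second pass over the properties could bail on `props[i].name >= string_size || (isStringProp[i] && props[i].value >= string_size)`. The `nprops <= 0` test also runs before the `IS_EOF(file)` check for that read, so a truncated file is reported as an invalid nprops value; swapping the two keeps the error paths distinct.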