configure.ac | 4 +++- difs/dispatch.c | 13 +++++++++++++ difs/fontinfo.c | 19 +++++++++++++++++++ xfs.man | 39 ++++++++++++++++++++++++++++++++++++--- 4 files changed, 71 insertions(+), 4 deletions(-)
New commits: commit 0bd59b5938059c7ff5501b928ebe80ecea27f008 Author: Matthieu Herrb <[EMAIL PROTECTED]> Date: Mon Oct 1 21:55:52 2007 +0200 Bump to 1.0.5 diff --git a/configure.ac b/configure.ac index 6924e10..a4ebb65 100644 --- a/configure.ac +++ b/configure.ac @@ -22,7 +22,7 @@ dnl dnl Process this file with autoconf to create configure. AC_PREREQ([2.57]) -AC_INIT(xfs,[1.0.4], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg],xfs) +AC_INIT(xfs,[1.0.5], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg],xfs) AM_INIT_AUTOMAKE([dist-bzip2]) AM_MAINTAINER_MODE commit ec3ca8fd4c599f41e6f977ce912805ac8ac74f32 Author: Matthieu Herrb <[EMAIL PROTECTED]> Date: Mon Oct 1 21:53:41 2007 +0200 Fix for heap overwrite in swap_char2b() CVE-2007-4568. diff --git a/difs/dispatch.c b/difs/dispatch.c index f1a0a85..9a6b87c 100644 --- a/difs/dispatch.c +++ b/difs/dispatch.c @@ -933,6 +933,13 @@ ProcQueryXExtents(ClientPtr client) } item_size = (stuff->reqType == FS_QueryXExtents8) ? 1 : 2; + if (stuff->num_ranges > + ((stuff->length << 2) - SIZEOF(fsQueryXExtents8Req))/item_size) { + int num_ranges = stuff->num_ranges; + SendErrToClient(client, FSBadLength, (pointer)&num_ranges); + return FSBadLength; + } + /* get the extents */ err = QueryExtents(client, cfp, item_size, stuff->num_ranges, stuff->range, @@ -969,6 +976,12 @@ ProcQueryXBitmaps(ClientPtr client) assert((stuff->reqType == FS_QueryXBitmaps8) || (stuff->reqType == FS_QueryXBitmaps16)); item_size = (stuff->reqType == FS_QueryXBitmaps8) ? 1 : 2; + if (stuff->num_ranges > + ((stuff->length << 2) - SIZEOF(fsQueryXBitmaps8Req))/item_size) { + int num_ranges = stuff->num_ranges; + SendErrToClient(client, FSBadLength, (pointer)&num_ranges); + return FSBadLength; + } /* get the glyphs */ err = QueryBitmaps(client, cfp, item_size, stuff->format, stuff->num_ranges, stuff->range, commit 380fb68316f13012ff7cb2ac4addc2626fa2dad0 Author: Matthieu Herrb <[EMAIL PROTECTED]> Date: Mon Oct 1 21:51:40 2007 +0200 fix for integer overflows in build_range(). CVE-4568. diff --git a/configure.ac b/configure.ac index 748b8ce..6924e10 100644 --- a/configure.ac +++ b/configure.ac @@ -41,6 +41,8 @@ case $host_os in ;; esac +AC_CHECK_HEADERS([stdint.h]) + # Checks for pkg-config packages PKG_CHECK_MODULES(XFS, libfs xfont xtrans) XFS_CFLAGS="$XFS_CFLAGS $OS_CFLAGS" diff --git a/difs/fontinfo.c b/difs/fontinfo.c index 23893e0..e7e627d 100644 --- a/difs/fontinfo.c +++ b/difs/fontinfo.c @@ -62,6 +62,21 @@ in this Software without prior written authorization from The Open Group. #include <swapreq.h> #include <swaprep.h> +#ifdef HAVE_CONFIG_H +#include <config.h> +#endif +#ifdef HAVE_STDINT_H +#include <stdint.h> +#endif +#include <limits.h> +#ifndef SIZE_MAX +# ifdef ULONG_MAX +# define SIZE_MAX ULONG_MAX +# else +# define SIZE_MAX UINT_MAX +# endif +#endif + void CopyCharInfo( CharInfoPtr ci, @@ -181,6 +196,8 @@ build_range( return new; } + if (src_num >= SIZE_MAX / sizeof(fsRange) * 2 - 1) + return NULL; np = new = (fsRange *) fsalloc(sizeof(fsRange) * (src_num + 1) / 2); if (!np) return np; @@ -210,6 +227,8 @@ build_range( unsigned char *pp = src; src_num = *num; + if (src_num >= SIZE_MAX / sizeof(fsRange)) + return NULL; np = new = (fsRange *) fsalloc(SIZEOF(fsRange) * src_num); if (!np) return np; commit 63596c80ec1c406a35780f45ea43d8004b020869 Author: Ademar de Souza Reis Jr <[EMAIL PROTECTED]> Date: Wed Jun 20 13:31:40 2007 -0300 Document catalogue:<dir> feature diff --git a/xfs.man b/xfs.man index 1a5cd11..049e60a 100644 --- a/xfs.man +++ b/xfs.man @@ -124,9 +124,10 @@ Recognized keywords include: .\" Size in bytes of the font server cache. .IP "catalogue (list of string)" Ordered list of font path element names. -Use of the keyword "catalogue" is very misleading at present, -the current implementation only supports a single catalogue ("all"), -containing all of the specified fonts. +The current implementation only supports a single catalogue ("all") +containing all of the specified fonts. A special directory with +symlinks to font paths can be specified using a catalogue:<dir> +entry. See the CATALOGUE DIR section below for details. .IP "alternate-servers (list of string)" List of alternate servers for this font server. .IP "client-limit (cardinal)" @@ -167,6 +168,38 @@ enabled for all fonts, and "16", meaning it is enabled only for .\" Those clients the fontserver will talk to. Others .\" will be refused for the initial connection. An empty .\" list means the server will talk to any client. +.SH "CATALOGUE DIR" +You can specify a special kind of font path in the form \fBcatalogue:<dir>\fR. +The directory specified after the catalogue: prefix will be scanned for symlinks +and each symlink destination will be added as a local fontfile FPE. +.PP +The symlink can be suffixed by attributes such as '\fBunscaled\fR', which +will be passed through to the underlying fontfile FPE. The only exception is +the newly introduced '\fBpri\fR' attribute, which will be used for ordering +the font paths specified by the symlinks. + +An example configuration: + +.nf + 75dpi:unscaled:pri=20 \-> /usr/share/X11/fonts/75dpi + ghostscript:pri=60 \-> /usr/share/fonts/default/ghostscript + misc:unscaled:pri=10 \-> /usr/share/X11/fonts/misc + type1:pri=40 \-> /usr/share/X11/fonts/Type1 + type1:pri=50 \-> /usr/share/fonts/default/Type1 +.fi + +This will add /usr/share/X11/fonts/misc as the first FPE with the attribute +'unscaled', second FPE will be /usr/share/X11/fonts/75dpi, also with +the attribute unscaled etc. This is functionally equivalent to setting +the following font path: + +.nf + /usr/share/X11/fonts/misc:unscaled, + /usr/share/X11/fonts/75dpi:unscaled, + /usr/share/X11/fonts/Type1, + /usr/share/fonts/default/Type1, + /usr/share/fonts/default/ghostscript +.fi .SH "EXAMPLE" .nf XCOMM -- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]