CVS commit: [netbsd-5-0] xsrc/external/mit/expat/dist

2012-11-26 Thread Jeff Rizzo
Module Name:xsrc
Committed By:   riz
Date:   Mon Nov 26 19:59:41 UTC 2012

Modified Files:
xsrc/external/mit/expat/dist/lib [netbsd-5-0]: expat.h xmlparse.c
xsrc/external/mit/expat/dist/xmlwf [netbsd-5-0]: readfilemap.c

Log Message:
xsrc/external/mit/expat/dist/lib/expat.h patch
xsrc/external/mit/expat/dist/lib/xmlparse.c patch
xsrc/external/mit/expat/dist/xmlwf/readfilemap.c patch

Address CVE-2012-1147, CVE-2012-1148 and CVE-2012-0876.
[spz, ticket #1821]


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 xsrc/external/mit/expat/dist/lib/expat.h
cvs rdiff -u -r1.1.1.1.4.1 -r1.1.1.1.4.2 \
xsrc/external/mit/expat/dist/lib/xmlparse.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 \
xsrc/external/mit/expat/dist/xmlwf/readfilemap.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/expat/dist/lib/expat.h
diff -u xsrc/external/mit/expat/dist/lib/expat.h:1.1.1.1 xsrc/external/mit/expat/dist/lib/expat.h:1.1.1.1.4.1
--- xsrc/external/mit/expat/dist/lib/expat.h:1.1.1.1	Tue Jul 29 05:35:06 2008
+++ xsrc/external/mit/expat/dist/lib/expat.h	Mon Nov 26 19:59:40 2012
@@ -883,6 +883,15 @@ XMLPARSEAPI(int)
 XML_SetParamEntityParsing(XML_Parser parser,
   enum XML_ParamEntityParsing parsing);
 
+/* Sets the hash salt to use for internal hash calculations.
+   Helps in preventing DoS attacks based on predicting hash
+   function behavior. This must be called before parsing is started.
+   Returns 1 if successful, 0 when called after parsing has started.
+*/
+XMLPARSEAPI(int)
+XML_SetHashSalt(XML_Parser parser,
+unsigned long hash_salt);
+
 /* If XML_Parse or XML_ParseBuffer have returned XML_STATUS_ERROR, then
XML_GetErrorCode returns information about the error.
 */
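Review bot: The new comment on XML_SetHashSalt does not say that a salt of 0 is treated as "not set": startParsing in xmlparse.c replaces a zero hash_secret_salt with a generated one, so a caller passing 0 gets the fallback rather than a fixed salt. That fallback, generate_hash_secret_salt, is seeded from time(NULL) through srand()/rand(), so it is only as unpredictable as the parser's start time, and the srand() call also reseeds the host application's rand() state. I would extend the comment with `Passing 0 selects a salt generated when parsing starts; callers that need an unpredictable salt should supply one from the system random source.`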

Index: xsrc/external/mit/expat/dist/lib/xmlparse.c
diff -u xsrc/external/mit/expat/dist/lib/xmlparse.c:1.1.1.1.4.1 xsrc/external/mit/expat/dist/lib/xmlparse.c:1.1.1.1.4.2
--- xsrc/external/mit/expat/dist/lib/xmlparse.c:1.1.1.1.4.1	Wed Jan 27 20:42:42 2010
+++ xsrc/external/mit/expat/dist/lib/xmlparse.c	Mon Nov 26 19:59:40 2012
@@ -5,6 +5,8 @@
 #include stddef.h
 #include string.h /* memset(), memcpy() */
 #include assert.h
+#include limits.h /* UINT_MAX */
+#include time.h   /* time() */
 
 #define XML_BUILDING_EXPAT 1
 
@@ -391,12 +393,13 @@ static void dtdReset(DTD *p, const XML_M
 static void
 dtdDestroy(DTD *p, XML_Bool isDocEntity, const XML_Memory_Handling_Suite *ms);
 static int
-dtdCopy(DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms);
+dtdCopy(XML_Parser oldParser,
+DTD *newDtd, const DTD *oldDtd, const XML_Memory_Handling_Suite *ms);
 static int
-copyEntityTable(HASH_TABLE *, STRING_POOL *, const HASH_TABLE *);
-
+copyEntityTable(XML_Parser oldParser,
+HASH_TABLE *, STRING_POOL *, const HASH_TABLE *);
 static NAMED *
-lookup(HASH_TABLE *table, KEY name, size_t createSize);
+lookup(XML_Parser parser, HASH_TABLE *table, KEY name, size_t createSize);
 static void FASTCALL
 hashTableInit(HASH_TABLE *, const XML_Memory_Handling_Suite *ms);
 static void FASTCALL hashTableClear(HASH_TABLE *);
@@ -429,11 +432,15 @@ static ELEMENT_TYPE *
 getElementType(XML_Parser parser, const ENCODING *enc,
const char *ptr, const char *end);
 
+static unsigned long generate_hash_secret_salt(void);
+static XML_Bool startParsing(XML_Parser parser);
+
 static XML_Parser
 parserCreate(const XML_Char *encodingName,
  const XML_Memory_Handling_Suite *memsuite,
  const XML_Char *nameSep,
  DTD *dtd);
+
 static void
 parserInit(XML_Parser parser, const XML_Char *encodingName);
 
@@ -546,6 +553,7 @@ struct XML_ParserStruct {
   XML_Bool m_useForeignDTD;
   enum XML_ParamEntityParsing m_paramEntityParsing;
 #endif
+  unsigned long m_hash_secret_salt;
 };
 
 #define MALLOC(s) (parser-m_mem.malloc_fcn((s)))
@@ -653,6 +661,7 @@ struct XML_ParserStruct {
 #define useForeignDTD (parser-m_useForeignDTD)
 #define paramEntityParsing (parser-m_paramEntityParsing)
 #endif /* XML_DTD */
+#define hash_secret_salt (parser-m_hash_secret_salt)
 
 XML_Parser XMLCALL
 XML_ParserCreate(const XML_Char *encodingName)
@@ -677,22 +686,35 @@ static const XML_Char implicitContext[] 
   ASCII_s, ASCII_p, ASCII_a, ASCII_c, ASCII_e, '\0'
 };
 
+static unsigned long
+generate_hash_secret_salt(void)
+{
+  unsigned int seed = time(NULL) % UINT_MAX;
+  srand(seed);
+  return rand();
+}
+
+static XML_Bool  /* only valid for root parser */
+startParsing(XML_Parser parser)
+{
+/* hash functions must be initialized before setContext() is called */
+if (hash_secret_salt == 0)
+  hash_secret_salt = generate_hash_secret_salt();
+if (ns) {
+  /* implicit context only set for root parser, since child
+

CVS commit: [netbsd-5-0] xsrc/xfree/xc/programs/Xserver

2012-01-02 Thread Soren Jacobsen
Module Name:xsrc
Committed By:   snj
Date:   Mon Jan  2 23:54:25 UTC 2012

Modified Files:
xsrc/xfree/xc/programs/Xserver/fb [netbsd-5-0]: fbpict.c
xsrc/xfree/xc/programs/Xserver/mi [netbsd-5-0]: miarc.c misprite.c

Log Message:
Pull up following revision(s) (requested by is in ticket #1707):
xfree/xc/programs/Xserver/mi/misprite.c: revision 1.2
xfree/xc/programs/Xserver/mi/miarc.c: revision 1.2
xfree/xc/programs/Xserver/fb/fbpict.c: revision 1.5
This fix is taken from xorg-server 1.9.2.
mod(a,b) used to be defined with a - in front of naked a, such that uses
of mod with certain arithmetic expressions as a led to surprising results,
namely the one in Xrender praised in CVE-2010-1166.


To generate a diff of this commit:
cvs rdiff -u -r1.4 -r1.4.4.1 xsrc/xfree/xc/programs/Xserver/fb/fbpict.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.22.1 \
xsrc/xfree/xc/programs/Xserver/mi/miarc.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.24.1 \
xsrc/xfree/xc/programs/Xserver/mi/misprite.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/xfree/xc/programs/Xserver/fb/fbpict.c
diff -u xsrc/xfree/xc/programs/Xserver/fb/fbpict.c:1.4 xsrc/xfree/xc/programs/Xserver/fb/fbpict.c:1.4.4.1
--- xsrc/xfree/xc/programs/Xserver/fb/fbpict.c:1.4	Sat Apr 19 19:00:39 2008
+++ xsrc/xfree/xc/programs/Xserver/fb/fbpict.c	Mon Jan  2 23:54:25 2012
@@ -908,7 +908,7 @@ fbCompositeSolidMask_nx1xn (CARD8  o
 	  0x0);
 }
 
-# define mod(a,b)	((b) == 1 ? 0 : (a) = 0 ? (a) % (b) : (b) - (-a) % (b))
+# define mod(a,b)	((b) == 1 ? 0 : (a) = 0 ? (a) % (b) : (b) - (-(a)) % (b))
 
 void
 fbComposite (CARD8  op,
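Review bot: The negative arm of mod, `(b) - (-(a)) % (b)`, still returns `b` rather than 0 when `a` is a negative multiple of `b` (a = -4, b = 4 gives 4), which is outside the 0..b-1 range a caller using the result as an offset would expect. `-(a)` also overflows for the most negative int, and both arguments are still evaluated more than once. The first two problems go away with `(b) - 1 - (-((a) + 1)) % (b)` in that arm. This reads the archive-mangled `(a) = 0` as `(a) >= 0`. The same arm is patched in miarc.c and misprite.c below, and whether any caller can pass such a value is not visible from these hunks.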

Index: xsrc/xfree/xc/programs/Xserver/mi/miarc.c
diff -u xsrc/xfree/xc/programs/Xserver/mi/miarc.c:1.1.1.5 xsrc/xfree/xc/programs/Xserver/mi/miarc.c:1.1.1.5.22.1
--- xsrc/xfree/xc/programs/Xserver/mi/miarc.c:1.1.1.5	Fri Mar  5 14:29:39 2004
+++ xsrc/xfree/xc/programs/Xserver/mi/miarc.c	Mon Jan  2 23:54:25 2012
@@ -1554,7 +1554,7 @@ miRoundCap(
 
 # define Dsin(d)	((d) == 0.0 ? 0.0 : ((d) == 90.0 ? 1.0 : sin(d*M_PI/180.0)))
 # define Dcos(d)	((d) == 0.0 ? 1.0 : ((d) == 90.0 ? 0.0 : cos(d*M_PI/180.0)))
-# define mod(a,b)	((a) = 0 ? (a) % (b) : (b) - (-a) % (b))
+# define mod(a,b)	((a) = 0 ? (a) % (b) : (b) - (-(a)) % (b))
 
 static double
 miDcos (double a)

Index: xsrc/xfree/xc/programs/Xserver/mi/misprite.c
diff -u xsrc/xfree/xc/programs/Xserver/mi/misprite.c:1.1.1.5 xsrc/xfree/xc/programs/Xserver/mi/misprite.c:1.1.1.5.24.1
--- xsrc/xfree/xc/programs/Xserver/mi/misprite.c:1.1.1.5	Fri Feb 28 13:20:27 2003
+++ xsrc/xfree/xc/programs/Xserver/mi/misprite.c	Mon Jan  2 23:54:25 2012
@@ -1978,7 +1978,7 @@ miSpriteLineHelper()
 
 #ifdef RENDER
 
-# define mod(a,b)	((b) == 1 ? 0 : (a) = 0 ? (a) % (b) : (b) - (-a) % (b))
+# define mod(a,b)	((b) == 1 ? 0 : (a) = 0 ? (a) % (b) : (b) - (-(a)) % (b))
 
 static void
 miSpritePictureOverlap (PicturePtr  pPict,



CVS commit: [netbsd-5-0] xsrc/xfree/xc/extras/freetype2/src/lzw

2011-08-22 Thread Jeff Rizzo
Module Name:xsrc
Committed By:   riz
Date:   Mon Aug 22 17:48:45 UTC 2011

Modified Files:
xsrc/xfree/xc/extras/freetype2/src/lzw [netbsd-5-0]: zopen.c

Log Message:
Pull up following revision(s) (requested by joerg in ticket #1661):
Additional pullup to fix build on some architectures
xfree/xc/extras/freetype2/src/lzw/zopen.c: revision 1.3
Don't assign errno here.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.12.1 -r1.1.1.1.12.2 \
xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c
diff -u xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c:1.1.1.1.12.1 xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c:1.1.1.1.12.2
--- xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c:1.1.1.1.12.1	Fri Aug 19 20:56:52 2011
+++ xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c	Mon Aug 22 17:48:45 2011
@@ -1,5 +1,5 @@
 /* $XFree86: xc/extras/freetype2/src/lzw/zopen.c,v 1.2 2004/12/16 22:15:48 tsi Exp $ */
-/*	$NetBSD: zopen.c,v 1.1.1.1.12.1 2011/08/19 20:56:52 riz Exp $	*/
+/*	$NetBSD: zopen.c,v 1.1.1.1.12.2 2011/08/22 17:48:45 riz Exp $	*/
 
 /*-
  * Copyright (c) 1985, 1986, 1992, 1993
@@ -47,7 +47,7 @@
 #if 0
 static char sccsid[] = @(#)zopen.c	8.1 (Berkeley) 6/27/93;
 #else
-static char rcsid[] = $NetBSD: zopen.c,v 1.1.1.1.12.1 2011/08/19 20:56:52 riz Exp $;
+static char rcsid[] = $NetBSD: zopen.c,v 1.1.1.1.12.2 2011/08/22 17:48:45 riz Exp $;
 #endif
 #endif /* LIBC_SCCS and not lint */
 
@@ -242,7 +242,6 @@
 		if (code = free_ent) {
 			if (code  free_ent || oldcode == -1) {
 /* Bad stream. */
-errno = EINVAL;
 return (-1);
 			}
 			*stackp++ = finchar;



CVS commit: [netbsd-5-0] xsrc

2011-08-19 Thread Jeff Rizzo
Module Name:xsrc
Committed By:   riz
Date:   Fri Aug 19 20:56:53 UTC 2011

Modified Files:
xsrc/external/mit/freetype/dist/src/lzw [netbsd-5-0]: ftzopen.c
xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-5-0]: decompress.c
xsrc/xfree/xc/extras/freetype2/src/lzw [netbsd-5-0]: zopen.c
xsrc/xfree/xc/lib/font/fontfile [netbsd-5-0]: decompress.c

Log Message:
Pull up following revision(s) (requested by joerg in ticket #1661):
xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c: revision 1.2
xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c: revision 1.3
src/usr.bin/gzip/zuncompress.c: revision 1.9-1.11
src/usr.bin/compress/zopen.c: revision 1.14-1.15
xsrc/xfree/xc/lib/font/fontfile/decompress.c: revision 1.2
xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c: revision 1.2
xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c: revision 1.4
P
Fix CVE-2011-2895, buffer overflow in decompress
provisional fix for CVE-2011-2895, buffer overflow when uncompressing
provisional fix for CVE-2011-2895, buffer overflow in decompression
set errno on overflow return.
Do proper input validation without penalizing performance.
Do proper input validation. Allow decompressing all input streams.
Increase robustness of LZW decoding to avoid buffer overflow on
arbitrary manipulated input streams in combination with uninitialised
memory.
Increase strictness of LZW parser.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1.4.1 -r1.1.1.1.4.2 \
xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 \
xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.12.1 \
xsrc/xfree/xc/extras/freetype2/src/lzw/zopen.c
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.24.1 \
xsrc/xfree/xc/lib/font/fontfile/decompress.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c
diff -u xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c:1.1.1.1.4.1 xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c:1.1.1.1.4.2
--- xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c:1.1.1.1.4.1	Thu Jul  2 05:05:58 2009
+++ xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c	Fri Aug 19 20:56:53 2011
@@ -266,7 +266,7 @@
 state-block_mode = max_bits  LZW_BLOCK_MASK;
 state-max_free   = (FT_UInt)( ( 1UL  state-max_bits ) - 256 );
 
-if ( state-max_bits  LZW_MAX_BITS )
+if ( state-max_bits  LZW_MAX_BITS || state-max_bits  12)
   goto Eof;
 
 state-num_bits = LZW_INIT_BITS;
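Review bot: The lower bound added to the max_bits check is a bare `12` beside the named LZW_MAX_BITS, and nothing in the hunk says why narrower code widths are refused. The comparison operators were lost in this archive copy; I read the new clause as `state->max_bits < 12`. A named constant with a one-line comment, for example `#define LZW_MIN_BITS 12 /* smallest maximum code width this decoder accepts */`, would make the limit reviewable, and the comment should say whether streams written with a smaller maximum width are meant to be rejected. The enclosing function starts and ends outside the hunk.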
@@ -277,19 +277,7 @@
 state-free_bits = state-num_bits  state-max_bits
? (FT_UInt)( ( 1UL  state-num_bits ) - 256 )
: state-max_free + 1;
-
-c = ft_lzwstate_get_code( state );
-if ( c  0 )
-  goto Eof;
-
-old_code = old_char = (FT_UInt)c;
-
-if ( buffer )
-  buffer[result] = (FT_Byte)old_char;
-
-if ( ++result = out_size )
-  goto Exit;
-
+old_code = -1;
 state-phase = FT_LZW_PHASE_CODE;
   }
   /* fall-through */
@@ -309,14 +297,10 @@
 
 if ( code == LZW_CLEAR  state-block_mode )
 {
-  /* why not LZW_FIRST-256 ? */
-  state-free_ent  = ( LZW_FIRST - 1 ) - 256;
+  state-free_ent  = LZW_FIRST - 256;
   state-buf_clear = 1;
-  c = ft_lzwstate_get_code( state );
-  if ( c  0 )
-goto Eof;
-
-  code = (FT_UInt)c;
+  old_code = -1;
+  goto NextCode;
 }
 
 in_code = code; /* save code for later */
@@ -326,6 +310,8 @@
   /* special case for KwKwKwK */
   if ( code - 256U = state-free_ent )
   {
+if ( code - 256U  state-free_ent )
+  goto Eof; /* Broken stream */
 FTLZW_STACK_PUSH( old_char );
 code = old_code;
   }
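Review bot: The added "Broken stream" test in the KwKwKwK branch does not cover `old_code == -1`, the sentinel this same commit introduces at start-up and after LZW_CLEAR. If no previous code exists and the incoming code equals the next free entry, the branch falls through to `code = old_code`, so the sentinel would be used as a table index by the prefix/suffix walk that follows outside this hunk, and FTLZW_STACK_PUSH( old_char ) would push a value that has not been set yet. The zopen.c hunk shown elsewhere on this page guards the equivalent branch with `|| oldcode == -1`; I would mirror it here as `if ( code - 256U > state->free_ent || old_code == -1 )`. This assumes the archive-stripped operators in the two tests are `>=` and `>`.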
@@ -361,7 +347,7 @@
 }
 
 /* now create new entry */
-if ( state-free_ent  state-max_free )
+if ( state-free_ent  state-max_free  old_code != -1)
 {
   if ( state-free_ent = state-prefix_size 
ft_lzwstate_prefix_grow( state )  0  )

Index: xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c
diff -u xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c:1.1.1.1 xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c:1.1.1.1.4.1
--- xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c:1.1.1.1	Wed Jul 30 02:48:46 2008
+++ xsrc/external/mit/libXfont/dist/src/fontfile/decompress.c	Fri Aug 19 20:56:52 2011
@@ -99,7 +99,7 @@
 #define FIRST	257	/* first free entry */
 #define	CLEAR	256	/* table clear output code */
 
-#define STACK_SIZE  8192
+#define STACK_SIZE  65300
 
 typedef struct _compressedFILE {
 BufFilePtr	file;
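Review bot: STACK_SIZE goes from 8192 to the unexplained literal `65300`, with no comment tying it to the longest chain the decoder can push. If the intent is one slot per possible table entry, the value should be derived from the code-width constant or at least documented, for example `#define STACK_SIZE 65300 /* must cover the largest possible code chain */`, so a reader can check the bound. The remaining hunks of this file are cut off in this archive copy, so whether the push sites also test against STACK_SIZE cannot be confirmed from here.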
@@ 

CVS commit: [netbsd-5-0] xsrc/external/mit/expat/dist/lib

2010-01-27 Thread Manuel Bouyer
Module Name:xsrc
Committed By:   bouyer
Date:   Wed Jan 27 20:42:42 UTC 2010

Modified Files:
xsrc/external/mit/expat/dist/lib [netbsd-5-0]: xmlparse.c

Log Message:
Pull up following revision(s) (requested by tron in ticket #1283):
xsrc/external/mit/expat/dist/lib/xmlparse.c: revision 1.2
Add patch from upstream CVS to fix CVE-2009-3560 (possible DOS due to
crash on bad input).


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 \
xsrc/external/mit/expat/dist/lib/xmlparse.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/expat/dist/lib/xmlparse.c
diff -u xsrc/external/mit/expat/dist/lib/xmlparse.c:1.1.1.1 xsrc/external/mit/expat/dist/lib/xmlparse.c:1.1.1.1.4.1
--- xsrc/external/mit/expat/dist/lib/xmlparse.c:1.1.1.1	Tue Jul 29 05:35:07 2008
+++ xsrc/external/mit/expat/dist/lib/xmlparse.c	Wed Jan 27 20:42:42 2010
@@ -3703,6 +3703,9 @@
 return XML_ERROR_UNCLOSED_TOKEN;
   case XML_TOK_PARTIAL_CHAR:
 return XML_ERROR_PARTIAL_CHAR;
+  case -XML_TOK_PROLOG_S:
+	tok = -tok;
+	break;
   case XML_TOK_NONE:
 #ifdef XML_DTD
 /* for internal PE NOT referenced between declarations */
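Review bot: The new `case -XML_TOK_PROLOG_S:` arm carries no comment, and negating `tok` in place is not self-explanatory next to arms that return error codes. A line such as `/* negative PROLOG_S: whitespace token reaching the end of the buffer; handle it as the plain token */` would record why this value is accepted rather than reported. The exact meaning of the negative token is my inference from the log message and should be confirmed against the tokenizer. The same three lines are applied to xsrc/xfree/xc/extras/expat/lib/xmlparse.c in the next commit on this page and need the same comment. The switch starts and ends outside this hunk.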



CVS commit: [netbsd-5-0] xsrc/xfree/xc/extras/expat/lib

2010-01-27 Thread Manuel Bouyer
Module Name:xsrc
Committed By:   bouyer
Date:   Wed Jan 27 20:44:11 UTC 2010

Modified Files:
xsrc/xfree/xc/extras/expat/lib [netbsd-5-0]: xmlparse.c

Log Message:
Pull up following revision(s) (requested by tron in ticket #1284):
xsrc/xfree/xc/extras/expat/lib/xmlparse.c: revision 1.2
Add patch from upstream CVS to fix CVE-2009-3560 (possible DOS due to
crash on bad input).


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.22.1 \
xsrc/xfree/xc/extras/expat/lib/xmlparse.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/xfree/xc/extras/expat/lib/xmlparse.c
diff -u xsrc/xfree/xc/extras/expat/lib/xmlparse.c:1.1.1.2 xsrc/xfree/xc/extras/expat/lib/xmlparse.c:1.1.1.2.22.1
--- xsrc/xfree/xc/extras/expat/lib/xmlparse.c:1.1.1.2	Fri Mar  5 14:26:08 2004
+++ xsrc/xfree/xc/extras/expat/lib/xmlparse.c	Wed Jan 27 20:44:11 2010
@@ -3253,6 +3253,9 @@
 return XML_ERROR_UNCLOSED_TOKEN;
   case XML_TOK_PARTIAL_CHAR:
 return XML_ERROR_PARTIAL_CHAR;
+  case -XML_TOK_PROLOG_S:
+	tok = -tok;
+	break;
   case XML_TOK_NONE:
 #ifdef XML_DTD
 if (enc != encoding)



CVS commit: [netbsd-5-0] xsrc

2009-09-11 Thread Manuel Bouyer
Module Name:xsrc
Committed By:   bouyer
Date:   Fri Sep 11 23:02:02 UTC 2009

Modified Files:
xsrc/external/mit/expat/dist/lib [netbsd-5-0]: xmltok_impl.c
xsrc/xfree/xc/extras/expat/lib [netbsd-5-0]: xmltok_impl.c

Log Message:
Pull up following revision(s) (requested by snj in ticket #951):
external/mit/expat/dist/lib/xmltok_impl.c: revision 1.2
xfree/xc/extras/expat/lib/xmltok_impl.c: revision 1.2
Apply revisions 1.14 and 1.15 from expat CVS to fix SA36425.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 \
xsrc/external/mit/expat/dist/lib/xmltok_impl.c
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.22.1 \
xsrc/xfree/xc/extras/expat/lib/xmltok_impl.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/expat/dist/lib/xmltok_impl.c
diff -u xsrc/external/mit/expat/dist/lib/xmltok_impl.c:1.1.1.1 xsrc/external/mit/expat/dist/lib/xmltok_impl.c:1.1.1.1.4.1
--- xsrc/external/mit/expat/dist/lib/xmltok_impl.c:1.1.1.1	Tue Jul 29 05:35:07 2008
+++ xsrc/external/mit/expat/dist/lib/xmltok_impl.c	Fri Sep 11 23:02:02 2009
@@ -1744,7 +1744,7 @@
const char *end,
POSITION *pos)
 {
-  while (ptr != end) {
+  while (ptr  end) {
 switch (BYTE_TYPE(enc, ptr)) {
 #define LEAD_CASE(n) \
 case BT_LEAD ## n: \
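Review bot: The loop condition changes from `!=` to an ordered comparison (the `<` was stripped by this archive) without a comment, and the reason it matters is not obvious at the loop head. A comment such as `/* ptr may advance by more than one byte per iteration and step past end, so test with <, not != */` would keep a later cleanup from reverting it. That the LEAD_CASE arms cause the overshoot is inferred, since their bodies lie outside the hunk. It is also worth confirming that each multi-byte arm checks the remaining length before advancing, because `<` only stops the loop after the overshoot has happened. The identical change to xsrc/xfree/xc/extras/expat/lib/xmltok_impl.c below has the same gap.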

Index: xsrc/xfree/xc/extras/expat/lib/xmltok_impl.c
diff -u xsrc/xfree/xc/extras/expat/lib/xmltok_impl.c:1.1.1.2 xsrc/xfree/xc/extras/expat/lib/xmltok_impl.c:1.1.1.2.22.1
--- xsrc/xfree/xc/extras/expat/lib/xmltok_impl.c:1.1.1.2	Fri Mar  5 14:26:09 2004
+++ xsrc/xfree/xc/extras/expat/lib/xmltok_impl.c	Fri Sep 11 23:02:02 2009
@@ -1741,7 +1741,7 @@
const char *end,
POSITION *pos)
 {
-  while (ptr != end) {
+  while (ptr  end) {
 switch (BYTE_TYPE(enc, ptr)) {
 #define LEAD_CASE(n) \
 case BT_LEAD ## n: \



CVS commit: [netbsd-5-0] xsrc/external/mit/freetype/dist/src

2009-07-01 Thread Soren Jacobsen
Module Name:xsrc
Committed By:   snj
Date:   Thu Jul  2 05:05:58 UTC 2009

Modified Files:
xsrc/external/mit/freetype/dist/src/cff [netbsd-5-0]: cffload.c
xsrc/external/mit/freetype/dist/src/lzw [netbsd-5-0]: ftzopen.c
xsrc/external/mit/freetype/dist/src/sfnt [netbsd-5-0]: ttcmap.c
xsrc/external/mit/freetype/dist/src/smooth [netbsd-5-0]: ftsmooth.c

Log Message:
Pull up following revision(s) (requested by mrg in ticket #848):
external/mit/freetype/dist/src/cff/cffload.c: revision 1.2
external/mit/freetype/dist/src/lzw/ftzopen.c: revision 1.2
external/mit/freetype/dist/src/sfnt/ttcmap.c: revision 1.2
external/mit/freetype/dist/src/smooth/ftsmooth.c: revision 1.2
apply fixes from CVE-2009-0946


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 \
xsrc/external/mit/freetype/dist/src/cff/cffload.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 \
xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 \
xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.4.1 \
xsrc/external/mit/freetype/dist/src/smooth/ftsmooth.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/freetype/dist/src/cff/cffload.c
diff -u xsrc/external/mit/freetype/dist/src/cff/cffload.c:1.1.1.1 xsrc/external/mit/freetype/dist/src/cff/cffload.c:1.1.1.1.4.1
--- xsrc/external/mit/freetype/dist/src/cff/cffload.c:1.1.1.1	Wed Jul 30 02:36:07 2008
+++ xsrc/external/mit/freetype/dist/src/cff/cffload.c	Thu Jul  2 05:05:58 2009
@@ -841,7 +841,20 @@
 goto Exit;
 
   for ( j = 1; j  num_glyphs; j++ )
-charset-sids[j] = FT_GET_USHORT();
+  {
+FT_UShort sid = FT_GET_USHORT();
+
+
+/* this constant is given in the CFF specification */
+if ( sid  65000 )
+  charset-sids[j] = sid;
+else
+{
+  FT_ERROR(( cff_charset_load:
+  invalid SID value %d set to zero\n, sid ));
+  charset-sids[j] = 0;
+}
+  }
 
   FT_FRAME_EXIT();
 }
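Review bot: The limit `65000` is a bare literal here and appears four more times in the second hunk of this file, with only "given in the CFF specification" as explanation. A single named constant, for example `#define CFF_MAX_SID 65000 /* SIDs must be below this value */`, would keep the five uses in step. The two hunks also treat the same condition differently: an out-of-range SID in this loop is logged and replaced by 0, while an out-of-range range start in the next hunk fails with CFF_Err_Invalid_File_Format. A short comment saying this is deliberate would help. The comparison operators were stripped in this archive copy, so the exact boundary (`<` versus `<=`) should be checked against the real file.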
@@ -874,6 +887,20 @@
 goto Exit;
 }
 
+/* check whether the range contains at least one valid glyph; */
+/* the constant is given in the CFF specification */
+if ( glyph_sid = 65000 ) {
+  FT_ERROR(( cff_charset_load: invalid SID range\n ));
+  error = CFF_Err_Invalid_File_Format;
+  goto Exit;
+}
+
+/* try to rescue some of the SIDs if `nleft' is too large */
+if ( nleft  65000 - 1 || glyph_sid = 65000 - nleft ) {
+  FT_ERROR(( cff_charset_load: invalid SID range trimmed\n ));
+  nleft = 65000 - 1 - glyph_sid;
+}
+
 /* Fill in the range of sids -- `nleft + 1' glyphs. */
 for ( i = 0; j  num_glyphs  i = nleft; i++, j++, glyph_sid++ )
   charset-sids[j] = glyph_sid;

Index: xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c
diff -u xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c:1.1.1.1 xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c:1.1.1.1.4.1
--- xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c:1.1.1.1	Wed Jul 30 02:36:13 2008
+++ xsrc/external/mit/freetype/dist/src/lzw/ftzopen.c	Thu Jul  2 05:05:58 2009
@@ -332,6 +332,9 @@
 
   while ( code = 256U )
   {
+if ( !state-prefix )
+  goto Eof;
+
 FTLZW_STACK_PUSH( state-suffix[code - 256] );
 code = state-prefix[code - 256];
   }

Index: xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c
diff -u xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c:1.1.1.1 xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c:1.1.1.1.4.1
--- xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c:1.1.1.1	Wed Jul 30 02:36:16 2008
+++ xsrc/external/mit/freetype/dist/src/sfnt/ttcmap.c	Thu Jul  2 05:05:58 2009
@@ -1571,7 +1571,7 @@
   FT_INVALID_TOO_SHORT;
 
 length = TT_NEXT_ULONG( p );
-if ( table + length  valid-limit || length  8208 )
+if ( length  (FT_UInt32)( valid-limit - table ) || length  8192 + 16 )
   FT_INVALID_TOO_SHORT;
 
 is32   = table + 12;
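Review bot: This hunk casts the remaining table size to `FT_UInt32`, while the two later hunks in the same file cast the same expression to `FT_ULong`. Unless `length` is declared differently in this validator (its declaration is outside the hunk), the casts should match, and on a 64-bit target the narrower cast can truncate the pointer difference. All three rewritten checks also rely on `table` never lying beyond `valid->limit`, because a negative difference converts to a very large unsigned value and the length test then passes. A one-line comment stating that invariant, `/* table <= valid->limit is guaranteed by the caller */`, would make the assumption visible if it does hold.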
@@ -1799,7 +1799,8 @@
 p  = table + 16;
 count  = TT_NEXT_ULONG( p );
 
-if ( table + length  valid-limit || length  20 + count * 2 )
+if ( length  (FT_ULong)( valid-limit - table ) ||
+ length  20 + count * 2 )
   FT_INVALID_TOO_SHORT;
 
 /* check glyph indices */
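Review bot: The second clause, `length < 20 + count * 2` (operator stripped in this archive), still multiplies a count read from the font before comparing. A large `count` can wrap the right-hand side and let the check pass on targets where FT_ULong is 32 bits wide. Dividing instead of multiplying avoids that: `length < 20 || ( length - 20 ) / 2 < count`. The next hunk's `16 + 12 * num_groups` has the same shape and would become `length < 16 || ( length - 16 ) / 12 < num_groups`. The enclosing validator starts and ends outside the hunk.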
@@ -1984,7 +1985,8 @@
 p  = table + 12;
 num_groups = TT_NEXT_ULONG( p );
 
-if ( table + length  valid-limit || length  16 + 12 * num_groups )
+if ( length  (FT_ULong)( valid-limit - table ) ||
+ length  16 + 12 * num_groups   )