CVS commit: xsrc/xfree/xc/lib/font/bitmap
Module Name:xsrc Committed By: mrg Date: Tue Mar 17 18:13:24 UTC 2015 Modified Files: xsrc/xfree/xc/lib/font/bitmap: bdfread.c Log Message: pull across bfdread.c fixes from libXfont 1.5.1, which fixes: CVE-2015-1802: bdfReadProperties: property count needs range check The bdf parser reads a count for the number of properties defined in a font from the font file, and allocates arrays with entries for each property based on that count. It never checked to see if that count was negative, or large enough to overflow when multiplied by the size of the structures being allocated, and could thus allocate the wrong buffer size, leading to out of bounds writes. - CVE-2015-1803: bdfReadCharacters: bailout if a char's bitmap cannot be read If the bdf parser failed to parse the data for the bitmap for any character, it would proceed with an invalid pointer to the bitmap data and later crash when trying to read the bitmap from that pointer. - CVE-2015-1804: bdfReadCharacters: ensure metrics fit into xCharInfo struct The bdf parser read metrics values as 32-bit integers, but stored them into 16-bit integers. Overflows could occur in various operations leading to out-of-bounds memory access. To generate a diff of this commit: cvs rdiff -u -r1.4 -r1.5 xsrc/xfree/xc/lib/font/bitmap/bdfread.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/xfree/xc/lib/font/bitmap/bdfread.c diff -u xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.4 xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.5 --- xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.4 Tue Jan 7 07:43:47 2014 +++ xsrc/xfree/xc/lib/font/bitmap/bdfread.c Tue Mar 17 18:13:24 2015 @@ -63,8 +63,16 @@ from The Open Group. #if HAVE_STDINT_H #include -#elif !defined(INT32_MAX) -#define INT32_MAX 0x7fff +#else +# ifndef INT32_MAX +# define INT32_MAX 0x7fff +# endif +# ifndef INT16_MAX +# define INT16_MAX 0x7fff +# endif +# ifndef INT16_MIN +# define INT16_MIN (0 - 0x8000) +# endif #endif #define INDICES 256 @@ -420,6 +428,12 @@ bdfReadCharacters(FontFilePtr file, Font bdfError("DWIDTH y value must be zero\n"); goto BAILOUT; } + /* xCharInfo metrics are stored as INT16 */ + if ((wx < 0) || (wx > INT16_MAX)) { + bdfError("character '%s' has out of range width, %d\n", + charName, wx); + goto BAILOUT; + } line = bdfGetLine(file, lineBuf, BDFLINELEN); if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) { bdfError("bad 'BBX'\n"); @@ -430,6 +444,14 @@ bdfReadCharacters(FontFilePtr file, Font charName, bw, bh); goto BAILOUT; } + /* xCharInfo metrics are read as int, but stored as INT16 */ + if ((bl > INT16_MAX) || (bl < INT16_MIN) || + (bb > INT16_MAX) || (bb < INT16_MIN) || + (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) { + bdfError("character '%s' has out of range metrics, %d %d %d %d\n", + charName, bl, (bl+bw), (bh+bb), -bb); + goto BAILOUT; + } line = bdfGetLine(file, lineBuf, BDFLINELEN); if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) { for (p = line + strlen("ATTRIBUTES "); @@ -461,7 +483,10 @@ bdfReadCharacters(FontFilePtr file, Font ci->metrics.descent = -bb; ci->metrics.characterWidth = wx; ci->bits = NULL; - bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes); + if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) { + bdfError("could not read bitmap for character '%s'\n", charName); + goto BAILOUT; + } ci++; ndx++; } else @@ -609,7 +634,9 @@ bdfReadProperties(FontFilePtr file, Font bdfError("missing 'STARTPROPERTIES'\n"); return (FALSE); } -if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) { +if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) || + (nProps <= 0) || + (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) { bdfError("bad 'STARTPROPERTIES'\n"); return (FALSE); }
CVS commit: xsrc/xfree/xc/lib/font/bitmap
Module Name:xsrc Committed By: wiz Date: Tue Jan 7 07:43:47 UTC 2014 Modified Files: xsrc/xfree/xc/lib/font/bitmap: bdfread.c Log Message: Additional hardening after CVE-2013-6462: >From f8b21df399fbedd08da88752181b8a290a38d890 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Mon, 23 Dec 2013 19:01:11 -0800 Subject: [PATCH:libXfont 2/2] Limit additional sscanf strings to fit buffer sizes None of these could currently result in buffer overflow, as the input and output buffers were the same size, but adding limits helps ensure we keep it that way, if we ever resize any of these in the future. Fixes cppcheck warnings: [lib/libXfont/src/bitmap/bdfread.c:547]: (warning) scanf without field width limits can crash with huge input data. [lib/libXfont/src/bitmap/bdfread.c:553]: (warning) scanf without field width limits can crash with huge input data. [lib/libXfont/src/bitmap/bdfread.c:636]: (warning) scanf without field width limits can crash with huge input data. Signed-off-by: Alan Coopersmith Reviewed-by: Matthieu Herrb Reviewed-by: Jeremy Huddleston Sequoia --- src/bitmap/bdfread.c | 14 +++--- 1 file changed, 11 insertions(+), 3 deletions(-) To generate a diff of this commit: cvs rdiff -u -r1.3 -r1.4 xsrc/xfree/xc/lib/font/bitmap/bdfread.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/xfree/xc/lib/font/bitmap/bdfread.c diff -u xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.3 xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.4 --- xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.3 Tue Jan 7 07:43:16 2014 +++ xsrc/xfree/xc/lib/font/bitmap/bdfread.c Tue Jan 7 07:43:47 2014 @@ -70,6 +70,7 @@ from The Open Group. #define INDICES 256 #define MAXENCODING 0x #define BDFLINELEN 1024 +#define BDFLINESTR "%1023s" /* scanf specifier to read a BDFLINELEN string */ static Bool bdfPadToTerminal(FontPtr pFont); extern int bdfFileLineNum; @@ -549,13 +550,18 @@ bdfReadHeader(FontFilePtr file, bdfFileS unsigned charlineBuf[BDFLINELEN]; line = bdfGetLine(file, lineBuf, BDFLINELEN); -if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 || +if (!line || +sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 || !bdfStrEqual(namebuf, "2.1")) { bdfError("bad 'STARTFONT'\n"); return (FALSE); } line = bdfGetLine(file, lineBuf, BDFLINELEN); -if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) { +#if MAXFONTNAMELEN != 1024 +# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1" +#endif +if (!line || +sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) { bdfError("bad 'FONT'\n"); return (FALSE); } @@ -639,7 +645,9 @@ bdfReadProperties(FontFilePtr file, Font while (*line && isspace(*line)) line++; - switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) { + switch (sscanf((char *) line, + BDFLINESTR BDFLINESTR BDFLINESTR, + namebuf, secondbuf, thirdbuf)) { default: bdfError("missing '%s' parameter value\n", namebuf); goto BAILOUT;
CVS commit: xsrc/xfree/xc/lib/font/bitmap
Module Name:xsrc Committed By: wiz Date: Tue Jan 7 07:43:16 UTC 2014 Modified Files: xsrc/xfree/xc/lib/font/bitmap: bdfread.c Log Message: CVE-2013-6462: >From aeabb3efa6905e11c479e2e5319f2b6b3ab22009 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Mon, 23 Dec 2013 18:34:02 -0800 Subject: [PATCH:libXfont 1/2] CVE-2013-: unlimited sscanf can overflow stack buffer in bdfReadCharacters() Fixes cppcheck warning: [lib/libXfont/src/bitmap/bdfread.c:341]: (warning) scanf without field width limits can crash with huge input data. Signed-off-by: Alan Coopersmith Reviewed-by: Matthieu Herrb Reviewed-by: Jeremy Huddleston Sequoia --- src/bitmap/bdfread.c |2 +- 1 file changed, 1 insertion(+), 1 deletion(-) To generate a diff of this commit: cvs rdiff -u -r1.2 -r1.3 xsrc/xfree/xc/lib/font/bitmap/bdfread.c Please note that diffs are not public domain; they are subject to the copyright notices on the relevant files. Modified files: Index: xsrc/xfree/xc/lib/font/bitmap/bdfread.c diff -u xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2 xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.3 --- xsrc/xfree/xc/lib/font/bitmap/bdfread.c:1.2 Tue Apr 3 20:10:34 2007 +++ xsrc/xfree/xc/lib/font/bitmap/bdfread.c Tue Jan 7 07:43:16 2014 @@ -340,7 +340,7 @@ bdfReadCharacters(FontFilePtr file, Font charcharName[100]; int ignore; - if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) { + if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) { bdfError("bad character name in BDF file\n"); goto BAILOUT; /* bottom of function, free and return error */ }