Author: dparsons Date: 2006-09-13 03:52:44 -0400 (Wed, 13 Sep 2006) New Revision: 3205
Removed: trunk/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch trunk/lib/libxfont/debian/patches/10_pcf_font.patch Modified: trunk/lib/libxfont/debian/changelog trunk/lib/libxfont/debian/patches/series Log: * New upstream version. - closes security bug in CID encoded fonts (iDefense CVE-ID 2006-3739, 2006-3740) - applies patches 10_freetype_buffer_overflow.patch, 10_pcf_font.patch
Modified: trunk/lib/libxfont/debian/changelog
===================================================================
--- trunk/lib/libxfont/debian/changelog 2006-09-13 07:40:37 UTC (rev 3204)
+++ trunk/lib/libxfont/debian/changelog 2006-09-13 07:52:44 UTC (rev 3205)
@@ -1,9 +1,12 @@
-libxfont (1:1.2.0-3) unstable; urgency=low
+libxfont (1:1.2.2-1) unstable; urgency=high
- [ Drew Parsons ]
+ * New upstream version.
+ - closes security bug in CID encoded fonts (iDefense CVE-ID
+ 2006-3739, 2006-3740)
+ - applies patches 10_freetype_buffer_overflow.patch, 10_pcf_font.patch
 * dbg package has priority extra.
- -- David Nusinow <[EMAIL PROTECTED]> Wed, 30 Aug 2006 18:54:09 -0400
+ -- Drew Parsons <[EMAIL PROTECTED]> Wed, 13 Sep 2006 17:50:06 +1000
 libxfont (1:1.2.0-2) unstable; urgency=high
Deleted: trunk/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch
===================================================================
--- trunk/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch 2006-09-13 07:40:37 UTC (rev 3204)
+++ trunk/lib/libxfont/debian/patches/10_freetype_buffer_overflow.patch 2006-09-13 07:52:44 UTC (rev 3205)
@@ -1,32 +0,0 @@
-From: Matthieu Herrb <[EMAIL PROTECTED]>
-Date: Thu, 13 Jul 2006 14:18:38 +0000 (-0400)
-Subject: Bug #7397: Fix a buffer overflow in Freetype font support.
-X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/lib/libXfont.git;a=commitdiff;h=1bf657186d19887a0916340b544b5534e29da081
-
-Bug #7397: Fix a buffer overflow in Freetype font support.
----
-
---- a/src/FreeType/fttools.c
-+++ b/src/FreeType/fttools.c
-@@ -77,7 +77,7 @@ FTu2a(int slen, FT_Byte *from, char *to,
-
- n = 0;
- for (i = 0; i < slen; i += 2) {
-- if(n >= max)
-+ if(n >= max - 1)
- break;
- if(HIBYTE(from+i, byte)!=0)
- *to++='?';
-@@ -143,9 +143,10 @@ FTGetEnglishName(FT_Face face, int nid,
- /* Pretend that Apple Roman is ISO 8859-1. */
- if(FTGetName(face, nid, TT_PLATFORM_MACINTOSH, TT_MAC_ID_ROMAN, &name)) {
- len = name.string_len;
-- if(len > name_len)
-- len = name_len;
-+ if(len > name_len - 1)
-+ len = name_len - 1;
- memcpy(name_return, name.string, len);
-+ name_return[len] = '\0'; /* ensure nul terminaison */
- return len;
- }
-
Deleted: trunk/lib/libxfont/debian/patches/10_pcf_font.patch
===================================================================
--- trunk/lib/libxfont/debian/patches/10_pcf_font.patch 2006-09-13 07:40:37 UTC (rev 3204)
+++ trunk/lib/libxfont/debian/patches/10_pcf_font.patch 2006-09-13 07:52:44 UTC (rev 3205)
@@ -1,109 +0,0 @@
-From: Matthieu Herrb <[EMAIL PROTECTED]>
-Date: Sun, 23 Jul 2006 20:42:43 +0000 (+0200)
-Subject: More check on PCF file reading. Bugzilla #7535
-X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/lib/libXfont.git;a=commitdiff;h=8d171fe61e564d8ed8f75034d4191062cecf190b
-
-More check on PCF file reading. Bugzilla #7535
----
-
---- a/src/bitmap/pcfread.c
-+++ b/src/bitmap/pcfread.c
-@@ -45,6 +45,7 @@ from The Open Group.
- #endif
-
- #include <stdarg.h>
-+#include <stdint.h>
-
- void
- pcfError(const char* message, ...)
-@@ -133,6 +134,10 @@ pcfReadTOC(FontFilePtr file, int *countp
- return (PCFTablePtr) NULL;
- count = pcfGetLSB32(file);
- if (IS_EOF(file)) return (PCFTablePtr) NULL;
-+ if (count < 0 || count > INT32_MAX / sizeof(PCFTableRec)) {
-+ pcfError("pcfReadTOC(): invalid file format\n");
-+ return NULL;
-+ }
- tables = (PCFTablePtr) xalloc(count * sizeof(PCFTableRec));
- if (!tables) {
- pcfError("pcfReadTOC(): Couldn't allocate tables (%d*%d)\n", count, sizeof(PCFTableRec));
-@@ -252,6 +257,10 @@ pcfGetProperties(FontInfoPtr pFontInfo,
- if (!PCF_FORMAT_MATCH(format, PCF_DEFAULT_FORMAT))
- goto Bail;
- nprops = pcfGetINT32(file, format);
-+ if (nprops <= 0 || nprops > INT32_MAX / sizeof(FontPropRec)) {
-+ pcfError("pcfGetProperties(): invalid nprops value (%d)\n", nprops);
-+ goto Bail;
-+ }
- if (IS_EOF(file)) goto Bail;
- props = (FontPropPtr) xalloc(nprops * sizeof(FontPropRec));
- if (!props) {
-@@ -267,6 +276,13 @@ pcfGetProperties(FontInfoPtr pFontInfo,
- props[i].name = pcfGetINT32(file, format);
- isStringProp[i] = pcfGetINT8(file, format);
- props[i].value = pcfGetINT32(file, format);
-+ if (props[i].name < 0
-+ || (isStringProp[i] != 0 && isStringProp[i] != 1)
-+ || (isStringProp[i] && props[i].value < 0)) {
-+ pcfError("pcfGetProperties(): invalid file format %d %d %d\n",
-+ props[i].name, isStringProp[i], props[i].value);
-+ goto Bail;
-+ }
- if (IS_EOF(file)) goto Bail;
- }
- /* pad the property array */
-@@ -282,6 +298,7 @@ pcfGetProperties(FontInfoPtr pFontInfo,
- }
- if (IS_EOF(file)) goto Bail;
- string_size = pcfGetINT32(file, format);
-+ if (string_size < 0) goto Bail;
- if (IS_EOF(file)) goto Bail;
- strings = (char *) xalloc(string_size);
- if (!strings) {
-@@ -422,6 +439,10 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
- else
- nmetrics = pcfGetINT16(file, format);
- if (IS_EOF(file)) goto Bail;
-+ if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
-+ pcfError("pcfReadFont(): invalid file format\n");
-+ goto Bail;
-+ }
- metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
- if (!metrics) {
- pcfError("pcfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec));
-@@ -447,7 +468,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
- nbitmaps = pcfGetINT32(file, format);
- if (nbitmaps != nmetrics || IS_EOF(file))
- goto Bail;
--
-+ /* nmetrics is alreadt ok, so nbitmap also is */
- offsets = (CARD32 *) xalloc(nbitmaps * sizeof(CARD32));
- if (!offsets) {
- pcfError("pcfReadFont(): Couldn't allocate offsets (%d*%d)\n", nbitmaps, sizeof(CARD32));
-@@ -461,6 +482,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
- for (i = 0; i < GLYPHPADOPTIONS; i++) {
- bitmapSizes[i] = pcfGetINT32(file, format);
- if (IS_EOF(file)) goto Bail;
-+ if (bitmapSizes[i] < 0) goto Bail;
- }
-
- sizebitmaps = bitmapSizes[PCF_GLYPH_PAD_INDEX(format)];
-@@ -536,6 +558,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
- if (IS_EOF(file)) goto Bail;
- if (nink_metrics != nmetrics)
- goto Bail;
-+ /* nmetrics already checked */
- ink_metrics = (xCharInfo *) xalloc(nink_metrics * sizeof(xCharInfo));
- if (!ink_metrics) {
- pcfError("pcfReadFont(): Couldn't allocate ink_metrics (%d*%d)\n", nink_metrics, sizeof(xCharInfo));
-@@ -809,6 +832,10 @@ pmfReadFont(FontPtr pFont, FontFilePtr f
- else
- nmetrics = pcfGetINT16(file, format);
- if (IS_EOF(file)) goto Bail;
-+ if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
-+ pcfError("pmfReadFont(): invalid file format\n");
-+ goto Bail;
-+ }
- metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
- if (!metrics) {
- pcfError("pmfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec));
Modified: trunk/lib/libxfont/debian/patches/series
===================================================================
--- trunk/lib/libxfont/debian/patches/series 2006-09-13 07:40:37 UTC (rev 3204)
+++ trunk/lib/libxfont/debian/patches/series 2006-09-13 07:52:44 UTC (rev 3205)
@@ -1,2 +0,0 @@
-10_freetype_buffer_overflow.patch
-10_pcf_font.patch

-- To UNSUBSCRIBE, email to [EMAIL PROTECTED] with a subject of "unsubscribe". Trouble? Contact [EMAIL PROTECTED]