Module Name:    xsrc
Committed By:   snj
Date:           Sat Dec  2 10:52:31 UTC 2017

Modified Files:
        xsrc/external/mit/libXcursor/dist/src [netbsd-7-0]: file.c library.c
        xsrc/external/mit/libXfont/dist/src/bitmap [netbsd-7-0]: pcfread.c
        xsrc/external/mit/libXfont/dist/src/fontfile [netbsd-7-0]: dirfile.c
            fileio.c fontdir.c
        xsrc/xfree/xc/lib/Xcursor [netbsd-7-0]: file.c library.c
        xsrc/xfree/xc/lib/font/bitmap [netbsd-7-0]: pcfread.c
        xsrc/xfree/xc/lib/font/fontfile [netbsd-7-0]: dirfile.c fileio.c
            fontdir.c

Log Message:
Apply patch, requested by mrg in ticket #1535:
Pull up fixes to libXfont and libXcursor for CVEs 2017-13722, 2017-13720,
2017-16611, and 2017-16612.


To generate a diff of this commit:
cvs rdiff -u -r1.1.1.4 -r1.1.1.4.6.1 \
    xsrc/external/mit/libXcursor/dist/src/file.c
cvs rdiff -u -r1.1.1.3 -r1.1.1.3.6.1 \
    xsrc/external/mit/libXcursor/dist/src/library.c
cvs rdiff -u -r1.3 -r1.3.6.1 \
    xsrc/external/mit/libXfont/dist/src/bitmap/pcfread.c
cvs rdiff -u -r1.3.2.1 -r1.3.2.1.2.1 \
    xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c
cvs rdiff -u -r1.1.1.3.4.1 -r1.1.1.3.4.1.2.1 \
    xsrc/external/mit/libXfont/dist/src/fontfile/fileio.c
cvs rdiff -u -r1.1.1.6 -r1.1.1.6.4.1 \
    xsrc/external/mit/libXfont/dist/src/fontfile/fontdir.c
cvs rdiff -u -r1.1.1.1 -r1.1.1.1.40.1 xsrc/xfree/xc/lib/Xcursor/file.c
cvs rdiff -u -r1.1.1.2 -r1.1.1.2.38.1 xsrc/xfree/xc/lib/Xcursor/library.c
cvs rdiff -u -r1.3 -r1.3.20.1 xsrc/xfree/xc/lib/font/bitmap/pcfread.c
cvs rdiff -u -r1.5 -r1.5.4.1 xsrc/xfree/xc/lib/font/fontfile/dirfile.c
cvs rdiff -u -r1.1.1.5 -r1.1.1.5.40.1 \
    xsrc/xfree/xc/lib/font/fontfile/fileio.c
cvs rdiff -u -r1.2 -r1.2.20.1 xsrc/xfree/xc/lib/font/fontfile/fontdir.c

Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.

Modified files:

Index: xsrc/external/mit/libXcursor/dist/src/file.c
diff -u xsrc/external/mit/libXcursor/dist/src/file.c:1.1.1.4 xsrc/external/mit/libXcursor/dist/src/file.c:1.1.1.4.6.1
--- xsrc/external/mit/libXcursor/dist/src/file.c:1.1.1.4	Thu May 30 20:23:56 2013
+++ xsrc/external/mit/libXcursor/dist/src/file.c	Sat Dec  2 10:52:31 2017
@@ -29,6 +29,11 @@ XcursorImageCreate (int width, int heigh
 {
     XcursorImage    *image;
 
+    if (width < 0 || height < 0)
+       return NULL;
+    if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
+       return NULL;
+
     image = malloc (sizeof (XcursorImage) +
 		    width * height * sizeof (XcursorPixel));
     if (!image)
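Review bot: The allocation size on the context lines below the new guards is still written as `width * height * sizeof (XcursorPixel)`, so `width * height` is evaluated in `int` before the conversion to `size_t`. The guards are therefore sufficient only if XCURSOR_IMAGE_MAX_SIZE squared fits in an `int`, and the constant's value is not visible in this diff. Writing the product as `(size_t) width * height * sizeof (XcursorPixel)` would remove that dependency. The same applies to the XcursorImageCreate hunk in xfree/xc/lib/Xcursor/file.c; the function body continues outside the hunk.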
@@ -102,7 +107,7 @@ XcursorCommentCreate (XcursorUInt commen
 {
     XcursorComment  *comment;
 
-    if (length > XCURSOR_COMMENT_MAX_LEN)
+    if (length < 0 || length > XCURSOR_COMMENT_MAX_LEN)
 	return NULL;
 
     comment = malloc (sizeof (XcursorComment) + length + 1);
@@ -449,7 +454,8 @@ _XcursorReadImage (XcursorFile		*file,
     if (!_XcursorReadUInt (file, &head.delay))
 	return NULL;
     /* sanity check data */
-    if (head.width >= 0x10000 || head.height > 0x10000)
+    if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
+	head.height > XCURSOR_IMAGE_MAX_SIZE)
 	return NULL;
     if (head.width == 0 || head.height == 0)
 	return NULL;
@@ -458,6 +464,8 @@ _XcursorReadImage (XcursorFile		*file,
 
     /* Create the image and initialize it */
     image = XcursorImageCreate (head.width, head.height);
+    if (image == NULL)
+	return NULL;
     if (chunkHeader.version < image->version)
 	image->version = chunkHeader.version;
     image->size = chunkHeader.subtype;

Index: xsrc/external/mit/libXcursor/dist/src/library.c
diff -u xsrc/external/mit/libXcursor/dist/src/library.c:1.1.1.3 xsrc/external/mit/libXcursor/dist/src/library.c:1.1.1.3.6.1
--- xsrc/external/mit/libXcursor/dist/src/library.c:1.1.1.3	Thu May 30 20:23:56 2013
+++ xsrc/external/mit/libXcursor/dist/src/library.c	Sat Dec  2 10:52:31 2017
@@ -180,7 +180,7 @@ _XcursorThemeInherits (const char *full)
 		if (*l != '=') continue;
 		l++;
 		while (*l == ' ') l++;
-		result = malloc (strlen (l));
+		result = malloc (strlen (l) + 1);
 		if (result)
 		{
 		    r = result;

Index: xsrc/external/mit/libXfont/dist/src/bitmap/pcfread.c
diff -u xsrc/external/mit/libXfont/dist/src/bitmap/pcfread.c:1.3 xsrc/external/mit/libXfont/dist/src/bitmap/pcfread.c:1.3.6.1
--- xsrc/external/mit/libXfont/dist/src/bitmap/pcfread.c:1.3	Fri May 31 01:18:45 2013
+++ xsrc/external/mit/libXfont/dist/src/bitmap/pcfread.c	Sat Dec  2 10:52:31 2017
@@ -44,6 +44,7 @@ from The Open Group.
 
 #include <stdarg.h>
 #include <stdint.h>
+#include <string.h>
 
 void
 pcfError(const char* message, ...)
@@ -310,11 +311,19 @@ pcfGetProperties(FontInfoPtr pFontInfo, 
     if (IS_EOF(file)) goto Bail;
     position += string_size;
     for (i = 0; i < nprops; i++) {
+	if (props[i].name >= string_size) {
+	    pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].name, string_size);
+	    goto Bail;
+	}
 	props[i].name = MakeAtom(strings + props[i].name,
-				 strlen(strings + props[i].name), TRUE);
+				 strnlen(strings + props[i].name, string_size - props[i].name), TRUE);
 	if (isStringProp[i]) {
+	    if (props[i].value >= string_size) {
+		pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].value, string_size);
+		goto Bail;
+	    }
 	    props[i].value = MakeAtom(strings + props[i].value,
-				      strlen(strings + props[i].value), TRUE);
+				      strnlen(strings + props[i].value, string_size - props[i].value), TRUE);
 	}
     }
     free(strings);
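Review bot: The new `props[i].name >= string_size` and `props[i].value >= string_size` tests check only the upper bound, and the `%ld` format suggests these fields are signed, so a negative offset would pass the test and still be added to `strings`. Whether negative values are rejected earlier in pcfGetProperties is not visible in this hunk. If they are not, the guards should read `if (props[i].name < 0 || props[i].name >= string_size)`, and likewise for `.value`. The same applies to the matching hunk in xfree/xc/lib/font/bitmap/pcfread.c; the function starts and ends outside the hunk.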

Index: xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c
diff -u xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c:1.3.2.1 xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c:1.3.2.1.2.1
--- xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c:1.3.2.1	Wed Mar 11 07:19:48 2015
+++ xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c	Sat Dec  2 10:52:31 2017
@@ -41,6 +41,7 @@ in this Software without prior written a
 #include <stdio.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <fcntl.h>
 #include <errno.h>
 #include <limits.h>
 
@@ -60,8 +61,9 @@ FontFileReadDirectory (const char *direc
     char        dir_file[MAXFONTFILENAMELEN];
     char	dir_path[MAXFONTFILENAMELEN];
     char	*ptr;
-    FILE       *file;
-    int         count,
+    FILE       *file = 0;
+    int         file_fd,
+                count,
                 num_fonts,
                 status;
     struct stat	statb;
@@ -91,7 +93,14 @@ FontFileReadDirectory (const char *direc
     if (dir_file[strlen(dir_file) - 1] != '/')
 	strcat(dir_file, "/");
     strcat(dir_file, FontDirFile);
+#ifndef WIN32
+    file_fd = open(dir_file, O_RDONLY | O_NOFOLLOW);
+    if (file_fd >= 0) {
+	file = fdopen(file_fd, "rt");
+    }
+#else
     file = fopen(dir_file, "rt");
+#endif
     if (file) {
 #ifndef WIN32
 	if (fstat (fileno(file), &statb) == -1)
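Review bot: If `fdopen()` fails after `open()` succeeded, `file_fd` is never closed and the descriptor leaks; the new block should close it on that path, e.g. `file = fdopen(file_fd, "rt");` followed by `if (!file) close(file_fd);`. The same pattern is added to ReadFontAlias in this file and to both functions in xfree/xc/lib/font/fontfile/dirfile.c; ReadFontAlias inspects `errno` right after the open, so errno should be saved around the `close()` there. O_NOFOLLOW also only refuses a symlink in the last path component, so a symlinked parent directory is still followed. FontFileReadDirectory starts and ends outside the hunk.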
@@ -261,7 +270,8 @@ ReadFontAlias(char *directory, Bool isFi
     char		alias[MAXFONTNAMELEN];
     char		font_name[MAXFONTNAMELEN];
     char		alias_file[MAXFONTFILENAMELEN];
-    FILE		*file;
+    int			file_fd;
+    FILE		*file = 0;
     FontDirectoryPtr	dir;
     int			token;
     char		*lexToken;
@@ -279,7 +289,16 @@ ReadFontAlias(char *directory, Bool isFi
 	    strcat(alias_file, "/");
 	strcat(alias_file, FontAliasFile);
     }
+
+#ifndef WIN32
+    file_fd = open(alias_file, O_RDONLY | O_NOFOLLOW);
+    if (file_fd >= 0) {
+	file = fdopen(file_fd, "rt");
+    }
+#else
     file = fopen(alias_file, "rt");
+#endif
+
     if (!file)
 	return ((errno == ENOENT) ? Successful : BadFontPath);
     if (!dir)
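Review bot: With O_NOFOLLOW, an alias file that is itself a symlink now makes `open()` fail with an errno other than ENOENT (the exact value is platform-dependent), so the `errno == ENOENT` test below reports BadFontPath where the target used to be read. That behaviour change is not documented at the call site. A comment above the open such as `/* O_NOFOLLOW: a symlinked alias file is rejected and reported as BadFontPath, not silently skipped */` would help anyone debugging a font path that stops loading after this update. The same applies to the ReadFontAlias hunk in xfree/xc/lib/font/fontfile/dirfile.c; the function continues outside the hunk.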

Index: xsrc/external/mit/libXfont/dist/src/fontfile/fileio.c
diff -u xsrc/external/mit/libXfont/dist/src/fontfile/fileio.c:1.1.1.3.4.1 xsrc/external/mit/libXfont/dist/src/fontfile/fileio.c:1.1.1.3.4.1.2.1
--- xsrc/external/mit/libXfont/dist/src/fontfile/fileio.c:1.1.1.3.4.1	Wed Mar 11 07:19:48 2015
+++ xsrc/external/mit/libXfont/dist/src/fontfile/fileio.c	Sat Dec  2 10:52:31 2017
@@ -39,6 +39,9 @@ in this Software without prior written a
 #ifndef O_CLOEXEC
 #define O_CLOEXEC 0
 #endif
+#ifndef O_NOFOLLOW
+#define O_NOFOLLOW 0
+#endif
 
 FontFilePtr
 FontFileOpen (const char *name)
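Review bot: The `#define O_NOFOLLOW 0` fallback keeps the file building where the flag is missing, but on such a platform the symlink protection added to FontFileOpen silently becomes a no-op. A comment on the fallback would make that visible, e.g. `/* no O_NOFOLLOW on this platform: symlinks are followed as before */`. The same fallback is added in xfree/xc/lib/font/fontfile/fileio.c. dirfile.c in this commit uses O_NOFOLLOW under `#ifndef WIN32` with no such fallback visible in its hunks, so the two files may behave differently on a platform without the flag.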
@@ -47,7 +50,7 @@ FontFileOpen (const char *name)
     int		len;
     BufFilePtr	raw, cooked;
 
-    fd = open (name, O_BINARY|O_CLOEXEC);
+    fd = open (name, O_BINARY|O_CLOEXEC|O_NOFOLLOW);
     if (fd < 0)
 	return 0;
     raw = BufFileOpenRead (fd);

Index: xsrc/external/mit/libXfont/dist/src/fontfile/fontdir.c
diff -u xsrc/external/mit/libXfont/dist/src/fontfile/fontdir.c:1.1.1.6 xsrc/external/mit/libXfont/dist/src/fontfile/fontdir.c:1.1.1.6.4.1
--- xsrc/external/mit/libXfont/dist/src/fontfile/fontdir.c:1.1.1.6	Fri Jul 11 18:44:47 2014
+++ xsrc/external/mit/libXfont/dist/src/fontfile/fontdir.c	Sat Dec  2 10:52:31 2017
@@ -399,8 +399,10 @@ PatternMatch(char *pat, int patdashes, c
 		}
 	    }
 	case '?':
-	    if (*string++ == XK_minus)
+	    if ((t = *string++) == XK_minus)
 		stringdashes--;
+	    if (!t)
+		return 0;
 	    break;
 	case '\0':
 	    return (*string == '\0');
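Review bot: The added `if (!t) return 0;` in the `'?'` case has no comment saying why the terminator must end the match, and the reason is easy to lose in a later cleanup. Without it `string` has already been advanced past the NUL and the next iteration would read beyond the buffer. A one-line comment such as `/* '?' must consume a real character; never step past the terminating NUL */` above the check would record that. The declaration of `t` is outside the hunk, and the same change is made in xfree/xc/lib/font/fontfile/fontdir.c.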

Index: xsrc/xfree/xc/lib/Xcursor/file.c
diff -u xsrc/xfree/xc/lib/Xcursor/file.c:1.1.1.1 xsrc/xfree/xc/lib/Xcursor/file.c:1.1.1.1.40.1
--- xsrc/xfree/xc/lib/Xcursor/file.c:1.1.1.1	Fri Feb 28 13:18:51 2003
+++ xsrc/xfree/xc/lib/Xcursor/file.c	Sat Dec  2 10:52:31 2017
@@ -31,6 +31,11 @@ XcursorImageCreate (int width, int heigh
 {
     XcursorImage    *image;
 
+    if (width < 0 || height < 0)
+       return NULL;
+    if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE)
+       return NULL;
+
     image = malloc (sizeof (XcursorImage) +
 		    width * height * sizeof (XcursorPixel));
     if (!image)
@@ -79,7 +84,7 @@ XcursorCommentCreate (XcursorUInt commen
 {
     XcursorComment  *comment;
 
-    if (length > XCURSOR_COMMENT_MAX_LEN)
+    if (length < 0 || length > XCURSOR_COMMENT_MAX_LEN)
 	return 0;
 
     comment = malloc (sizeof (XcursorComment) + length + 1);
@@ -103,6 +108,9 @@ XcursorCommentsCreate (int size)
 {
     XcursorComments *comments;
 
+    if (size < 0 || size > XCURSOR_COMMENT_MAX_LEN)
+ 	return NULL;
+
     comments = malloc (sizeof (XcursorComments) +
 		       size * sizeof (XcursorComment *));
     if (!comments)
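Review bot: `size` here is a number of comment slots (it multiplies `sizeof (XcursorComment *)` in the allocation below), yet the new guard bounds it with XCURSOR_COMMENT_MAX_LEN, which judging by its name and its use in XcursorCommentCreate is a per-comment length limit. The check does stop negative and very large counts, but reusing the length constant as a count limit is surprising. Either a dedicated count constant or a comment such as `/* reuse the comment length cap as an upper bound on the comment count */` would make the intent explicit. The external/mit copy of file.c gets no XcursorCommentsCreate hunk in this commit, so whether it has an equivalent guard cannot be seen here.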
@@ -397,7 +405,8 @@ _XcursorReadImage (XcursorFile		*file, 
     if (!_XcursorReadUInt (file, &head.delay))
 	return 0;
     /* sanity check data */
-    if (head.width >= 0x10000 || head.height > 0x10000)
+    if (head.width > XCURSOR_IMAGE_MAX_SIZE  ||
+	head.height > XCURSOR_IMAGE_MAX_SIZE)
 	return 0;
     if (head.width == 0 || head.height == 0)
 	return 0;
@@ -406,6 +415,8 @@ _XcursorReadImage (XcursorFile		*file, 
     
     /* Create the image and initialize it */
     image = XcursorImageCreate (head.width, head.height);
+    if (image == NULL)
+	return NULL;
     if (chunkHeader.version < image->version)
 	image->version = chunkHeader.version;
     image->size = chunkHeader.subtype;

Index: xsrc/xfree/xc/lib/Xcursor/library.c
diff -u xsrc/xfree/xc/lib/Xcursor/library.c:1.1.1.2 xsrc/xfree/xc/lib/Xcursor/library.c:1.1.1.2.38.1
--- xsrc/xfree/xc/lib/Xcursor/library.c:1.1.1.2	Fri Mar  5 14:24:23 2004
+++ xsrc/xfree/xc/lib/Xcursor/library.c	Sat Dec  2 10:52:31 2017
@@ -174,7 +174,7 @@ _XcursorThemeInherits (const char *full)
 		if (*l != '=') continue;
 		l++;
 		while (*l == ' ') l++;
-		result = malloc (strlen (l));
+		result = malloc (strlen (l) + 1);
 		if (result)
 		{
 		    r = result;

Index: xsrc/xfree/xc/lib/font/bitmap/pcfread.c
diff -u xsrc/xfree/xc/lib/font/bitmap/pcfread.c:1.3 xsrc/xfree/xc/lib/font/bitmap/pcfread.c:1.3.20.1
--- xsrc/xfree/xc/lib/font/bitmap/pcfread.c:1.3	Sun Jan 20 22:17:15 2008
+++ xsrc/xfree/xc/lib/font/bitmap/pcfread.c	Sat Dec  2 10:52:31 2017
@@ -42,6 +42,7 @@ from The Open Group.
 
 #include <stdarg.h>
 #include <stdint.h>
+#include <string.h>
 
 void
 pcfError(const char* message, ...)
@@ -305,11 +306,19 @@ pcfGetProperties(FontInfoPtr pFontInfo, 
     if (IS_EOF(file)) goto Bail;
     position += string_size;
     for (i = 0; i < nprops; i++) {
+	if (props[i].name >= string_size) {
+	    pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].name, string_size);
+	    goto Bail;
+	}
 	props[i].name = MakeAtom(strings + props[i].name,
-				 strlen(strings + props[i].name), TRUE);
+				 strnlen(strings + props[i].name, string_size - props[i].name), TRUE);
 	if (isStringProp[i]) {
+	    if (props[i].value >= string_size) {
+		pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].value, string_size);
+		goto Bail;
+	    }
 	    props[i].value = MakeAtom(strings + props[i].value,
-				      strlen(strings + props[i].value), TRUE);
+				      strnlen(strings + props[i].value, string_size - props[i].value), TRUE);
 	}
     }
     xfree(strings);

Index: xsrc/xfree/xc/lib/font/fontfile/dirfile.c
diff -u xsrc/xfree/xc/lib/font/fontfile/dirfile.c:1.5 xsrc/xfree/xc/lib/font/fontfile/dirfile.c:1.5.4.1
--- xsrc/xfree/xc/lib/font/fontfile/dirfile.c:1.5	Tue May 13 15:17:33 2014
+++ xsrc/xfree/xc/lib/font/fontfile/dirfile.c	Sat Dec  2 10:52:31 2017
@@ -41,6 +41,7 @@ in this Software without prior written a
 #include <stdio.h>
 #include <sys/types.h>
 #include <sys/stat.h>
+#include <fcntl.h>
 #include <errno.h>
 #include <limits.h>
 
@@ -60,8 +61,9 @@ FontFileReadDirectory (char *directory, 
     char	dir_path[MAXFONTFILENAMELEN];
     char	*ptr;
 #endif
-    FILE       *file;
-    int         count,
+    FILE       *file = 0;
+    int         file_fd,
+                count,
                 i,
                 status;
     struct stat	statb;
@@ -92,7 +94,14 @@ FontFileReadDirectory (char *directory, 
     if (dir_file[strlen(dir_file) - 1] != '/')
 	strcat(dir_file, "/");
     strcat(dir_file, FontDirFile);
+#ifndef WIN32
+    file_fd = open(dir_file, O_RDONLY | O_NOFOLLOW);
+    if (file_fd >= 0) {
+	file = fdopen(file_fd, "r");
+    }
+#else
     file = fopen(dir_file, "r");
+#endif
     if (file) {
 	Bool found_font = FALSE;
 	
@@ -258,7 +267,8 @@ ReadFontAlias(char *directory, Bool isFi
     char		alias[MAXFONTNAMELEN];
     char		font_name[MAXFONTNAMELEN];
     char		alias_file[MAXFONTFILENAMELEN];
-    FILE		*file;
+    int			file_fd;
+    FILE		*file = 0;
     FontDirectoryPtr	dir;
     int			token;
     char		*lexToken;
@@ -276,7 +286,15 @@ ReadFontAlias(char *directory, Bool isFi
 	    strcat(alias_file, "/");
 	strcat(alias_file, FontAliasFile);
     }
+#ifndef WIN32
+    file_fd = open(alias_file, O_RDONLY | O_NOFOLLOW);
+    if (file_fd >= 0) {
+	file = fdopen(file_fd, "r");
+    }
+#else
     file = fopen(alias_file, "r");
+#endif
+
     if (!file)
 	return ((errno == ENOENT) ? Successful : BadFontPath);
     if (!dir)

Index: xsrc/xfree/xc/lib/font/fontfile/fileio.c
diff -u xsrc/xfree/xc/lib/font/fontfile/fileio.c:1.1.1.5 xsrc/xfree/xc/lib/font/fontfile/fileio.c:1.1.1.5.40.1
--- xsrc/xfree/xc/lib/font/fontfile/fileio.c:1.1.1.5	Fri Feb 28 13:18:56 2003
+++ xsrc/xfree/xc/lib/font/fontfile/fileio.c	Sat Dec  2 10:52:31 2017
@@ -36,6 +36,9 @@ in this Software without prior written a
 #ifndef O_BINARY
 #define O_BINARY O_RDONLY
 #endif
+#ifndef O_NOFOLLOW
+#define O_NOFOLLOW 0
+#endif
 
 FontFilePtr
 FontFileOpen (const char *name)
@@ -44,7 +47,7 @@ FontFileOpen (const char *name)
     int		len;
     BufFilePtr	raw, cooked;
 
-    fd = open (name, O_BINARY);
+    fd = open (name, O_BINARY|O_CLOEXEC|O_NOFOLLOW);
     if (fd < 0)
 	return 0;
     raw = BufFileOpenRead (fd);
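Review bot: `O_CLOEXEC` is newly added to the `open()` flags in this copy, but no fallback definition for it is visible in this file's hunks. The context above shows only the O_BINARY and the new O_NOFOLLOW fallbacks, whereas the external/mit copy has an `#ifndef O_CLOEXEC` block. If the system headers do not define the flag, this file will not compile. Adding `#ifndef O_CLOEXEC` / `#define O_CLOEXEC 0` / `#endif` next to the O_NOFOLLOW fallback would match the other copy. The definition may exist outside the visible context, so confirm before changing it.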

Index: xsrc/xfree/xc/lib/font/fontfile/fontdir.c
diff -u xsrc/xfree/xc/lib/font/fontfile/fontdir.c:1.2 xsrc/xfree/xc/lib/font/fontfile/fontdir.c:1.2.20.1
--- xsrc/xfree/xc/lib/font/fontfile/fontdir.c:1.2	Tue Apr  3 20:12:22 2007
+++ xsrc/xfree/xc/lib/font/fontfile/fontdir.c	Sat Dec  2 10:52:31 2017
@@ -413,8 +413,10 @@ PatternMatch(char *pat, int patdashes, c
 		}
 	    }
 	case '?':
-	    if (*string++ == XK_minus)
+	    if ((t = *string++) == XK_minus)
 		stringdashes--;
+	    if (!t)
+		return 0;
 	    break;
 	case '\0':
 	    return (*string == '\0');
