| Age | Commit message (Collapse) | Author |
|---|
|
Signed-off-by: Adam Jackson <ajax@redhat.com>
|
|
Without the checks a malformed PCF file can cause the library to make
atom from random heap memory that was behind the `strings` buffer.
This may crash the process or leak information.
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
If a pattern contains '?' character, any character in the string is skipped,
even if it is '\0'. The rest of the matching then reads invalid memory.
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
While xfs can be more or less trivially ported to 2.0, bcftopcf cannot
because the font file I/O API is no longer externally visible. This is
intentional, because bdftopcf is literally the only consumer of that
API, and is itself only used in the build process for the classic core
fonts themselves. The plan for bdftopcf is to import a copy of libXfont
1.5 and link against that statically instead.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Acked-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Place quotes around the $srcdir, $ORIGDIR and $0 variables to prevent
fall-outs, when they contain space.
Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Syncs the invocation of configure with the one from the server.
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Emil Velikov <emil.velikov@collabora.com>
|
|
gcc6 chirps an indentation warning here, but really this is bad code.
Effectively this would ignore en_US or en_UK names for the font, despite
that those are the English names the font is most likely to have.
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Adam Jackson <ajax@redhat.com>
|
|
text data bss dec hex filename
233732 8168 1616 243516 3b73c .libs/libXfont2.so.2.before
217113 6816 1616 225545 37109 .libs/libXfont2.so.2.after
Signed-off-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>
|
|
https://bugs.freedesktop.org/show_bug.cgi?id=83224
Found by clang's Address Sanitizer
crac.num_auths = set_font_authorizations(&authorizations, &authlen,
client);
/* Work around bug in xfs versions up through modular release 1.0.8
which rejects CreateAC packets with num_auths = 0 & authlen < 4 */
if (crac.num_auths == 0) {
authorizations = padding;
authlen = 4;
} else {
authlen = (authlen + 3) & ~0x3;
}
crac.length = (sizeof (fsCreateACReq) + authlen) >> 2;
crac.acid = cur->acid;
_fs_add_req_log(conn, FS_CreateAC);
_fs_write(conn, (char *) &crac, sizeof (fsCreateACReq));
_fs_write(conn, authorizations, authlen);
In the case in the report, set_font_authorizations setup authorizations as a
34 byte buffer (and authlen set to 34 as one would expect). The following
block changed authlen to 36 to make it 4byte aligned and the final _fs_write()
caused us to read 36 bytes from this 34 byte buffer.
This changes the incorrect size increase to instead use _fs_write_pad which
takes care of the padding for us.
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
|
|
The point of it seems to have been to silence an unused function warning, but
there's no point if we're just transitioning that to another unused function
warning.
src/fc/fstrans.c:32:20: warning: unused function 'foo' [-Wunused-function]
static inline void foo(void) { (void) is_numeric("a"); }
^
1 warning generated.
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Reviewed-by: Keith Packard <keithp@keithp.com>
|
|
src/fc/fserve.c:653:32: warning: format specifies type 'int' but the argument has type 'CARD32' (aka 'unsigned long') [-Wformat]
" from font server\n", rep->length);
^~~~~~~~~~~
1 warning generated.
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
|
|
calloc for 0 bytes
Found by clang static analysis:
Call to 'calloc' has an allocation size of 0 bytes
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
|
|
Found by clang static analysis:
Result of 'calloc' is converted to a pointer of type 'int', which is
incompatible with sizeof operand type 'int *'
This is likely benign because the old size was larger on any platform where
sizeof(int) <= sizeof(void *), which is everywhere.
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
|
|
This reverts commit eb67d10ae82b364a4324e96ce53baaa4e5e75f97, but
leaves the warning fixes in place; it looks like either I was
confused, or something has changed so that XORG_DEFAULT_OPTIONS now
pulls in the appropriate compiler warnings.
|
|
This release just fixes some build issues with 2.0.0
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
This file used to advertise which font formats the library
supports. The X server doesn't care, so let's just remove it so that
it doesn't conflict with the older version of libXfont
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
|
|
Matt Turner noted that this file was missing; 'make distcheck' doesn't
appear to catch this kind of problem.
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
This eliminates the weak symbol adventures and makes all of the calls
back to the X server or Font server go through a table of functions
instead, clarifying the required API.
As this is a rather major change to the API for the library, it now
installs itself as libXfont2 instead of libXfont, and the package
config file is now xfont2.pc.
All of the installed headers remain the same as the original library;
there's now a new include file, libxfont2.h, which defines the X
server and Font server interfaces.
This moves util/atom.c to stubs/atom.c and reformats that file, hence
the diff being larger than it would otherwise be.
v2: Rename to libXfont2 instead of libXfont_2 as suggested by Emil Velikov
Fix whitespace in stubs/atom.c, which was moved from util/
v3: Remove select masks from API. Expose single 'font_init' function
for all library initialization.
v4: Change name of distributed tarballs to libXfont2 as well
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
Mostly signed vs unsigned comparisons
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
Lesser of two evil hacks, I suppose...
This reverts commit 0386fa77367a305deea3cc27f8a3865cc3c467c0.
|
|
stubs resolution
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
|
|
The argument must be an unsigned char or -1; in these cases
we know it's not -1 so cast it to unsigned char.
Fixes
warning: array subscript is of type 'char' [-Wchar-subscripts]
Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
|
|
The fix for CVE-2015-1804 prevent DWIDTH to be negative.
However, the spec states that "DWIDTH [...] is a vector indicating the
position of the next glyph’s origin relative to the origin of this glyph."
So negative values are correct.
Found by trying to compile XTS.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Don't seem to have ability to link to BDF or Xserver internals docs yet
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
We use 32-bit ints to read from the bdf file, but then try to stick
into a 16-bit int in the xCharInfo struct, so make sure they won't
overflow that range.
Found by afl-1.24b.
v2: Verify that additions won't overflow 32-bit int range either.
v3: As Julien correctly observes, the previous check for bh & bw not
being < 0 reduces the number of cases we need to check for overflow.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
Previously would charge on ahead with a NULL pointer in ci->bits, and
then crash later in FontCharInkMetrics() trying to access the bits.
Found with afl-1.23b.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
Avoid integer overflow or underflow when allocating memory arrays
by multiplying the number of properties reported for a BDF font.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
|
|
Parts were indented, others weren't, now is more consistent.
'git diff -w' shows no non-whitespace changes in this commit
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Weak symbols on PE platforms do not work the same way as on ELF
platforms, hence we have been unable to have a fully functional shared
libXfont until now. This patch works around these issues so that we
can fix that.
In summary, only when compiling shared libraries on NO_WEAK_SYMBOLS
platforms, when the first stub is called, the invoking program is first
checked to determine if it exports the stubbed functions. Then, for
every stub call, if the function is exported by the loader, it is called
instead of the stub code.
serverClient and serverGeneration are data pointers, and therefore are
replaced by getter functions. ErrorF is variadic, so the override is
routed through VErrorF instead. FatalError has no va_list equivalent,
but it is not actually used in libXfont and therefore should be safe to
remove.
This requires all X servers to export their symbols, which requires
forthcoming patches for hw/xwin and xfs; the other xservers (including
tigervnc) already do this via LD_EXPORT_SYMBOLS_FLAG.
Signed-off-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
Acked-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Tested-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
|
|
When accessing a 16-bit font with firstRow > 0 with 8-bit text, check
to see if the font has a default character and return that for every
incoming character.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
If the only bitmaps we support are builtins, don't need the code to
register all the bitmap font file handlers.
Fixes gcc warnings:
bitmapfunc.c:110:1: warning: 'BitmapOpenBitmap' defined but not used [-Wunused-function]
BitmapOpenBitmap (FontPathElementPtr fpe, FontPtr *ppFont, int flags,
^
bitmapfunc.c:155:1: warning: 'BitmapGetInfoBitmap' defined but not used [-Wunused-function]
BitmapGetInfoBitmap (FontPathElementPtr fpe, FontInfoPtr pFontInfo,
^
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Rémi Cardona <remi@gentoo.org>
|
|
pcfread.c is a special case - it's needed for either reading pcf files
from disk (--enable-pcfformat) or from the builtin fonts in memory
(--enable-builtins), so needed a new AM_CONDITIONAL case.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Rémi Cardona <remi@gentoo.org>
|
|
Require the #defines from configure.ac now that we're not sharing source
with the imake builds any longer.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Rémi Cardona <remi@gentoo.org>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Rémi Cardona <remi@gentoo.org>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Rémi Cardona <remi@gentoo.org>
|
|
fs_read_list_info() parses a reply from the font server. The reply
contains a number of additional data items with embedded length or
count fields, none of which are validated. This can cause out of
bound reads when looping over these items in the reply.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
fs_read_list() parses a reply from the font server. The reply
contains a list of strings with embedded length fields, none of
which are validated. This can cause out of bound reads when looping
over the strings in the reply.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
fs_read_glyphs() parses a reply from the font server. The reply
contains embedded length fields, none of which are validated.
This can cause out of bound reads when looping over the glyph
bitmaps in the reply.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
Looping over the extents in the reply could go past the end of the
reply buffer if the reply indicated more extents than could fit in
the specified reply length.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
fs_alloc_glyphs() is a malloc wrapper used by the font code.
It contains a classic integer overflow in the malloc() call,
which can cause memory corruption.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
fs_read_extent_info() parses a reply from the font server.
The reply contains a 32bit number of elements field which is used
to calculate a buffer length. There is an integer overflow in this
calculation which can lead to memory corruption.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
fs_read_query_info() parses a reply from the font server. The reply
contains embedded length fields, none of which are validated. This
can cause out of bound reads in either fs_read_query_info() or in
_fs_convert_props() which it calls to parse the fsPropInfo in the reply.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
fs_get_reply() would take any reply size, multiply it by 4 and pass to
_fs_start_read. If that size was bigger than the current reply buffer
size, _fs_start_read would add it to the existing buffer size plus the
buffer size increment constant and realloc the buffer to that result.
This math could overflow, causing the code to allocate a smaller
buffer than the amount it was about to read into that buffer from
the network. It could also succeed, allowing the remote font server
to cause massive allocations in the X server, possibly using up all
the address space in a 32-bit X server, allowing the triggering of
other bugs in code that fails to handle malloc failure properly.
This patch protects against both problems, by disconnecting any
font server trying to feed us more than (the somewhat arbitrary)
64 mb in a single reply.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
