Age | Commit message | Author |
|
When dirName is "" (e.g. when called by BuiltinReadDirectory),
FontFileMakeDir would read after the string when WIN32 is defined.
Fix the overrun issue by checking the location of the found :
before adding two.
Signed-off-by: Peter Harris <pharris@opentext.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Commit 6c29007756301 removed OS/2 support from the code,
but missed updating the comments to match.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Found by using:
codespell --builtin clear,rare,usage,informal,code,names
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
BuiltinReadDirectory() calls FontFileMakeDir ("", builtin_dir_count); and
this causes the `dirName[dirlen - 1]` access to read before the start of
the string. I found this while porting Xvnc to CHERI-RISC-V (which has
bounds and permissions on all pointers).
|
|
None of the callers of CatalogueRescan check for failure before accessing
the cat pointer so don't free it (especially without clearing the pointer
to it in fpe->private), just unref the contents.
Can only be triggered if somehow stat() succeeds on the directory, but
opendir fails anyway (removed between the calls? permission problem?).
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Introduces mallocarray as a macro calling reallocarray with a NULL
pointer for the old allocation.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Replace strcpy, strcat, sprintf with strlcpy, strlcat, snprintf
everywhere, even where there were already bounds checks in place,
to reduce time spent checking static analysis results.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
A non-privileged X client can instruct an X server running under root to open any
file by creating its own directory with "fonts.dir", "fonts.alias" or any font file
being a symbolic link to any other file in the system. The X server will then open
it. This can be an issue with special files such as /dev/watchdog.
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
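
Added example, not code from libXfont or from this commit: one common way to refuse the symlink case described above is to open with O_NOFOLLOW and then confirm the descriptor is a regular file. The helper name open_regular_nofollow, the selfcheck routine and the temporary paths are assumptions constructed for illustration.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L
#endif
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <sys/stat.h>
#include <unistd.h>

/* Hypothetical helper: open path read-only, refusing a symlink in the
 * final path component and anything that is not a regular file.
 * Returns a file descriptor, or -1 with errno set. */
static int open_regular_nofollow(const char *path)
{
    struct stat st;
    /* O_NONBLOCK keeps the open from blocking on a FIFO. */
    int fd = open(path, O_RDONLY | O_NOFOLLOW | O_NONBLOCK);
    if (fd < 0)
        return -1;                      /* symlink: open() itself fails */
    if (fstat(fd, &st) != 0 || !S_ISREG(st.st_mode)) {
        close(fd);
        errno = EINVAL;
        return -1;
    }
    return fd;
}

/* Constructed check: builds a client-style font directory in /tmp with a
 * real "fonts.dir" and a "fonts.alias" that is a symlink to it.
 * Returns 1 if the real file opens and the symlink is refused. */
static int selfcheck(void)
{
    char dir[] = "/tmp/nofollow-XXXXXX", file[64], lnk[64];
    if (!mkdtemp(dir)) return -1;
    snprintf(file, sizeof file, "%s/fonts.dir", dir);
    snprintf(lnk, sizeof lnk, "%s/fonts.alias", dir);
    FILE *f = fopen(file, "w");
    if (!f) return -1;
    fputs("0\n", f);
    fclose(f);
    if (symlink(file, lnk) != 0) return -1;
    int ok_fd = open_regular_nofollow(file);
    int bad_fd = open_regular_nofollow(lnk);
    if (ok_fd >= 0) close(ok_fd);
    if (bad_fd >= 0) close(bad_fd);
    unlink(lnk); unlink(file); rmdir(dir);
    return ok_fd >= 0 && bad_fd < 0;
}
```

O_NOFOLLOW only covers the last path component; a symlinked parent directory is still followed.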
|
|
If a pattern contains a '?' character, any character in the string is skipped,
even if it is '\0'. The rest of the matching then reads invalid memory.
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Julien Cristau <jcristau@debian.org>
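
Added example, not libXfont's matcher: a small wildcard matcher showing the check the message above describes. The names glob_match and match_at and the check_nul switch are assumptions; with check_nul off, the '?' case skips the terminator as described, and the function reports OVERRUN instead of performing the invalid read.

```c
#include <stdio.h>
#include <string.h>

enum { NO_MATCH = 0, MATCH = 1, OVERRUN = -1 };

/* Match pat ('*' = any run, '?' = any one character) against s, starting
 * at index i. n is strlen(s): index n is the terminator and any index
 * above n lies outside the string. */
static int match_at(const char *pat, const char *s, size_t i, size_t n,
                    int check_nul)
{
    for (;; pat++) {
        if (i > n)
            return OVERRUN;     /* cursor has left the string */
        switch (*pat) {
        case '\0':
            return s[i] == '\0' ? MATCH : NO_MATCH;
        case '*':
            while (pat[1] == '*')
                pat++;
            if (pat[1] == '\0')
                return MATCH;
            for (size_t k = i; k <= n; k++) {
                int r = match_at(pat + 1, s, k, n, check_nul);
                if (r != NO_MATCH)
                    return r;
            }
            return NO_MATCH;
        case '?':
            /* The fix: '?' must not consume the terminator. */
            if (check_nul && s[i] == '\0')
                return NO_MATCH;
            i++;
            break;
        default:
            if (s[i] != *pat)
                return NO_MATCH;
            i++;
            break;
        }
    }
}

static int glob_match(const char *pat, const char *s, int check_nul)
{
    return match_at(pat, s, 0, strlen(s), check_nul);
}

int main(void)
{
    /* Constructed inputs: the string is one character short of the pattern. */
    printf("checked:   %d\n", glob_match("*-iso8859-?", "fixed-iso8859-", 1));
    printf("unchecked: %d\n", glob_match("*-iso8859-?", "fixed-iso8859-", 0));
    return 0;
}
```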
|
|
|
|
This eliminates the weak symbol adventures and makes all of the calls
back to the X server or Font server go through a table of functions
instead, clarifying the required API.
As this is a rather major change to the API for the library, it now
installs itself as libXfont2 instead of libXfont, and the package
config file is now xfont2.pc.
All of the installed headers remain the same as the original library;
there's now a new include file, libxfont2.h, which defines the X
server and Font server interfaces.
This moves util/atom.c to stubs/atom.c and reformats that file, hence
the diff being larger than it would otherwise be.
v2: Rename to libXfont2 instead of libXfont_2 as suggested by Emil Velikov
Fix whitespace in stubs/atom.c, which was moved from util/
v3: Remove select masks from API. Expose single 'font_init' function
for all library initialization.
v4: Change name of distributed tarballs to libXfont2 as well
Signed-off-by: Keith Packard <keithp@keithp.com>
|
|
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
|
|
Weak symbols on PE platforms do not work the same way as on ELF
platforms, hence we have been unable to have a fully functional shared
libXfont until now. This patch works around these issues so that we
can fix that.
In summary, only when compiling shared libraries on NO_WEAK_SYMBOLS
platforms, when the first stub is called, the invoking program is first
checked to determine if it exports the stubbed functions. Then, for
every stub call, if the function is exported by the loader, it is called
instead of the stub code.
serverClient and serverGeneration are data pointers, and therefore are
replaced by getter functions. ErrorF is variadic, so the override is
routed through VErrorF instead. FatalError has no va_list equivalent,
but it is not actually used in libXfont and therefore should be safe to
remove.
This requires all X servers to export their symbols, which requires
forthcoming patches for hw/xwin and xfs; the other xservers (including
tigervnc) already do this via LD_EXPORT_SYMBOLS_FLAG.
Signed-off-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
Acked-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Tested-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
|
|
lexAlias() reads from a file in a loop. It does this by starting with a
64 byte buffer. If that size limit is hit, it does a realloc of the
buffer size << 1, basically doubling the needed length every time the
length limit is hit.
Eventually, this will shift out to 0 (for a length of ~4gig), and that
length will be passed on to realloc(). A length of 0 (with a valid
pointer) causes realloc to free the buffer on most POSIX platforms,
but the caller will still have a pointer to it, leading to use after
free issues.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
FontFileReadDirectory() opens a fonts.dir file, and reads over every
line in an fscanf loop. For each successful entry read (font name,
file name) a call is made to FontFileAddFontFile().
FontFileAddFontFile() will add a font file entry (for the font name
and file) each time it’s called, by calling FontFileAddEntry().
FontFileAddEntry() will do the actual adding. If the table it has
to add to is full, it will do a realloc, adding 100 more entries
to the table size without checking to see if that will overflow the
int used to store the size.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
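
Added example, not code from libXfont: overflow-checked size growth for the two cases described in the lexAlias() and FontFileAddEntry() messages above (a doubling buffer and a table grown by 100 entries). The function names next_double, next_table_size and ensure_capacity are assumptions.

```c
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>

/* Double a buffer size. Returns 0 when doubling would wrap, so the caller
 * can fail instead of handing a zero length to realloc(). */
static unsigned int next_double(unsigned int size)
{
    if (size == 0 || size > UINT_MAX / 2)
        return 0;
    return size << 1;
}

/* Add step entries to an int-sized table. Returns -1 if int would overflow. */
static int next_table_size(int size, int step)
{
    if (size < 0 || step <= 0 || size > INT_MAX - step)
        return -1;
    return size + step;
}

/* Grow *buf by doubling (starting at 64 bytes) until it holds need bytes.
 * Returns 0 on success; on failure returns -1 and leaves *buf and *cap
 * untouched, so the caller never keeps a pointer to freed memory. */
static int ensure_capacity(char **buf, unsigned int *cap, unsigned int need)
{
    unsigned int n = *cap ? *cap : 64;
    while (n < need) {
        n = next_double(n);
        if (n == 0)
            return -1;
    }
    if (n == *cap)
        return 0;
    char *p = realloc(*buf, n);
    if (p == NULL)
        return -1;
    *buf = p;
    *cap = n;
    return 0;
}

int main(void)
{
    printf("%u %u\n", next_double(64), next_double(UINT_MAX / 2 + 1));
    printf("%d %d\n", next_table_size(100, 100),
           next_table_size(INT_MAX - 50, 100));
    return 0;
}
```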
|
|
Fixes clang analyzer warning:
bufio.c:165:13: warning: Access to field 'bufp' results in a dereference
of a null pointer (loaded from variable 'f')
f->bufp = f->buffer;
~ ^
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Thomas Klausner <wiz@NetBSD.org>
|
|
Many const char issues.
One extra 'i' declared in ScaleFont; we can just use the same 'i' as
exists at the top level scope.
Also ignore bad-function-cast in ftfuncs.c and bitscale.c because
we're casting the return value from floor or ceil from double to
int. As floor and ceil are kinda designed to generate integer results,
it's pretty clear that we're doing what we want and that the compiler
is generating noise. I'm not sure why bad-function-cast is ever a good
warning to turn on, but I'll leave that for another day.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Gaetan Nadon <memsize@videotron.ca>
|
|
Fixes gcc warning:
catalogue.c:336:1: warning: redundant redeclaration of
'FontFileStartListFonts' [-Wredundant-decls]
In file included from ../../include/X11/fonts/fntfilst.h:40:0,
from catalogue.c:32:
../../include/X11/fonts/fntfil.h:92:12: note: previous declaration
of 'FontFileStartListFonts' was here
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
|
|
catalogue.c: In function 'CatalogueOpenFont':
catalogue.c:290:22: warning: variable 'dir' set but not used [-Wunused-but-set-variable]
catalogue.c: In function 'CatalogueListFonts':
catalogue.c:324:22: warning: variable 'dir' set but not used [-Wunused-but-set-variable]
fpe.c: In function 'BuiltinResetFPE':
fpe.c:57:22: warning: variable 'dir' set but not used [-Wunused-but-set-variable]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html
- Support for the long-deprecated INCLUDES variable will be removed
altogether in Automake 1.14. The AM_CPPFLAGS variable should be
used instead.
This variable was deprecated in Automake releases prior to 1.10, which is
the current minimum level required to build X.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Signed-off-by: Adam Jackson <ajax@redhat.com>
|
|
Signed-off-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
The compress decompression code used by libXfont rejects valid archives
with maxbits less than 12 (compress allows values 9 - 16, 16 is the
default). This is because maxbits-12 is used as an index to hsize_table[].
That looks like an incorrect port of the original compress code, where:
- hsize depended on BITS, the maximum maxbits value supported by a particular
build, rather than on the maxbits value from the particular input file
- the same hsize was used for all BITS <= 12
The quick way to verify the problem is:
compress -b 11 fontfile.bdf
bdftopcf -o /dev/null fontfile.bdf.Z
which fails, while 12-16 works correctly.
This fix removes hsize_table and uses 1 << maxbits (aka maxmaxcode) as
tab_prefix size. As the decompression code does not use hashing as the compression
code does, there does not seem to be a reason to allocate any extra space.
Note: In this fix, maxbits == 9 is still rejected early. AFAICS compress
is able to generate such files (unknown how correct such output is), but is
unable to uncompress them correctly.
Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
|
|
It ensures that all valid input can be decompressed, checks that the
overflow conditions don't happen and generally tightens the
validation of the LZW stream and doesn't pessimize the inner loop for
no good reason. It's derived from a change in libarchive from 2004.
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Reviewed-by: Tomas Hoger <thoger@redhat.com>
|
|
Performed with: find * -type f | xargs perl -i -p -e 's{[ \t]+$}{}'
git diff -w & git diff -b show no diffs from this change
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
A specially crafted LZW stream can crash an application using libXfont
that is used to open untrusted font files. With the X server, this may
allow privilege escalation when exploited.
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Jesse Adkins <jesserayadkins@gmail.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
|
|
Seems to have been a leftover from before the encoding code was split
out into libfontenc by XFree86
Signed-off-by: Alan Coopersmith <alan.coopersmith@sun.com>
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Distribute ChangeLog but not autogen.sh.
Use a single toplevel .gitignore file, instead of one per subdirectory.
|
|
Simplify the freetype renderer list to match.
|
|
|
|
|
|
|
|
|
|
Xprint is just insidious, isn't it.
|
|
|
|
|
|
Yes, these are still real fonts, but freetype can handle them just fine.
|
|
OUT OUT OUT
|
|
Basically the code is now compiled as if FONTMODULE was never defined,
but also removed some "magic" defining _XOPEN_SOURCE before including
math.h.
Also removed some #if 0'ed code instead of fixing prototypes inside
the "dead code".
Changes to spdo_prv.h were due to defines like:
<hash>define foo() sp_foo()
that would not compile with the ansification in the format:
type foo(void)
due to the macro receiving "void" as an argument.
|
|
Works around bug in VMWare that caused the Solaris kernel to fail to read
the time-of-day chip on boot, and start with a time < 0 (i.e. back to the
1960's) - when the system was then installed from this mode, Xorg wouldn't
start after reboot, since the mtime would be < 0 and the catalogue dir was
then skipped as not changed since reading at the 0 initially set in the
cat->mtime.
Fixes OpenSolaris bug #4780
<http://defect.opensolaris.org/bz/show_bug.cgi?id=4780>
|
|
This lets the user set CFLAGS when running make.
|
|
<http://bugs.freedesktop.org/show_bug.cgi?id=17945>
Avoid two gcc warnings
src/fontfile/ffcheck.c:150: warning: initialization discards qualifiers from pointer target type
src/fontfile/register.c:98: warning: initialization discards qualifiers from pointer target type
|