summaryrefslogtreecommitdiff
path: root/src
AgeCommit message (Collapse)Author
2024-02-17unifdef NCDAlan Coopersmith
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2024-02-17unifdef LynxAlan Coopersmith
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2024-02-17unifdef ISCAlan Coopersmith
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2024-02-17unifdef __OSF1__Alan Coopersmith
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2024-02-17unifdef sonyAlan Coopersmith
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2024-02-03bitscale.c: remove unused MAX() macroAlan Coopersmith
Code that used it was removed in commit 632a2e90a4b209facc Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2024-02-03bitscale.c: ensure SCORE macro expands properlyAlan Coopersmith
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2024-02-03bitscale.c: ensure SCORE2 macro expands properlyAlan Coopersmith
Handles warning from Oracle Parfait 11.2 static analyzer: Error: Misleading macro Misleading macro [misleading-macro]: misleading evaluation of '/' operator in expansion of macro SCORE2 due to missing parentheses at line 299 of src/bitmap/bitscale.c. '/' operator has lower precedence than '/' operator inside macro body at line 438 low precedence '/' operator is hidden by expansion of macro argument m at line 299 Misleading macro [misleading-macro]: misleading evaluation of '/' operator in expansion of macro SCORE2 due to missing parentheses at line 299 of src/bitmap/bitscale.c. binary '*' operator has lower precedence than '/' operator inside macro body at line 440 low precedence binary '*' operator is hidden by expansion of macro argument m at line 299 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2024-01-24Modernize lseek() callsAlan Coopersmith
Position should be stored in an off_t, not an int, and the "whence" arg should use symbolic constants instead of raw numbers. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2023-03-25Set close-on-exec when opening fonts.dir & fonts.alias filesAlan Coopersmith
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2023-02-25Remove "All rights reserved" from Oracle copyright noticesAlan Coopersmith
Oracle no longer includes this term in our copyright & license notices. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2022-11-26atom: Update Hash() to be unsignedJeremy Huddleston Sequoia
This avoids undefined behavior (left shift overflow in signed integer type) Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
2022-11-10Fix font server reconnection timeoutPeter Harris
The great libxfont2 rewrite 135fb032e940ce226c9feb13e6e903f3ecbc5eb0 split fs_wakeup into fs_wakeup and fs_fd_handler. The fs_fd_handler side is called when there is new data on the socket. The fs_wakeup side is called on a timeout. If there's a connection timeout, the block handler will set the timeout to zero, expecting fs_wakeup to handle the timeout. Therefore, we need to call _fs_check_reconnect in fs_wakeup to handle the connection timeout. If we don't, the X server will go to 100% CPU (and the font server connection will not be retried). Signed-off-by: Peter Harris <pharris@opentext.com>
2022-10-06Switch from libbsd to libbsd-overlayGuillem Jover
This is the preferred usage form for libbsd, as it makes the code more portable and requires no special includes for libbsd, by transparently injects the needed standard headers that would be used on a BSD. Signed-off-by: Guillem Jover <guillem@hadrons.org>
2022-08-11Fix buffer overrun in FontFileMakeDir on WIN32Peter Harris
When dirName is "" (eg. when called by BuiltinReadDirectory), FontFileMakeDir would read after the string when WIN32 is defined. Fix the overrun issue by checking the location of the found : before adding two. Signed-off-by: Peter Harris <pharris@opentext.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2022-06-21Fix comments to reflect removal of OS/2 supportAlan Coopersmith
Commit 6c29007756301 removed OS/2 support from the code, but missed updating the comments to match. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2022-06-21Correct fsCreateACReq lengthJeremy Huddleston Sequoia
Regressed-in: 6972ea08ee5b2ef1cfbdc2fcaf14f06bbd391561 Fixes: https://gitlab.freedesktop.org/xorg/lib/libxfont/-/issues/13 Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
2022-04-06Fix spelling/wording issuesAlan Coopersmith
Found by using: codespell --builtin clear,rare,usage,informal,code,names Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2021-07-14Fix out-of-bounds read in FontFileMakeDir()Alex Richardson
BuiltinReadDirectory() calls FontFileMakeDir ("", builtin_dir_count); and this causes the `dirName[dirlen - 1]` access to read before the start of the string. I found this while porting Xvnc to CHERI-RISC-V (which has bounds and permissions on all pointers).
2021-03-02Fix use after free when font server connection lostPeter Harris
If there are multiple blocks waiting for the same font, only one of them will have ->freeFont set. The rest will be in a state of FS_DEPENDING. If the font server dies before the font finishes opening, the block with ->freeFont set will call ->unload_font, invalidating the pfont pointers in the remaining FS_DEPENDING blocks. Avoid a use after free (and potential crash) by passing conn to fs_cleanup_font instead of dereferencing pfont to find the conn. Signed-off-by: Peter Harris <pharris@opentext.com>
2020-03-06Fix crash when font server connection lostPeter Harris
Always initialize the return value of fs_new_block_rec. Even if the conn->blockState is FS_BROKEN_CONNECTION | FS_RECONNECTING, we must not return with an uninitialized blockrec on the block list. When the blockrec times out, _fs_clean_aborted_blockrec calls fs_cleanup_bfont, which will try to follow pointers in the blockrec (which has not been initialized). Signed-off-by: Peter Harris <pharris@opentext.com>
2019-10-25Fix Win32 build since c4ed2e06 "Add some unit testing utilities"Jon Turney
Provide Win32 replacements for realpath() and err.h
2019-08-17fs_read_glyphs: check if rep is null before dereferencingAlan Coopersmith
Resolves coverity warning def16 from the list in https://gitlab.freedesktop.org/xorg/lib/libxfont/issues/6 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2019-08-17CatalogueRescan: if opendir() fails, unref fpes, but don't free the catAlan Coopersmith
None of the callers of CatalogueRescan check for failure before accessing the cat pointer so don't free it (especially without clearing the pointer to it in fpe->private), just unref the contents. Can only be triggered if somehow stat() succeeds on the directory, but opendir fails anyway (removed between the calls? permission problem?). Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2019-08-17ComputeScaledProperties: check for valid pointers before making atomsAlan Coopersmith
Resolves coverity warning def23 from the list in https://gitlab.freedesktop.org/xorg/lib/libxfont/issues/6 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2019-08-17stubs/atom.c: check for ResizeHashTable failureAlan Coopersmith
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2019-08-17Fix whitespaceMaya Rashish
2019-08-04fontxlfd.c: tell gcc that switch fallthrough is intentionalAlan Coopersmith
Quiets: src/util/fontxlfd.c: In function ‘FontParseXLFDName’: src/util/fontxlfd.c:450:14: warning: this statement may fall through [-Wimplicit-fallthrough=] replaceChar = '*'; ~~~~~~~~~~~~^~~~~ src/util/fontxlfd.c:451:5: note: here case FONT_XLFD_REPLACE_ZERO: ^~~~ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2019-08-04Convert multiplying malloc calls to use mallocarray insteadAlan Coopersmith
Introduces mallocarray as a macro calling reallocarray with a NULL pointer for the old allocation. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2019-08-03Convert multiplying realloc calls to use reallocarray insteadAlan Coopersmith
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2019-08-03Add reallocarray fallback if not provided by libc nor libbsdAlan Coopersmith
Implementation copied from the Xserver Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2019-08-03Use bounds checking string functions everywhereAlan Coopersmith
Replace strcpy, strcat, sprintf with strlcpy, strlcat, snprintf everywhere, even where there were already bounds checks in place, to reduce time spent checking static analysis results. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2019-08-03Add strlcat & strlcpy fallbacks if not provided by libc nor libbsdAlan Coopersmith
Implementations copied from the Xserver Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2018-03-24avoid -Wformat errors from clang when building with -DDEBUGRin Okuyama
https://bugs.freedesktop.org/show_bug.cgi?id=99882 Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2017-11-25Open files with O_NOFOLLOW. (CVE-2017-16611)Michal Srb
A non-privileged X client can instruct X server running under root to open any file by creating own directory with "fonts.dir", "fonts.alias" or any font file being a symbolic link to any other file in the system. X server will then open it. This can be issue with special files such as /dev/watchdog. Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
2017-10-04pcfGetProperties: Check string boundaries (CVE-2017-13722)Michal Srb
Without the checks a malformed PCF file can cause the library to make atom from random heap memory that was behind the `strings` buffer. This may crash the process or leak information. Signed-off-by: Julien Cristau <jcristau@debian.org>
2017-10-04Check for end of string in PatternMatch (CVE-2017-13720)Michal Srb
If a pattern contains '?' character, any character in the string is skipped, even if it is '\0'. The rest of the matching then reads invalid memory. Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Julien Cristau <jcristau@debian.org>
2016-06-10freetype: Fix a logic error in computing face nameAdam Jackson
gcc6 chirps an indentation warning here, but really this is bad code. Effectively this would ignore en_US or en_UK names for the font, despite that those are the English names the font is most likely to have. Signed-off-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2016-05-30fserve: Fix a buffer read overrun in _fs_client_accessJeremy Huddleston Sequoia
https://bugs.freedesktop.org/show_bug.cgi?id=83224 Found by clang's Address Sanitizer crac.num_auths = set_font_authorizations(&authorizations, &authlen, client); /* Work around bug in xfs versions up through modular release 1.0.8 which rejects CreateAC packets with num_auths = 0 & authlen < 4 */ if (crac.num_auths == 0) { authorizations = padding; authlen = 4; } else { authlen = (authlen + 3) & ~0x3; } crac.length = (sizeof (fsCreateACReq) + authlen) >> 2; crac.acid = cur->acid; _fs_add_req_log(conn, FS_CreateAC); _fs_write(conn, (char *) &crac, sizeof (fsCreateACReq)); _fs_write(conn, authorizations, authlen); In the case in the report, set_font_authorizations setup authorizations as a 34 byte buffer (and authlen set to 34 as one would expect). The following block changed authlen to 36 to make it 4byte aligned and the final _fs_write() caused us to read 36 bytes from this 34 byte buffer. This changes the incorrect size increase to instead use _fs_write_pad which takes care of the padding for us. Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
2016-05-30fstrans: Remove unused foo() functionJeremy Huddleston Sequoia
The point of it seems to have been to silence an unused function warning, but there's no point if we're just transitioning that to another unused function warning. src/fc/fstrans.c:32:20: warning: unused function 'foo' [-Wunused-function] static inline void foo(void) { (void) is_numeric("a"); } ^ 1 warning generated. Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com> Reviewed-by: Keith Packard <keithp@keithp.com>
2016-05-29fserve: Silence a -Wformat warningJeremy Huddleston Sequoia
src/fc/fserve.c:653:32: warning: format specifies type 'int' but the argument has type 'CARD32' (aka 'unsigned long') [-Wformat] " from font server\n", rep->length); ^~~~~~~~~~~ 1 warning generated. Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
2016-05-29bitmap: Bail out on invalid input to FontFileMakeDir instead of calling ↵Jeremy Huddleston Sequoia
calloc for 0 bytes Found by clang static analysis: Call to 'calloc' has an allocation size of 0 bytes Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
2016-05-29FreeType: Correct an allocation sizeJeremy Huddleston Sequoia
Found by clang static analysis: Result of 'calloc' is converted to a pointer of type 'int', which is incompatible with sizeof operand type 'int *' This is likely benign because the old size was larger on any platform where sizeof(int) <= sizeof(void *), which is everywhere. Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
2015-12-09Convert to non-recursive build.Matt Turner
2015-12-08Eliminate calls back to X server or font server functions by name (v4)libXfont2-2.0.0Keith Packard
This eliminates the weak symbol adventures and makes all of the calls back to the X server or Font server go through a table of functions instead, clarifying the required API. As this is a rather major change to the API for the library, it now installs itself as libXfont2 instead of libXfont, and the package config file is now xfont2.pc. All of the installed headers remain the same as the original library; there's now a new include file, libxfont2.h, which defines the X server and Font server interfaces. This moves util/atom.c to stubs/atom.c and reformats that file, hence the diff being larger than it would otherwise be. v2: Rename to libXfont2 instead of libXfont_2 as suggested by Emil Velikov Fix whitespace in stubs/atom.c, which was moved from util/ v3: Remove select masks from API. Expose single 'font_init' function for all library initialization. v4: Change name of distributed tarballs to libXfont2 as well Signed-off-by: Keith Packard <keithp@keithp.com>
2015-12-08Add compiler warning flags and fix warningsKeith Packard
Mostly signed vs unsigned comparisons Signed-off-by: Keith Packard <keithp@keithp.com>
2015-10-21Use NO_WEAK_SYMBOLS instead of -flat_namespaceJeremy Huddleston Sequoia
Lesser of two evil hacks, I suppose... This reverts commit 0386fa77367a305deea3cc27f8a3865cc3c467c0.
2015-10-21stubs: Add missing externs for declarations in the NO_WEAK_SYMBOLS && PIC ↵Jeremy Huddleston Sequoia
stubs resolution Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
2015-10-20Fix is*() usage.Thomas Klausner
The argument must be an unsigned char or -1; in these cases we know it's not -1 so cast it to unsigned char. Fixes warning: array subscript is of type 'char' [-Wchar-subscripts] Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
2015-07-28bdfReadCharacters: Allow negative DWIDTH valuesBenjamin Tissoires
The fix for CVE-2015-1804 prevent DWIDTH to be negative. However, the spec states that "DWIDTH [...] is a vector indicating the position of the next glyph’s origin relative to the origin of this glyph." So negative values are correct. Found by trying to compile XTS. Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>