From 8c8203ca2760105aca4e0b6ec5909355a061f0b3 Mon Sep 17 00:00:00 2001 From: Matthieu Herrb Date: Tue, 12 Sep 2006 13:50:31 +0200 Subject: Fixes for integer overflows in CID encoded fonts parsing reported by iDefense CVE-ID 2006-3739, 2006-3740, bugzilla #8000, #8001. --- src/Type1/afm.c | 7 +++++++ src/Type1/scanfont.c | 12 ++++++++++-- src/Type1/util.c | 2 +- 3 files changed, 18 insertions(+), 3 deletions(-) diff --git a/src/Type1/afm.c b/src/Type1/afm.c index b8ce2d3..006ff3c 100644 --- a/src/Type1/afm.c +++ b/src/Type1/afm.c @@ -37,6 +37,8 @@ #include /* for xalloc/xfree */ #include "AFM.h" +#include + #define PBUF 256 #define KBUF 20 @@ -118,6 +120,11 @@ int CIDAFM(FILE *fd, FontInfo **pfi) { fi->nChars = atoi(p); + if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) { + xfree(afmbuf); + xfree(fi); + return(1); + } fi->metrics = (Metrics *)xalloc(fi->nChars * sizeof(Metrics)); if (fi->metrics == NULL) { diff --git a/src/Type1/scanfont.c b/src/Type1/scanfont.c index 04e3fe2..bc3c244 100644 --- a/src/Type1/scanfont.c +++ b/src/Type1/scanfont.c @@ -72,6 +72,8 @@ #include "spaces.h" #include "fontfcn.h" #include "blues.h" + +#include #if XFONT_CID #define CID_BUFSIZE 80 @@ -654,6 +656,7 @@ getFDArray(psobj *arrayP) arrayP->data.valueP = tokenStartP; /* allocate FDArray */ + /* No integer overflow since arrayP->len is unsigned short */ FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont))); if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY); @@ -850,7 +853,8 @@ BuildSubrs(psfont *FontP) } return(SCAN_OK); } - + if (N > INT_MAX / sizeof(psobj)) + return (SCAN_ERROR); arrayP = (psobj *)vm_alloc(N*sizeof(psobj)); if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY); FontP->Subrs.len = N; 
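Review bot: The new range check in CIDAFM still takes `fi->nChars` from `atoi(p)`, and for a count that does not fit an `int` the result of `atoi` is undefined by the C standard (common libcs truncate a `long`), so an out-of-range count from the font file can wrap into the accepted range instead of being rejected by the `< 0 || > INT_MAX / sizeof(Metrics)` test. Parsing the count with `strtol` and checking `errno == ERANGE` and the end pointer makes the rejection deterministic: `errno = 0; long n = strtol(p, &end, 10); if (end == p || errno == ERANGE || n < 0 || n > INT_MAX / sizeof(Metrics)) { xfree(afmbuf); xfree(fi); return(1); }` followed by `fi->nChars = (int)n;` (this needs `<errno.h>` next to the `<limits.h>` include the commit adds). Keep the `< 0` test first, because the comparison against the `size_t` divisor converts the count to unsigned. CIDAFM starts and continues outside the hunk, so the failure-path cleanup here is copied from the visible lines; I assume `p` points at the count text, as the `atoi` call suggests.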
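Review bot: The guard added before `vm_alloc(N*sizeof(psobj))` in BuildSubrs rejects a negative `N` only as a side effect of the signed/unsigned conversion in `N > INT_MAX / sizeof(psobj)` (the `size_t` divisor converts `N` to unsigned, so negative values compare as huge), whereas the parallel check this same commit adds to BuildCharStrings spells out `N<=0`. Making the intent explicit, `if (N < 0 || N > INT_MAX / sizeof(psobj)) return (SCAN_ERROR);`, keeps the two sites consistent and does not break if the divisor is ever changed to a signed type; whether `N == 0` is legitimate here is not visible in the hunk (the `return(SCAN_OK)` just above may already handle it), so I would not add `<= 0` without reading the lines above. Separately, `FontP->Subrs.len = N;` after the allocation stores `N` into a field that, if `Subrs` is a `psobj` whose `len` this commit's getFDArray comment describes as `unsigned short`, would silently truncate any `N` above `USHRT_MAX` — worth confirming against the struct definition and, if so, bounding `N` by `USHRT_MAX` instead. BuildSubrs begins outside the hunk.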
@@ -911,7 +915,7 @@ BuildCharStrings(psfont *FontP) } else return(rc); /* if next token was not an Int */ } - if (N<=0) return(SCAN_ERROR); + if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR); /* save number of entries in the dictionary */ dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict)); @@ -1719,6 +1723,10 @@ scan_cidfont(cidfont *CIDFontP, cmapres *CMapP) if (tokenType == TOKEN_INTEGER) rangecnt = tokenValue.integer; + if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) { + rc = SCAN_ERROR; + break; + } /* ==> tokenLength, tokenTooLong, tokenType, and */ /* tokenValue are now set */ diff --git a/src/Type1/util.c b/src/Type1/util.c index 5b6d5a8..7c5a81d 100644 --- a/src/Type1/util.c +++ b/src/Type1/util.c @@ -104,7 +104,7 @@ vm_alloc(int bytes) bytes = (bytes + 7) & ~7; /* Allocate the space, if it is available */ - if (bytes <= vm_free) { + if (bytes > 0 && bytes <= vm_free) { answer = vm_next; vm_free -= bytes; vm_next += bytes; -- cgit v1.2.3 From 1bb49c77c321fab1f5c268404ea0ec622fa083ed Mon Sep 17 00:00:00 2001 From: Adam Jackson Date: Tue, 12 Sep 2006 11:01:13 -0400 Subject: Bump to 1.2.2. --- configure.ac | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/configure.ac b/configure.ac index d165efa..f68f7e1 100644 --- a/configure.ac +++ b/configure.ac @@ -26,7 +26,7 @@ dnl Process this file with autoconf to create configure. AC_PREREQ([2.57]) AC_INIT([libXfont], - 1.2.0, + 1.2.2, [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], libXfont) dnl -- cgit v1.2.3 From d896c3eaeafdb8831ed0833af46250c36f82502f Mon Sep 17 00:00:00 2001 From: Adam Jackson Date: Tue, 12 Sep 2006 11:11:12 -0400 Subject: Fix distcheck. --- Makefile.am | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Makefile.am b/Makefile.am index 544f0db..687e1d7 100644 --- a/Makefile.am +++ b/Makefile.am 
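Review bot: The bound added in BuildCharStrings checks `N` against `INT_MAX / sizeof(psdict)`, but the allocation two lines below is `(N+1)*sizeof(psdict)`, so the largest accepted `N` still pushes the product past `INT_MAX` by up to `sizeof(psdict)` bytes before it is narrowed to vm_alloc's `int bytes` parameter — an implementation-defined conversion that the `bytes > 0` guard this commit adds in util.c only catches on two's-complement targets. The check should account for the extra element: `if (N<=0 || N > INT_MAX / sizeof(psdict) - 1) return(SCAN_ERROR);`. BuildCharStrings begins outside the hunk.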
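Review bot: In vm_alloc the new `bytes > 0` guard runs after `bytes = (bytes + 7) & ~7;`, so a request between `INT_MAX - 6` and `INT_MAX` — which the callers' new `INT_MAX / sizeof(...)` checks still admit — overflows signed `int` in the addition, which is undefined behaviour, and the guard then relies on wraparound yielding a negative value. Rejecting before rounding removes that reliance: `if (bytes < 0 || bytes > INT_MAX - 7) return NULL;` placed ahead of the rounding line, with the existing `bytes > 0` test kept to reject a zero-length request; this assumes the function's failure path returns NULL, as the callers' `if (!(arrayP))` tests suggest. The rest of vm_alloc, including that failure path, is outside the hunk.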
@@ -49,8 +49,9 @@ EXTRA_DIST = xfont.pc.in autogen.sh include/X11/fonts/fontconf.h.in ChangeLog
 .PHONY: ChangeLog
+CLEANFILES = ChangeLog
 ChangeLog:
- GIT_DIR=${srcdir}/.git git-log > ChangeLog
+ git-log > ChangeLog
 dist-hook: ChangeLog
-- 
cgit v1.2.3