author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2008-01-17 15:44:50 +0000 |
---|---|---|
committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2008-01-17 15:44:50 +0000 |
commit | 63044a8336fea3ae7debede4e1888aaa68ea8b43 (patch) | |
tree | 03077a93d70c78f0795c7d843f48edfeb1b1578c | |
parent | b26d7d4251e204dce314ef01b386545e58565618 (diff) |
Fix from X.Org for CVE-2008-0006 - PCF Font parser buffer overflow.
-rw-r--r-- | lib/libXfont/src/bitmap/pcfread.c | 6 | ||||
-rw-r--r-- | xserver/dix/dixfonts.c | 91 |
2 files changed, 28 insertions, 69 deletions
diff --git a/lib/libXfont/src/bitmap/pcfread.c b/lib/libXfont/src/bitmap/pcfread.c index fd418496e..c5db2555b 100644 --- a/lib/libXfont/src/bitmap/pcfread.c +++ b/lib/libXfont/src/bitmap/pcfread.c @@ -588,6 +588,9 @@ pcfReadFont(FontPtr pFont, FontFilePtr file, pFont->info.lastRow = pcfGetINT16(file, format); pFont->info.defaultCh = pcfGetINT16(file, format); if (IS_EOF(file)) goto Bail; + if (pFont->info.firstCol > pFont->info.lastCol || + pFont->info.firstRow > pFont->info.lastRow || + pFont->info.lastCol-pFont->info.firstCol > 255) goto Bail; nencoding = (pFont->info.lastCol - pFont->info.firstCol + 1) * (pFont->info.lastRow - pFont->info.firstRow + 1); @@ -726,6 +729,9 @@ pcfReadFontInfo(FontInfoPtr pFontInfo, FontFilePtr file) pFontInfo->lastRow = pcfGetINT16(file, format); pFontInfo->defaultCh = pcfGetINT16(file, format); if (IS_EOF(file)) goto Bail; + if (pFontInfo->firstCol > pFontInfo->lastCol || + pFontInfo->firstRow > pFontInfo->lastRow || + pFontInfo->lastCol-pFontInfo->firstCol > 255) goto Bail; nencoding = (pFontInfo->lastCol - pFontInfo->firstCol + 1) * (pFontInfo->lastRow - pFontInfo->firstRow + 1); diff --git a/xserver/dix/dixfonts.c b/xserver/dix/dixfonts.c index f10011e4b..7bb2404c2 100644 --- a/xserver/dix/dixfonts.c +++ b/xserver/dix/dixfonts.c @@ -64,6 +64,7 @@ Equipment Corporation. #include "opaque.h" #include "dixfontstr.h" #include "closestr.h" +#include "dixfont.h" #ifdef DEBUG #include <stdio.h> @@ -155,11 +156,6 @@ QueueFontWakeup(FontPathElementPtr fpe) for (i = 0; i < num_slept_fpes; i++) { if (slept_fpes[i] == fpe) { - -#ifdef DEBUG - fprintf(stderr, "re-queueing fpe wakeup\n"); -#endif - return; } } 
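Review bot: The range check added to pcfReadFont (hunk at -588) caps the column span at 255 but leaves the row span unbounded, and the literal `255` carries no comment saying what it protects. All four bounds are read with pcfGetINT16, so the product assigned to `nencoding` right after the check can presumably still be very large; the allocation that consumes it lies outside the hunk and should be confirmed to validate its size and result. The same three-condition test is repeated verbatim in pcfReadFontInfo (hunk at -726) and again in doOpenFont in xserver/dix/dixfonts.c, so a shared macro or helper would keep the copies from drifting apart. At minimum I would put `/* CVE-2008-0006: reject inverted row/column ranges and column spans wider than 255 */` above both checks in this file.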
@@ -329,6 +325,13 @@ doOpenFont(ClientPtr client, OFclosurePtr c) err = BadFontName; goto bail; } + /* check values for firstCol, lastCol, firstRow, and lastRow */ + if (pfont->info.firstCol > pfont->info.lastCol || + pfont->info.firstRow > pfont->info.lastRow || + pfont->info.lastCol - pfont->info.firstCol > 255) { + err = AllocError; + goto bail; + } if (!pfont->fpe) pfont->fpe = fpe; pfont->refcnt++; @@ -1149,9 +1152,9 @@ static XID clearGC[] = { CT_NONE }; #define clearGCmask (GCClipMask) int -doPolyText(ClientPtr client, register PTclosurePtr c) +doPolyText(ClientPtr client, PTclosurePtr c) { - register FontPtr pFont = c->pGC->font, oldpFont; + FontPtr pFont = c->pGC->font, oldpFont; Font fid, oldfid; int err = Success, lgerr; /* err is in X error, not font error, space */ enum { NEVER_SLEPT, START_SLEEP, SLEEPING } client_state = NEVER_SLEPT; @@ -1183,7 +1186,7 @@ doPolyText(ClientPtr client, register PTclosurePtr c) if (c->slept && c->pDraw && c->pDraw != (DrawablePtr)SecurityLookupIDByClass(client, c->did, - RC_DRAWABLE, SecurityWriteAccess)) + RC_DRAWABLE, DixWriteAccess)) { /* Our drawable has disappeared. Treat like client died... ask the FPE code to clean up after client and avoid further @@ -1213,7 +1216,7 @@ doPolyText(ClientPtr client, register PTclosurePtr c) | ((Font)*(c->pElt+2)) << 16 | ((Font)*(c->pElt+1)) << 24; pFont = (FontPtr)SecurityLookupIDByType(client, fid, RT_FONT, - SecurityReadAccess); + DixReadAccess); if (!pFont) { client->errorValue = fid; @@ -1451,7 +1454,7 @@ PolyText(ClientPtr client, DrawablePtr pDraw, GC *pGC, unsigned char *pElt, #undef FontShiftSize int -doImageText(ClientPtr client, register ITclosurePtr c) +doImageText(ClientPtr client, ITclosurePtr c) { int err = Success, lgerr; /* err is in X error, not font error, space */ FontPathElementPtr fpe; 
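Review bot: The rejection branch added to doOpenFont (hunk at -329) runs after the font has been opened and `pfont` is already being dereferenced, yet it jumps to `bail` without any visible release of that font. The `bail` label is outside the hunk, so please confirm it closes the font; otherwise every rejected font is presumably leaked or left in the font path element's cache. The branch also sets `err = AllocError`, which reports a malformed font as an allocation failure and makes these rejections hard to tell from real memory pressure in logs. A comment such as `/* malformed font metrics (CVE-2008-0006); reported as AllocError */` would record that the code is deliberate. doOpenFont starts and ends outside the hunk.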
@@ -1468,7 +1471,7 @@ doImageText(ClientPtr client, register ITclosurePtr c) if (c->slept && c->pDraw && c->pDraw != (DrawablePtr)SecurityLookupIDByClass(client, c->did, - RC_DRAWABLE, SecurityWriteAccess)) + RC_DRAWABLE, DixWriteAccess)) { /* Our drawable has disappeared. Treat like client died... ask the FPE code to clean up after client. */ @@ -1882,11 +1885,11 @@ DeleteClientFontStuff(ClientPtr client) } void -InitFonts () +InitFonts (void) { patternCache = MakeFontPatternCache(); -#ifndef KDRIVESERVER +#ifndef BUILTIN_FONTS if (screenInfo.numScreens > screenInfo.numVideoScreens) { PrinterFontRegisterFpeFunctions(); FontFileCheckRegisterFpeFunctions(); @@ -1894,10 +1897,11 @@ InitFonts () } else #endif { -#ifdef KDRIVESERVER - BuiltinRegisterFpeFunctions(); -#endif +#ifdef BUILTIN_FONTS + BuiltinRegisterFpeFunctions(); +#else FontFileRegisterFpeFunctions(); +#endif #ifndef NOFONTSERVERACCESS fs_register_fpe_functions(); #endif @@ -2000,7 +2004,7 @@ RegisterFPEFunctions(NameCheckFunc name_func, } void -FreeFonts() +FreeFonts(void) { if (patternCache) { FreeFontPatternCache(patternCache); @@ -2020,7 +2024,7 @@ FontPtr find_old_font(XID id) { return (FontPtr) SecurityLookupIDByType(NullClient, id, RT_NONE, - SecurityUnknownAccess); + DixUnknownAccess); } Font @@ -2059,11 +2063,6 @@ init_fs_handlers(FontPathElementPtr fpe, BlockHandlerProcPtr block_handler) fs_handlers_installed = 0; } if (fs_handlers_installed == 0) { - -#ifdef DEBUG - fprintf(stderr, "adding FS b & w handlers\n"); -#endif - if (!RegisterBlockAndWakeupHandlers(block_handler, FontWakeup, (pointer) 0)) return AllocError; 
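Review bot: The two InitFonts hunks (at -1882 and -1894) change which font path element backends are registered, and the commit message, which names only the CVE fix, does not mention this. With `BUILTIN_FONTS` defined the new code calls `BuiltinRegisterFpeFunctions()` and skips `FontFileRegisterFpeFunctions()`, whereas the old `KDRIVESERVER` branch called both. A short comment at the `#ifdef`, for example `/* BUILTIN_FONTS: register the built-in FPE instead of the file FPE */`, would make the functional change visible to anyone auditing or backporting the security fix. The rest of InitFonts is outside these hunks.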
@@ -2079,55 +2078,9 @@ remove_fs_handlers(FontPathElementPtr fpe, BlockHandlerProcPtr block_handler, Bo if (all) { /* remove the handlers if no one else is using them */ if (--fs_handlers_installed == 0) { - -#ifdef DEBUG - fprintf(stderr, "removing FS b & w handlers\n"); -#endif - RemoveBlockAndWakeupHandlers(block_handler, FontWakeup, (pointer) 0); } } RemoveFontWakeup(fpe); } - -#ifdef DEBUG -#define GLWIDTHBYTESPADDED(bits,nbytes) \ - ((nbytes) == 1 ? (((bits)+7)>>3) /* pad to 1 byte */ \ - :(nbytes) == 2 ? ((((bits)+15)>>3)&~1) /* pad to 2 bytes */ \ - :(nbytes) == 4 ? ((((bits)+31)>>3)&~3) /* pad to 4 bytes */ \ - :(nbytes) == 8 ? ((((bits)+63)>>3)&~7) /* pad to 8 bytes */ \ - : 0) - -#define GLYPH_SIZE(ch, nbytes) \ - GLWIDTHBYTESPADDED((ch)->metrics.rightSideBearing - \ - (ch)->metrics.leftSideBearing, (nbytes)) -void -dump_char_ascii(CharInfoPtr cip) -{ - int r, - l; - int bpr; - int byte; - static unsigned maskTab[] = { - (1 << 7), (1 << 6), (1 << 5), (1 << 4), - (1 << 3), (1 << 2), (1 << 1), (1 << 0), - }; - - bpr = GLYPH_SIZE(cip, 4); - for (r = 0; r < (cip->metrics.ascent + cip->metrics.descent); r++) { - pointer row = (pointer) cip->bits + r * bpr; - - byte = 0; - for (l = 0; l <= (cip->metrics.rightSideBearing - - cip->metrics.leftSideBearing); l++) { - if (maskTab[l & 7] & row[l >> 3]) - putchar('X'); - else - putchar('.'); - } - putchar('\n'); - } -} - -#endif |