author | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2014-01-07 20:42:21 +0000 |
---|---|---|
committer | Matthieu Herrb <matthieu@cvs.openbsd.org> | 2014-01-07 20:42:21 +0000 |
commit | e1c8dc96be656c819f4bafa357642c20c80d67ac (patch) | |
tree | 7e266a1f7a022f61c3e95fd39e18d6f1c4a3d34d /lib/libXfont/src | |
parent | fbf7bfc3107f14a9677c700f09f70084c0b608b2 (diff) |
Update to libXfont 1.4.7. Include fix for CVE-2013-6462.
unlimited sscanf overflows stack buffer in bdfReadCharacters
Diffstat (limited to 'lib/libXfont/src')
-rw-r--r-- | lib/libXfont/src/FreeType/ftfuncs.c | 17 | ||||
-rw-r--r-- | lib/libXfont/src/FreeType/xttcap.c | 23 | ||||
-rw-r--r-- | lib/libXfont/src/FreeType/xttcap.h | 9 | ||||
-rw-r--r-- | lib/libXfont/src/bitmap/bdfread.c | 16 | ||||
-rw-r--r-- | lib/libXfont/src/fontfile/fontdir.c | 10 | ||||
-rw-r--r-- | lib/libXfont/src/util/atom.c | 20 | ||||
-rw-r--r-- | lib/libXfont/src/util/miscutil.c | 2 |
7 files changed, 38 insertions, 59 deletions
diff --git a/lib/libXfont/src/FreeType/ftfuncs.c b/lib/libXfont/src/FreeType/ftfuncs.c index 918e3f37e..44e5e0288 100644 --- a/lib/libXfont/src/FreeType/ftfuncs.c +++ b/lib/libXfont/src/FreeType/ftfuncs.c @@ -2050,7 +2050,7 @@ restrict_code_range_by_str(int count,unsigned short *refFirstCol, { int nRanges = 0; int result = 0; - fsRange *ranges = NULL; + fsRange *ranges = NULL, *oldRanges; char const *p, *q; p = q = str; @@ -2119,10 +2119,13 @@ restrict_code_range_by_str(int count,unsigned short *refFirstCol, fflush(stderr); #endif nRanges++; + oldRanges = ranges; ranges = realloc(ranges, nRanges*sizeof(*ranges)); - if (NULL == ranges) + if (NULL == ranges) { + free(oldRanges); break; - { + } + else { fsRange *r = ranges+nRanges-1; r->min_char_low = minpoint & 0xff; @@ -2204,7 +2207,7 @@ FreeTypeSetUpTTCap( char *fileName, FontScalablePtr vals, strcpy(*dynStrRealFileName+dirLen, p2+1); capHead = p1; } else { - *dynStrRealFileName = xstrdup(fileName); + *dynStrRealFileName = strdup(fileName); if( *dynStrRealFileName == NULL ) { result = AllocError; goto quit; @@ -2289,13 +2292,11 @@ FreeTypeSetUpTTCap( char *fileName, FontScalablePtr vals, } } else{ - *dynStrFTFileName = malloc(strlen(*dynStrRealFileName)+1); + *dynStrFTFileName = strdup(*dynStrRealFileName); if( *dynStrFTFileName == NULL ){ result = AllocError; goto quit; } - **dynStrFTFileName = '\0'; - strcat(*dynStrFTFileName,*dynStrRealFileName); } } /* @@ -2549,7 +2550,7 @@ FreeTypeSetUpTTCap( char *fileName, FontScalablePtr vals, if (SPropRecValList_search_record(&listPropRecVal, &contRecValue, "CodeRange")) { - *dynStrTTCapCodeRange = xstrdup(SPropContainer_value_str(contRecValue)); + *dynStrTTCapCodeRange = strdup(SPropContainer_value_str(contRecValue)); if( *dynStrTTCapCodeRange == NULL ) { result = AllocError; goto quit; diff --git a/lib/libXfont/src/FreeType/xttcap.c b/lib/libXfont/src/FreeType/xttcap.c index bf25cc5ed..104dc89e4 100644 --- a/lib/libXfont/src/FreeType/xttcap.c 
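Review bot: In the realloc failure branch of the second ftfuncs.c hunk (restrict_code_range_by_str), `nRanges` has already been incremented and every previously parsed range has just been freed, so the loop is left with `ranges == NULL` and a non-zero count. The code after the loop is outside this hunk; if it decides whether to use `ranges` by testing `nRanges`, it would pass a NULL array with a positive length on the out-of-memory path. Resetting the count in the same branch keeps the two in step: `free(oldRanges); nRanges = 0; break;`. Assigning the realloc result to a temporary first, as the ResizeReverseMap hunk in atom.c does, would also avoid the separate `oldRanges` bookkeeping.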
+++ b/lib/libXfont/src/FreeType/xttcap.c @@ -234,14 +234,13 @@ SPropRecValList_add_record(SDynPropRecValList *pThisList, { char *p; - if (NULL == (p = malloc(strlen(strValue)+1))) { + if (NULL == (p = strdup(strValue))) { fprintf(stderr, "truetype font property : " "cannot allocate memory.\n"); result = True; goto quit; } - strcpy(p, strValue); SPropContainer_value_str(&tmpContainerE) = p; } break; @@ -682,24 +681,4 @@ SPropRecValList_add_by_font_cap(SDynPropRecValList *pThisList, return result; } - -/************************************************************************** - Functions (xttmisc) - */ - -/* strdup clone with using the allocator of X server */ -char * -XttXstrdup(char const *str) -{ - char *result; - - result = malloc(strlen(str)+1); - - if (result) - strcpy(result, str); - - return result; -} - - /* end of file */ diff --git a/lib/libXfont/src/FreeType/xttcap.h b/lib/libXfont/src/FreeType/xttcap.h index 293109813..2822540bb 100644 --- a/lib/libXfont/src/FreeType/xttcap.h +++ b/lib/libXfont/src/FreeType/xttcap.h @@ -116,15 +116,6 @@ SPropRecValList_dump(SRefPropRecValList *refList); #define SPropContainer_value_str(contRecVal)\ ((contRecVal)->uValue.dynStringValue) -/****************************************************** - Prototypes (xttmisc) - */ - -/* strdup clone */ -char * XttXstrdup(char const *str); -#undef xstrdup -#define xstrdup(s) XttXstrdup((char const*)s) - #endif /* !def _XTTCAP_H_ */ /* end of file */ diff --git a/lib/libXfont/src/bitmap/bdfread.c b/lib/libXfont/src/bitmap/bdfread.c index e2770dc1c..914a0244e 100644 --- a/lib/libXfont/src/bitmap/bdfread.c +++ b/lib/libXfont/src/bitmap/bdfread.c @@ -69,6 +69,7 @@ from The Open Group. #define INDICES 256 #define MAXENCODING 0xFFFF #define BDFLINELEN 1024 +#define BDFLINESTR "%1023s" /* scanf specifier to read a BDFLINELEN string */ static Bool bdfPadToTerminal(FontPtr pFont); extern int bdfFileLineNum; 
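Review bot: The width in `#define BDFLINESTR "%1023s"` is a second copy of `BDFLINELEN` that nothing ties to it, so if `BDFLINELEN` is ever reduced the bounded scans silently stop protecting their buffers. The bdfReadHeader hunk already guards the `FONT %1023[^\n]` width with `#if MAXFONTNAMELEN != 1024`; the same kind of guard belongs next to this define: `#if BDFLINELEN != 1024`, `# error "adjust BDFLINESTR to BDFLINELEN - 1"`, `#endif`. The `%99s` paired with `char charName[100]` in bdfReadCharacters has the same coupling and deserves at least a comment naming the array. The declarations of `namebuf`, `secondbuf` and `thirdbuf` are outside the hunks, so it is worth confirming that each is at least BDFLINELEN bytes.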
@@ -338,7 +339,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, char charName[100]; int ignore; - if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) { + if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) { bdfError("bad character name in BDF file\n"); goto BAILOUT; /* bottom of function, free and return error */ } @@ -544,13 +545,18 @@ bdfReadHeader(FontFilePtr file, bdfFileState *pState) unsigned char lineBuf[BDFLINELEN]; line = bdfGetLine(file, lineBuf, BDFLINELEN); - if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 || + if (!line || + sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 || !bdfStrEqual(namebuf, "2.1")) { bdfError("bad 'STARTFONT'\n"); return (FALSE); } line = bdfGetLine(file, lineBuf, BDFLINELEN); - if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) { +#if MAXFONTNAMELEN != 1024 +# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1" +#endif + if (!line || + sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) { bdfError("bad 'FONT'\n"); return (FALSE); } @@ -633,7 +639,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState) while (*line && isspace(*line)) line++; - switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) { + switch (sscanf((char *) line, + BDFLINESTR BDFLINESTR BDFLINESTR, + namebuf, secondbuf, thirdbuf)) { default: bdfError("missing '%s' parameter value\n", namebuf); goto BAILOUT; diff --git a/lib/libXfont/src/fontfile/fontdir.c b/lib/libXfont/src/fontfile/fontdir.c index 97b2ba3b1..ef7ffa561 100644 --- a/lib/libXfont/src/fontfile/fontdir.c +++ b/lib/libXfont/src/fontfile/fontdir.c 
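Review bot: In the bdfReadProperties hunk the `default:` arm still formats `namebuf` into the error message even when `sscanf` matched nothing (return 0 or EOF), in which case `namebuf` was not written by this call. Whether a whitespace-only line can reach this point depends on bdfGetLine, which is not shown, so this is a hedge rather than a confirmed defect. An explicit arm ahead of `default:` would avoid printing stale or uninitialised bytes: `case EOF: case 0: bdfError("empty property line\n"); goto BAILOUT;`. The switch continues past the end of the hunk.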
@@ -425,17 +425,13 @@ FontFileCountDashes (char *name, int namelen) return ndashes; } +/* exported in public API in <X11/fonts/fntfil.h> */ char * FontFileSaveString (char *s) { - char *n; - - n = malloc (strlen (s) + 1); - if (!n) - return 0; - strcpy (n, s); - return n; + return strdup(s); } +#define FontFileSaveString(s) strdup(s) FontEntryPtr FontFileFindNameInScalableDir(FontTablePtr table, FontNamePtr pat, diff --git a/lib/libXfont/src/util/atom.c b/lib/libXfont/src/util/atom.c index c47cb5c80..37811f91e 100644 --- a/lib/libXfont/src/util/atom.c +++ b/lib/libXfont/src/util/atom.c @@ -118,19 +118,23 @@ ResizeHashTable (void) static int ResizeReverseMap (void) { - int ret = TRUE; + AtomListPtr *newMap; + int newMapSize; + if (reverseMapSize == 0) - reverseMapSize = 1000; + newMapSize = 1000; else - reverseMapSize *= 2; - reverseMap = realloc (reverseMap, reverseMapSize * sizeof (AtomListPtr)); - if (!reverseMap) { + newMapSize = reverseMapSize * 2; + newMap = realloc (reverseMap, newMapSize * sizeof (AtomListPtr)); + if (newMap == NULL) { fprintf(stderr, "ResizeReverseMap(): Error: Couldn't reallocate" " reverseMap (%ld)\n", - reverseMapSize * (unsigned long)sizeof(AtomListPtr)); - ret = FALSE; + newMapSize * (unsigned long)sizeof(AtomListPtr)); + return FALSE; } - return ret; + reverseMap = newMap; + reverseMapSize = newMapSize; + return TRUE; } static int diff --git a/lib/libXfont/src/util/miscutil.c b/lib/libXfont/src/util/miscutil.c index 7173d3640..3d802d2f5 100644 --- a/lib/libXfont/src/util/miscutil.c +++ b/lib/libXfont/src/util/miscutil.c @@ -47,7 +47,7 @@ extern void BuiltinRegisterFpeFunctions(void); #ifndef NO_WEAK_SYMBOLS /* make sure everything initializes themselves at least once */ -weak long serverGeneration = 1; +weak unsigned long serverGeneration = 1; #endif weak void |
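Review bot: `newMapSize = reverseMapSize * 2;` in ResizeReverseMap doubles into an `int` with no upper bound, so after enough growth the multiplication overflows, which is undefined for signed int, and the byte count handed to `realloc` no longer corresponds to the table size recorded afterwards. A guard ahead of the doubling keeps the failure explicit: `if (reverseMapSize > INT_MAX / 2) return FALSE;` (this needs `<limits.h>` if atom.c does not already include it). Separately, the diagnostic prints the product `newMapSize * (unsigned long)sizeof(AtomListPtr)` with `%ld`; `%lu` matches the argument type.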