rpms/libXfont/devel fdo-7535.patch, NONE, 1.1 libXfont.spec, 1.21, 1.22

fedora-cvs-commits at redhat.com fedora-cvs-commits at redhat.com
Mon Aug 14 22:22:48 UTC 2006


Author: sandmann

Update of /cvs/dist/rpms/libXfont/devel
In directory cvs.devel.redhat.com:/tmp/cvs-serv22742

Modified Files:
	libXfont.spec 
Added Files:
	fdo-7535.patch 
Log Message:
* Mon Aug 14 2006 Soren Sandmann <sandmann at redhat.com> - 1.2.0-2.fc6
- fdo-7535.patch
  Fix for FDO bug 7535, CVE-2006-3467, RH bug 202472




fdo-7535.patch:
 pcfread.c |   29 ++++++++++++++++++++++++++++-
 1 files changed, 28 insertions(+), 1 deletion(-)

--- NEW FILE fdo-7535.patch ---
diff --git a/src/bitmap/pcfread.c b/src/bitmap/pcfread.c
index dd76868..6210f18 100644
--- a/src/bitmap/pcfread.c
+++ b/src/bitmap/pcfread.c
@@ -45,6 +45,7 @@ #define   MAX(a,b)    (((a)>(b)) ? a : b
 #endif
 
 #include <stdarg.h>
+#include <stdint.h>
 
 void
 pcfError(const char* message, ...)
@@ -133,6 +134,10 @@ pcfReadTOC(FontFilePtr file, int *countp
 	return (PCFTablePtr) NULL;
     count = pcfGetLSB32(file);
     if (IS_EOF(file)) return (PCFTablePtr) NULL;
+    if (count < 0 || count > INT32_MAX / sizeof(PCFTableRec)) {
+	pcfError("pcfReadTOC(): invalid file format\n");
+	return NULL;
+    }
     tables = (PCFTablePtr) xalloc(count * sizeof(PCFTableRec));
     if (!tables) {
       pcfError("pcfReadTOC(): Couldn't allocate tables (%d*%d)\n", count, sizeof(PCFTableRec));
@@ -252,6 +257,10 @@ pcfGetProperties(FontInfoPtr pFontInfo, 
     if (!PCF_FORMAT_MATCH(format, PCF_DEFAULT_FORMAT))
 	goto Bail;
     nprops = pcfGetINT32(file, format);
+    if (nprops <= 0 || nprops > INT32_MAX / sizeof(FontPropRec)) {
+	pcfError("pcfGetProperties(): invalid nprops value (%d)\n", nprops);
+	goto Bail;
+    }
     if (IS_EOF(file)) goto Bail;
     props = (FontPropPtr) xalloc(nprops * sizeof(FontPropRec));
     if (!props) {
@@ -267,6 +276,13 @@ pcfGetProperties(FontInfoPtr pFontInfo, 
 	props[i].name = pcfGetINT32(file, format);
 	isStringProp[i] = pcfGetINT8(file, format);
 	props[i].value = pcfGetINT32(file, format);
+	if (props[i].name < 0 
+	    || (isStringProp[i] != 0 && isStringProp[i] != 1)
+	    || (isStringProp[i] && props[i].value < 0)) {
+	    pcfError("pcfGetProperties(): invalid file format %d %d %d\n",
+		     props[i].name, isStringProp[i], props[i].value);
+	    goto Bail;
+	}
 	if (IS_EOF(file)) goto Bail;
     }
     /* pad the property array */
@@ -282,6 +298,7 @@ pcfGetProperties(FontInfoPtr pFontInfo, 
     }
     if (IS_EOF(file)) goto Bail;
     string_size = pcfGetINT32(file, format);
+    if (string_size < 0) goto Bail;
     if (IS_EOF(file)) goto Bail;
     strings = (char *) xalloc(string_size);
     if (!strings) {
@@ -422,6 +439,10 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
     else
 	nmetrics = pcfGetINT16(file, format);
     if (IS_EOF(file)) goto Bail;
+    if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
+	pcfError("pcfReadFont(): invalid file format\n");
+	goto Bail;
+    }
     metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
     if (!metrics) {
       pcfError("pcfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec));
@@ -447,7 +468,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
     nbitmaps = pcfGetINT32(file, format);
     if (nbitmaps != nmetrics || IS_EOF(file))
 	goto Bail;
-
+    /* nmetrics is alreadt ok, so nbitmap also is */
     offsets = (CARD32 *) xalloc(nbitmaps * sizeof(CARD32));
     if (!offsets) {
       pcfError("pcfReadFont(): Couldn't allocate offsets (%d*%d)\n", nbitmaps, sizeof(CARD32));
@@ -461,6 +482,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
     for (i = 0; i < GLYPHPADOPTIONS; i++) {
 	bitmapSizes[i] = pcfGetINT32(file, format);
 	if (IS_EOF(file)) goto Bail;
+	if (bitmapSizes[i] < 0) goto Bail;
     }
     
     sizebitmaps = bitmapSizes[PCF_GLYPH_PAD_INDEX(format)];
@@ -536,6 +558,7 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
 	if (IS_EOF(file)) goto Bail;
 	if (nink_metrics != nmetrics)
 	    goto Bail;
+	/* nmetrics already checked */
 	ink_metrics = (xCharInfo *) xalloc(nink_metrics * sizeof(xCharInfo));
       if (!ink_metrics) {
           pcfError("pcfReadFont(): Couldn't allocate ink_metrics (%d*%d)\n", nink_metrics, sizeof(xCharInfo));       
@@ -809,6 +832,10 @@ pmfReadFont(FontPtr pFont, FontFilePtr f
     else
 	nmetrics = pcfGetINT16(file, format);
     if (IS_EOF(file)) goto Bail;
+    if (nmetrics < 0 || nmetrics > INT32_MAX / sizeof(CharInfoRec)) {
+	pcfError("pmfReadFont(): invalid file format\n");
+	goto Bail;
+    }
     metrics = (CharInfoPtr) xalloc(nmetrics * sizeof(CharInfoRec));
     if (!metrics) {
       pcfError("pmfReadFont(): Couldn't allocate metrics (%d*%d)\n", nmetrics, sizeof(CharInfoRec));


Index: libXfont.spec
===================================================================
RCS file: /cvs/dist/rpms/libXfont/devel/libXfont.spec,v
retrieving revision 1.21
retrieving revision 1.22
diff -u -r1.21 -r1.22
--- libXfont.spec	12 Jul 2006 07:05:15 -0000	1.21
+++ libXfont.spec	14 Aug 2006 22:22:45 -0000	1.22
@@ -1,7 +1,7 @@
 Summary: X.Org X11 libXfont runtime library
 Name: libXfont
 Version: 1.2.0
-Release: 1.1%{?dist}
+Release: 2%{?dist}
 License: MIT/X11
 Group: System Environment/Libraries
 URL: http://www.x.org
@@ -33,12 +33,16 @@
 
 Obsoletes: XFree86-devel, xorg-x11-devel
 
+Patch0: fdo-7535.patch
+
 %description devel
 X.Org X11 libXfont development package
 
 %prep
 %setup -q
 
+%patch0 -p1 -b .fdo-7535
+
 # Disable static library creation by default.
 %define with_static 0
 
@@ -98,6 +102,10 @@
 %{_libdir}/pkgconfig/xfont.pc
 
 %changelog
+* Mon Aug 14 2006 Soren Sandmann <sandmann at redhat.com> - 1.2.0-2.fc6
+- fdo-7535.patch
+  Fix for FDO bug 7535, CVE-2006-3467, RH bug 202472
+
 * Wed Jul 12 2006 Jesse Keating <jkeating at redhat.com> - sh: line 0: fg: no job control
 - rebuild
 




More information about the fedora-cvs-commits mailing list