[packages/XFree86.git] / XFree86-font-overflows.patch

--- XFree86-4.3/xc/lib/FS/FSFtNames.c.fontsec	2001-12-14 12:53:32.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSFtNames.c	2003-09-04 20:26:49.000000000 -0600
@@ -78,7 +78,8 @@
 	  (SIZEOF(fsListFontsReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
 	return (char **) 0;
 
-    if (rep.nFonts) {
+    if (rep.nFonts && rep.nFonts <= SIZE_T_MAX / sizeof(char *)
+	&& rep.length <= ((SIZE_T_MAX + SIZEOF(fsListFontsReply) - 1) >> 2)) {
 	flist = (char **) FSmalloc((unsigned) rep.nFonts * sizeof(char *));
 	rlen = (rep.length << 2) - SIZEOF(fsListFontsReply);
 	c = (char *) FSmalloc((unsigned) (rlen + 1));
--- XFree86-4.3/xc/lib/FS/FSFontInfo.c.fontsec	2001-12-14 12:53:32.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSFontInfo.c	2003-09-04 20:26:49.000000000 -0600
@@ -65,7 +65,7 @@
     long        nbytes;
     int         i,
                 j;
-    int         size = 0;
+    size_t      size = 0;
     FSXFontInfoHeader **fhdr = (FSXFontInfoHeader **) 0;
     FSPropInfo **pi = (FSPropInfo **) 0;
     FSPropOffset **po = (FSPropOffset **) 0;
@@ -123,8 +123,14 @@
 	if (reply.nameLength == 0)	/* got last reply in version 1 */
 	    break;
 	if ((i + reply.nReplies) >= size) {
+
+	    if (reply.nReplies > SIZE_T_MAX - i - 1) 
+		goto badmem;
 	    size = i + reply.nReplies + 1;
 
+	    if (size > SIZE_T_MAX / sizeof(char *)) 
+		goto badmem;
+
 	    if (fhdr) {
 		FSXFontInfoHeader **tmp_fhdr = (FSXFontInfoHeader **)
 		FSrealloc((char *) fhdr,
@@ -237,6 +243,9 @@
 	pi[i]->num_offsets = local_pi.num_offsets;
 	pi[i]->data_len = local_pi.data_len;
 
+	if (pi[i]->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset))
+	    goto badmem;
+
 	po[i] = (FSPropOffset *)
 	    FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset));
 	if (!po[i]) {
@@ -282,6 +291,10 @@
 	    nbytes = pi[i]->data_len + reply.nameLength;
 	    _FSEatData(svr, (unsigned long) (((nbytes+3)&~3) - nbytes));
 	}
+	/* avoid integer overflow */
+	if (i > INT_MAX - 1) {
+	    goto badmem;
+	}
     }
     *info = fhdr;
     *count = i;
--- XFree86-4.3/xc/lib/FS/FSlibint.h.fontsec	2001-12-14 12:53:33.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSlibint.h	2003-09-04 20:26:49.000000000 -0600
@@ -77,6 +77,11 @@
 #include	<errno.h>
 #include	<stddef.h>
 
+#include	<limits.h>
+#ifndef SIZE_T_MAX
+#define SIZE_T_MAX UINT_MAX
+#endif
+
 typedef int (* FSIOErrorHandler)(FSServer *);
 typedef int (* FSErrorHandler)(FSServer *, FSErrorEvent *);
 
--- XFree86-4.3/xc/lib/FS/FSQGlyphs.c.fontsec	2001-12-14 12:53:33.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSQGlyphs.c	2003-09-04 20:26:49.000000000 -0600
@@ -85,12 +85,20 @@
      (SIZEOF(fsQueryXBitmaps8Reply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
 	return FSBadAlloc;
 
+    if (reply.num_chars > SIZE_T_MAX / sizeof(FSOffset)) 
+	return FSBadAlloc;
+
     offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
     *offsets = offs;
     if (!offs)
 	return FSBadAlloc;
     left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps8Reply)
 	- (SIZEOF(fsOffset32) * reply.num_chars);
+    /* XXX This thest is incomplete */
+    if (reply.length > (SIZE_T_MAX >> 2)) {
+	FSfree((char *) offs);
+	return FSBadAlloc;
+    }
     gd = (unsigned char *) FSmalloc(left);
     *glyphdata = gd;
     if (!gd) {
@@ -141,6 +149,8 @@
 	int i;
 	fsChar2b_version1 *swapped_str;
 
+	if (str_len > SIZE_T_MAX/SIZEOF(fsChar2b_version1)) 
+	    return FSBadAlloc;
 	swapped_str = (fsChar2b_version1 *)
 	    FSmalloc(SIZEOF(fsChar2b_version1) * str_len);
 	if (!swapped_str)
@@ -160,12 +170,19 @@
 		  fsFalse))
 	return FSBadAlloc;
 
+    if(reply.num_chars > SIZE_T_MAX/sizeof(FSOffset))
+       return FSBadAlloc;
     offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
     *offsets = offs;
     if (!offs)
 	return FSBadAlloc;
     left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps16Reply)
 	- (SIZEOF(fsOffset32) * reply.num_chars);
+    /* XXX - this test is incomplete */
+    if (reply.length > (SIZE_T_MAX>>2)) {
+	FSfree((char *) offs);
+	return FSBadAlloc;
+    }
     gd = (unsigned char *) FSmalloc(left);
     *glyphdata = gd;
     if (!gd) {
--- XFree86-4.3/xc/lib/FS/FSOpenServ.c.fontsec	2001-12-14 12:53:33.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSOpenServ.c	2003-09-04 20:26:49.000000000 -0600
@@ -118,7 +118,7 @@
     AlternateServer *alts;
     int         altlen;
     char       *vendor_string;
-    long        setuplength;
+    unsigned long        setuplength;
 
     if (server == NULL || *server == '\0') {
 	if ((server = getenv("FONTSERVER")) == NULL) {
@@ -153,7 +153,8 @@
     _FSRead(svr, (char *) &prefix, (long) SIZEOF(fsConnSetup));
 
     setuplength = prefix.alternate_len << 2;
-    if ((alt_data = (char *)
+    if (setuplength > (SIZE_T_MAX>>2)
+	|| (alt_data = (char *)
 	 (setup = FSmalloc((unsigned) setuplength))) == NULL) {
 	errno = ENOMEM;
 	FSfree((char *) svr);
@@ -162,6 +163,10 @@
     _FSRead(svr, (char *) alt_data, setuplength);
     ad = alt_data;
 
+    if (prefix.num_alternates > SIZE_T_MAX / sizeof(AlternateServer)) {
+	errno = ENOMEM;
+	return (FSServer *) 0;
+    }
     alts = (AlternateServer *)
 	FSmalloc(sizeof(AlternateServer) * prefix.num_alternates);
     if (!alts) {
@@ -193,7 +198,8 @@
     svr->num_alternates = prefix.num_alternates;
 
     setuplength = prefix.auth_len << 2;
-    if ((auth_data = (char *)
+    if (prefix.auth_len > (SIZE_T_MAX>>2) 
+	|| (auth_data = (char *)
 	 (setup = FSmalloc((unsigned) setuplength))) == NULL) {
 	errno = ENOMEM;
 	FSfree((char *) svr);
--- XFree86-4.3/xc/lib/FS/FSGetCats.c.fontsec	2001-12-14 12:53:32.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSGetCats.c	2003-09-04 20:26:49.000000000 -0600
@@ -72,9 +72,10 @@
 	SyncHandle();
 	return (char **) NULL;
     }
-    if (rep.num_catalogues) {
+    if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *)
+	&& rep.length <= ((SIZE_T_MAX + SIZEOF(fsGetCataloguesReply) - 1)>>2)) {
 	list = (char **)
-	    FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
+	       FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
 	rlen = (rep.length << 2) - SIZEOF(fsGetCataloguesReply);
 	c = (char *) FSmalloc((unsigned) rlen + 1);
 	if ((!list) || (!c)) {
--- XFree86-4.3/xc/lib/FS/FSQXExt.c.fontsec	2001-12-14 12:53:33.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSQXExt.c	2003-09-04 20:26:49.000000000 -0600
@@ -92,6 +92,9 @@
 	       (SIZEOF(fsQueryXExtents8Reply) - SIZEOF(fsGenericReply)) >> 2,
 		  fsFalse))
 	return FSBadAlloc;
+    
+    if (reply.num_extents > SIZE_T_MAX / sizeof(FSXCharInfo)) 
+	return FSBadAlloc;
 
     ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
     *extents = ext;
@@ -149,6 +152,9 @@
 		  fsFalse))
 	return FSBadAlloc;
 
+    if (reply.num_extents > SIZE_T_MAX/sizeof(FSXCharInfo)) 
+	return FSBadAlloc;
+
     ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
     *extents = ext;
     if (!ext)
--- XFree86-4.3/xc/lib/FS/FSQXInfo.c.fontsec	2001-12-14 12:53:33.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSQXInfo.c	2003-09-04 20:26:49.000000000 -0600
@@ -91,6 +91,9 @@
     props->num_offsets = local_pi.num_offsets;
     props->data_len = local_pi.data_len;
 
+    if (props->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset)) 
+	return FSBadAlloc;
+
     /* prepare for prop data */
     offset_data = (FSPropOffset *)
 	FSmalloc(props->num_offsets * sizeof(FSPropOffset));
--- XFree86-4.3/xc/lib/FS/FSListExt.c.fontsec	2001-12-14 12:53:32.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSListExt.c	2003-09-04 20:26:49.000000000 -0600
@@ -72,7 +72,8 @@
 	SyncHandle();
 	return (char **) NULL;
     }
-    if (rep.nExtensions) {
+    if (rep.nExtensions && rep.nExtensions <= SIZE_T_MAX / sizeof(char *)
+	&& rep.length <= ((SIZE_T_MAX+SIZEOF(fsListExtensionsReply)+1)>>2)) {
 	list = (char **) FSmalloc((unsigned)(rep.nExtensions * sizeof(char *)));
 	rlen = (rep.length << 2) - SIZEOF(fsListExtensionsReply);
 	c = (char *) FSmalloc((unsigned) rlen + 1);
--- XFree86-4.3/xc/lib/FS/FSListCats.c.fontsec	2001-12-14 12:53:32.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSListCats.c	2003-09-04 20:26:49.000000000 -0600
@@ -78,7 +78,8 @@
     (SIZEOF(fsListCataloguesReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
 	return (char **) 0;
 
-    if (rep.num_catalogues) {
+    if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *)
+	&& rep.length <= ((SIZE_T_MAX+SIZEOF(fsListCataloguesReply)+1)>>2)) {
 	clist = (char **)
 	    FSmalloc((unsigned) rep.num_catalogues * sizeof(char *));
 	rlen = (rep.length << 2) - SIZEOF(fsListCataloguesReply);
--- XFree86-4.3/xc/lib/font/fc/fsconvert.c.fontsec	2002-09-10 10:14:35.000000000 -0600
+++ XFree86-4.3/xc/lib/font/fc/fsconvert.c	2003-09-05 09:26:56.000000000 -0600
@@ -36,6 +36,7 @@
 #include	"fontstruct.h"
 #include	"fservestr.h"
 #include	"fontutil.h"
+#include	"fslibos.h"
 
 extern char _fs_glyph_undefined;
 extern char _fs_glyph_requested;
@@ -102,6 +103,10 @@
 
     nprops = pfi->nprops = pi->num_offsets;
 
+    if (nprops < 0 
+	|| nprops > SIZE_T_MAX/(sizeof(FontPropRec) + sizeof(char))) 
+	return -1;
+	   
     dprop = (FontPropPtr) xalloc(sizeof(FontPropRec) * nprops +
 				 sizeof (char) * nprops);
     if (!dprop)
--- XFree86-4.3/xc/lib/font/fc/fslibos.h.fontsec	2002-05-31 12:45:49.000000000 -0600
+++ XFree86-4.3/xc/lib/font/fc/fslibos.h	2003-09-04 20:26:49.000000000 -0600
@@ -48,13 +48,16 @@
 #ifndef FONT_OPEN_MAX
 
 #ifndef X_NOT_POSIX
-#ifdef _POSIX_SOURCE
-#include <limits.h>
-#else
-#define _POSIX_SOURCE
-#include <limits.h>
-#undef _POSIX_SOURCE
+# ifdef _POSIX_SOURCE
+#  include <limits.h>
+# else
+#  define _POSIX_SOURCE
+#  include <limits.h>
+#  undef _POSIX_SOURCE
+# endif
 #endif
+#ifndef SIZE_T_MAX
+# define SIZE_T_MAX UINT_MAX
 #endif
 #ifndef OPEN_MAX
 #if defined(SVR4) || defined(__UNIXOS2__)
--- XFree86-4.3/xc/lib/font/fc/fserve.c.fontsec	2002-05-31 12:45:49.000000000 -0600
+++ XFree86-4.3/xc/lib/font/fc/fserve.c	2003-09-04 20:26:49.000000000 -0600
@@ -1507,8 +1507,8 @@
 
     if (conn->blockState & FS_GIVE_UP)
 	return BadFontName;
-    
-    if (namelen > sizeof (buf) - 1)
+ 
+    if (namelen <= 0 || namelen > sizeof (buf) - 1)
 	return BadFontName;
     
     /*
Commit	Line	Data
c4a159d7 JB	1	--- XFree86-4.3/xc/lib/FS/FSFtNames.c.fontsec 2001-12-14 12:53:32.000000000 -0700
	2	+++ XFree86-4.3/xc/lib/FS/FSFtNames.c 2003-09-04 20:26:49.000000000 -0600
	3	@@ -78,7 +78,8 @@
	4	(SIZEOF(fsListFontsReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
	5	return (char **) 0;
	6
	7	- if (rep.nFonts) {
	8	+ if (rep.nFonts && rep.nFonts <= SIZE_T_MAX / sizeof(char *)
	9	+ && rep.length <= ((SIZE_T_MAX + SIZEOF(fsListFontsReply) - 1) >> 2)) {
	10	flist = (char *) FSmalloc((unsigned) rep.nFonts sizeof(char *));
	11	rlen = (rep.length << 2) - SIZEOF(fsListFontsReply);
	12	c = (char *) FSmalloc((unsigned) (rlen + 1));
	13	--- XFree86-4.3/xc/lib/FS/FSFontInfo.c.fontsec 2001-12-14 12:53:32.000000000 -0700
	14	+++ XFree86-4.3/xc/lib/FS/FSFontInfo.c 2003-09-04 20:26:49.000000000 -0600
	15	@@ -65,7 +65,7 @@
	16	long nbytes;
	17	int i,
	18	j;
	19	- int size = 0;
	20	+ size_t size = 0;
	21	FSXFontInfoHeader fhdr = (FSXFontInfoHeader ) 0;
	22	FSPropInfo pi = (FSPropInfo ) 0;
	23	FSPropOffset po = (FSPropOffset ) 0;
	24	@@ -123,8 +123,14 @@
	25	if (reply.nameLength == 0) /* got last reply in version 1 */
	26	break;
	27	if ((i + reply.nReplies) >= size) {
	28	+
	29	+ if (reply.nReplies > SIZE_T_MAX - i - 1)
	30	+ goto badmem;
	31	size = i + reply.nReplies + 1;
	32
	33	+ if (size > SIZE_T_MAX / sizeof(char *))
	34	+ goto badmem;
	35	+
	36	if (fhdr) {
	37	FSXFontInfoHeader tmp_fhdr = (FSXFontInfoHeader )
	38	FSrealloc((char *) fhdr,
	39	@@ -237,6 +243,9 @@
	40	pi[i]->num_offsets = local_pi.num_offsets;
	41	pi[i]->data_len = local_pi.data_len;
	42
	43	+ if (pi[i]->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset))
	44	+ goto badmem;
	45	+
	46	po[i] = (FSPropOffset *)
	47	FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset));
	48	if (!po[i]) {
	49	@@ -282,6 +291,10 @@
	50	nbytes = pi[i]->data_len + reply.nameLength;
	51	_FSEatData(svr, (unsigned long) (((nbytes+3)&~3) - nbytes));
	52	}
	53	+ /* avoid integer overflow */
	54	+ if (i > INT_MAX - 1) {
	55	+ goto badmem;
	56	+ }
	57	}
	58	*info = fhdr;
	59	*count = i;
	60	--- XFree86-4.3/xc/lib/FS/FSlibint.h.fontsec 2001-12-14 12:53:33.000000000 -0700
	61	+++ XFree86-4.3/xc/lib/FS/FSlibint.h 2003-09-04 20:26:49.000000000 -0600
	62	@@ -77,6 +77,11 @@
	63	#include <errno.h>
	64	#include <stddef.h>
65
66	+#include <limits.h>
67	+#ifndef SIZE_T_MAX
68	+#define SIZE_T_MAX UINT_MAX
69	+#endif
70	+
71	typedef int (* FSIOErrorHandler)(FSServer *);
72	typedef int (* FSErrorHandler)(FSServer , FSErrorEvent );
73
74	--- XFree86-4.3/xc/lib/FS/FSQGlyphs.c.fontsec 2001-12-14 12:53:33.000000000 -0700
75	+++ XFree86-4.3/xc/lib/FS/FSQGlyphs.c 2003-09-04 20:26:49.000000000 -0600
76	@@ -85,12 +85,20 @@
77	(SIZEOF(fsQueryXBitmaps8Reply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
78	return FSBadAlloc;
79
80	+ if (reply.num_chars > SIZE_T_MAX / sizeof(FSOffset))
81	+ return FSBadAlloc;
82	+
83	offs = (FSOffset ) FSmalloc(sizeof(FSOffset) reply.num_chars);
84	*offsets = offs;
85	if (!offs)
86	return FSBadAlloc;
87	left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps8Reply)
88	- (SIZEOF(fsOffset32) * reply.num_chars);
89	+ /* XXX This thest is incomplete */
90	+ if (reply.length > (SIZE_T_MAX >> 2)) {
91	+ FSfree((char *) offs);
92	+ return FSBadAlloc;
93	+ }
94	gd = (unsigned char *) FSmalloc(left);
95	*glyphdata = gd;
96	if (!gd) {
97	@@ -141,6 +149,8 @@
98	int i;
99	fsChar2b_version1 *swapped_str;
100
101	+ if (str_len > SIZE_T_MAX/SIZEOF(fsChar2b_version1))
102	+ return FSBadAlloc;
103	swapped_str = (fsChar2b_version1 *)
104	FSmalloc(SIZEOF(fsChar2b_version1) * str_len);
105	if (!swapped_str)
106	@@ -160,12 +170,19 @@
107	fsFalse))
108	return FSBadAlloc;
109
110	+ if(reply.num_chars > SIZE_T_MAX/sizeof(FSOffset))
111	+ return FSBadAlloc;
112	offs = (FSOffset ) FSmalloc(sizeof(FSOffset) reply.num_chars);
113	*offsets = offs;
114	if (!offs)
115	return FSBadAlloc;
116	left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps16Reply)
117	- (SIZEOF(fsOffset32) * reply.num_chars);
118	+ /* XXX - this test is incomplete */
119	+ if (reply.length > (SIZE_T_MAX>>2)) {
120	+ FSfree((char *) offs);
121	+ return FSBadAlloc;
122	+ }
123	gd = (unsigned char *) FSmalloc(left);
124	*glyphdata = gd;
125	if (!gd) {
126	--- XFree86-4.3/xc/lib/FS/FSOpenServ.c.fontsec 2001-12-14 12:53:33.000000000 -0700
127	+++ XFree86-4.3/xc/lib/FS/FSOpenServ.c 2003-09-04 20:26:49.000000000 -0600
128	@@ -118,7 +118,7 @@
129	AlternateServer *alts;
130	int altlen;
131	char *vendor_string;
132	- long setuplength;
133	+ unsigned long setuplength;
134
135	if (server == NULL \|\| *server == '\0') {
136	if ((server = getenv("FONTSERVER")) == NULL) {
137	@@ -153,7 +153,8 @@
138	_FSRead(svr, (char *) &prefix, (long) SIZEOF(fsConnSetup));
139
140	setuplength = prefix.alternate_len << 2;
141	- if ((alt_data = (char *)
142	+ if (setuplength > (SIZE_T_MAX>>2)
143	+ \|\| (alt_data = (char *)
144	(setup = FSmalloc((unsigned) setuplength))) == NULL) {
145	errno = ENOMEM;
146	FSfree((char *) svr);
147	@@ -162,6 +163,10 @@
148	_FSRead(svr, (char *) alt_data, setuplength);
149	ad = alt_data;
150
151	+ if (prefix.num_alternates > SIZE_T_MAX / sizeof(AlternateServer)) {
152	+ errno = ENOMEM;
153	+ return (FSServer *) 0;
154	+ }
155	alts = (AlternateServer *)
156	FSmalloc(sizeof(AlternateServer) * prefix.num_alternates);
157	if (!alts) {
158	@@ -193,7 +198,8 @@
159	svr->num_alternates = prefix.num_alternates;
160
161	setuplength = prefix.auth_len << 2;
162	- if ((auth_data = (char *)
163	+ if (prefix.auth_len > (SIZE_T_MAX>>2)
164	+ \|\| (auth_data = (char *)
165	(setup = FSmalloc((unsigned) setuplength))) == NULL) {
166	errno = ENOMEM;
167	FSfree((char *) svr);
168	--- XFree86-4.3/xc/lib/FS/FSGetCats.c.fontsec 2001-12-14 12:53:32.000000000 -0700
169	+++ XFree86-4.3/xc/lib/FS/FSGetCats.c 2003-09-04 20:26:49.000000000 -0600
170	@@ -72,9 +72,10 @@
171	SyncHandle();
172	return (char **) NULL;
173	}
174	- if (rep.num_catalogues) {
175	+ if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *)
176	+ && rep.length <= ((SIZE_T_MAX + SIZEOF(fsGetCataloguesReply) - 1)>>2)) {
177	list = (char **)
178	- FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
179	+ FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
180	rlen = (rep.length << 2) - SIZEOF(fsGetCataloguesReply);
181	c = (char *) FSmalloc((unsigned) rlen + 1);
182	if ((!list) \|\| (!c)) {
183	--- XFree86-4.3/xc/lib/FS/FSQXExt.c.fontsec 2001-12-14 12:53:33.000000000 -0700
184	+++ XFree86-4.3/xc/lib/FS/FSQXExt.c 2003-09-04 20:26:49.000000000 -0600
185	@@ -92,6 +92,9 @@
186	(SIZEOF(fsQueryXExtents8Reply) - SIZEOF(fsGenericReply)) >> 2,
187	fsFalse))
188	return FSBadAlloc;
189	+
190	+ if (reply.num_extents > SIZE_T_MAX / sizeof(FSXCharInfo))
191	+ return FSBadAlloc;
192
193	ext = (FSXCharInfo ) FSmalloc(sizeof(FSXCharInfo) reply.num_extents);
194	*extents = ext;
195	@@ -149,6 +152,9 @@
196	fsFalse))
197	return FSBadAlloc;
198
199	+ if (reply.num_extents > SIZE_T_MAX/sizeof(FSXCharInfo))
200	+ return FSBadAlloc;
201	+
202	ext = (FSXCharInfo ) FSmalloc(sizeof(FSXCharInfo) reply.num_extents);
203	*extents = ext;
204	if (!ext)
205	--- XFree86-4.3/xc/lib/FS/FSQXInfo.c.fontsec 2001-12-14 12:53:33.000000000 -0700
206	+++ XFree86-4.3/xc/lib/FS/FSQXInfo.c 2003-09-04 20:26:49.000000000 -0600
207	@@ -91,6 +91,9 @@
208	props->num_offsets = local_pi.num_offsets;
209	props->data_len = local_pi.data_len;
210
211	+ if (props->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset))
212	+ return FSBadAlloc;
213	+
214	/* prepare for prop data */
215	offset_data = (FSPropOffset *)
216	FSmalloc(props->num_offsets * sizeof(FSPropOffset));
217	--- XFree86-4.3/xc/lib/FS/FSListExt.c.fontsec 2001-12-14 12:53:32.000000000 -0700
218	+++ XFree86-4.3/xc/lib/FS/FSListExt.c 2003-09-04 20:26:49.000000000 -0600
219	@@ -72,7 +72,8 @@
220	SyncHandle();
221	return (char **) NULL;
222	}
223	- if (rep.nExtensions) {
224	+ if (rep.nExtensions && rep.nExtensions <= SIZE_T_MAX / sizeof(char *)
225	+ && rep.length <= ((SIZE_T_MAX+SIZEOF(fsListExtensionsReply)+1)>>2)) {
226	list = (char *) FSmalloc((unsigned)(rep.nExtensions sizeof(char *)));
227	rlen = (rep.length << 2) - SIZEOF(fsListExtensionsReply);
228	c = (char *) FSmalloc((unsigned) rlen + 1);
229	--- XFree86-4.3/xc/lib/FS/FSListCats.c.fontsec 2001-12-14 12:53:32.000000000 -0700
230	+++ XFree86-4.3/xc/lib/FS/FSListCats.c 2003-09-04 20:26:49.000000000 -0600
231	@@ -78,7 +78,8 @@
232	(SIZEOF(fsListCataloguesReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
233	return (char **) 0;
234
235	- if (rep.num_catalogues) {
236	+ if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *)
237	+ && rep.length <= ((SIZE_T_MAX+SIZEOF(fsListCataloguesReply)+1)>>2)) {
238	clist = (char **)
239	FSmalloc((unsigned) rep.num_catalogues * sizeof(char *));
240	rlen = (rep.length << 2) - SIZEOF(fsListCataloguesReply);
241	--- XFree86-4.3/xc/lib/font/fc/fsconvert.c.fontsec 2002-09-10 10:14:35.000000000 -0600
242	+++ XFree86-4.3/xc/lib/font/fc/fsconvert.c 2003-09-05 09:26:56.000000000 -0600
243	@@ -36,6 +36,7 @@
244	#include "fontstruct.h"
245	#include "fservestr.h"
246	#include "fontutil.h"
247	+#include "fslibos.h"
248
249	extern char _fs_glyph_undefined;
250	extern char _fs_glyph_requested;
251	@@ -102,6 +103,10 @@
252
253	nprops = pfi->nprops = pi->num_offsets;
254
255	+ if (nprops < 0
256	+ \|\| nprops > SIZE_T_MAX/(sizeof(FontPropRec) + sizeof(char)))
257	+ return -1;
258	+
259	dprop = (FontPropPtr) xalloc(sizeof(FontPropRec) * nprops +
260	sizeof (char) * nprops);
261	if (!dprop)
262	--- XFree86-4.3/xc/lib/font/fc/fslibos.h.fontsec 2002-05-31 12:45:49.000000000 -0600
263	+++ XFree86-4.3/xc/lib/font/fc/fslibos.h 2003-09-04 20:26:49.000000000 -0600
264	@@ -48,13 +48,16 @@
265	#ifndef FONT_OPEN_MAX
266
267	#ifndef X_NOT_POSIX
268	-#ifdef _POSIX_SOURCE
269	-#include <limits.h>
270	-#else
271	-#define _POSIX_SOURCE
272	-#include <limits.h>
273	-#undef _POSIX_SOURCE
274	+# ifdef _POSIX_SOURCE
275	+# include <limits.h>
276	+# else
277	+# define _POSIX_SOURCE
278	+# include <limits.h>
279	+# undef _POSIX_SOURCE
280	+# endif
281	#endif
282	+#ifndef SIZE_T_MAX
283	+# define SIZE_T_MAX UINT_MAX
284	#endif
285	#ifndef OPEN_MAX
286	#if defined(SVR4) \|\| defined(__UNIXOS2__)
287	--- XFree86-4.3/xc/lib/font/fc/fserve.c.fontsec 2002-05-31 12:45:49.000000000 -0600
288	+++ XFree86-4.3/xc/lib/font/fc/fserve.c 2003-09-04 20:26:49.000000000 -0600
289	@@ -1507,8 +1507,8 @@
290
291	if (conn->blockState & FS_GIVE_UP)
292	return BadFontName;
293	-
294	- if (namelen > sizeof (buf) - 1)
295	+
296	+ if (namelen <= 0 \|\| namelen > sizeof (buf) - 1)
297	return BadFontName;
298
299	/*