- added font-overflows patch from mdk (for integer overflows in libFS)

[packages/XFree86.git] / XFree86-font-overflows.patch

--- XFree86-4.3/xc/lib/FS/FSFtNames.c.fontsec   2001-12-14 12:53:32.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSFtNames.c   2003-09-04 20:26:49.000000000 -0600
@@ -78,7 +78,8 @@
          (SIZEOF(fsListFontsReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
        return (char **) 0;
 
-    if (rep.nFonts) {
+    if (rep.nFonts && rep.nFonts <= SIZE_T_MAX / sizeof(char *)
+       && rep.length <= ((SIZE_T_MAX + SIZEOF(fsListFontsReply) - 1) >> 2)) {
        flist = (char **) FSmalloc((unsigned) rep.nFonts * sizeof(char *));
        rlen = (rep.length << 2) - SIZEOF(fsListFontsReply);
        c = (char *) FSmalloc((unsigned) (rlen + 1));
--- XFree86-4.3/xc/lib/FS/FSFontInfo.c.fontsec  2001-12-14 12:53:32.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSFontInfo.c  2003-09-04 20:26:49.000000000 -0600
@@ -65,7 +65,7 @@
     long        nbytes;
     int         i,
                 j;
-    int         size = 0;
+    size_t      size = 0;
     FSXFontInfoHeader **fhdr = (FSXFontInfoHeader **) 0;
     FSPropInfo **pi = (FSPropInfo **) 0;
     FSPropOffset **po = (FSPropOffset **) 0;
@@ -123,8 +123,14 @@
        if (reply.nameLength == 0)      /* got last reply in version 1 */
            break;
        if ((i + reply.nReplies) >= size) {
+
+           if (reply.nReplies > SIZE_T_MAX - i - 1) 
+               goto badmem;
            size = i + reply.nReplies + 1;
 
+           if (size > SIZE_T_MAX / sizeof(char *)) 
+               goto badmem;
+
            if (fhdr) {
                FSXFontInfoHeader **tmp_fhdr = (FSXFontInfoHeader **)
                FSrealloc((char *) fhdr,
@@ -237,6 +243,9 @@
        pi[i]->num_offsets = local_pi.num_offsets;
        pi[i]->data_len = local_pi.data_len;
 
+       if (pi[i]->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset))
+           goto badmem;
+
        po[i] = (FSPropOffset *)
            FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset));
        if (!po[i]) {
@@ -282,6 +291,10 @@
            nbytes = pi[i]->data_len + reply.nameLength;
            _FSEatData(svr, (unsigned long) (((nbytes+3)&~3) - nbytes));
        }
+       /* avoid integer overflow */
+       if (i > INT_MAX - 1) {
+           goto badmem;
+       }
     }
     *info = fhdr;
     *count = i;
--- XFree86-4.3/xc/lib/FS/FSlibint.h.fontsec    2001-12-14 12:53:33.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSlibint.h    2003-09-04 20:26:49.000000000 -0600
@@ -77,6 +77,11 @@
 #include       <errno.h>
 #include       <stddef.h>
 
+#include       <limits.h>
+#ifndef SIZE_T_MAX
+#define SIZE_T_MAX UINT_MAX
+#endif
+
 typedef int (* FSIOErrorHandler)(FSServer *);
 typedef int (* FSErrorHandler)(FSServer *, FSErrorEvent *);
 
--- XFree86-4.3/xc/lib/FS/FSQGlyphs.c.fontsec   2001-12-14 12:53:33.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSQGlyphs.c   2003-09-04 20:26:49.000000000 -0600
@@ -85,12 +85,20 @@
      (SIZEOF(fsQueryXBitmaps8Reply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
        return FSBadAlloc;
 
+    if (reply.num_chars > SIZE_T_MAX / sizeof(FSOffset)) 
+       return FSBadAlloc;
+
     offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
     *offsets = offs;
     if (!offs)
        return FSBadAlloc;
     left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps8Reply)
        - (SIZEOF(fsOffset32) * reply.num_chars);
+    /* XXX This thest is incomplete */
+    if (reply.length > (SIZE_T_MAX >> 2)) {
+       FSfree((char *) offs);
+       return FSBadAlloc;
+    }
     gd = (unsigned char *) FSmalloc(left);
     *glyphdata = gd;
     if (!gd) {
@@ -141,6 +149,8 @@
        int i;
        fsChar2b_version1 *swapped_str;
 
+       if (str_len > SIZE_T_MAX/SIZEOF(fsChar2b_version1)) 
+           return FSBadAlloc;
        swapped_str = (fsChar2b_version1 *)
            FSmalloc(SIZEOF(fsChar2b_version1) * str_len);
        if (!swapped_str)
@@ -160,12 +170,19 @@
                  fsFalse))
        return FSBadAlloc;
 
+    if(reply.num_chars > SIZE_T_MAX/sizeof(FSOffset))
+       return FSBadAlloc;
     offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
     *offsets = offs;
     if (!offs)
        return FSBadAlloc;
     left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps16Reply)
        - (SIZEOF(fsOffset32) * reply.num_chars);
+    /* XXX - this test is incomplete */
+    if (reply.length > (SIZE_T_MAX>>2)) {
+       FSfree((char *) offs);
+       return FSBadAlloc;
+    }
     gd = (unsigned char *) FSmalloc(left);
     *glyphdata = gd;
     if (!gd) {
--- XFree86-4.3/xc/lib/FS/FSOpenServ.c.fontsec  2001-12-14 12:53:33.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSOpenServ.c  2003-09-04 20:26:49.000000000 -0600
@@ -118,7 +118,7 @@
     AlternateServer *alts;
     int         altlen;
     char       *vendor_string;
-    long        setuplength;
+    unsigned long        setuplength;
 
     if (server == NULL || *server == '\0') {
        if ((server = getenv("FONTSERVER")) == NULL) {
@@ -153,7 +153,8 @@
     _FSRead(svr, (char *) &prefix, (long) SIZEOF(fsConnSetup));
 
     setuplength = prefix.alternate_len << 2;
-    if ((alt_data = (char *)
+    if (setuplength > (SIZE_T_MAX>>2)
+       || (alt_data = (char *)
         (setup = FSmalloc((unsigned) setuplength))) == NULL) {
        errno = ENOMEM;
        FSfree((char *) svr);
@@ -162,6 +163,10 @@
     _FSRead(svr, (char *) alt_data, setuplength);
     ad = alt_data;
 
+    if (prefix.num_alternates > SIZE_T_MAX / sizeof(AlternateServer)) {
+       errno = ENOMEM;
+       return (FSServer *) 0;
+    }
     alts = (AlternateServer *)
        FSmalloc(sizeof(AlternateServer) * prefix.num_alternates);
     if (!alts) {
@@ -193,7 +198,8 @@
     svr->num_alternates = prefix.num_alternates;
 
     setuplength = prefix.auth_len << 2;
-    if ((auth_data = (char *)
+    if (prefix.auth_len > (SIZE_T_MAX>>2) 
+       || (auth_data = (char *)
         (setup = FSmalloc((unsigned) setuplength))) == NULL) {
        errno = ENOMEM;
        FSfree((char *) svr);
--- XFree86-4.3/xc/lib/FS/FSGetCats.c.fontsec   2001-12-14 12:53:32.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSGetCats.c   2003-09-04 20:26:49.000000000 -0600
@@ -72,9 +72,10 @@
        SyncHandle();
        return (char **) NULL;
     }
-    if (rep.num_catalogues) {
+    if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *)
+       && rep.length <= ((SIZE_T_MAX + SIZEOF(fsGetCataloguesReply) - 1)>>2)) {
        list = (char **)
-           FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
+              FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
        rlen = (rep.length << 2) - SIZEOF(fsGetCataloguesReply);
        c = (char *) FSmalloc((unsigned) rlen + 1);
        if ((!list) || (!c)) {
--- XFree86-4.3/xc/lib/FS/FSQXExt.c.fontsec     2001-12-14 12:53:33.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSQXExt.c     2003-09-04 20:26:49.000000000 -0600
@@ -92,6 +92,9 @@
               (SIZEOF(fsQueryXExtents8Reply) - SIZEOF(fsGenericReply)) >> 2,
                  fsFalse))
        return FSBadAlloc;
+    
+    if (reply.num_extents > SIZE_T_MAX / sizeof(FSXCharInfo)) 
+       return FSBadAlloc;
 
     ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
     *extents = ext;
@@ -149,6 +152,9 @@
                  fsFalse))
        return FSBadAlloc;
 
+    if (reply.num_extents > SIZE_T_MAX/sizeof(FSXCharInfo)) 
+       return FSBadAlloc;
+
     ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
     *extents = ext;
     if (!ext)
--- XFree86-4.3/xc/lib/FS/FSQXInfo.c.fontsec    2001-12-14 12:53:33.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSQXInfo.c    2003-09-04 20:26:49.000000000 -0600
@@ -91,6 +91,9 @@
     props->num_offsets = local_pi.num_offsets;
     props->data_len = local_pi.data_len;
 
+    if (props->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset)) 
+       return FSBadAlloc;
+
     /* prepare for prop data */
     offset_data = (FSPropOffset *)
        FSmalloc(props->num_offsets * sizeof(FSPropOffset));
--- XFree86-4.3/xc/lib/FS/FSListExt.c.fontsec   2001-12-14 12:53:32.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSListExt.c   2003-09-04 20:26:49.000000000 -0600
@@ -72,7 +72,8 @@
        SyncHandle();
        return (char **) NULL;
     }
-    if (rep.nExtensions) {
+    if (rep.nExtensions && rep.nExtensions <= SIZE_T_MAX / sizeof(char *)
+       && rep.length <= ((SIZE_T_MAX+SIZEOF(fsListExtensionsReply)+1)>>2)) {
        list = (char **) FSmalloc((unsigned)(rep.nExtensions * sizeof(char *)));
        rlen = (rep.length << 2) - SIZEOF(fsListExtensionsReply);
        c = (char *) FSmalloc((unsigned) rlen + 1);
--- XFree86-4.3/xc/lib/FS/FSListCats.c.fontsec  2001-12-14 12:53:32.000000000 -0700
+++ XFree86-4.3/xc/lib/FS/FSListCats.c  2003-09-04 20:26:49.000000000 -0600
@@ -78,7 +78,8 @@
     (SIZEOF(fsListCataloguesReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
        return (char **) 0;
 
-    if (rep.num_catalogues) {
+    if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *)
+       && rep.length <= ((SIZE_T_MAX+SIZEOF(fsListCataloguesReply)+1)>>2)) {
        clist = (char **)
            FSmalloc((unsigned) rep.num_catalogues * sizeof(char *));
        rlen = (rep.length << 2) - SIZEOF(fsListCataloguesReply);
--- XFree86-4.3/xc/lib/font/fc/fsconvert.c.fontsec      2002-09-10 10:14:35.000000000 -0600
+++ XFree86-4.3/xc/lib/font/fc/fsconvert.c      2003-09-05 09:26:56.000000000 -0600
@@ -36,6 +36,7 @@
 #include       "fontstruct.h"
 #include       "fservestr.h"
 #include       "fontutil.h"
+#include       "fslibos.h"
 
 extern char _fs_glyph_undefined;
 extern char _fs_glyph_requested;
@@ -102,6 +103,10 @@
 
     nprops = pfi->nprops = pi->num_offsets;
 
+    if (nprops < 0 
+       || nprops > SIZE_T_MAX/(sizeof(FontPropRec) + sizeof(char))) 
+       return -1;
+          
     dprop = (FontPropPtr) xalloc(sizeof(FontPropRec) * nprops +
                                 sizeof (char) * nprops);
     if (!dprop)
--- XFree86-4.3/xc/lib/font/fc/fslibos.h.fontsec        2002-05-31 12:45:49.000000000 -0600
+++ XFree86-4.3/xc/lib/font/fc/fslibos.h        2003-09-04 20:26:49.000000000 -0600
@@ -48,13 +48,16 @@
 #ifndef FONT_OPEN_MAX
 
 #ifndef X_NOT_POSIX
-#ifdef _POSIX_SOURCE
-#include <limits.h>
-#else
-#define _POSIX_SOURCE
-#include <limits.h>
-#undef _POSIX_SOURCE
+# ifdef _POSIX_SOURCE
+#  include <limits.h>
+# else
+#  define _POSIX_SOURCE
+#  include <limits.h>
+#  undef _POSIX_SOURCE
+# endif
 #endif
+#ifndef SIZE_T_MAX
+# define SIZE_T_MAX UINT_MAX
 #endif
 #ifndef OPEN_MAX
 #if defined(SVR4) || defined(__UNIXOS2__)
--- XFree86-4.3/xc/lib/font/fc/fserve.c.fontsec 2002-05-31 12:45:49.000000000 -0600
+++ XFree86-4.3/xc/lib/font/fc/fserve.c 2003-09-04 20:26:49.000000000 -0600
@@ -1507,8 +1507,8 @@
 
     if (conn->blockState & FS_GIVE_UP)
        return BadFontName;
-    
-    if (namelen > sizeof (buf) - 1)
+ 
+    if (namelen <= 0 || namelen > sizeof (buf) - 1)
        return BadFontName;
     
     /*