1 --- XFree86-4.3/xc/lib/FS/FSFtNames.c.fontsec 2001-12-14 12:53:32.000000000 -0700
2 +++ XFree86-4.3/xc/lib/FS/FSFtNames.c 2003-09-04 20:26:49.000000000 -0600
4 (SIZEOF(fsListFontsReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
8 + if (rep.nFonts && rep.nFonts <= SIZE_T_MAX / sizeof(char *)
9 + && rep.length <= ((SIZE_T_MAX + SIZEOF(fsListFontsReply) - 1) >> 2)) {
10 flist = (char **) FSmalloc((unsigned) rep.nFonts * sizeof(char *));
11 rlen = (rep.length << 2) - SIZEOF(fsListFontsReply);
12 c = (char *) FSmalloc((unsigned) (rlen + 1));
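Review bot: The length bound on the second added line, `rep.length <= ((SIZE_T_MAX + SIZEOF(fsListFontsReply) - 1) >> 2)`, adds to SIZE_T_MAX, which the FSlibint.h hunk of this same patch defines as UINT_MAX, so the sum wraps in unsigned arithmetic to `SIZEOF(fsListFontsReply) - 2` and the value actually compared against `rep.length` is a handful of words rather than a bound near `SIZE_T_MAX >> 2`; what that does to a real reply depends on the SIZEOF() expansion, which is not visible here, so it should be verified against a running font server rather than assumed harmless. The intent, keeping `(rep.length << 2) - SIZEOF(fsListFontsReply) + 1` representable for the FSmalloc on the last line, is expressed without wrap as `rep.length <= (SIZE_T_MAX >> 2)` plus a separate rejection of replies with `(rep.length << 2) < SIZEOF(fsListFontsReply)`, which otherwise make `rlen` wrap before `rlen + 1` is allocated. The enclosing function starts and ends outside the hunk.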
13 --- XFree86-4.3/xc/lib/FS/FSFontInfo.c.fontsec 2001-12-14 12:53:32.000000000 -0700
14 +++ XFree86-4.3/xc/lib/FS/FSFontInfo.c 2003-09-04 20:26:49.000000000 -0600
21 FSXFontInfoHeader **fhdr = (FSXFontInfoHeader **) 0;
22 FSPropInfo **pi = (FSPropInfo **) 0;
23 FSPropOffset **po = (FSPropOffset **) 0;
25 if (reply.nameLength == 0) /* got last reply in version 1 */
27 if ((i + reply.nReplies) >= size) {
29 + if (reply.nReplies > SIZE_T_MAX - i - 1)
31 size = i + reply.nReplies + 1;
33 + if (size > SIZE_T_MAX / sizeof(char *))
37 FSXFontInfoHeader **tmp_fhdr = (FSXFontInfoHeader **)
38 FSrealloc((char *) fhdr,
40 pi[i]->num_offsets = local_pi.num_offsets;
41 pi[i]->data_len = local_pi.data_len;
43 + if (pi[i]->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset))
46 po[i] = (FSPropOffset *)
47 FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset));
50 nbytes = pi[i]->data_len + reply.nameLength;
51 _FSEatData(svr, (unsigned long) (((nbytes+3)&~3) - nbytes));
53 + /* avoid integer overflow */
54 + if (i > INT_MAX - 1) {
60 --- XFree86-4.3/xc/lib/FS/FSlibint.h.fontsec 2001-12-14 12:53:33.000000000 -0700
61 +++ XFree86-4.3/xc/lib/FS/FSlibint.h 2003-09-04 20:26:49.000000000 -0600
68 +#define SIZE_T_MAX UINT_MAX
71 typedef int (* FSIOErrorHandler)(FSServer *);
72 typedef int (* FSErrorHandler)(FSServer *, FSErrorEvent *);
74 --- XFree86-4.3/xc/lib/FS/FSQGlyphs.c.fontsec 2001-12-14 12:53:33.000000000 -0700
75 +++ XFree86-4.3/xc/lib/FS/FSQGlyphs.c 2003-09-04 20:26:49.000000000 -0600
77 (SIZEOF(fsQueryXBitmaps8Reply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
80 + if (reply.num_chars > SIZE_T_MAX / sizeof(FSOffset))
83 offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
87 left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps8Reply)
88 - (SIZEOF(fsOffset32) * reply.num_chars);
89 + /* XXX This thest is incomplete */
90 + if (reply.length > (SIZE_T_MAX >> 2)) {
91 + FSfree((char *) offs);
94 gd = (unsigned char *) FSmalloc(left);
99 fsChar2b_version1 *swapped_str;
101 + if (str_len > SIZE_T_MAX/SIZEOF(fsChar2b_version1))
103 swapped_str = (fsChar2b_version1 *)
104 FSmalloc(SIZEOF(fsChar2b_version1) * str_len);
106 @@ -160,12 +170,19 @@
110 + if(reply.num_chars > SIZE_T_MAX/sizeof(FSOffset))
112 offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
116 left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps16Reply)
117 - (SIZEOF(fsOffset32) * reply.num_chars);
118 + /* XXX - this test is incomplete */
119 + if (reply.length > (SIZE_T_MAX>>2)) {
120 + FSfree((char *) offs);
123 gd = (unsigned char *) FSmalloc(left);
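Review bot: The added guard only bounds the shift, as its own comment admits; the subtraction that computes `left` two lines above it can still wrap when a reply declares more offsets than its length covers, and `FSmalloc(left)` is then called with a wrapped size. Since `reply.num_chars` is already bounded on the earlier added line by `SIZE_T_MAX/sizeof(FSOffset)`, the lower bound can be added to the same test without a further overflow check, provided the client-side FSOffset is at least as large as the wire fsOffset32 (I would expect so, but cannot confirm from this excerpt): `if (reply.length > (SIZE_T_MAX >> 2) || (reply.length << 2) < SIZEOF(fsQueryXBitmaps16Reply) + SIZEOF(fsOffset32) * reply.num_chars) {`, ideally placed before `left` is computed. The 8-bit counterpart earlier in this file has the same gap and a typo in its comment (`thest`). The enclosing function continues past the end of the hunk.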
126 --- XFree86-4.3/xc/lib/FS/FSOpenServ.c.fontsec 2001-12-14 12:53:33.000000000 -0700
127 +++ XFree86-4.3/xc/lib/FS/FSOpenServ.c 2003-09-04 20:26:49.000000000 -0600
129 AlternateServer *alts;
133 + unsigned long setuplength;
135 if (server == NULL || *server == '\0') {
136 if ((server = getenv("FONTSERVER")) == NULL) {
138 _FSRead(svr, (char *) &prefix, (long) SIZEOF(fsConnSetup));
140 setuplength = prefix.alternate_len << 2;
141 - if ((alt_data = (char *)
142 + if (setuplength > (SIZE_T_MAX>>2)
143 + || (alt_data = (char *)
144 (setup = FSmalloc((unsigned) setuplength))) == NULL) {
146 FSfree((char *) svr);
148 _FSRead(svr, (char *) alt_data, setuplength);
151 + if (prefix.num_alternates > SIZE_T_MAX / sizeof(AlternateServer)) {
153 + return (FSServer *) 0;
155 alts = (AlternateServer *)
156 FSmalloc(sizeof(AlternateServer) * prefix.num_alternates);
159 svr->num_alternates = prefix.num_alternates;
161 setuplength = prefix.auth_len << 2;
162 - if ((auth_data = (char *)
163 + if (prefix.auth_len > (SIZE_T_MAX>>2)
164 + || (auth_data = (char *)
165 (setup = FSmalloc((unsigned) setuplength))) == NULL) {
167 FSfree((char *) svr);
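Review bot: The two new length guards are asymmetric: the alternates check tests `setuplength`, which on the line above has already been shifted from `prefix.alternate_len`, while the auth check tests the unshifted `prefix.auth_len`; the first form bounds the byte count to a quarter of SIZE_T_MAX for no stated reason and reads as if it guarded the shift when it does not. For consistency it should be `if (prefix.alternate_len > (SIZE_T_MAX>>2)`, matching the auth check. Separately, the added `num_alternates` overflow path returns `(FSServer *) 0` with no visible `FSfree((char *) svr)` or release of the alternate-data buffer, unlike the neighbouring error paths; the line between the check and the return is not in this excerpt, so confirm it performs that cleanup. FSOpenServer's body runs outside the hunk on both sides.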
168 --- XFree86-4.3/xc/lib/FS/FSGetCats.c.fontsec 2001-12-14 12:53:32.000000000 -0700
169 +++ XFree86-4.3/xc/lib/FS/FSGetCats.c 2003-09-04 20:26:49.000000000 -0600
172 return (char **) NULL;
174 - if (rep.num_catalogues) {
175 + if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *)
176 + && rep.length <= ((SIZE_T_MAX + SIZEOF(fsGetCataloguesReply) - 1)>>2)) {
178 - FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
179 + FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
180 rlen = (rep.length << 2) - SIZEOF(fsGetCataloguesReply);
181 c = (char *) FSmalloc((unsigned) rlen + 1);
182 if ((!list) || (!c)) {
183 --- XFree86-4.3/xc/lib/FS/FSQXExt.c.fontsec 2001-12-14 12:53:33.000000000 -0700
184 +++ XFree86-4.3/xc/lib/FS/FSQXExt.c 2003-09-04 20:26:49.000000000 -0600
186 (SIZEOF(fsQueryXExtents8Reply) - SIZEOF(fsGenericReply)) >> 2,
190 + if (reply.num_extents > SIZE_T_MAX / sizeof(FSXCharInfo))
193 ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
199 + if (reply.num_extents > SIZE_T_MAX/sizeof(FSXCharInfo))
202 ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
205 --- XFree86-4.3/xc/lib/FS/FSQXInfo.c.fontsec 2001-12-14 12:53:33.000000000 -0700
206 +++ XFree86-4.3/xc/lib/FS/FSQXInfo.c 2003-09-04 20:26:49.000000000 -0600
208 props->num_offsets = local_pi.num_offsets;
209 props->data_len = local_pi.data_len;
211 + if (props->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset))
214 /* prepare for prop data */
215 offset_data = (FSPropOffset *)
216 FSmalloc(props->num_offsets * sizeof(FSPropOffset));
217 --- XFree86-4.3/xc/lib/FS/FSListExt.c.fontsec 2001-12-14 12:53:32.000000000 -0700
218 +++ XFree86-4.3/xc/lib/FS/FSListExt.c 2003-09-04 20:26:49.000000000 -0600
221 return (char **) NULL;
223 - if (rep.nExtensions) {
224 + if (rep.nExtensions && rep.nExtensions <= SIZE_T_MAX / sizeof(char *)
225 + && rep.length <= ((SIZE_T_MAX+SIZEOF(fsListExtensionsReply)+1)>>2)) {
226 list = (char **) FSmalloc((unsigned)(rep.nExtensions * sizeof(char *)));
227 rlen = (rep.length << 2) - SIZEOF(fsListExtensionsReply);
228 c = (char *) FSmalloc((unsigned) rlen + 1);
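Review bot: The new bound `rep.length <= ((SIZE_T_MAX+SIZEOF(fsListExtensionsReply)+1)>>2)` differs in sign from the otherwise identical guard this patch adds to FSFtNames.c and FSGetCats.c (`... - 1`), and the `+1` variant recurs in FSListCats.c, so one of the two is a transcription error. Neither form is sound anyway: with SIZE_T_MAX defined as UINT_MAX in the FSlibint.h hunk, adding to it wraps and the shifted result is a small constant rather than a limit near `SIZE_T_MAX >> 2`. Use one guard in all four files, `rep.length <= (SIZE_T_MAX >> 2)`, and additionally reject a reply whose `(rep.length << 2)` is smaller than SIZEOF(fsListExtensionsReply) so that `rlen` on the next line cannot wrap before `rlen + 1` is passed to FSmalloc. The function is cut at both ends of the hunk.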
229 --- XFree86-4.3/xc/lib/FS/FSListCats.c.fontsec 2001-12-14 12:53:32.000000000 -0700
230 +++ XFree86-4.3/xc/lib/FS/FSListCats.c 2003-09-04 20:26:49.000000000 -0600
232 (SIZEOF(fsListCataloguesReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
235 - if (rep.num_catalogues) {
236 + if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *)
237 + && rep.length <= ((SIZE_T_MAX+SIZEOF(fsListCataloguesReply)+1)>>2)) {
239 FSmalloc((unsigned) rep.num_catalogues * sizeof(char *));
240 rlen = (rep.length << 2) - SIZEOF(fsListCataloguesReply);
241 --- XFree86-4.3/xc/lib/font/fc/fsconvert.c.fontsec 2002-09-10 10:14:35.000000000 -0600
242 +++ XFree86-4.3/xc/lib/font/fc/fsconvert.c 2003-09-05 09:26:56.000000000 -0600
244 #include "fontstruct.h"
245 #include "fservestr.h"
246 #include "fontutil.h"
247 +#include "fslibos.h"
249 extern char _fs_glyph_undefined;
250 extern char _fs_glyph_requested;
253 nprops = pfi->nprops = pi->num_offsets;
256 + || nprops > SIZE_T_MAX/(sizeof(FontPropRec) + sizeof(char)))
259 dprop = (FontPropPtr) xalloc(sizeof(FontPropRec) * nprops +
260 sizeof (char) * nprops);
262 --- XFree86-4.3/xc/lib/font/fc/fslibos.h.fontsec 2002-05-31 12:45:49.000000000 -0600
263 +++ XFree86-4.3/xc/lib/font/fc/fslibos.h 2003-09-04 20:26:49.000000000 -0600
265 #ifndef FONT_OPEN_MAX
268 -#ifdef _POSIX_SOURCE
271 -#define _POSIX_SOURCE
273 -#undef _POSIX_SOURCE
274 +# ifdef _POSIX_SOURCE
275 +# include <limits.h>
277 +# define _POSIX_SOURCE
278 +# include <limits.h>
279 +# undef _POSIX_SOURCE
283 +# define SIZE_T_MAX UINT_MAX
286 #if defined(SVR4) || defined(__UNIXOS2__)
287 --- XFree86-4.3/xc/lib/font/fc/fserve.c.fontsec 2002-05-31 12:45:49.000000000 -0600
288 +++ XFree86-4.3/xc/lib/font/fc/fserve.c 2003-09-04 20:26:49.000000000 -0600
289 @@ -1507,8 +1507,8 @@
291 if (conn->blockState & FS_GIVE_UP)
294 - if (namelen > sizeof (buf) - 1)
296 + if (namelen <= 0 || namelen > sizeof (buf) - 1)