--- XFree86-4.3/xc/lib/FS/FSFtNames.c.fontsec 2001-12-14 12:53:32.000000000 -0700 +++ XFree86-4.3/xc/lib/FS/FSFtNames.c 2003-09-04 20:26:49.000000000 -0600 @@ -78,7 +78,8 @@ (SIZEOF(fsListFontsReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse)) return (char **) 0; - if (rep.nFonts) { + if (rep.nFonts && rep.nFonts <= SIZE_T_MAX / sizeof(char *) + && rep.length <= ((SIZE_T_MAX + SIZEOF(fsListFontsReply) - 1) >> 2)) { flist = (char **) FSmalloc((unsigned) rep.nFonts * sizeof(char *)); rlen = (rep.length << 2) - SIZEOF(fsListFontsReply); c = (char *) FSmalloc((unsigned) (rlen + 1)); --- XFree86-4.3/xc/lib/FS/FSFontInfo.c.fontsec 2001-12-14 12:53:32.000000000 -0700 +++ XFree86-4.3/xc/lib/FS/FSFontInfo.c 2003-09-04 20:26:49.000000000 -0600 @@ -65,7 +65,7 @@ long nbytes; int i, j; - int size = 0; + size_t size = 0; FSXFontInfoHeader **fhdr = (FSXFontInfoHeader **) 0; FSPropInfo **pi = (FSPropInfo **) 0; FSPropOffset **po = (FSPropOffset **) 0; @@ -123,8 +123,14 @@ if (reply.nameLength == 0) /* got last reply in version 1 */ break; if ((i + reply.nReplies) >= size) { + + if (reply.nReplies > SIZE_T_MAX - i - 1) + goto badmem; size = i + reply.nReplies + 1; + if (size > SIZE_T_MAX / sizeof(char *)) + goto badmem; + if (fhdr) { FSXFontInfoHeader **tmp_fhdr = (FSXFontInfoHeader **) FSrealloc((char *) fhdr, @@ -237,6 +243,9 @@ pi[i]->num_offsets = local_pi.num_offsets; pi[i]->data_len = local_pi.data_len; + if (pi[i]->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset)) + goto badmem; + po[i] = (FSPropOffset *) FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset)); if (!po[i]) { @@ -282,6 +291,10 @@ nbytes = pi[i]->data_len + reply.nameLength; _FSEatData(svr, (unsigned long) (((nbytes+3)&~3) - nbytes)); } + /* avoid integer overflow */ + if (i > INT_MAX - 1) { + goto badmem; + } } *info = fhdr; *count = i; --- XFree86-4.3/xc/lib/FS/FSlibint.h.fontsec 2001-12-14 12:53:33.000000000 -0700 +++ XFree86-4.3/xc/lib/FS/FSlibint.h 2003-09-04 20:26:49.000000000 -0600 @@ -77,6 +77,11 @@ #include #include +#include +#ifndef SIZE_T_MAX +#define SIZE_T_MAX UINT_MAX +#endif + typedef int (* FSIOErrorHandler)(FSServer *); typedef int (* FSErrorHandler)(FSServer *, FSErrorEvent *); --- XFree86-4.3/xc/lib/FS/FSQGlyphs.c.fontsec 2001-12-14 12:53:33.000000000 -0700 +++ XFree86-4.3/xc/lib/FS/FSQGlyphs.c 2003-09-04 20:26:49.000000000 -0600 @@ -85,12 +85,20 @@ (SIZEOF(fsQueryXBitmaps8Reply) - SIZEOF(fsGenericReply)) >> 2, fsFalse)) return FSBadAlloc; + if (reply.num_chars > SIZE_T_MAX / sizeof(FSOffset)) + return FSBadAlloc; + offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars); *offsets = offs; if (!offs) return FSBadAlloc; left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps8Reply) - (SIZEOF(fsOffset32) * reply.num_chars); + /* XXX This thest is incomplete */ + if (reply.length > (SIZE_T_MAX >> 2)) { + FSfree((char *) offs); + return FSBadAlloc; + } gd = (unsigned char *) FSmalloc(left); *glyphdata = gd; if (!gd) { @@ -141,6 +149,8 @@ int i; fsChar2b_version1 *swapped_str; + if (str_len > SIZE_T_MAX/SIZEOF(fsChar2b_version1)) + return FSBadAlloc; swapped_str = (fsChar2b_version1 *) FSmalloc(SIZEOF(fsChar2b_version1) * str_len); if (!swapped_str) @@ -160,12 +170,19 @@ fsFalse)) return FSBadAlloc; + if(reply.num_chars > SIZE_T_MAX/sizeof(FSOffset)) + return FSBadAlloc; offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars); *offsets = offs; if (!offs) return FSBadAlloc; left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps16Reply) - (SIZEOF(fsOffset32) * reply.num_chars); + /* XXX - this test is incomplete */ + if (reply.length > (SIZE_T_MAX>>2)) { + FSfree((char *) offs); + return FSBadAlloc; + } gd = (unsigned char *) FSmalloc(left); *glyphdata = gd; if (!gd) { --- XFree86-4.3/xc/lib/FS/FSOpenServ.c.fontsec 2001-12-14 12:53:33.000000000 -0700 +++ XFree86-4.3/xc/lib/FS/FSOpenServ.c 2003-09-04 20:26:49.000000000 -0600 @@ -118,7 +118,7 @@ AlternateServer *alts; int altlen; char *vendor_string; - long setuplength; + unsigned long setuplength; if (server == NULL || *server == '\0') { if ((server = getenv("FONTSERVER")) == NULL) { @@ -153,7 +153,8 @@ _FSRead(svr, (char *) &prefix, (long) SIZEOF(fsConnSetup)); setuplength = prefix.alternate_len << 2; - if ((alt_data = (char *) + if (setuplength > (SIZE_T_MAX>>2) + || (alt_data = (char *) (setup = FSmalloc((unsigned) setuplength))) == NULL) { errno = ENOMEM; FSfree((char *) svr); @@ -162,6 +163,10 @@ _FSRead(svr, (char *) alt_data, setuplength); ad = alt_data; + if (prefix.num_alternates > SIZE_T_MAX / sizeof(AlternateServer)) { + errno = ENOMEM; + return (FSServer *) 0; + } alts = (AlternateServer *) FSmalloc(sizeof(AlternateServer) * prefix.num_alternates); if (!alts) { @@ -193,7 +198,8 @@ svr->num_alternates = prefix.num_alternates; setuplength = prefix.auth_len << 2; - if ((auth_data = (char *) + if (prefix.auth_len > (SIZE_T_MAX>>2) + || (auth_data = (char *) (setup = FSmalloc((unsigned) setuplength))) == NULL) { errno = ENOMEM; FSfree((char *) svr); --- XFree86-4.3/xc/lib/FS/FSGetCats.c.fontsec 2001-12-14 12:53:32.000000000 -0700 +++ XFree86-4.3/xc/lib/FS/FSGetCats.c 2003-09-04 20:26:49.000000000 -0600 @@ -72,9 +72,10 @@ SyncHandle(); return (char **) NULL; } - if (rep.num_catalogues) { + if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *) + && rep.length <= ((SIZE_T_MAX + SIZEOF(fsGetCataloguesReply) - 1)>>2)) { list = (char **) - FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *))); + FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *))); rlen = (rep.length << 2) - SIZEOF(fsGetCataloguesReply); c = (char *) FSmalloc((unsigned) rlen + 1); if ((!list) || (!c)) { --- XFree86-4.3/xc/lib/FS/FSQXExt.c.fontsec 2001-12-14 12:53:33.000000000 -0700 +++ XFree86-4.3/xc/lib/FS/FSQXExt.c 2003-09-04 20:26:49.000000000 -0600 @@ -92,6 +92,9 @@ (SIZEOF(fsQueryXExtents8Reply) - SIZEOF(fsGenericReply)) >> 2, fsFalse)) return FSBadAlloc; + + if (reply.num_extents > SIZE_T_MAX / sizeof(FSXCharInfo)) + return FSBadAlloc; ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents); *extents = ext; @@ -149,6 +152,9 @@ fsFalse)) return FSBadAlloc; + if (reply.num_extents > SIZE_T_MAX/sizeof(FSXCharInfo)) + return FSBadAlloc; + ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents); *extents = ext; if (!ext) --- XFree86-4.3/xc/lib/FS/FSQXInfo.c.fontsec 2001-12-14 12:53:33.000000000 -0700 +++ XFree86-4.3/xc/lib/FS/FSQXInfo.c 2003-09-04 20:26:49.000000000 -0600 @@ -91,6 +91,9 @@ props->num_offsets = local_pi.num_offsets; props->data_len = local_pi.data_len; + if (props->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset)) + return FSBadAlloc; + /* prepare for prop data */ offset_data = (FSPropOffset *) FSmalloc(props->num_offsets * sizeof(FSPropOffset)); --- XFree86-4.3/xc/lib/FS/FSListExt.c.fontsec 2001-12-14 12:53:32.000000000 -0700 +++ XFree86-4.3/xc/lib/FS/FSListExt.c 2003-09-04 20:26:49.000000000 -0600 @@ -72,7 +72,8 @@ SyncHandle(); return (char **) NULL; } - if (rep.nExtensions) { + if (rep.nExtensions && rep.nExtensions <= SIZE_T_MAX / sizeof(char *) + && rep.length <= ((SIZE_T_MAX+SIZEOF(fsListExtensionsReply)+1)>>2)) { list = (char **) FSmalloc((unsigned)(rep.nExtensions * sizeof(char *))); rlen = (rep.length << 2) - SIZEOF(fsListExtensionsReply); c = (char *) FSmalloc((unsigned) rlen + 1); --- XFree86-4.3/xc/lib/FS/FSListCats.c.fontsec 2001-12-14 12:53:32.000000000 -0700 +++ XFree86-4.3/xc/lib/FS/FSListCats.c 2003-09-04 20:26:49.000000000 -0600 @@ -78,7 +78,8 @@ (SIZEOF(fsListCataloguesReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse)) return (char **) 0; - if (rep.num_catalogues) { + if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *) + && rep.length <= ((SIZE_T_MAX+SIZEOF(fsListCataloguesReply)+1)>>2)) { clist = (char **) FSmalloc((unsigned) rep.num_catalogues * sizeof(char *)); rlen = (rep.length << 2) - SIZEOF(fsListCataloguesReply); --- XFree86-4.3/xc/lib/font/fc/fsconvert.c.fontsec 2002-09-10 10:14:35.000000000 -0600 +++ XFree86-4.3/xc/lib/font/fc/fsconvert.c 2003-09-05 09:26:56.000000000 -0600 @@ -36,6 +36,7 @@ #include "fontstruct.h" #include "fservestr.h" #include "fontutil.h" +#include "fslibos.h" extern char _fs_glyph_undefined; extern char _fs_glyph_requested; @@ -102,6 +103,10 @@ nprops = pfi->nprops = pi->num_offsets; + if (nprops < 0 + || nprops > SIZE_T_MAX/(sizeof(FontPropRec) + sizeof(char))) + return -1; + dprop = (FontPropPtr) xalloc(sizeof(FontPropRec) * nprops + sizeof (char) * nprops); if (!dprop) --- XFree86-4.3/xc/lib/font/fc/fslibos.h.fontsec 2002-05-31 12:45:49.000000000 -0600 +++ XFree86-4.3/xc/lib/font/fc/fslibos.h 2003-09-04 20:26:49.000000000 -0600 @@ -48,13 +48,16 @@ #ifndef FONT_OPEN_MAX #ifndef X_NOT_POSIX -#ifdef _POSIX_SOURCE -#include -#else -#define _POSIX_SOURCE -#include -#undef _POSIX_SOURCE +# ifdef _POSIX_SOURCE +# include +# else +# define _POSIX_SOURCE +# include +# undef _POSIX_SOURCE +# endif #endif +#ifndef SIZE_T_MAX +# define SIZE_T_MAX UINT_MAX #endif #ifndef OPEN_MAX #if defined(SVR4) || defined(__UNIXOS2__) --- XFree86-4.3/xc/lib/font/fc/fserve.c.fontsec 2002-05-31 12:45:49.000000000 -0600 +++ XFree86-4.3/xc/lib/font/fc/fserve.c 2003-09-04 20:26:49.000000000 -0600 @@ -1507,8 +1507,8 @@ if (conn->blockState & FS_GIVE_UP) return BadFontName; - - if (namelen > sizeof (buf) - 1) + + if (namelen <= 0 || namelen > sizeof (buf) - 1) return BadFontName; /*