[packages/X11.git] / x11r6.9.0-cidfonts.diff

Index: lib/font/Type1/afm.c
===================================================================
RCS file: /cvs/xorg/xc/lib/font/Type1/afm.c,v
retrieving revision 1.5
diff -u -u -r1.5 afm.c
--- lib/font/Type1/afm.c	9 Jul 2005 23:30:06 -0000	1.5
+++ lib/font/Type1/afm.c	12 Sep 2006 07:49:46 -0000
@@ -29,6 +29,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <stdlib.h>
+#include <limits.h>
 #else
 #include "Xmd.h"        /* For INT32 declaration */
 #include "Xdefs.h"      /* For Bool */
@@ -118,6 +119,11 @@
             
             fi->nChars = atoi(p);
 
+	    if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
+		xfree(afmbuf);
+		xfree(fi);
+		return(1);
+	    }
             fi->metrics = (Metrics *)xalloc(fi->nChars * 
                 sizeof(Metrics));
             if (fi->metrics == NULL) {
Index: lib/font/Type1/scanfont.c
===================================================================
RCS file: /cvs/xorg/xc/lib/font/Type1/scanfont.c,v
retrieving revision 1.5
diff -u -u -r1.5 scanfont.c
--- lib/font/Type1/scanfont.c	9 Jul 2005 23:30:06 -0000	1.5
+++ lib/font/Type1/scanfont.c	12 Sep 2006 07:49:46 -0000
@@ -57,6 +57,7 @@
 
 #ifndef FONTMODULE
 #include <string.h>
+#include <limits.h>
 #else
 #include "Xdefs.h"	/* Bool declaration */
 #include "Xmd.h"	/* INT32 declaration */
@@ -654,6 +655,7 @@
   arrayP->data.valueP = tokenStartP;
 
   /* allocate FDArray */
+  /* No integer overflow since arrayP->len is unsigned short */
   FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
   if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
 
@@ -850,7 +852,8 @@
      }
      return(SCAN_OK);
    }
- 
+   if (N > INT_MAX / sizeof(psobj)) 
+       return (SCAN_ERROR);
    arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
    if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
    FontP->Subrs.len = N;
@@ -911,7 +914,7 @@
      }
      else return(rc);  /* if next token was not an Int */
    }
-   if (N<=0) return(SCAN_ERROR);
+   if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
    /* save number of entries in the dictionary */
  
    dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
@@ -1719,6 +1722,10 @@
     if (tokenType == TOKEN_INTEGER)
       rangecnt = tokenValue.integer;
 
+    if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
+	rc = SCAN_ERROR;
+	break;
+    }
     /* ==> tokenLength, tokenTooLong, tokenType, and */
     /* tokenValue are now set                        */
 
Index: lib/font/Type1/util.c
===================================================================
RCS file: /cvs/xorg/xc/lib/font/Type1/util.c,v
retrieving revision 1.5
diff -u -u -r1.5 util.c
--- lib/font/Type1/util.c	9 Jul 2005 23:30:07 -0000	1.5
+++ lib/font/Type1/util.c	12 Sep 2006 07:49:46 -0000
@@ -104,7 +104,7 @@
   bytes = (bytes + 7) & ~7;
  
   /* Allocate the space, if it is available */
-  if (bytes <= vm_free) {
+  if (bytes > 0 && bytes <= vm_free) {
     answer = vm_next;
     vm_free -= bytes;
     vm_next += bytes;
Commit	Line	Data
e6b64ba2 JB	1	Index: lib/font/Type1/afm.c
	2	===================================================================
	3	RCS file: /cvs/xorg/xc/lib/font/Type1/afm.c,v
	4	retrieving revision 1.5
	5	diff -u -u -r1.5 afm.c
	6	--- lib/font/Type1/afm.c 9 Jul 2005 23:30:06 -0000 1.5
	7	+++ lib/font/Type1/afm.c 12 Sep 2006 07:49:46 -0000
	8	@@ -29,6 +29,7 @@
	9	#include <stdio.h>
	10	#include <string.h>
	11	#include <stdlib.h>
	12	+#include <limits.h>
	13	#else
	14	#include "Xmd.h" /* For INT32 declaration */
	15	#include "Xdefs.h" /* For Bool */
	16	@@ -118,6 +119,11 @@
	17
	18	fi->nChars = atoi(p);
	19
	20	+ if (fi->nChars < 0 \|\| fi->nChars > INT_MAX / sizeof(Metrics)) {
	21	+ xfree(afmbuf);
	22	+ xfree(fi);
	23	+ return(1);
	24	+ }
	25	fi->metrics = (Metrics )xalloc(fi->nChars
	26	sizeof(Metrics));
	27	if (fi->metrics == NULL) {
	28	Index: lib/font/Type1/scanfont.c
	29	===================================================================
	30	RCS file: /cvs/xorg/xc/lib/font/Type1/scanfont.c,v
	31	retrieving revision 1.5
	32	diff -u -u -r1.5 scanfont.c
	33	--- lib/font/Type1/scanfont.c 9 Jul 2005 23:30:06 -0000 1.5
	34	+++ lib/font/Type1/scanfont.c 12 Sep 2006 07:49:46 -0000
	35	@@ -57,6 +57,7 @@
	36
	37	#ifndef FONTMODULE
	38	#include <string.h>
	39	+#include <limits.h>
	40	#else
	41	#include "Xdefs.h" /* Bool declaration */
	42	#include "Xmd.h" /* INT32 declaration */
	43	@@ -654,6 +655,7 @@
	44	arrayP->data.valueP = tokenStartP;
	45
	46	/* allocate FDArray */
	47	+ /* No integer overflow since arrayP->len is unsigned short */
	48	FDArrayP = (psfont )vm_alloc(arrayP->len(sizeof(psfont)));
	49	if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
	50
	51	@@ -850,7 +852,8 @@
	52	}
	53	return(SCAN_OK);
	54	}
	55	-
	56	+ if (N > INT_MAX / sizeof(psobj))
	57	+ return (SCAN_ERROR);
	58	arrayP = (psobj )vm_alloc(Nsizeof(psobj));
	59	if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
	60	FontP->Subrs.len = N;
	61	@@ -911,7 +914,7 @@
	62	}
	63	else return(rc); /* if next token was not an Int */
	64	}
65	- if (N<=0) return(SCAN_ERROR);
66	+ if (N<=0 \|\| N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
67	/* save number of entries in the dictionary */
68
69	dictP = (psdict )vm_alloc((N+1)sizeof(psdict));
70	@@ -1719,6 +1722,10 @@
71	if (tokenType == TOKEN_INTEGER)
72	rangecnt = tokenValue.integer;
73
74	+ if (rangecnt < 0 \|\| rangecnt > INT_MAX / sizeof(spacerangecode)) {
75	+ rc = SCAN_ERROR;
76	+ break;
77	+ }
78	/* ==> tokenLength, tokenTooLong, tokenType, and */
79	/* tokenValue are now set */
80
81	Index: lib/font/Type1/util.c
82	===================================================================
83	RCS file: /cvs/xorg/xc/lib/font/Type1/util.c,v
84	retrieving revision 1.5
85	diff -u -u -r1.5 util.c
86	--- lib/font/Type1/util.c 9 Jul 2005 23:30:07 -0000 1.5
87	+++ lib/font/Type1/util.c 12 Sep 2006 07:49:46 -0000
88	@@ -104,7 +104,7 @@
89	bytes = (bytes + 7) & ~7;
90
91	/* Allocate the space, if it is available */
92	- if (bytes <= vm_free) {
93	+ if (bytes > 0 && bytes <= vm_free) {
94	answer = vm_next;
95	vm_free -= bytes;
96	vm_next += bytes;