- from http://xorg.freedesktop.org/releases/X11R6.9.0/patches/, CVE-2006-3739 CVE...

Changed files:
    x11r6.9.0-cidfonts.diff -> 1.1

diff --git a/x11r6.9.0-cidfonts.diff b/x11r6.9.0-cidfonts.diff
new file mode 100644 (file)
index 0000000..035328e
--- /dev/null
+++ b/x11r6.9.0-cidfonts.diff
@@ -0,0 +1,96 @@
+Index: lib/font/Type1/afm.c
+===================================================================
+RCS file: /cvs/xorg/xc/lib/font/Type1/afm.c,v
+retrieving revision 1.5
+diff -u -u -r1.5 afm.c
+--- lib/font/Type1/afm.c       9 Jul 2005 23:30:06 -0000       1.5
++++ lib/font/Type1/afm.c       12 Sep 2006 07:49:46 -0000
+@@ -29,6 +29,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <limits.h>
+ #else
+ #include "Xmd.h"        /* For INT32 declaration */
+ #include "Xdefs.h"      /* For Bool */
+@@ -118,6 +119,11 @@
+             
+             fi->nChars = atoi(p);
+ 
++          if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
++              xfree(afmbuf);
++              xfree(fi);
++              return(1);
++          }
+             fi->metrics = (Metrics *)xalloc(fi->nChars * 
+                 sizeof(Metrics));
+             if (fi->metrics == NULL) {
+Index: lib/font/Type1/scanfont.c
+===================================================================
+RCS file: /cvs/xorg/xc/lib/font/Type1/scanfont.c,v
+retrieving revision 1.5
+diff -u -u -r1.5 scanfont.c
+--- lib/font/Type1/scanfont.c  9 Jul 2005 23:30:06 -0000       1.5
++++ lib/font/Type1/scanfont.c  12 Sep 2006 07:49:46 -0000
+@@ -57,6 +57,7 @@
+ 
+ #ifndef FONTMODULE
+ #include <string.h>
++#include <limits.h>
+ #else
+ #include "Xdefs.h"    /* Bool declaration */
+ #include "Xmd.h"      /* INT32 declaration */
+@@ -654,6 +655,7 @@
+   arrayP->data.valueP = tokenStartP;
+ 
+   /* allocate FDArray */
++  /* No integer overflow since arrayP->len is unsigned short */
+   FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
+   if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
+ 
+@@ -850,7 +852,8 @@
+      }
+      return(SCAN_OK);
+    }
+- 
++   if (N > INT_MAX / sizeof(psobj)) 
++       return (SCAN_ERROR);
+    arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
+    if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
+    FontP->Subrs.len = N;
+@@ -911,7 +914,7 @@
+      }
+      else return(rc);  /* if next token was not an Int */
+    }
+-   if (N<=0) return(SCAN_ERROR);
++   if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
+    /* save number of entries in the dictionary */
+  
+    dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
+@@ -1719,6 +1722,10 @@
+     if (tokenType == TOKEN_INTEGER)
+       rangecnt = tokenValue.integer;
+ 
++    if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
++      rc = SCAN_ERROR;
++      break;
++    }
+     /* ==> tokenLength, tokenTooLong, tokenType, and */
+     /* tokenValue are now set                        */
+ 
+Index: lib/font/Type1/util.c
+===================================================================
+RCS file: /cvs/xorg/xc/lib/font/Type1/util.c,v
+retrieving revision 1.5
+diff -u -u -r1.5 util.c
+--- lib/font/Type1/util.c      9 Jul 2005 23:30:07 -0000       1.5
++++ lib/font/Type1/util.c      12 Sep 2006 07:49:46 -0000
+@@ -104,7 +104,7 @@
+   bytes = (bytes + 7) & ~7;
+  
+   /* Allocate the space, if it is available */
+-  if (bytes <= vm_free) {
++  if (bytes > 0 && bytes <= vm_free) {
+     answer = vm_next;
+     vm_free -= bytes;
+     vm_next += bytes;