[packages/XFree86.git] / XFree86-fix-01.patch

Fix integer overflow vulnerabilities in the handling of Type1 fonts.

*** xc/lib/font/Type1/AFM.h	Sun May  2 23:58:44 1999
--- xc/lib/font/Type1/AFM.h	Wed Sep  6 17:37:56 2006
*************** typedef struct
*** 47,52 ****
--- 47,54 ----
      BBox charBBox;	/* key: B */
  } Metrics;
  
+ #define MAX_CID_METRICS ((int)((unsigned int)(-1) / (2 * sizeof(Metrics))))
+ 
  typedef struct
  { 
      int nChars;		        /* number of entries in char metrics array */
*** xc/lib/font/Type1/afm.c	Fri Oct 14 09:16:02 2005
--- xc/lib/font/Type1/afm.c	Wed Sep  6 17:37:56 2006
*************** int CIDAFM(FILE *fd, FontInfo **pfi) {
*** 111,116 ****
--- 111,122 ----
              
              fi->nChars = atoi(p);
  
+ 	    if ((fi->nChars <= 0) || (fi->nChars > MAX_CID_METRICS)) {
+ 		xfree(afmbuf);
+ 		xfree(fi);
+ 		return(1);
+ 	    }
+ 
              fi->metrics = (Metrics *)xalloc(fi->nChars * 
                  sizeof(Metrics));
              if (fi->metrics == NULL) {
*** xc/lib/font/Type1/range.h	Tue May  4 03:35:22 1999
--- xc/lib/font/Type1/range.h	Wed Sep  6 17:37:56 2006
*************** typedef struct spacerange_code {
*** 24,29 ****
--- 24,32 ----
      unsigned int srcCodeHi;
  } spacerangecode;
  
+ #define MAX_CID_SPACERANGECODES \
+     ((int)((unsigned int)(-1) / (2 * sizeof(spacerangecode))))
+ 
  typedef struct space_range {
      struct space_range *next;
      int rangecnt;
*************** typedef struct cidrange_code {
*** 36,41 ****
--- 39,47 ----
      unsigned int dstCIDLo;
  } cidrangecode;
  
+ #define MAX_CID_CIDRANGECODES \
+     ((int)((unsigned int)(-1) / (2 * sizeof(cidrangecode))))
+ 
  typedef struct cid_range {
      struct cid_range *next;
      int rangecnt;
*** xc/lib/font/Type1/scanfont.c	Fri Oct 14 09:16:02 2005
--- xc/lib/font/Type1/scanfont.c	Wed Sep  6 17:37:56 2006
*************** scan_cidfont(cidfont *CIDFontP, cmapres 
*** 1732,1737 ****
--- 1732,1741 ----
          break;
        case TOKEN_NAME:
          if (0 == strncmp(tokenStartP,"begincodespacerange",19)) {
+ 	  if ((rangecnt <= 0) || (rangecnt > MAX_CID_SPACERANGECODES)) {
+ 	    rc = SCAN_OUT_OF_MEMORY;
+ 	    break;
+ 	  }
            CIDFontP->spacerangecnt++;
            spacerangeP = (spacerange *)vm_alloc(sizeof(spacerange));
            if (!spacerangeP) {
*************** scan_cidfont(cidfont *CIDFontP, cmapres 
*** 1787,1792 ****
--- 1791,1800 ----
            }
          }
          if (0 == strncmp(tokenStartP,"begincidrange",13)) {
+ 	  if ((rangecnt <= 0) || (rangecnt > MAX_CID_CIDRANGECODES)) {
+ 	    rc = SCAN_OUT_OF_MEMORY;
+ 	    break;
+ 	  }
            CIDFontP->cidrangecnt++;
            cidrangeP = (cidrange *)vm_alloc(sizeof(cidrange));
            if (!cidrangeP) {
*************** scan_cidfont(cidfont *CIDFontP, cmapres 
*** 1868,1873 ****
--- 1876,1885 ----
          }
  
          if (0 == strncmp(tokenStartP,"beginnotdefrange",16)) {
+ 	  if ((rangecnt <= 0) || (rangecnt > MAX_CID_CIDRANGECODES)) {
+ 	    rc = SCAN_OUT_OF_MEMORY;
+ 	    break;
+ 	  }
            CIDFontP->notdefrangecnt++;
            notdefrangeP = (cidrange *)vm_alloc(sizeof(cidrange));
            if (!notdefrangeP) {
*** xc/lib/font/Type1/util.c	Fri Oct 14 09:16:03 2005
--- xc/lib/font/Type1/util.c	Wed Sep  6 17:42:08 2006
*************** vm_alloc(int bytes)
*** 96,102 ****
    bytes = (bytes + 7) & ~7;
   
    /* Allocate the space, if it is available */
!   if (bytes <= vm_free) {
      answer = vm_next;
      vm_free -= bytes;
      vm_next += bytes;
--- 96,102 ----
    bytes = (bytes + 7) & ~7;
   
    /* Allocate the space, if it is available */
!   if ((bytes > 0) && (bytes <= vm_free)) {
      answer = vm_next;
      vm_free -= bytes;
      vm_next += bytes;
Commit	Line	Data
17c23728 JB	1	Fix integer overflow vulnerabilities in the handling of Type1 fonts.
	2
	3	*** xc/lib/font/Type1/AFM.h Sun May 2 23:58:44 1999
	4	--- xc/lib/font/Type1/AFM.h Wed Sep 6 17:37:56 2006
	5	*************** typedef struct
	6	* 47,52 **
	7	--- 47,54 ----
	8	BBox charBBox; /* key: B */
	9	} Metrics;
	10
	11	+ #define MAX_CID_METRICS ((int)((unsigned int)(-1) / (2 * sizeof(Metrics))))
	12	+
	13	typedef struct
	14	{
	15	int nChars; /* number of entries in char metrics array */
	16	*** xc/lib/font/Type1/afm.c Fri Oct 14 09:16:02 2005
	17	--- xc/lib/font/Type1/afm.c Wed Sep 6 17:37:56 2006
	18	*************** int CIDAFM(FILE fd, FontInfo *pfi) {
	19	* 111,116 **
	20	--- 111,122 ----
	21
	22	fi->nChars = atoi(p);
	23
	24	+ if ((fi->nChars <= 0) \|\| (fi->nChars > MAX_CID_METRICS)) {
	25	+ xfree(afmbuf);
	26	+ xfree(fi);
	27	+ return(1);
	28	+ }
	29	+
	30	fi->metrics = (Metrics )xalloc(fi->nChars
	31	sizeof(Metrics));
	32	if (fi->metrics == NULL) {
	33	*** xc/lib/font/Type1/range.h Tue May 4 03:35:22 1999
	34	--- xc/lib/font/Type1/range.h Wed Sep 6 17:37:56 2006
	35	*************** typedef struct spacerange_code {
	36	* 24,29 **
	37	--- 24,32 ----
	38	unsigned int srcCodeHi;
	39	} spacerangecode;
	40
	41	+ #define MAX_CID_SPACERANGECODES \
	42	+ ((int)((unsigned int)(-1) / (2 * sizeof(spacerangecode))))
	43	+
	44	typedef struct space_range {
	45	struct space_range *next;
	46	int rangecnt;
	47	*************** typedef struct cidrange_code {
	48	* 36,41 **
	49	--- 39,47 ----
	50	unsigned int dstCIDLo;
	51	} cidrangecode;
	52
	53	+ #define MAX_CID_CIDRANGECODES \
	54	+ ((int)((unsigned int)(-1) / (2 * sizeof(cidrangecode))))
	55	+
	56	typedef struct cid_range {
	57	struct cid_range *next;
	58	int rangecnt;
	59	*** xc/lib/font/Type1/scanfont.c Fri Oct 14 09:16:02 2005
	60	--- xc/lib/font/Type1/scanfont.c Wed Sep 6 17:37:56 2006
	61	*************** scan_cidfont(cidfont *CIDFontP, cmapres
	62	* 1732,1737 **
	63	--- 1732,1741 ----
	64	break;
65	case TOKEN_NAME:
66	if (0 == strncmp(tokenStartP,"begincodespacerange",19)) {
67	+ if ((rangecnt <= 0) \|\| (rangecnt > MAX_CID_SPACERANGECODES)) {
68	+ rc = SCAN_OUT_OF_MEMORY;
69	+ break;
70	+ }
71	CIDFontP->spacerangecnt++;
72	spacerangeP = (spacerange *)vm_alloc(sizeof(spacerange));
73	if (!spacerangeP) {
74	*************** scan_cidfont(cidfont *CIDFontP, cmapres
75	* 1787,1792 **
76	--- 1791,1800 ----
77	}
78	}
79	if (0 == strncmp(tokenStartP,"begincidrange",13)) {
80	+ if ((rangecnt <= 0) \|\| (rangecnt > MAX_CID_CIDRANGECODES)) {
81	+ rc = SCAN_OUT_OF_MEMORY;
82	+ break;
83	+ }
84	CIDFontP->cidrangecnt++;
85	cidrangeP = (cidrange *)vm_alloc(sizeof(cidrange));
86	if (!cidrangeP) {
87	*************** scan_cidfont(cidfont *CIDFontP, cmapres
88	* 1868,1873 **
89	--- 1876,1885 ----
90	}
91
92	if (0 == strncmp(tokenStartP,"beginnotdefrange",16)) {
93	+ if ((rangecnt <= 0) \|\| (rangecnt > MAX_CID_CIDRANGECODES)) {
94	+ rc = SCAN_OUT_OF_MEMORY;
95	+ break;
96	+ }
97	CIDFontP->notdefrangecnt++;
98	notdefrangeP = (cidrange *)vm_alloc(sizeof(cidrange));
99	if (!notdefrangeP) {
100	*** xc/lib/font/Type1/util.c Fri Oct 14 09:16:03 2005
101	--- xc/lib/font/Type1/util.c Wed Sep 6 17:42:08 2006
102	*************** vm_alloc(int bytes)
103	* 96,102 **
104	bytes = (bytes + 7) & ~7;
105
106	/* Allocate the space, if it is available */
107	! if (bytes <= vm_free) {
108	answer = vm_next;
109	vm_free -= bytes;
110	vm_next += bytes;
111	--- 96,102 ----
112	bytes = (bytes + 7) & ~7;
113
114	/* Allocate the space, if it is available */
115	! if ((bytes > 0) && (bytes <= vm_free)) {
116	answer = vm_next;
117	vm_free -= bytes;
118	vm_next += bytes;