XFree86-fontfile.patch

   1 diff -uNrp xc/lib/font/fontfile.orig/dirfile.c xc/lib/font/fontfile/dirfile.c
   2 --- xc/lib/font/fontfile.orig/dirfile.c 2003-04-10 13:03:53.000000000 +0200
   3 +++ xc/lib/font/fontfile/dirfile.c      2004-02-12 11:22:14.000000000 +0100
   4 @@ -68,6 +68,9 @@ FontFileReadDirectory (char *directory,
   5
   6      FontDirectoryPtr   dir = NullFontDirectory;
   7
   8 +    if (strlen(directory) + 1 + sizeof(FontDirFile) > sizeof(dir_file))
   9 +       return BadFontPath;
  10 +
  11  #ifdef FONTDIRATTRIB
  12      /* Check for font directory attributes */
  13  #ifndef __UNIXOS2__
  14 @@ -159,6 +162,9 @@ FontFileDirectoryChanged(FontDirectoryPt
  15      char       dir_file[MAXFONTFILENAMELEN];
  16      struct stat        statb;
  17
  18 +    if (strlen(dir->directory) + sizeof(FontDirFile) > sizeof(dir_file))
  19 +       return FALSE;
  20 +
  21      strcpy (dir_file, dir->directory);
  22      strcat (dir_file, FontDirFile);
  23      if (stat (dir_file, &statb) == -1)
  24 @@ -207,6 +213,8 @@ AddFileNameAliases(FontDirectoryPtr dir)
  25             continue;
  26
  27         len = strlen (fileName) - renderer->fileSuffixLen;
  28 +       if (len >= sizeof(copy))
  29 +           continue;
  30         CopyISOLatin1Lowered (copy, fileName, len);
  31         copy[len] = '\0';
  32         name.name = copy;
  33 @@ -256,9 +264,13 @@ ReadFontAlias(char *directory, Bool isFi
  34      int                        status = Successful;
  35      struct stat                statb;
  36
  37 +    if (strlen(directory) >= sizeof(alias_file))
  38 +       return BadFontPath;
  39      dir = *pdir;
  40      strcpy(alias_file, directory);
  41      if (!isFile) {
  42 +       if (strlen(directory) + 1 + sizeof(FontAliasFile) > sizeof(alias_file))
  43 +           return BadFontPath;
  44         if (directory[strlen(directory) - 1] != '/')
  45             strcat(alias_file, "/");
  46         strcat(alias_file, FontAliasFile);
  47 @@ -291,6 +303,10 @@ ReadFontAlias(char *directory, Bool isFi
  48             status = AllocError;
  49             break;
  50         case NAME:
  51 +           if (strlen(lexToken) >= sizeof(alias)) {
  52 +               status = BadFontPath;
  53 +               break;
  54 +           }
  55             strcpy(alias, lexToken);
  56             token = lexAlias(file, &lexToken);
  57             switch (token) {
  58 @@ -307,6 +323,10 @@ ReadFontAlias(char *directory, Bool isFi
  59                 status = AllocError;
  60                 break;
  61             case NAME:
  62 +               if (strlen(lexToken) >= sizeof(font_name)) {
  63 +                   status = BadFontPath;
  64 +                   break;
  65 +               }
  66                 CopyISOLatin1Lowered(alias, alias, strlen(alias));
  67                 CopyISOLatin1Lowered(font_name, lexToken, strlen(lexToken));
  68                 if (!FontFileAddFontAlias (dir, alias, font_name))
  69 diff -uNrp xc/lib/font/fontfile.orig/encparse.c xc/lib/font/fontfile/encparse.c
  70 --- xc/lib/font/fontfile.orig/encparse.c        2003-12-19 05:45:49.000000000 +0100
  71 +++ xc/lib/font/fontfile/encparse.c     2004-02-12 11:22:14.000000000 +0100
  72 @@ -837,6 +837,7 @@ FontEncReallyReallyLoad(const char *char
  73      char file_name[MAXFONTFILENAMELEN], encoding_name[MAXFONTNAMELEN],
  74          buf[MAXFONTFILENAMELEN];
  75      int count, n;
  76 +    static char format[24] = "";
  77
  78      /* As we don't really expect to open encodings that often, we don't
  79         take the trouble of caching encodings directories. */
  80 @@ -852,8 +853,12 @@ FontEncReallyReallyLoad(const char *char
  81      }
  82
  83      encoding = NULL;
  84 +    if (!format[0]) {
  85 +       sprintf(format, "%%%ds %%%d[^\n]\n", sizeof(encoding_name) - 1,
  86 +               sizeof(file_name) - 1);
  87 +    }
  88      for(;;) {
  89 -        count = fscanf(file, "%s %[^\n]\n", encoding_name, file_name);
  90 +        count = fscanf(file, format, encoding_name, file_name);
  91          if(count == EOF)
  92              break;
  93          if(count != 2)
  94 diff -uNrp xc/lib/font/fontfile.orig/fontfile.c xc/lib/font/fontfile/fontfile.c
  95 --- xc/lib/font/fontfile.orig/fontfile.c        2003-12-03 05:58:58.000000000 +0100
  96 +++ xc/lib/font/fontfile/fontfile.c     2004-02-12 12:01:07.727501240 +0100
  97 @@ -423,11 +423,16 @@ FontFileOpenFont (pointer client, FontPa
  98                     vals.ranges = ranges;
  99                     vals.nranges = nranges;
 100
 101 -                   strcpy (fileName, dir->directory);
 102 -                   strcat (fileName, scalable->fileName);
 103 -                   ret = (*scalable->renderer->OpenScalable) (fpe, pFont,
 104 +                   if (strlen(dir->directory) + strlen(scalable->fileName) >= sizeof(fileName))
 105 +                       ret = BadFontName;
 106 +                   else
 107 +                   {
 108 +                       strcpy(fileName, dir->directory);
 109 +                       strcat(fileName, scalable->fileName);
 110 +                       ret = (*scalable->renderer->OpenScalable) (fpe, pFont,
 111                            flags, entry, fileName, &vals, format, fmask,
 112                            non_cachable_font);
 113 +                   }
 114
 115                     /* In case rasterizer does something bad because of
 116                        charset subsetting... */
 117 @@ -498,6 +503,8 @@ FontFileOpenBitmapNCF (FontPathElementPt
 118      bitmap = &entry->u.bitmap;
 119      if(!bitmap || !bitmap->renderer->OpenBitmap)
 120          return BadFontName;
 121 +    if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName))
 122 +       return BadFontName;
 123      strcpy (fileName, dir->directory);
 124      strcat (fileName, bitmap->fileName);
 125      ret = (*bitmap->renderer->OpenBitmap)
 126 @@ -533,6 +540,8 @@ FontFileGetInfoBitmap (FontPathElementPt
 127      bitmap = &entry->u.bitmap;
 128      if (!bitmap || !bitmap->renderer->GetInfoBitmap)
 129         return BadFontName;
 130 +    if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName))
 131 +       return BadFontName;
 132      strcpy (fileName, dir->directory);
 133      strcat (fileName, bitmap->fileName);
 134      ret = (*bitmap->renderer->GetInfoBitmap) (fpe, pFontInfo, entry, fileName);
 135 @@ -872,10 +881,15 @@ FontFileListOneFontWithInfo (pointer cli
 136             bc = &entry->u.bc;
 137             entry = bc->entry;
 138             /* Make a new scaled instance */
 139 -           strcpy (fileName, dir->directory);
 140 -           strcat (fileName, scalable->fileName);
 141 -           ret = (*scalable->renderer->GetInfoScalable)
 142 +           if (strlen(dir->directory) + strlen(scalable->fileName) >= sizeof(fileName))
 143 +               ret = BadFontName;
 144 +           else
 145 +           {
 146 +               strcpy(fileName, dir->directory);
 147 +               strcat(fileName, scalable->fileName);
 148 +               ret = (*scalable->renderer->GetInfoScalable)
 149                     (fpe, *pFontInfo, entry, tmpName, fileName, &bc->vals);
 150 +           }
 151             break;
 152  #endif
 153         default:
 154 @@ -980,10 +994,15 @@ FontFileListOneFontWithInfo (pointer cli
 155                     vals.nranges = nranges;
 156
 157                     /* Make a new scaled instance */
 158 -                   strcpy (fileName, dir->directory);
 159 -                   strcat (fileName, scalable->fileName);
 160 -                   ret = (*scalable->renderer->GetInfoScalable)
 161 -                       (fpe, *pFontInfo, entry, &tmpName, fileName, &vals);
 162 +                   if (strlen(dir->directory) + strlen(scalable->fileName) >= sizeof(fileName))
 163 +                       ret = BadFontName;
 164 +                   else
 165 +                   {
 166 +                       strcpy (fileName, dir->directory);
 167 +                       strcat (fileName, scalable->fileName);
 168 +                       ret = (*scalable->renderer->GetInfoScalable)
 169 +                           (fpe, *pFontInfo, entry, &tmpName, fileName, &vals);
 170 +                   }
 171                     if (ranges) xfree(ranges);
 172                 }
 173             }