summaryrefslogtreecommitdiff
AgeCommit message (Collapse)AuthorFilesLines
2014-05-12CVE-2014-0210: unvalidated length fields in fs_read_glyphs()Alan Coopersmith1-1/+28
fs_read_glyphs() parses a reply from the font server. The reply contains embedded length fields, none of which are validated. This can cause out of bound reads when looping over the glyph bitmaps in the reply. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
2014-05-12CVE-2014-0210: unvalidated length fields in fs_read_extent_info()Alan Coopersmith1-0/+10
Looping over the extents in the reply could go past the end of the reply buffer if the reply indicated more extents than could fit in the specified reply length. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
2014-05-12CVE-2014-0211: integer overflow in fs_alloc_glyphs()Alan Coopersmith1-1/+6
fs_alloc_glyphs() is a malloc wrapper used by the font code. It contains a classic integer overflow in the malloc() call, which can cause memory corruption. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
2014-05-12CVE-2014-0211: integer overflow in fs_read_extent_info()Alan Coopersmith1-1/+11
fs_read_extent_info() parses a reply from the font server. The reply contains a 32bit number of elements field which is used to calculate a buffer length. There is an integer overflow in this calculation which can lead to memory corruption. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
2014-05-12CVE-2014-0210: unvalidated length fields in fs_read_query_info()Alan Coopersmith2-0/+46
fs_read_query_info() parses a reply from the font server. The reply contains embedded length fields, none of which are validated. This can cause out of bound reads in either fs_read_query_info() or in _fs_convert_props() which it calls to parse the fsPropInfo in the reply. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
2014-05-12CVE-2014-0211: Integer overflow in fs_get_reply/_fs_start_readAlan Coopersmith1-0/+18
fs_get_reply() would take any reply size, multiply it by 4 and pass to _fs_start_read. If that size was bigger than the current reply buffer size, _fs_start_read would add it to the existing buffer size plus the buffer size increment constant and realloc the buffer to that result. This math could overflow, causing the code to allocate a smaller buffer than the amount it was about to read into that buffer from the network. It could also succeed, allowing the remote font server to cause massive allocations in the X server, possibly using up all the address space in a 32-bit X server, allowing the triggering of other bugs in code that fails to handle malloc failure properly. This patch protects against both problems, by disconnecting any font server trying to feed us more than (the somewhat arbitrary) 64 mb in a single reply. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
2014-05-12CVE-2014-0210: unvalidated lengths when reading replies from font serverAlan Coopersmith1-6/+38
Functions to handle replies to font server requests were casting replies from the generic form to reply specific structs without first checking that the reply was at least as long as the struct being cast to. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
2014-05-12CVE-2014-0210: unvalidated length in _fs_recv_conn_setup()Alan Coopersmith1-2/+18
The connection setup reply from the font server can include a list of alternate servers to contact if this font server stops working. The reply specifies a total size of all the font server names, and then provides a list of names. _fs_recv_conn_setup() allocated the specified total size for copying the names to, but didn't check to make sure it wasn't copying more data to that buffer than the size it had allocated. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
2014-05-12CVE-2014-0209: integer overflow of realloc() size in lexAlias()Alan Coopersmith1-0/+4
lexAlias() reads from a file in a loop. It does this by starting with a 64 byte buffer. If that size limit is hit, it does a realloc of the buffer size << 1, basically doubling the needed length every time the length limit is hit. Eventually, this will shift out to 0 (for a length of ~4gig), and that length will be passed on to realloc(). A length of 0 (with a valid pointer) causes realloc to free the buffer on most POSIX platforms, but the caller will still have a pointer to it, leading to use after free issues. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
2014-05-12CVE-2014-0209: integer overflow of realloc() size in FontFileAddEntry()Alan Coopersmith1-0/+5
FontFileReadDirectory() opens a fonts.dir file, and reads over every line in an fscanf loop. For each successful entry read (font name, file name) a call is made to FontFileAddFontFile(). FontFileAddFontFile() will add a font file entry (for the font name and file) each time it’s called, by calling FontFileAddEntry(). FontFileAddEntry() will do the actual adding. If the table it has to add to is full, it will do a realloc, adding 100 more entries to the table size without checking to see if that will overflow the int used to store the size. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
2014-04-24fs_send_open_font needs to allow namelen of 0 when FontReopen is setAlan Coopersmith1-1/+1
When _fs_load_glyphs calls fs_send_open_font with FontReopen set, it passes a NULL name and namelen of 0, since fs_send_open_font is going to reuse the previous name. This overly restrictive check was added in XFree86 4.3.99.12: http://cvsweb.xfree86.org/cvsweb/xc/lib/font/fc/fserve.c.diff?r1=3.23&r2=3.24 http://cvsweb.xfree86.org/cvsweb/xc/lib/font/fc/fserve.c?rev=3.24&content-type=text/vnd.viewcvs-markup Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2014-04-23Clean up warnings when src/fc is built with -DDEBUGAlan Coopersmith1-3/+1
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2014-04-23Allow enabling src/fc DEBUG helpers via CPPFLAGSAlan Coopersmith1-1/+2
Instead of editing fsio.h to turn on debugging logs, just add -DDEBUG to CPPFLAGS when building. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2014-04-21Bump version to 1.4.99.0 for master branch (to become 1.5)Alan Coopersmith1-1/+1
libXfont 1.5.0 will be synchronized with the fontsproto 2.1.3 API changes needed for xorg-server 1.16 branch. libXfont 1.4.x will be left for stable release branch for older Xserver releases. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2014-04-21Require fontsproto 2.1.3 for matching function prototypesAlan Coopersmith1-1/+1
Building current libXfont git against fontsproto 2.1.2 causes clang complaints of: patcache.c:130:1: error: conflicting types for 'CacheFontPattern' CacheFontPattern (FontPatternCachePtr cache, ^ patcache.c:176:1: error: conflicting types for 'FindCachedFontPattern' FindCachedFontPattern (FontPatternCachePtr cache, ^ due to the constification of arguments not matching. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Thomas Klausner <wiz@NetBSD.org>
2014-04-21Check if pointer returned by BufFileCreate is NULL before writing to itAlan Coopersmith1-2/+4
Fixes clang analyzer warning: bufio.c:165:13: warning: Access to field 'bufp' results in a dereference of a null pointer (loaded from variable 'f') f->bufp = f->buffer; ~ ^ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Thomas Klausner <wiz@NetBSD.org>
2014-04-11Fix buffer read overrunPeter Harris1-1/+1
"FreeType" is only eight bytes long. The atom "FreeType\x00\x??" is probably not what the author intended. Signed-off-by: Peter Harris <pharris@opentext.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2014-01-29Warning fixes.Keith Packard15-54/+60
Many const char issues. One extra 'i' declared in ScaleFont; we can just use the same 'i' as exists at the top level scope. Also ignore bad-function-cast in ftfuncs.c and bitscale.c because we're casting the return value from floor or ceil from double to int. As floor and ceil are kinda designed to generate integer results, it's pretty clear that we're doing what we want and that the compiler is generating noise. I'm not sure why bad-function-cast is ever a good warning to turn on, but I'll leave that for another day. Signed-off-by: Keith Packard <keithp@keithp.com> Reviewed-by: Gaetan Nadon <memsize@videotron.ca>
2014-01-23Add note to README declaring snf fonts to be deprecatedAlan Coopersmith1-1/+2
pcf was introduced to replace snf in X11R5 in 1991: http://www.x.org/wiki/X11R5/#index56h3 22 years is long enough to move off a font format that was alive for less than a decade before that, and widely considered a bad idea even then: http://www.faqs.org/faqs/fonts-faq/part15/ Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> Reviewed-by: Eric Anholt <eric@anholt.net> Reviewed-by: Julien Cristau <jcristau@debian.org>
2014-01-23Add notes to README about various font formats & configure optionsAlan Coopersmith1-0/+58
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> Reviewed-by: Eric Anholt <eric@anholt.net> Reviewed-by: Julien Cristau <jcristau@debian.org>
2014-01-23Correct comment in configure.ac about scalable font supportAlan Coopersmith1-3/+2
Bitstream Speedo support was removed in commit d50de26430c1a114a. All scalable font support now goes through FreeType, which can also handle some bitmap font formats as well. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> Reviewed-by: Eric Anholt <eric@anholt.net> Reviewed-by: Julien Cristau <jcristau@debian.org>
2014-01-08Remove redundant setting of 'len' in SPropRecValList_add_by_font_capAlan Coopersmith1-1/+0
Found by cppcheck 1.63: [FreeType/xttcap.c:621] -> [FreeType/xttcap.c:624]: (performance) Variable 'len' is reassigned a value before the old one has been used. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
2014-01-08Initialize (unused) data field in fsListCataloguesReq before sending it.Alan Coopersmith1-0/+1
Quiets cppcheck 1.63 warning: [fc/fserve.c:2972]: (error) Uninitialized variable: lcreq Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
2014-01-08Remove redundant declaration of FontFileStartListFonts()Alan Coopersmith1-5/+0
Fixes gcc warning: catalogue.c:336:1: warning: redundant redeclaration of 'FontFileStartListFonts' [-Wredundant-decls] In file included from ../../include/X11/fonts/fntfilst.h:40:0, from catalogue.c:32: ../../include/X11/fonts/fntfil.h:92:12: note: previous declaration of 'FontFileStartListFonts' was here Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
2014-01-08Fix unused variable 'dir' warningsAlan Coopersmith2-7/+0
catalogue.c: In function 'CatalogueOpenFont': catalogue.c:290:22: warning: variable 'dir' set but not used [-Wunused-but-set-variable] catalogue.c: In function 'CatalogueListFonts': catalogue.c:324:22: warning: variable 'dir' set but not used [-Wunused-but-set-variable] fpe.c: In function 'BuiltinResetFPE': fpe.c:57:22: warning: variable 'dir' set but not used [-Wunused-but-set-variable] Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
2014-01-07libXfont 1.4.7libXfont-1.4.7Alan Coopersmith1-1/+1
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2013-12-30Limit additional sscanf strings to fit buffer sizesAlan Coopersmith1-3/+11
None of these could currently result in buffer overflow, as the input and output buffers were the same size, but adding limits helps ensure we keep it that way, if we ever resize any of these in the future. Fixes cppcheck warnings: [lib/libXfont/src/bitmap/bdfread.c:547]: (warning) scanf without field width limits can crash with huge input data. [lib/libXfont/src/bitmap/bdfread.c:553]: (warning) scanf without field width limits can crash with huge input data. [lib/libXfont/src/bitmap/bdfread.c:636]: (warning) scanf without field width limits can crash with huge input data. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
2013-12-30CVE-2013-6462: unlimited sscanf overflows stack buffer in bdfReadCharacters()Alan Coopersmith1-1/+1
Fixes cppcheck warning: [lib/libXfont/src/bitmap/bdfread.c:341]: (warning) scanf without field width limits can crash with huge input data. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
2013-12-30Add AC_USE_SYSTEM_EXTENSIONS to expose non-standard extensionsAlan Coopersmith1-0/+5
Required on Solaris to expose definitions in system headers that are not defined in the XPG standards now that xtrans 1.3 defines _XOPEN_SOURCE to 600 on Solaris. Fixes build failures: fserve.c: In function 'fs_block_handler': fserve.c:1210:5: error: 'fd_mask' undeclared (first use in this function) fserve.c:1210:5: note: each undeclared identifier is reported only once for each function it appears in In file included from transport.c:67:0, from fstrans.c:28: Xtranssock.c: In function '_FontTransSocketINETConnect': Xtranssock.c:1421:19: error: 'INET6_ADDRSTRLEN' undeclared (first use in this function) Xtranssock.c:1421:19: note: each undeclared identifier is reported only once for each function it appears in Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Daniel Stone <daniel@fooishbar.org>
2013-12-13Don't leak old allocation if realloc fails to enlarge itAlan Coopersmith2-11/+18
In ftfuncs.c, since the buffer being reallocated is a function local buffer, used to accumulate data for a single run of the function and then freed at the end of the function, we just free the old buffer if realloc fails. In atom.c however, the ReverseMap is a static buffer, so we operate in temporary variables until we know we're successful, then update the static variables. If we fail, we leave the old static variables in place, since they contain data about previous atoms we should maintain, not lose. Reported by cppcheck: [lib/libXfont/src/FreeType/ftfuncs.c:2122]: (error) Common realloc mistake: 'ranges' nulled but not freed upon failure [lib/libXfont/src/util/atom.c:126]: (error) Common realloc mistake: 'reverseMap' nulled but not freed upon failure Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-11-22Make serverGeneration unsignedJulien Cristau1-1/+1
Makes the definition match other declarations, and xserver's definition. Debian bug#689439 Reported-by: Michael Tautschnig <mt@debian.org> Signed-off-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2013-11-01Replace malloc(strlen)+strcpy/strcat calls with strdupAlan Coopersmith3-12/+5
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2013-11-01xstrdup -> strdupAlan Coopersmith3-31/+2
Missed in xalloc -> malloc etal conversion in 0cdc9b8f850342 Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
2013-07-21libXfont 1.4.6libXfont-1.4.6Alan Coopersmith1-1/+1
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2013-06-24Require ANSI C89 pre-processor, drop pre-C89 token pasting supportAlan Coopersmith1-5/+0
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2013-06-02Protect config.h inclusion with ifdef HAVE_CONFIG_H, like usual.Thomas Klausner1-0/+2
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2013-01-16Replace deprecated Automake INCLUDES variable with AM_CPPFLAGSAlan Coopersmith7-9/+9
Excerpt https://lists.gnu.org/archive/html/automake/2012-12/msg00038.html - Support for the long-deprecated INCLUDES variable will be removed altogether in Automake 1.14. The AM_CPPFLAGS variable should be used instead. This variable was deprecated in Automake releases prior to 1.10, which is the current minimum level required to build X. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
2013-01-15autogen.sh: Implement GNOME Build APIColin Walters1-1/+3
http://people.gnome.org/~walters/docs/build-api.txt Signed-off-by: Adam Jackson <ajax@redhat.com>
2013-01-15configure: Remove AM_MAINTAINER_MODEAdam Jackson1-1/+0
Signed-off-by: Adam Jackson <ajax@redhat.com>
2012-12-07catalogue: Fix obvious thinkoAdam Jackson1-1/+1
Signed-off-by: Adam Jackson <ajax@redhat.com>
2012-10-29Omit catalogue support on systems without symlinksYaakov Selkowitz3-1/+7
Signed-off-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net> Reviewed-by: Colin Harrison <colin.harrison@virgin.net> Reviewed-by: Jon TURNEY <jon.turney@dronecode.org.uk>
2012-08-24If socket is interrupted with signal EINTR, re-attempt read.Arvind Umrao1-2/+5
If socket is getting interrupted with signal EINTR, we should keep socket in progress state. I have borrowed following code from socket write _fs_flush():line274 . I have done exactly same at _fs_fill(). Socket write will not close the connection and re attempt to read buffer. Signed-off-by: Arvind Umrao <arvind.umrao@oracle.com> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2012-03-02libXfont 1.4.5libXfont-1.4.5Alan Coopersmith1-1/+1
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2011-11-11Use * precision notation instead of computing sprintf format stringsAlan Coopersmith1-11/+5
Allows gcc to check format strings instead of just warning about them Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
2011-11-11Fix printf warnings about incorrect argument typesAlan Coopersmith5-27/+41
Mostly due to difference between sizeof & int on 64-bit platforms Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
2011-11-11Add _X_ATTRIBUTE_PRINTF to *Error/*Warning functions taking printf formatsAlan Coopersmith3-4/+4
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
2011-11-11Add const attributes to fix gcc -Wwrite-strings warningsAlan Coopersmith14-28/+28
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
2011-10-10Support compress files with maxbits < 12Tomas Hoger1-12/+2
The compress decompression code used by libXfont rejects valid archives with maxbits less than 12 (compress allows values 9 - 16, 16 is the default). This is because maxbits-12 is used as index to hsize_table[]. That looks like an incorrect port of the original compress code, where: - hsize depended on BITS, the maximum maxbits value supported by particular build, rather than on maxbits value from the particular input file - the same hsize was used for all BITS <= 12 The quick way to verify the problem is: compress -b 11 fontfile.bdf bdftopcf -o /dev/null fontfile.bdf.Z which fails, while 12-16 works correctly. This fix removes hsize_table and uses 1 << maxbits (aka maxmaxcode) as tab_prefix size. As decompression code does not use hashing as compression code, there does not seem to be a reason to allocate any extra space. Note: In this fix, maxbits == 9 is still rejected early. AFAICS compress is able to generate such files (unknown how correct such output is), but is unable to uncompress them correctly. Reviewed-by: Jeremy Huddleston <jeremyhu@apple.com>
2011-10-03 1 - fix the capitalization of the ID attriutes to match either theMatt Dew1-69/+27
<title> or <funcdef> string it goes with. 2 - fix any <linkend>'s that were affected by 1. 3 - any <function> in the docs that has an actual funcdef, will become an olink. Signed-off-by: Matt Dew <marcoz@osource.org>
2011-09-22doc: fix typo in copyright statementGaetan Nadon1-1/+1
Signed-off-by: Gaetan Nadon <memsize@videotron.ca>