Age         Commit message  [Author; Files; Lines]

2017-10-19  Check for end of string in PatternMatch (CVE-2017-13720)  [Michal Srb; 1 file; -1/+3]

    If a pattern contains a '?' character, any character in the string is
    skipped, even if it is '\0'. The rest of the matching then reads
    invalid memory.

    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>
    (cherry picked from commit d1e670a4a8704b8708e493ab6155589bcd570608)
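The following is an added example and not libXfont's PatternMatch (which lives in the font directory code and has its own pattern syntax); it is a minimal '?'/'*' wildcard matcher whose only purpose is to show the end-of-string check the commit above adds, in a form that can be run and tested. Function and variable names are this example's own.

```c
#include <stdbool.h>

/* Added example, not libXfont's PatternMatch: a minimal wildcard matcher
 * supporting '?' (exactly one character) and '*' (any run of characters).
 * It demonstrates the check the commit above adds: '?' may only consume a
 * real character, never the terminating '\0', otherwise matching continues
 * past the end of the string and reads memory it does not own. */
bool pattern_match(const char *pat, const char *str)
{
    while (*pat != '\0') {
        switch (*pat) {
        case '?':
            /* End-of-string check: a '?' with nothing left to match fails
             * here instead of stepping over the terminator. */
            if (*str == '\0')
                return false;
            pat++;
            str++;
            break;
        case '*':
            /* Collapse runs of '*'; a trailing '*' matches the whole rest. */
            while (*pat == '*')
                pat++;
            if (*pat == '\0')
                return true;
            /* The rest of the pattern starts with a non-'*' element, so it
             * needs at least one character: try each remaining suffix. */
            for (; *str != '\0'; str++) {
                if (pattern_match(pat, str))
                    return true;
            }
            return false;
        default:
            /* Literal character: must match exactly. Because *pat is never
             * '\0' inside the loop, this also stops at the terminator. */
            if (*str != *pat)
                return false;
            pat++;
            str++;
            break;
        }
    }
    /* Pattern exhausted: a match only if the string is exhausted too. */
    return *str == '\0';
}
```

The case the CVE describes is `pattern_match("ab?", "ab")`: without the `*str == '\0'` test under `case '?'`, the matcher would advance `str` past the terminator and keep comparing whatever bytes follow the string in memory.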
2016-08-31  libXfont 1.5.2  (tag: libXfont-1.5.2)  [Adam Jackson; 1 file; -1/+1]

    Signed-off-by: Adam Jackson <ajax@redhat.com>

2016-05-30  fserve: Fix a buffer read overrun in _fs_client_access  [Jeremy Huddleston Sequoia; 1 file; -3/+1]

    https://bugs.freedesktop.org/show_bug.cgi?id=83224

    Found by clang's Address Sanitizer

        crac.num_auths = set_font_authorizations(&authorizations, &authlen, client);
        /* Work around bug in xfs versions up through modular release 1.0.8
           which rejects CreateAC packets with num_auths = 0 & authlen < 4 */
        if (crac.num_auths == 0) {
            authorizations = padding;
            authlen = 4;
        } else {
            authlen = (authlen + 3) & ~0x3;
        }
        crac.length = (sizeof (fsCreateACReq) + authlen) >> 2;
        crac.acid = cur->acid;
        _fs_add_req_log(conn, FS_CreateAC);
        _fs_write(conn, (char *) &crac, sizeof (fsCreateACReq));
        _fs_write(conn, authorizations, authlen);

    In the case in the report, set_font_authorizations setup authorizations
    as a 34 byte buffer (and authlen set to 34 as one would expect). The
    following block changed authlen to 36 to make it 4-byte aligned and the
    final _fs_write() caused us to read 36 bytes from this 34 byte buffer.

    This changes the incorrect size increase to instead use _fs_write_pad
    which takes care of the padding for us.

    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    (cherry picked from commit 6972ea08ee5b2ef1cfbdc2fcaf14f06bbd391561)
2016-05-30  fserve: Silence a -Wformat warning  [Jeremy Huddleston Sequoia; 1 file; -2/+2]

        src/fc/fserve.c:653:32: warning: format specifies type 'int' but the argument has type 'CARD32' (aka 'unsigned long') [-Wformat]
                                 " from font server\n", rep->length);
                                                        ^~~~~~~~~~~
        1 warning generated.

    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    (cherry picked from commit e6009adbc89ec3e1f924bcb57b333c1c02f5e66d)

2016-05-30  bitmap: Bail out on invalid input to FontFileMakeDir instead of calling calloc for 0 bytes  [Jeremy Huddleston Sequoia; 1 file; -0/+4]

    Found by clang static analysis:
    Call to 'calloc' has an allocation size of 0 bytes

    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    (cherry picked from commit ac559fad20bbae45332c758abb6a790c3fd341a2)

2016-05-30  FreeType: Correct an allocation size  [Jeremy Huddleston Sequoia; 1 file; -1/+1]

    Found by clang static analysis:
    Result of 'calloc' is converted to a pointer of type 'int', which is
    incompatible with sizeof operand type 'int *'

    This is likely benign because the old size was larger on any platform
    where sizeof(int) <= sizeof(void *), which is everywhere.

    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    (cherry picked from commit d0fff111992fed9d9bfbf0c19e136bda9ba1db55)

2016-05-30  Fix warnings  [Keith Packard; 3 files; -9/+8]

    Mostly signed vs unsigned comparisons

    Signed-off-by: Keith Packard <keithp@keithp.com>

    Squashed commit of three cherry-picks from master:
    (cherry picked from commit eb67d10ae82b364a4324e96ce53baaa4e5e75f97)
    (cherry picked from commit eefc0b0b908eb8533e704d7156ce983ad7891cc5)
    (cherry picked from commit d967caa988eaabd9e84c82879e2f21bd33b952a7)
2015-10-21  Use NO_WEAK_SYMBOLS instead of -flat_namespace  [Jeremy Huddleston Sequoia; 2 files; -13/+1]

    Lesser of two evil hacks, I suppose...

    This reverts commit 0386fa77367a305deea3cc27f8a3865cc3c467c0.

2015-10-21  stubs: Add missing externs for declarations in the NO_WEAK_SYMBOLS && PIC stubs resolution  [Jeremy Huddleston Sequoia; 1 file; -23/+23]

    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>

2015-10-20  Fix is*() usage.  [Thomas Klausner; 4 files; -11/+11]

    The argument must be an unsigned char or -1; in these cases we know
    it's not -1 so cast it to unsigned char.

    Fixes warning:
    array subscript is of type 'char' [-Wchar-subscripts]

    Signed-off-by: Thomas Klausner <wiz@NetBSD.org>

2015-07-28  bdfReadCharacters: Allow negative DWIDTH values  [Benjamin Tissoires; 1 file; -1/+1]

    The fix for CVE-2015-1804 prevents DWIDTH from being negative. However,
    the spec states that "DWIDTH [...] is a vector indicating the position
    of the next glyph’s origin relative to the origin of this glyph." So
    negative values are correct.

    Found by trying to compile XTS.

    Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2015-03-20  doc: add a couple olinks to fsproto & xfs-design docs  [Alan Coopersmith; 1 file; -1/+4]

    Don't seem to have the ability to link to BDF or Xserver internals docs
    yet.

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

2015-03-17  libXfont 1.5.1  (tag: libXfont-1.5.1)  [Alan Coopersmith; 1 file; -1/+1]

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

2015-03-17  bdfReadCharacters: ensure metrics fit into xCharInfo struct [CVE-2015-1804]  [Alan Coopersmith; 1 file; -2/+24]

    We use 32-bit ints to read from the bdf file, but then try to stick
    into a 16-bit int in the xCharInfo struct, so make sure they won't
    overflow that range.

    Found by afl-1.24b.

    v2: Verify that additions won't overflow 32-bit int range either.
    v3: As Julien correctly observes, the previous check for bh & bw not
        being < 0 reduces the number of cases we need to check for overflow.

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>
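The two bdfReadCharacters commits above (the CVE-2015-1804 range checks and the later "Allow negative DWIDTH values" correction) describe a check that is easy to get subtly wrong. The following is an added example and not libXfont's code: a self-contained version of the range checks a BDF reader needs before storing 32-bit BBX and DWIDTH values into 16-bit metrics. The struct, field names and function name are this example's own; the derived metrics follow the usual BDF convention (right bearing = bl + bw, ascent = bb + bh, descent = -bb), which is an assumption of this example.

```c
#include <stdbool.h>
#include <stdint.h>

/* Added example, not libXfont's code. 16-bit metrics in the style of
 * xCharInfo; the field names are this example's own. */
struct metrics16 {
    int16_t left_side_bearing;
    int16_t right_side_bearing;
    int16_t ascent;
    int16_t descent;
    int16_t character_width;
};

/* bw/bh/bl/bb are the BBX width, height, x-offset and y-offset read as
 * 32-bit ints; dwidth is the DWIDTH x advance, which may legitimately be
 * negative. Returns false (leaving *out untouched) if any value or any
 * derived metric would not fit in 16 bits. */
bool bdf_metrics_fit(int32_t bw, int32_t bh, int32_t bl, int32_t bb,
                     int32_t dwidth, struct metrics16 *out)
{
    /* A bitmap cannot have negative dimensions. Rejecting that first is what
     * lets the derived-sum checks below stay simple: the sums can only grow. */
    if (bw < 0 || bh < 0)
        return false;

    /* The offsets themselves must be representable. */
    if (bl < INT16_MIN || bl > INT16_MAX)
        return false;
    if (bb < INT16_MIN || bb > INT16_MAX)
        return false;

    /* bl + bw and bb + bh, written as subtractions from INT16_MAX so the
     * comparison itself cannot overflow int32 (bl and bb are within int16
     * range, bw and bh are non-negative). */
    if (bw > INT16_MAX - bl)
        return false;
    if (bh > INT16_MAX - bb)
        return false;

    /* descent = -bb: negating INT16_MIN does not fit in 16 bits. */
    if (-bb > INT16_MAX)
        return false;

    /* Negative advances are valid per the BDF spec; only the range matters. */
    if (dwidth < INT16_MIN || dwidth > INT16_MAX)
        return false;

    out->left_side_bearing = (int16_t)bl;
    out->right_side_bearing = (int16_t)(bl + bw);
    out->ascent = (int16_t)(bb + bh);
    out->descent = (int16_t)-bb;
    out->character_width = (int16_t)dwidth;
    return true;
}
```

The order of the checks matters: verifying `bw >= 0` and `bl` within int16 range first is what guarantees that `INT16_MAX - bl` and the comparison against `bw` cannot themselves overflow, which is the point made in the v3 note of the commit message.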
2015-03-17  bdfReadCharacters: bailout if a char's bitmap cannot be read [CVE-2015-1803]  [Alan Coopersmith; 1 file; -1/+4]

    Previously would charge on ahead with a NULL pointer in ci->bits, and
    then crash later in FontCharInkMetrics() trying to access the bits.

    Found with afl-1.23b.

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>

2015-03-17  bdfReadProperties: property count needs range check [CVE-2015-1802]  [Alan Coopersmith; 1 file; -1/+3]

    Avoid integer overflow or underflow when allocating memory arrays by
    multiplying the number of properties reported for a BDF font.

    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>

2015-02-26  Set close-on-exec for font file I/O.  [Christos Zoulas; 2 files; -6/+11]

    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Thomas Klausner <wiz@NetBSD.org>

2014-11-05  Use 'imdent' to realign cpp indentation levels in fslibos.h  [Alan Coopersmith; 1 file; -109/+109]

    Parts were indented, others weren't; now it is more consistent.

    'git diff -w' shows no non-whitespace changes in this commit

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

2014-11-05  Remove unneeded checks for #ifndef X_NOT_POSIX  [Alan Coopersmith; 1 file; -2/+0]

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2014-07-19  libXfont 1.5.0  (tag: libXfont-1.5.0)  [Alan Coopersmith; 1 file; -1/+1]

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

2014-07-07  libXfont 1.4.99.901  (tag: libXfont-1.4.99.901)  [Alan Coopersmith; 1 file; -1/+1]

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

2014-06-27  Make shared library work on Cygwin/MinGW  [Yaakov Selkowitz; 25 files; -28/+182]

    Weak symbols on PE platforms do not work the same way as on ELF
    platforms, hence we have been unable to have a fully functional shared
    libXfont until now. This patch works around these issues so that we can
    fix that.

    In summary, only when compiling shared libraries on NO_WEAK_SYMBOLS
    platforms, when the first stub is called, the invoking program is first
    checked to determine if it exports the stubbed functions. Then, for
    every stub call, if the function is exported by the loader, it is
    called instead of the stub code.

    serverClient and serverGeneration are data pointers, and therefore are
    replaced by getter functions. ErrorF is variadic, so the override is
    routed through VErrorF instead. FatalError has no va_list equivalent,
    but it is not actually used in libXfont and therefore should be safe to
    remove.

    This requires all X servers to export their symbols, which requires
    forthcoming patches for hw/xwin and xfs; the other xservers (including
    tigervnc) already do this via LD_EXPORT_SYMBOLS_FLAG.

    Signed-off-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
    Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
    Acked-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Tested-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>

2014-05-23  Use default glyphs when getting 16-bit font with 8-bit text  [Keith Packard; 1 file; -1/+5]

    When accessing a 16-bit font with firstRow > 0 with 8-bit text, check
    to see if the font has a default character and return that for every
    incoming character.

    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Eric Anholt <eric@anholt.net>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
2014-05-23  Don't build unused code in bitmapfunc.c if all bitmap formats are disabled  [Alan Coopersmith; 1 file; -0/+15]

    If the only bitmaps we support are builtins, don't need the code to
    register all the bitmap font file handlers.

    Fixes gcc warnings:
        bitmapfunc.c:110:1: warning: 'BitmapOpenBitmap' defined but not used [-Wunused-function]
         BitmapOpenBitmap (FontPathElementPtr fpe, FontPtr *ppFont, int flags,
         ^
        bitmapfunc.c:155:1: warning: 'BitmapGetInfoBitmap' defined but not used [-Wunused-function]
         BitmapGetInfoBitmap (FontPathElementPtr fpe, FontInfoPtr pFontInfo,
         ^

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Rémi Cardona <remi@gentoo.org>

2014-05-23  Don't compile bitmap source files for disabled formats  [Alan Coopersmith; 2 files; -7/+20]

    pcfread.c is a special case - it's needed for either reading pcf files
    from disk (--enable-pcfformat) or from the builtin fonts in memory
    (--enable-builtins), so needed a new AM_CONDITIONAL case.

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Rémi Cardona <remi@gentoo.org>

2014-05-23  Drop imake/monolithic compatibility #define mapping  [Alan Coopersmith; 2 files; -32/+0]

    Require the #defines from configure.ac now that we're not sharing
    source with the imake builds any longer.

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Rémi Cardona <remi@gentoo.org>

2014-05-23  Change default to disabling SNF support  [Alan Coopersmith; 2 files; -6/+6]

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Rémi Cardona <remi@gentoo.org>

2014-05-23  Use AS_HELP_STRING to provide help for AC_ARG_ENABLE & AC_ARG_WITH options  [Alan Coopersmith; 1 file; -8/+29]

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Rémi Cardona <remi@gentoo.org>
2014-05-12  CVE-2014-0210: unvalidated length fields in fs_read_list_info()  [Alan Coopersmith; 1 file; -0/+54]

    fs_read_list_info() parses a reply from the font server. The reply
    contains a number of additional data items with embedded length or
    count fields, none of which are validated. This can cause out of bound
    reads when looping over these items in the reply.

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

2014-05-12  CVE-2014-0210: unvalidated length fields in fs_read_list()  [Alan Coopersmith; 1 file; -0/+15]

    fs_read_list() parses a reply from the font server. The reply contains
    a list of strings with embedded length fields, none of which are
    validated. This can cause out of bound reads when looping over the
    strings in the reply.

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

2014-05-12  CVE-2014-0210: unvalidated length fields in fs_read_glyphs()  [Alan Coopersmith; 1 file; -1/+28]

    fs_read_glyphs() parses a reply from the font server. The reply
    contains embedded length fields, none of which are validated. This can
    cause out of bound reads when looping over the glyph bitmaps in the
    reply.

    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

2014-05-12  CVE-2014-0210: unvalidated length fields in fs_read_extent_info()  [Alan Coopersmith; 1 file; -0/+10]

    Looping over the extents in the reply could go past the end of the
    reply buffer if the reply indicated more extents than could fit in the
    specified reply length.

    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

2014-05-12  CVE-2014-0211: integer overflow in fs_alloc_glyphs()  [Alan Coopersmith; 1 file; -1/+6]

    fs_alloc_glyphs() is a malloc wrapper used by the font code. It
    contains a classic integer overflow in the malloc() call, which can
    cause memory corruption.

    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

2014-05-12  CVE-2014-0211: integer overflow in fs_read_extent_info()  [Alan Coopersmith; 1 file; -1/+11]

    fs_read_extent_info() parses a reply from the font server. The reply
    contains a 32bit number of elements field which is used to calculate a
    buffer length. There is an integer overflow in this calculation which
    can lead to memory corruption.

    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
2014-05-12  CVE-2014-0210: unvalidated length fields in fs_read_query_info()  [Alan Coopersmith; 2 files; -0/+46]

    fs_read_query_info() parses a reply from the font server. The reply
    contains embedded length fields, none of which are validated. This can
    cause out of bound reads in either fs_read_query_info() or in
    _fs_convert_props() which it calls to parse the fsPropInfo in the
    reply.

    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

2014-05-12  CVE-2014-0211: Integer overflow in fs_get_reply/_fs_start_read  [Alan Coopersmith; 1 file; -0/+18]

    fs_get_reply() would take any reply size, multiply it by 4 and pass to
    _fs_start_read. If that size was bigger than the current reply buffer
    size, _fs_start_read would add it to the existing buffer size plus the
    buffer size increment constant and realloc the buffer to that result.

    This math could overflow, causing the code to allocate a smaller buffer
    than the amount it was about to read into that buffer from the network.
    It could also succeed, allowing the remote font server to cause massive
    allocations in the X server, possibly using up all the address space in
    a 32-bit X server, allowing the triggering of other bugs in code that
    fails to handle malloc failure properly.

    This patch protects against both problems, by disconnecting any font
    server trying to feed us more than (the somewhat arbitrary) 64 MB in a
    single reply.

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

2014-05-12  CVE-2014-0210: unvalidated lengths when reading replies from font server  [Alan Coopersmith; 1 file; -6/+38]

    Functions to handle replies to font server requests were casting
    replies from the generic form to reply specific structs without first
    checking that the reply was at least as long as the struct being cast
    to.

    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

2014-05-12  CVE-2014-0210: unvalidated length in _fs_recv_conn_setup()  [Alan Coopersmith; 1 file; -2/+18]

    The connection setup reply from the font server can include a list of
    alternate servers to contact if this font server stops working. The
    reply specifies a total size of all the font server names, and then
    provides a list of names. _fs_recv_conn_setup() allocated the specified
    total size for copying the names to, but didn't check to make sure it
    wasn't copying more data to that buffer than the size it had allocated.

    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
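The CVE-2014-0210 commits above (fs_read_list() with its list of length-prefixed strings, and _fs_recv_conn_setup() with its declared total size for the alternate-server names) share one failure pattern: a length field from the network is trusted before it is compared with the bytes actually received. The following is an added example and not libXfont's parser: a bounds-checked reader for a reply of that shape, with a constructed byte layout that is not the X Font Server wire format. Struct, constant and function names are this example's own.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Added example, not libXfont's code. Constructed reply layout (not the
 * X Font Server wire format):
 *   [u8 count][u8 total][ count x ( [u8 len][len bytes] ) ]
 * 'total' is the sender's claim of how many bytes the items occupy, the way
 * the connection setup reply declares a total size for the alternate names. */

#define NAME_MAX_LEN 63

struct reader {
    const uint8_t *p;   /* next unread byte */
    size_t left;        /* bytes remaining that may be read */
};

static bool read_u8(struct reader *r, uint8_t *v)
{
    if (r->left < 1)
        return false;
    *v = *r->p++;
    r->left--;
    return true;
}

/* Parses the list into out[], which holds max_out NUL-terminated names.
 * Returns the number of names stored, or -1 if any length field (count,
 * total, or a per-item len) claims more bytes than the received buffer or
 * the declared total actually contain. Every check runs before the read it
 * guards, so no byte outside buf[0..len) is ever touched. */
int parse_name_list(const uint8_t *buf, size_t len,
                    char out[][NAME_MAX_LEN + 1], int max_out)
{
    struct reader r = { buf, len };
    uint8_t count, total;

    if (!read_u8(&r, &count) || !read_u8(&r, &total))
        return -1;                  /* header truncated */
    if (total > r.left)
        return -1;                  /* declared total exceeds what was received */
    r.left = total;                 /* and never read beyond the declared region */

    int n = 0;
    for (unsigned i = 0; i < count; i++) {
        uint8_t slen;
        if (!read_u8(&r, &slen))
            return -1;              /* count claims more items than are present */
        if (slen > r.left)
            return -1;              /* the unvalidated-length case */
        if (slen > NAME_MAX_LEN)
            return -1;              /* would not fit the caller's storage */
        if (n < max_out) {
            memcpy(out[n], r.p, slen);
            out[n][slen] = '\0';
            n++;
        }
        r.p += slen;
        r.left -= slen;
    }
    if (r.left != 0)
        return -1;                  /* items and declared total disagree */
    return n;
}
```

The shape to notice is that the reader carries a `left` counter that is reduced on every read and compared against every length before the read happens; cross-checking the per-item lengths against the declared `total` also catches a sender whose two claims contradict each other, which is the case the _fs_recv_conn_setup() fix addresses.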
2014-05-12  CVE-2014-0209: integer overflow of realloc() size in lexAlias()  [Alan Coopersmith; 1 file; -0/+4]

    lexAlias() reads from a file in a loop. It does this by starting with a
    64 byte buffer. If that size limit is hit, it does a realloc of the
    buffer size << 1, basically doubling the needed length every time the
    length limit is hit.

    Eventually, this will shift out to 0 (for a length of ~4gig), and that
    length will be passed on to realloc(). A length of 0 (with a valid
    pointer) causes realloc to free the buffer on most POSIX platforms, but
    the caller will still have a pointer to it, leading to use after free
    issues.

    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

2014-05-12  CVE-2014-0209: integer overflow of realloc() size in FontFileAddEntry()  [Alan Coopersmith; 1 file; -0/+5]

    FontFileReadDirectory() opens a fonts.dir file, and reads over every
    line in an fscanf loop. For each successful entry read (font name, file
    name) a call is made to FontFileAddFontFile().

    FontFileAddFontFile() will add a font file entry (for the font name and
    file) each time it’s called, by calling FontFileAddEntry().
    FontFileAddEntry() will do the actual adding. If the table it has to
    add to is full, it will do a realloc, adding 100 more entries to the
    table size without checking to see if that will overflow the int used
    to store the size.

    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
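The CVE-2014-0209 and CVE-2014-0211 commits above describe four variants of one arithmetic mistake: doubling a buffer size until it wraps to 0 (lexAlias), adding a fixed increment to an int table size (FontFileAddEntry), turning a 32-bit wire length into a buffer size (fs_get_reply/_fs_start_read), and multiplying a count by an element size inside a malloc wrapper (fs_alloc_glyphs). The following is an added example and not libXfont's code: a checked version of each computation. The names and the REPLY_LIMIT constant are this example's own; the 64 MB figure is the bound the fs_get_reply commit says it chose.

```c
#include <limits.h>
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdlib.h>

/* Added example, not libXfont's code. Upper bound for any single buffer;
 * the 64 MB value mirrors the bound chosen in the fs_get_reply commit. */
#define REPLY_LIMIT ((size_t)64 * 1024 * 1024)

/* Doubling growth. Never returns 0 for a non-zero input: a size that wrapped
 * to 0 would turn realloc(p, 0) into a free() the caller does not know
 * about, which is the use-after-free the lexAlias commit describes. */
size_t grow_double(size_t cur, size_t limit)
{
    if (cur == 0)
        return 64;          /* initial buffer, as lexAlias starts with 64 bytes */
    if (cur > limit / 2)
        return 0;           /* doubling would exceed the limit; caller must bail */
    return cur * 2;
}

/* Fixed-increment growth of an int-sized table (FontFileAddEntry adds 100
 * entries at a time). Returns false rather than letting cur + step wrap. */
bool grow_by(int cur, int step, int *out)
{
    if (cur < 0 || step <= 0)
        return false;
    if (cur > INT_MAX - step)
        return false;
    *out = cur + step;
    return true;
}

/* Convert a 32-bit wire length given in 4-byte units into a byte count,
 * refusing anything past the limit before any buffer arithmetic happens.
 * The multiplication is done in 64 bits so it cannot wrap on its own. */
bool reply_bytes(uint32_t length_units, size_t limit, size_t *out)
{
    uint64_t bytes = (uint64_t)length_units * 4;
    if (bytes > limit)
        return false;
    *out = (size_t)bytes;
    return true;
}

/* malloc wrapper that checks n * size before multiplying, the check the
 * fs_alloc_glyphs commit says was missing. */
void *malloc_array(size_t n, size_t size)
{
    if (size != 0 && n > SIZE_MAX / size)
        return NULL;        /* product would wrap */
    if (n * size > REPLY_LIMIT)
        return NULL;        /* non-wrapping but absurd; refuse as well */
    return malloc(n * size);
}
```

Each helper reports failure through its return value rather than clamping, because the right reaction to an implausible size from a font file or a font server is to stop processing that input, as the fs_get_reply commit does by disconnecting the server.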
2014-04-24  fs_send_open_font needs to allow namelen of 0 when FontReopen is set  [Alan Coopersmith; 1 file; -1/+1]

    When _fs_load_glyphs calls fs_send_open_font with FontReopen set, it
    passes a NULL name and namelen of 0, since fs_send_open_font is going
    to reuse the previous name.

    This overly restrictive check was added in XFree86 4.3.99.12:
    http://cvsweb.xfree86.org/cvsweb/xc/lib/font/fc/fserve.c.diff?r1=3.23&r2=3.24
    http://cvsweb.xfree86.org/cvsweb/xc/lib/font/fc/fserve.c?rev=3.24&content-type=text/vnd.viewcvs-markup

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

2014-04-23  Clean up warnings when src/fc is built with -DDEBUG  [Alan Coopersmith; 1 file; -3/+1]

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

2014-04-23  Allow enabling src/fc DEBUG helpers via CPPFLAGS  [Alan Coopersmith; 1 file; -1/+2]

    Instead of editing fsio.h to turn on debugging logs, just add -DDEBUG
    to CPPFLAGS when building.

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

2014-04-21  Bump version to 1.4.99.0 for master branch (to become 1.5)  [Alan Coopersmith; 1 file; -1/+1]

    libXfont 1.5.0 will be synchronized with the fontsproto 2.1.3 API
    changes needed for xorg-server 1.16 branch. libXfont 1.4.x will be left
    for stable release branch for older Xserver releases.

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

2014-04-21  Require fontsproto 2.1.3 for matching function prototypes  [Alan Coopersmith; 1 file; -1/+1]

    Building current libXfont git against fontsproto 2.1.2 causes clang
    complaints of:

        patcache.c:130:1: error: conflicting types for 'CacheFontPattern'
        CacheFontPattern (FontPatternCachePtr cache,
        ^
        patcache.c:176:1: error: conflicting types for 'FindCachedFontPattern'
        FindCachedFontPattern (FontPatternCachePtr cache,
        ^

    due to the constification of arguments not matching.

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Thomas Klausner <wiz@NetBSD.org>

2014-04-21  Check if pointer returned by BufFileCreate is NULL before writing to it  [Alan Coopersmith; 1 file; -2/+4]

    Fixes clang analyzer warning:

        bufio.c:165:13: warning: Access to field 'bufp' results in a dereference of a null pointer (loaded from variable 'f')
            f->bufp = f->buffer;
            ~       ^

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Thomas Klausner <wiz@NetBSD.org>
2014-04-11  Fix buffer read overrun  [Peter Harris; 1 file; -1/+1]

    "FreeType" is only eight bytes long. The atom "FreeType\x00\x??" is
    probably not what the author intended.

    Signed-off-by: Peter Harris <pharris@opentext.com>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>

2014-01-29  Warning fixes.  [Keith Packard; 15 files; -54/+60]

    Many const char issues. One extra 'i' declared in ScaleFont; we can
    just use the same 'i' as exists at the top level scope.

    Also ignore bad-function-cast in ftfuncs.c and bitscale.c because we're
    casting the return value from floor or ceil from double to int. As
    floor and ceil are kinda designed to generate integer results, it's
    pretty clear that we're doing what we want and that the compiler is
    generating noise. I'm not sure why bad-function-cast is ever a good
    warning to turn on, but I'll leave that for another day.

    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Gaetan Nadon <memsize@videotron.ca>

2014-01-23  Add note to README declaring snf fonts to be deprecated  [Alan Coopersmith; 1 file; -1/+2]

    pcf was introduced to replace snf in X11R5 in 1991:
    http://www.x.org/wiki/X11R5/#index56h3

    22 years is long enough to move off a font format that was alive for
    less than a decade before that, and widely considered a bad idea even
    then: http://www.faqs.org/faqs/fonts-faq/part15/

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
    Reviewed-by: Eric Anholt <eric@anholt.net>
    Reviewed-by: Julien Cristau <jcristau@debian.org>

2014-01-23  Add notes to README about various font formats & configure options  [Alan Coopersmith; 1 file; -0/+58]

    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
    Reviewed-by: Eric Anholt <eric@anholt.net>
    Reviewed-by: Julien Cristau <jcristau@debian.org>