| Age | Commit message (Collapse) | Author | Files | Lines |
|---|
|
The argument must be an unsigned char or -1; in these cases
we know it's not -1 so cast it to unsigned char.
Fixes
warning: array subscript is of type 'char' [-Wchar-subscripts]
Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
|
|
The fix for CVE-2015-1804 prevent DWIDTH to be negative.
However, the spec states that "DWIDTH [...] is a vector indicating the
position of the next glyph’s origin relative to the origin of this glyph."
So negative values are correct.
Found by trying to compile XTS.
Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Don't seem to have ability to link to BDF or Xserver internals docs yet
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
We use 32-bit ints to read from the bdf file, but then try to stick
into a 16-bit int in the xCharInfo struct, so make sure they won't
overflow that range.
Found by afl-1.24b.
v2: Verify that additions won't overflow 32-bit int range either.
v3: As Julien correctly observes, the previous check for bh & bw not
being < 0 reduces the number of cases we need to check for overflow.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
Previously would charge on ahead with a NULL pointer in ci->bits, and
then crash later in FontCharInkMetrics() trying to access the bits.
Found with afl-1.23b.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
Avoid integer overflow or underflow when allocating memory arrays
by multiplying the number of properties reported for a BDF font.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Thomas Klausner <wiz@NetBSD.org>
|
|
Parts were indented, others weren't, now is more consistent.
'git diff -w' shows no non-whitespace changes in this commit
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Weak symbols on PE platforms do not work the same way as on ELF
platforms, hence we have been unable to have a fully functional shared
libXfont until now. This patch works around these issues so that we
can fix that.
In summary, only when compiling shared libraries on NO_WEAK_SYMBOLS
platforms, when the first stub is called, the invoking program is first
checked to determine if it exports the stubbed functions. Then, for
every stub call, if the function is exported by the loader, it is called
instead of the stub code.
serverClient and serverGeneration are data pointers, and therefore are
replaced by getter functions. ErrorF is variadic, so the override is
routed through VErrorF instead. FatalError has no va_list equivalent,
but it is not actually used in libXfont and therefore should be safe to
remove.
This requires all X servers to export their symbols, which requires
forthcoming patches for hw/xwin and xfs; the other xservers (including
tigervnc) already do this via LD_EXPORT_SYMBOLS_FLAG.
Signed-off-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
Acked-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Tested-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
|
|
When accessing a 16-bit font with firstRow > 0 with 8-bit text, check
to see if the font has a default character and return that for every
incoming character.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Eric Anholt <eric@anholt.net>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
If the only bitmaps we support are builtins, don't need the code to
register all the bitmap font file handlers.
Fixes gcc warnings:
bitmapfunc.c:110:1: warning: 'BitmapOpenBitmap' defined but not used [-Wunused-function]
BitmapOpenBitmap (FontPathElementPtr fpe, FontPtr *ppFont, int flags,
^
bitmapfunc.c:155:1: warning: 'BitmapGetInfoBitmap' defined but not used [-Wunused-function]
BitmapGetInfoBitmap (FontPathElementPtr fpe, FontInfoPtr pFontInfo,
^
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Rémi Cardona <remi@gentoo.org>
|
|
pcfread.c is a special case - it's needed for either reading pcf files
from disk (--enable-pcfformat) or from the builtin fonts in memory
(--enable-builtins), so needed a new AM_CONDITIONAL case.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Rémi Cardona <remi@gentoo.org>
|
|
Require the #defines from configure.ac now that we're not sharing source
with the imake builds any longer.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Rémi Cardona <remi@gentoo.org>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Rémi Cardona <remi@gentoo.org>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Rémi Cardona <remi@gentoo.org>
|
|
fs_read_list_info() parses a reply from the font server. The reply
contains a number of additional data items with embedded length or
count fields, none of which are validated. This can cause out of
bound reads when looping over these items in the reply.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
fs_read_list() parses a reply from the font server. The reply
contains a list of strings with embedded length fields, none of
which are validated. This can cause out of bound reads when looping
over the strings in the reply.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
fs_read_glyphs() parses a reply from the font server. The reply
contains embedded length fields, none of which are validated.
This can cause out of bound reads when looping over the glyph
bitmaps in the reply.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
Looping over the extents in the reply could go past the end of the
reply buffer if the reply indicated more extents than could fit in
the specified reply length.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
fs_alloc_glyphs() is a malloc wrapper used by the font code.
It contains a classic integer overflow in the malloc() call,
which can cause memory corruption.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
fs_read_extent_info() parses a reply from the font server.
The reply contains a 32bit number of elements field which is used
to calculate a buffer length. There is an integer overflow in this
calculation which can lead to memory corruption.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
fs_read_query_info() parses a reply from the font server. The reply
contains embedded length fields, none of which are validated. This
can cause out of bound reads in either fs_read_query_info() or in
_fs_convert_props() which it calls to parse the fsPropInfo in the reply.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
fs_get_reply() would take any reply size, multiply it by 4 and pass to
_fs_start_read. If that size was bigger than the current reply buffer
size, _fs_start_read would add it to the existing buffer size plus the
buffer size increment constant and realloc the buffer to that result.
This math could overflow, causing the code to allocate a smaller
buffer than the amount it was about to read into that buffer from
the network. It could also succeed, allowing the remote font server
to cause massive allocations in the X server, possibly using up all
the address space in a 32-bit X server, allowing the triggering of
other bugs in code that fails to handle malloc failure properly.
This patch protects against both problems, by disconnecting any
font server trying to feed us more than (the somewhat arbitrary)
64 mb in a single reply.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
Functions to handle replies to font server requests were casting replies
from the generic form to reply specific structs without first checking
that the reply was at least as long as the struct being cast to.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
The connection setup reply from the font server can include a list
of alternate servers to contact if this font server stops working.
The reply specifies a total size of all the font server names, and
then provides a list of names. _fs_recv_conn_setup() allocated the
specified total size for copying the names to, but didn't check to
make sure it wasn't copying more data to that buffer than the size
it had allocated.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
lexAlias() reads from a file in a loop. It does this by starting with a
64 byte buffer. If that size limit is hit, it does a realloc of the
buffer size << 1, basically doubling the needed length every time the
length limit is hit.
Eventually, this will shift out to 0 (for a length of ~4gig), and that
length will be passed on to realloc(). A length of 0 (with a valid
pointer) causes realloc to free the buffer on most POSIX platforms,
but the caller will still have a pointer to it, leading to use after
free issues.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
FontFileReadDirectory() opens a fonts.dir file, and reads over every
line in an fscanf loop. For each successful entry read (font name,
file name) a call is made to FontFileAddFontFile().
FontFileAddFontFile() will add a font file entry (for the font name
and file) each time it’s called, by calling FontFileAddEntry().
FontFileAddEntry() will do the actual adding. If the table it has
to add to is full, it will do a realloc, adding 100 more entries
to the table size without checking to see if that will overflow the
int used to store the size.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
|
|
When _fs_load_glyphs calls fs_send_open_font with FontReopen set, it
passes a NULL name and namelen of 0, since fs_send_open_font is going
to reuse the previous name.
This overly restrictive check was added in XFree86 4.3.99.12:
http://cvsweb.xfree86.org/cvsweb/xc/lib/font/fc/fserve.c.diff?r1=3.23&r2=3.24
http://cvsweb.xfree86.org/cvsweb/xc/lib/font/fc/fserve.c?rev=3.24&content-type=text/vnd.viewcvs-markup
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Instead of editing fsio.h to turn on debugging logs, just add
-DDEBUG to CPPFLAGS when building.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
libXfont 1.5.0 will be synchronized with the fontsproto 2.1.3 API
changes needed for xorg-server 1.16 branch.
libXfont 1.4.x will be left for stable release branch for older
Xserver releases.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Building current libXfont git against fontsproto 2.1.2 causes clang
complaints of:
patcache.c:130:1: error: conflicting types for 'CacheFontPattern'
CacheFontPattern (FontPatternCachePtr cache,
^
patcache.c:176:1: error: conflicting types for 'FindCachedFontPattern'
FindCachedFontPattern (FontPatternCachePtr cache,
^
due to the constification of arguments not matching.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Thomas Klausner <wiz@NetBSD.org>
|
|
Fixes clang analyzer warning:
bufio.c:165:13: warning: Access to field 'bufp' results in a dereference
of a null pointer (loaded from variable 'f')
f->bufp = f->buffer;
~ ^
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Thomas Klausner <wiz@NetBSD.org>
|
|
"FreeType" is only eight bytes long. The atom "FreeType\x00\x??" is
probably not what the author intended.
Signed-off-by: Peter Harris <pharris@opentext.com>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
Many const char issues.
One extra 'i' declared in ScaleFont; we can just use the same 'i' as
exists at the top level scope.
Also ignore bad-function-cast in ftfuncs.c and bitscale.c because
we're casting the return value from floor or ceil from double to
int. As floor and ceil are kinda designed to generate integer results,
it's pretty clear that we're doing what we want and that the compiler
is generating noise. I'm not sure why bad-function-cast is ever a good
warning to turn on, but I'll leave that for another day.
Signed-off-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Gaetan Nadon <memsize@videotron.ca>
|
|
pcf was introduced to replace snf in X11R5 in 1991:
http://www.x.org/wiki/X11R5/#index56h3
22 years is long enough to move off a font format that was alive for
less than a decade before that, and widely considered a bad idea even
then:
http://www.faqs.org/faqs/fonts-faq/part15/
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
Bitstream Speedo support was removed in commit d50de26430c1a114a.
All scalable font support now goes through FreeType, which can
also handle some bitmap font formats as well.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Eric Anholt <eric@anholt.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
|
Found by cppcheck 1.63:
[FreeType/xttcap.c:621] -> [FreeType/xttcap.c:624]: (performance)
Variable 'len' is reassigned a value before the old one has been used.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
|
|
Quiets cppcheck 1.63 warning:
[fc/fserve.c:2972]: (error) Uninitialized variable: lcreq
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
|
|
Fixes gcc warning:
catalogue.c:336:1: warning: redundant redeclaration of
'FontFileStartListFonts' [-Wredundant-decls]
In file included from ../../include/X11/fonts/fntfilst.h:40:0,
from catalogue.c:32:
../../include/X11/fonts/fntfil.h:92:12: note: previous declaration
of 'FontFileStartListFonts' was here
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
|
|
catalogue.c: In function 'CatalogueOpenFont':
catalogue.c:290:22: warning: variable 'dir' set but not used [-Wunused-but-set-variable]
catalogue.c: In function 'CatalogueListFonts':
catalogue.c:324:22: warning: variable 'dir' set but not used [-Wunused-but-set-variable]
fpe.c: In function 'BuiltinResetFPE':
fpe.c:57:22: warning: variable 'dir' set but not used [-Wunused-but-set-variable]
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
|
None of these could currently result in buffer overflow, as the input
and output buffers were the same size, but adding limits helps ensure
we keep it that way, if we ever resize any of these in the future.
Fixes cppcheck warnings:
[lib/libXfont/src/bitmap/bdfread.c:547]: (warning)
scanf without field width limits can crash with huge input data.
[lib/libXfont/src/bitmap/bdfread.c:553]: (warning)
scanf without field width limits can crash with huge input data.
[lib/libXfont/src/bitmap/bdfread.c:636]: (warning)
scanf without field width limits can crash with huge input data.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
|
|
Fixes cppcheck warning:
[lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
scanf without field width limits can crash with huge input data.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
|
|
Required on Solaris to expose definitions in system headers that
are not defined in the XPG standards now that xtrans 1.3 defines
_XOPEN_SOURCE to 600 on Solaris.
Fixes build failures:
fserve.c: In function 'fs_block_handler':
fserve.c:1210:5: error: 'fd_mask' undeclared (first use in this function)
fserve.c:1210:5: note: each undeclared identifier is reported only once for each function it appears in
In file included from transport.c:67:0,
from fstrans.c:28:
Xtranssock.c: In function '_FontTransSocketINETConnect':
Xtranssock.c:1421:19: error: 'INET6_ADDRSTRLEN' undeclared (first use in this function)
Xtranssock.c:1421:19: note: each undeclared identifier is reported only once for each function it appears in
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Daniel Stone <daniel@fooishbar.org>
|
