AgeCommit message (Collapse)AuthorFilesLines
2019-10-25Fix Win32 build since c4ed2e06 "Add some unit testing utilities"HEADmasterJon Turney5-1/+55
Provide Win32 replacements for realpath() and err.h
2019-09-16README: Remove mention of libXfont 1.5Adam Jackson1-9/+4
xfs was ported to libXfont2 in release 1.2, and bdftopcf 1.1 includes a copy of enough of the old libXfont1 code to not need an external libXfont at all.
2019-09-14libXfont2 2.0.4libXfont2-2.0.4Alan Coopersmith1-1/+1
Signed-off-by: Alan Coopersmith <>
2019-09-14Add src/util/replace.h to noinst_HEADERS so it gets included in tarballsAlan Coopersmith1-1/+2
Found when "make distcheck" failed. Signed-off-by: Alan Coopersmith <>
2019-08-17fs_read_glyphs: check if rep is null before dereferencingAlan Coopersmith1-1/+2
Resolves coverity warning def16 from the list in Signed-off-by: Alan Coopersmith <>
2019-08-17CatalogueRescan: if opendir() fails, unref fpes, but don't free the catAlan Coopersmith1-4/+2
None of the callers of CatalogueRescan check for failure before accessing the cat pointer so don't free it (especially without clearing the pointer to it in fpe->private), just unref the contents. Can only be triggered if somehow stat() succeeds on the directory, but opendir fails anyway (removed between the calls? permission problem?). Signed-off-by: Alan Coopersmith <>
2019-08-17ComputeScaledProperties: check for valid pointers before making atomsAlan Coopersmith1-2/+4
Resolves coverity warning def23 from the list in Signed-off-by: Alan Coopersmith <>
2019-08-17stubs/atom.c: check for ResizeHashTable failureAlan Coopersmith1-1/+3
Signed-off-by: Alan Coopersmith <>
2019-08-17Fix whitespaceMaya Rashish1-1/+1
2019-08-04fontxlfd.c: tell gcc that switch fallthrough is intentionalAlan Coopersmith1-0/+1
Quiets: src/util/fontxlfd.c: In function ‘FontParseXLFDName’: src/util/fontxlfd.c:450:14: warning: this statement may fall through [-Wimplicit-fallthrough=] replaceChar = '*'; ~~~~~~~~~~~~^~~~~ src/util/fontxlfd.c:451:5: note: here case FONT_XLFD_REPLACE_ZERO: ^~~~ Signed-off-by: Alan Coopersmith <>
2019-08-04Convert multiplying malloc calls to use mallocarray insteadAlan Coopersmith14-28/+39
Introduces mallocarray as a macro calling reallocarray with a NULL pointer for the old allocation. Signed-off-by: Alan Coopersmith <>
2019-08-03Convert multiplying realloc calls to use reallocarray insteadAlan Coopersmith12-14/+25
Signed-off-by: Alan Coopersmith <>
2019-08-03Add reallocarray fallback if not provided by libc nor libbsdAlan Coopersmith3-1/+54
Implementation copied from the Xserver Signed-off-by: Alan Coopersmith <>
2019-08-03Use bounds checking string functions everywhereAlan Coopersmith8-102/+131
Replace strcpy, strcat, sprintf with strlcpy, strlcat, snprintf everywhere, even where there were already bounds checks in place, to reduce time spent checking static analysis results. Signed-off-by: Alan Coopersmith <>
2019-08-03Add strlcat & strlcpy fallbacks if not provided by libc nor libbsdAlan Coopersmith5-1/+162
Implementations copied from the Xserver Signed-off-by: Alan Coopersmith <>
2019-08-03Add some unit testing utilitiesAlan Coopersmith5-0/+487
The test/utils directory contains some standalone test programs for testing libXfont funtionality without needing a full X server session. They could be used to generate automated unit testing in the future, but that work has not yet been done. [v2: updated original work from libXfont 1.5 to 2.0 API & makefiles] Signed-off-by: Alan Coopersmith <>
2019-05-14fontfile: Remove unused 'bc' slot from _FontEntryAdam Jackson2-9/+0
Whatever this is, we're not using it. On my machine we allocate about 1100 of these structs, and this change reduces the struct from 152 to 48 bytes, so this saves about 100k of memory. Signed-off-by: Adam Jackson <>
2019-03-16Update bug URL for gitlab migrationAlan Coopersmith1-1/+1
Signed-off-by: Alan Coopersmith <>
2018-11-19Update README for gitlab migrationAlan Coopersmith3-90/+91
Signed-off-by: Alan Coopersmith <>
2018-03-24avoid -Wformat errors from clang when building with -DDEBUGRin Okuyama1-16/+16 Reviewed-by: Alan Coopersmith <> Signed-off-by: Alan Coopersmith <>
2017-11-25libXfont2 2.0.3libXfont2-2.0.3Matthieu Herrb1-1/+1
Signed-off-by: Matthieu Herrb <>
2017-11-25Open files with O_NOFOLLOW. (CVE-2017-16611)Michal Srb2-4/+26
A non-privileged X client can instruct X server running under root to open any file by creating own directory with "fonts.dir", "fonts.alias" or any font file being a symbolic link to any other file in the system. X server will then open it. This can be issue with special files such as /dev/watchdog. Reviewed-by: Matthieu Herrb <>
2017-10-11libXfont 2.0.2libXfont2-2.0.2Adam Jackson1-1/+1
Signed-off-by: Adam Jackson <>
2017-10-04pcfGetProperties: Check string boundaries (CVE-2017-13722)Michal Srb1-2/+11
Without the checks a malformed PCF file can cause the library to make atom from random heap memory that was behind the `strings` buffer. This may crash the process or leak information. Signed-off-by: Julien Cristau <>
2017-10-04Check for end of string in PatternMatch (CVE-2017-13720)Michal Srb1-1/+3
If a pattern contains '?' character, any character in the string is skipped, even if it is '\0'. The rest of the matching then reads invalid memory. Reviewed-by: Peter Hutterer <> Signed-off-by: Julien Cristau <>
2017-04-27readme: Update for libXfont 2.0 interface changeAdam Jackson1-6/+11
While xfs can be more or less trivially ported to 2.0, bcftopcf cannot because the font file I/O API is no longer externally visible. This is intentional, because bdftopcf is literally the only consumer of that API, and is itself only used in the build process for the classic core fonts themselves. The plan for bdftopcf is to import a copy of libXfont 1.5 and link against that statically instead. Signed-off-by: Adam Jackson <> Acked-by: Peter Hutterer <> use quoted string variablesEmil Velikov1-4/+4
Place quotes around the $srcdir, $ORIGDIR and $0 variables to prevent fall-outs, when they contain space. Signed-off-by: Emil Velikov <> Reviewed-by: Peter Hutterer <> Signed-off-by: Peter Hutterer <> use exec instead of waiting for configure to finishPeter Hutterer1-1/+1
Syncs the invocation of configure with the one from the server. Signed-off-by: Peter Hutterer <> Reviewed-by: Emil Velikov <>
2016-06-10freetype: Fix a logic error in computing face nameAdam Jackson1-1/+0
gcc6 chirps an indentation warning here, but really this is bad code. Effectively this would ignore en_US or en_UK names for the font, despite that those are the English names the font is most likely to have. Signed-off-by: Adam Jackson <> Reviewed-by: Alan Coopersmith <>
2016-06-10autogen: Set a default subject prefix for patchesAdam Jackson1-0/+3
Signed-off-by: Adam Jackson <>
2016-06-08configure: Use -fvisibility=hidden if availableAdam Jackson1-0/+17
text data bss dec hex filename 233732 8168 1616 243516 3b73c .libs/ 217113 6816 1616 225545 37109 .libs/ Signed-off-by: Adam Jackson <> Reviewed-by: Emil Velikov <>
2016-05-30fserve: Fix a buffer read overrun in _fs_client_accessJeremy Huddleston Sequoia1-3/+1 Found by clang's Address Sanitizer crac.num_auths = set_font_authorizations(&authorizations, &authlen, client); /* Work around bug in xfs versions up through modular release 1.0.8 which rejects CreateAC packets with num_auths = 0 & authlen < 4 */ if (crac.num_auths == 0) { authorizations = padding; authlen = 4; } else { authlen = (authlen + 3) & ~0x3; } crac.length = (sizeof (fsCreateACReq) + authlen) >> 2; crac.acid = cur->acid; _fs_add_req_log(conn, FS_CreateAC); _fs_write(conn, (char *) &crac, sizeof (fsCreateACReq)); _fs_write(conn, authorizations, authlen); In the case in the report, set_font_authorizations setup authorizations as a 34 byte buffer (and authlen set to 34 as one would expect). The following block changed authlen to 36 to make it 4byte aligned and the final _fs_write() caused us to read 36 bytes from this 34 byte buffer. This changes the incorrect size increase to instead use _fs_write_pad which takes care of the padding for us. Signed-off-by: Jeremy Huddleston Sequoia <>
2016-05-30fstrans: Remove unused foo() functionJeremy Huddleston Sequoia1-2/+0
The point of it seems to have been to silence an unused function warning, but there's no point if we're just transitioning that to another unused function warning. src/fc/fstrans.c:32:20: warning: unused function 'foo' [-Wunused-function] static inline void foo(void) { (void) is_numeric("a"); } ^ 1 warning generated. Signed-off-by: Jeremy Huddleston Sequoia <> Reviewed-by: Keith Packard <>
2016-05-29fserve: Silence a -Wformat warningJeremy Huddleston Sequoia1-2/+2
src/fc/fserve.c:653:32: warning: format specifies type 'int' but the argument has type 'CARD32' (aka 'unsigned long') [-Wformat] " from font server\n", rep->length); ^~~~~~~~~~~ 1 warning generated. Signed-off-by: Jeremy Huddleston Sequoia <>
2016-05-29bitmap: Bail out on invalid input to FontFileMakeDir instead of calling ↵Jeremy Huddleston Sequoia1-0/+4
calloc for 0 bytes Found by clang static analysis: Call to 'calloc' has an allocation size of 0 bytes Signed-off-by: Jeremy Huddleston Sequoia <>
2016-05-29FreeType: Correct an allocation sizeJeremy Huddleston Sequoia1-1/+1
Found by clang static analysis: Result of 'calloc' is converted to a pointer of type 'int', which is incompatible with sizeof operand type 'int *' This is likely benign because the old size was larger on any platform where sizeof(int) <= sizeof(void *), which is everywhere. Signed-off-by: Jeremy Huddleston Sequoia <>
2015-12-12Revert "Add compiler warning flags". Leave warning fixes.Keith Packard2-307/+0
This reverts commit eb67d10ae82b364a4324e96ce53baaa4e5e75f97, but leaves the warning fixes in place; it looks like either I was confused, or something has changed so that XORG_DEFAULT_OPTIONS now pulls in the appropriate compiler warnings.
2015-12-11Bump version to 2.0.1libXfont2-2.0.1Keith Packard1-1/+1
This release just fixes some build issues with 2.0.0 Signed-off-by: Keith Packard <>
2015-12-11Remove fontconf.hKeith Packard5-55/+4
This file used to advertise which font formats the library supports. The X server doesn't care, so let's just remove it so that it doesn't conflict with the older version of libXfont Signed-off-by: Keith Packard <>
2015-12-09Convert to non-recursive build.Matt Turner11-212/+114
2015-12-09Add missing 'attributes.m4' fileKeith Packard1-0/+283
Matt Turner noted that this file was missing; 'make distcheck' doesn't appear to catch this kind of problem. Signed-off-by: Keith Packard <>
2015-12-08Eliminate calls back to X server or font server functions by name (v4)libXfont2-2.0.0Keith Packard82-903/+981
This eliminates the weak symbol adventures and makes all of the calls back to the X server or Font server go through a table of functions instead, clarifying the required API. As this is a rather major change to the API for the library, it now installs itself as libXfont2 instead of libXfont, and the package config file is now xfont2.pc. All of the installed headers remain the same as the original library; there's now a new include file, libxfont2.h, which defines the X server and Font server interfaces. This moves util/atom.c to stubs/atom.c and reformats that file, hence the diff being larger than it would otherwise be. v2: Rename to libXfont2 instead of libXfont_2 as suggested by Emil Velikov Fix whitespace in stubs/atom.c, which was moved from util/ v3: Remove select masks from API. Expose single 'font_init' function for all library initialization. v4: Change name of distributed tarballs to libXfont2 as well Signed-off-by: Keith Packard <>
2015-12-08Add compiler warning flags and fix warningsKeith Packard5-9/+34
Mostly signed vs unsigned comparisons Signed-off-by: Keith Packard <>
2015-10-21Use NO_WEAK_SYMBOLS instead of -flat_namespaceJeremy Huddleston Sequoia2-13/+1
Lesser of two evil hacks, I suppose... This reverts commit 0386fa77367a305deea3cc27f8a3865cc3c467c0.
2015-10-21stubs: Add missing externs for declarations in the NO_WEAK_SYMBOLS && PIC ↵Jeremy Huddleston Sequoia1-23/+23
stubs resolution Signed-off-by: Jeremy Huddleston Sequoia <>
2015-10-20Fix is*() usage.Thomas Klausner4-11/+11
The argument must be an unsigned char or -1; in these cases we know it's not -1 so cast it to unsigned char. Fixes warning: array subscript is of type 'char' [-Wchar-subscripts] Signed-off-by: Thomas Klausner <>
2015-07-28bdfReadCharacters: Allow negative DWIDTH valuesBenjamin Tissoires1-1/+1
The fix for CVE-2015-1804 prevent DWIDTH to be negative. However, the spec states that "DWIDTH [...] is a vector indicating the position of the next glyph’s origin relative to the origin of this glyph." So negative values are correct. Found by trying to compile XTS. Signed-off-by: Benjamin Tissoires <> Reviewed-by: Peter Hutterer <> Signed-off-by: Alan Coopersmith <>
2015-03-20doc: add a couple olinks to fsproto & xfs-design docsAlan Coopersmith1-1/+4
Don't seem to have ability to link to BDF or Xserver internals docs yet Signed-off-by: Alan Coopersmith <>
2015-03-17libXfont 1.5.1libXfont-1.5.1Alan Coopersmith1-1/+1
Signed-off-by: Alan Coopersmith <>
2015-03-17bdfReadCharacters: ensure metrics fit into xCharInfo struct [CVE-2015-1804]Alan Coopersmith1-2/+24
We use 32-bit ints to read from the bdf file, but then try to stick into a 16-bit int in the xCharInfo struct, so make sure they won't overflow that range. Found by afl-1.24b. v2: Verify that additions won't overflow 32-bit int range either. v3: As Julien correctly observes, the previous check for bh & bw not being < 0 reduces the number of cases we need to check for overflow. Signed-off-by: Alan Coopersmith <> Reviewed-by: Julien Cristau <>