libXfont: Changes to 'libXfont-1.4-branch'

Alan Coopersmith alanc at kemper.freedesktop.org
Tue Mar 17 08:48:15 PDT 2015 

 configure.ac          |    2 +-
 src/bitmap/bdfread.c  |   35 +++++++++++++++++++++++++++++++----
 src/fontfile/fileio.c |    5 ++++-
 src/fontfile/filewr.c |   12 +++++++-----
 4 files changed, 43 insertions(+), 11 deletions(-)

New commits:
commit b6ba8ef30642a2eb83e1beb406d195dde68f83dc
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Tue Mar 17 08:46:46 2015 -0700

    libXfont 1.4.9
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>

commit 6c60e85998252b641a50048a555de88bdaacd3c7
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Mar 6 22:54:58 2015 -0800

    bdfReadCharacters: ensure metrics fit into xCharInfo struct [CVE-2015-1804]
    
    We use 32-bit ints to read from the bdf file, but then try to stick
    into a 16-bit int in the xCharInfo struct, so make sure they won't
    overflow that range.
    
    Found by afl-1.24b.
    
    v2: Verify that additions won't overflow 32-bit int range either.
    v3: As Julien correctly observes, the previous check for bh & bw not
        being < 0 reduces the number of cases we need to check for overflow.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Julien Cristau <jcristau at debian.org>
    (cherry picked from commit 2351c83a77a478b49cba6beb2ad386835e264744)

commit 3b8dba7b48863d860a040cb6516f6f53028a9426
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Feb 6 15:54:00 2015 -0800

    bdfReadCharacters: bailout if a char's bitmap cannot be read [CVE-2015-1803]
    
    Previously would charge on ahead with a NULL pointer in ci->bits, and
    then crash later in FontCharInkMetrics() trying to access the bits.
    
    Found with afl-1.23b.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Julien Cristau <jcristau at debian.org>
    (cherry picked from commit 78c2e3d70d29698244f70164428bd2868c0ab34c)

commit 1cf5752474dd3959cdd992d8f4f40fffe10291d5
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Feb 6 15:50:45 2015 -0800

    bdfReadProperties: property count needs range check [CVE-2015-1802]
    
    Avoid integer overflow or underflow when allocating memory arrays
    by multiplying the number of properties reported for a BDF font.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Julien Cristau <jcristau at debian.org>
    (cherry picked from commit 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e)

commit 8ca608bdb5a5af7ee705ae4c3725ac774a69018b
Author: Christos Zoulas <christos at NetBSD.org>
Date:   Wed Feb 25 21:39:30 2015 +0100

    Set close-on-exec for font file I/O.
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Signed-off-by: Thomas Klausner <wiz at NetBSD.org>
    (cherry picked from commit d9fda3d247942292a5f24694c22337c547006e11)

More information about the xorg-commit mailing list