libXfont: Changes to 'libXfont-1.4-branch'
Alan Coopersmith
alanc at kemper.freedesktop.org
Tue Mar 17 08:48:15 PDT 2015
configure.ac | 2 +-
src/bitmap/bdfread.c | 35 +++++++++++++++++++++++++++++++----
src/fontfile/fileio.c | 5 ++++-
src/fontfile/filewr.c | 12 +++++++-----
4 files changed, 43 insertions(+), 11 deletions(-)
New commits:
commit b6ba8ef30642a2eb83e1beb406d195dde68f83dc
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Tue Mar 17 08:46:46 2015 -0700
libXfont 1.4.9
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
commit 6c60e85998252b641a50048a555de88bdaacd3c7
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Mar 6 22:54:58 2015 -0800
bdfReadCharacters: ensure metrics fit into xCharInfo struct [CVE-2015-1804]
We use 32-bit ints to read from the bdf file, but then try to stick
into a 16-bit int in the xCharInfo struct, so make sure they won't
overflow that range.
Found by afl-1.24b.
v2: Verify that additions won't overflow 32-bit int range either.
v3: As Julien correctly observes, the previous check for bh & bw not
being < 0 reduces the number of cases we need to check for overflow.
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Julien Cristau <jcristau at debian.org>
(cherry picked from commit 2351c83a77a478b49cba6beb2ad386835e264744)
commit 3b8dba7b48863d860a040cb6516f6f53028a9426
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Feb 6 15:54:00 2015 -0800
bdfReadCharacters: bailout if a char's bitmap cannot be read [CVE-2015-1803]
Previously would charge on ahead with a NULL pointer in ci->bits, and
then crash later in FontCharInkMetrics() trying to access the bits.
Found with afl-1.23b.
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Julien Cristau <jcristau at debian.org>
(cherry picked from commit 78c2e3d70d29698244f70164428bd2868c0ab34c)
commit 1cf5752474dd3959cdd992d8f4f40fffe10291d5
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Feb 6 15:50:45 2015 -0800
bdfReadProperties: property count needs range check [CVE-2015-1802]
Avoid integer overflow or underflow when allocating memory arrays
by multiplying the number of properties reported for a BDF font.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Julien Cristau <jcristau at debian.org>
(cherry picked from commit 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e)
commit 8ca608bdb5a5af7ee705ae4c3725ac774a69018b
Author: Christos Zoulas <christos at NetBSD.org>
Date: Wed Feb 25 21:39:30 2015 +0100
Set close-on-exec for font file I/O.
Reviewed-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Signed-off-by: Thomas Klausner <wiz at NetBSD.org>
(cherry picked from commit d9fda3d247942292a5f24694c22337c547006e11)
More information about the xorg-commit
mailing list