authorJaka Kranjc2007-01-11 09:43:48 +0100
committerJaka Kranjc2007-01-11 09:45:06 +0100
commit194cc86b862143bb2ac6c7a3d2e38d68a5ca3061 (patch)
treeb18cd0139d7c61822575055f7e8939abbaf2a339
parenta1347d253bf9694a2725663e97c3af56a9286c8c (diff)
xorg: Updated for CVE-2006-3739/3740. Bug 13115.
Conflicts: x11-libs/xorg/DETAILS x11-libs/xorg/HISTORY
-rwxr-xr-xx11-libs/xorg/DETAILS2
-rw-r--r--x11-libs/xorg/HISTORY5
-rwxr-xr-xx11-libs/xorg/PRE_BUILD3
-rw-r--r--x11-libs/xorg/x11r6.9.0-cidfonts.diff96
4 files changed, 104 insertions, 2 deletions
diff --git a/x11-libs/xorg/DETAILS b/x11-libs/xorg/DETAILS
index d527a2449f..86a1d39174 100755
--- a/x11-libs/xorg/DETAILS
+++ b/x11-libs/xorg/DETAILS
@@ -15,7 +15,7 @@ SOURCE_DIRECTORY=$BUILD_DIRECTORY/xc
SOURCE_URL[1]=ftp://ftp.x.org/pub/${XVERSION}/src-single/$SOURCE
# SOURCE_HASH=sha512:8fe05f9e4ca1eb44fd344ce226c023a5904c0d94af9e769f8d24ea64f4695ed6904b2238acc16bea00637852de7cbd3241cb59f1af66e1d147dc4897308419bb
SOURCE_GPG=gurus.gpg:$SOURCE.sig:WORKS_FOR_ME
- SECURITY_PATCH=2
+ SECURITY_PATCH=3
fi
WEB_SITE=http://xorg.freedesktop.org/
ENTERED=20040407
diff --git a/x11-libs/xorg/HISTORY b/x11-libs/xorg/HISTORY
index 98e92c19b9..58f6d53f6d 100644
--- a/x11-libs/xorg/HISTORY
+++ b/x11-libs/xorg/HISTORY
@@ -1,3 +1,8 @@
+2007-01-02 George Sherwood <george@beernabeer.com>
+ * DETAILS: SECURITY_PATCH++. Bug 13115.
+ * PRE_BUILD: Added patch.
+ * x11r6.9.0-cidfonts.diff: Added for CVE-2006-3739/3740
+
2006-06-30 Florian Franzmann <siflfran@hawo.stw.uni-erlangen.de>
* init.d/xfs, init.d/xfs.conf: added init script for the font
server
diff --git a/x11-libs/xorg/PRE_BUILD b/x11-libs/xorg/PRE_BUILD
index a003b7945d..d56fc377ed 100755
--- a/x11-libs/xorg/PRE_BUILD
+++ b/x11-libs/xorg/PRE_BUILD
@@ -4,7 +4,8 @@ cd $SOURCE_DIRECTORY &&
if [[ $X_LATEST != y ]]; then
patch -p0 < $SCRIPT_DIRECTORY/x11r6.9.0-geteuid.diff &&
- patch -p0 < $SCRIPT_DIRECTORY/x11r6.9.0-mitri.diff
+ patch -p0 < $SCRIPT_DIRECTORY/x11r6.9.0-mitri.diff &&
+ patch -p0 < $SCRIPT_DIRECTORY/x11r6.9.0-cidfonts.diff
fi &&
cp $SOURCE_DIRECTORY/config/cf/xorgsite.def \
diff --git a/x11-libs/xorg/x11r6.9.0-cidfonts.diff b/x11-libs/xorg/x11r6.9.0-cidfonts.diff
new file mode 100644
index 0000000000..035328e612
--- /dev/null
+++ b/x11-libs/xorg/x11r6.9.0-cidfonts.diff
@@ -0,0 +1,96 @@
+Index: lib/font/Type1/afm.c
+===================================================================
+RCS file: /cvs/xorg/xc/lib/font/Type1/afm.c,v
+retrieving revision 1.5
+diff -u -u -r1.5 afm.c
+--- lib/font/Type1/afm.c 9 Jul 2005 23:30:06 -0000 1.5
++++ lib/font/Type1/afm.c 12 Sep 2006 07:49:46 -0000
+@@ -29,6 +29,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <limits.h>
+ #else
+ #include "Xmd.h" /* For INT32 declaration */
+ #include "Xdefs.h" /* For Bool */
+@@ -118,6 +119,11 @@
+
+ fi->nChars = atoi(p);
+
++ if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
++ xfree(afmbuf);
++ xfree(fi);
++ return(1);
++ }
+ fi->metrics = (Metrics *)xalloc(fi->nChars *
+ sizeof(Metrics));
+ if (fi->metrics == NULL) {
+Index: lib/font/Type1/scanfont.c
+===================================================================
+RCS file: /cvs/xorg/xc/lib/font/Type1/scanfont.c,v
+retrieving revision 1.5
+diff -u -u -r1.5 scanfont.c
+--- lib/font/Type1/scanfont.c 9 Jul 2005 23:30:06 -0000 1.5
++++ lib/font/Type1/scanfont.c 12 Sep 2006 07:49:46 -0000
+@@ -57,6 +57,7 @@
+
+ #ifndef FONTMODULE
+ #include <string.h>
++#include <limits.h>
+ #else
+ #include "Xdefs.h" /* Bool declaration */
+ #include "Xmd.h" /* INT32 declaration */
+@@ -654,6 +655,7 @@
+ arrayP->data.valueP = tokenStartP;
+
+ /* allocate FDArray */
++ /* No integer overflow since arrayP->len is unsigned short */
+ FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
+ if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
+
+@@ -850,7 +852,8 @@
+ }
+ return(SCAN_OK);
+ }
+-
++ if (N > INT_MAX / sizeof(psobj))
++ return (SCAN_ERROR);
+ arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
+ if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
+ FontP->Subrs.len = N;
+@@ -911,7 +914,7 @@
+ }
+ else return(rc); /* if next token was not an Int */
+ }
+- if (N<=0) return(SCAN_ERROR);
++ if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
+ /* save number of entries in the dictionary */
+
+ dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
+@@ -1719,6 +1722,10 @@
+ if (tokenType == TOKEN_INTEGER)
+ rangecnt = tokenValue.integer;
+
++ if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
++ rc = SCAN_ERROR;
++ break;
++ }
+ /* ==> tokenLength, tokenTooLong, tokenType, and */
+ /* tokenValue are now set */
+
+Index: lib/font/Type1/util.c
+===================================================================
+RCS file: /cvs/xorg/xc/lib/font/Type1/util.c,v
+retrieving revision 1.5
+diff -u -u -r1.5 util.c
+--- lib/font/Type1/util.c 9 Jul 2005 23:30:07 -0000 1.5
++++ lib/font/Type1/util.c 12 Sep 2006 07:49:46 -0000
+@@ -104,7 +104,7 @@
+ bytes = (bytes + 7) & ~7;
+
+ /* Allocate the space, if it is available */
+- if (bytes <= vm_free) {
++ if (bytes > 0 && bytes <= vm_free) {
+ answer = vm_next;
+ vm_free -= bytes;
+ vm_next += bytes;
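Review bot: In the scanfont.c hunk at `@@ -911,7 +914,7 @@` the new bound is tested against `N`, but the allocation two lines later requests `(N+1)*sizeof(psdict)`, so the largest accepted `N` can still push the product past `INT_MAX`. Tightening the comparison closes that gap: `if (N<=0 || N >= INT_MAX / sizeof(psdict)) return(SCAN_ERROR);`. The `bytes > 0` test added in util.c would presumably catch a wrapped value if `vm_alloc` takes a signed int, but its declaration is outside the hunk. That test also runs only after `bytes = (bytes + 7) & ~7;`, a signed addition that can itself overflow for requests within 7 of `INT_MAX`. The enclosing functions begin and end outside these hunks, so the types of `N` and `bytes` should be confirmed against the full sources.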