configure.ac | 7 ++++++- src/FreeType/ftfuncs.c | 17 +++++++++-------- src/FreeType/xttcap.c | 23 +---------------------- src/FreeType/xttcap.h | 9 --------- src/bitmap/bdfread.c | 16 ++++++++++++---- src/fontfile/fontdir.c | 10 +++------- src/util/atom.c | 20 ++++++++++++-------- src/util/miscutil.c | 2 +- 8 files changed, 44 insertions(+), 60 deletions(-)
New commits: commit 30110063857ff9a5f93f6d8d13f535c9b6e59e2a Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Tue Jan 7 08:22:31 2014 -0800 libXfont 1.4.7 Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/configure.ac b/configure.ac index 3591a1a..01e7b6e 100644 --- a/configure.ac +++ b/configure.ac @@ -21,7 +21,7 @@ # Initialize Autoconf AC_PREREQ([2.60]) -AC_INIT([libXfont], [1.4.6], +AC_INIT([libXfont], [1.4.7], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXfont]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([config.h include/X11/fonts/fontconf.h]) commit 2a84680376bafd74609c6ef3e38befcb8467d814 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Mon Dec 23 19:01:11 2013 -0800 Limit additional sscanf strings to fit buffer sizes None of these could currently result in buffer overflow, as the input and output buffers were the same size, but adding limits helps ensure we keep it that way, if we ever resize any of these in the future. Fixes cppcheck warnings: [lib/libXfont/src/bitmap/bdfread.c:547]: (warning) scanf without field width limits can crash with huge input data. [lib/libXfont/src/bitmap/bdfread.c:553]: (warning) scanf without field width limits can crash with huge input data. [lib/libXfont/src/bitmap/bdfread.c:636]: (warning) scanf without field width limits can crash with huge input data. Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Reviewed-by: Matthieu Herrb <matth...@herrb.eu> Reviewed-by: Jeremy Huddleston Sequoia <jerem...@apple.com> diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c index e11c5d2..914a024 100644 --- a/src/bitmap/bdfread.c +++ b/src/bitmap/bdfread.c @@ -69,6 +69,7 @@ from The Open Group. #define INDICES 256 #define MAXENCODING 0xFFFF #define BDFLINELEN 1024 +#define BDFLINESTR "%1023s" /* scanf specifier to read a BDFLINELEN string */ static Bool bdfPadToTerminal(FontPtr pFont); extern int bdfFileLineNum; 
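Review bot: `BDFLINESTR` hard-codes the width 1023 next to `#define BDFLINELEN 1024`, and nothing fails the build if BDFLINELEN is later changed, unlike the `#if MAXFONTNAMELEN != 1024` guard this same commit adds for the FONT line in bdfReadHeader. Add the matching guard directly under the define: `#if BDFLINELEN != 1024`, `# error "need to adjust BDFLINESTR to be BDFLINELEN - 1"`, `#endif`. The limit also only holds if every destination scanned with BDFLINESTR is at least BDFLINELEN bytes (namebuf in bdfReadHeader; namebuf, secondbuf and thirdbuf in bdfReadProperties). Those declarations are outside the hunks, so they should be confirmed.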
@@ -544,13 +545,18 @@ bdfReadHeader(FontFilePtr file, bdfFileState *pState) unsigned char lineBuf[BDFLINELEN]; line = bdfGetLine(file, lineBuf, BDFLINELEN); - if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 || + if (!line || + sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 || !bdfStrEqual(namebuf, "2.1")) { bdfError("bad 'STARTFONT'\n"); return (FALSE); } line = bdfGetLine(file, lineBuf, BDFLINELEN); - if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) { +#if MAXFONTNAMELEN != 1024 +# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1" +#endif + if (!line || + sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) { bdfError("bad 'FONT'\n"); return (FALSE); } @@ -633,7 +639,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState) while (*line && isspace(*line)) line++; - switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) { + switch (sscanf((char *) line, + BDFLINESTR BDFLINESTR BDFLINESTR, + namebuf, secondbuf, thirdbuf)) { default: bdfError("missing '%s' parameter value\n", namebuf); goto BAILOUT; commit 4d024ac10f964f6bd372ae0dd14f02772a6e5f63 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Mon Dec 23 18:34:02 2013 -0800 CVE-2013-6462: unlimited sscanf overflows stack buffer in bdfReadCharacters() Fixes cppcheck warning: [lib/libXfont/src/bitmap/bdfread.c:341]: (warning) scanf without field width limits can crash with huge input data. Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Reviewed-by: Matthieu Herrb <matth...@herrb.eu> Reviewed-by: Jeremy Huddleston Sequoia <jerem...@apple.com> diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c index e2770dc..e11c5d2 100644 --- a/src/bitmap/bdfread.c +++ b/src/bitmap/bdfread.c 
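Review bot: In the bdfReadProperties hunk, the `default:` arm prints `namebuf` with `%s` even when sscanf converted nothing, in which case namebuf holds either stale data from an earlier line or, on the first pass, indeterminate bytes. Whether bdfGetLine can return a line that is empty after the whitespace skip is not visible here, so treat this as something to confirm. Clearing the buffer before the call makes the diagnostic well defined either way: `namebuf[0] = '\0';` placed just ahead of the `switch`. The case labels and the rest of the function are outside the hunk.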
@@ -338,7 +338,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, char charName[100]; int ignore; - if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) { + if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) { bdfError("bad character name in BDF file\n"); goto BAILOUT; /* bottom of function, free and return error */ } commit fdcf9a9be6a5d453659beadec5d1a1fdbab9afaf Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Fri Dec 27 11:01:35 2013 -0800 Add AC_USE_SYSTEM_EXTENSIONS to expose non-standard extensions Required on Solaris to expose definitions in system headers that are not defined in the XPG standards now that xtrans 1.3 defines _XOPEN_SOURCE to 600 on Solaris. Fixes build failures: fserve.c: In function 'fs_block_handler': fserve.c:1210:5: error: 'fd_mask' undeclared (first use in this function) fserve.c:1210:5: note: each undeclared identifier is reported only once for each function it appears in In file included from transport.c:67:0, from fstrans.c:28: Xtranssock.c: In function '_FontTransSocketINETConnect': Xtranssock.c:1421:19: error: 'INET6_ADDRSTRLEN' undeclared (first use in this function) Xtranssock.c:1421:19: note: each undeclared identifier is reported only once for each function it appears in Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Reviewed-by: Daniel Stone <dan...@fooishbar.org> diff --git a/configure.ac b/configure.ac index e0e81bb..3591a1a 100644 --- a/configure.ac +++ b/configure.ac 
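Review bot: The `%99s` width in the STARTCHAR sscanf is coupled to `char charName[100]` only by convention, so a later resize of the array could silently reintroduce the stack overflow this commit fixes. Record the coupling on the declaration, for example `char charName[100]; /* sscanf below uses %99s: width must stay sizeof(charName) - 1 */`. A name longer than 99 bytes is now truncated and accepted rather than rejected. That looks harmless if charName is used only for diagnostics, but its uses lie outside the hunk, as does the rest of bdfReadCharacters.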
@@ -29,6 +29,11 @@ AC_CONFIG_HEADERS([config.h include/X11/fonts/fontconf.h]) # Initialize Automake AM_INIT_AUTOMAKE([foreign dist-bzip2]) +# Set common system defines for POSIX extensions, such as _GNU_SOURCE +# Must be called before any macros that run the compiler (like +# AC_PROG_LIBTOOL) to avoid autoconf errors. +AC_USE_SYSTEM_EXTENSIONS + # Initialize libtool AC_PROG_LIBTOOL commit 0d24378a6f08f5ab594ff552d60cf5f8f74bcb33 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Dec 7 20:11:29 2013 -0800 Don't leak old allocation if realloc fails to enlarge it In ftfuncs.c, since the buffer being reallocated is a function local buffer, used to accumulate data for a single run of the function and then freed at the end of the function, we just free the old buffer if realloc fails. In atom.c however, the ReverseMap is a static buffer, so we operate in temporary variables until we know we're successful, then update the static variables. If we fail, we leave the old static variables in place, since they contain data about previous atoms we should maintain, not lose. Reported by cppcheck: [lib/libXfont/src/FreeType/ftfuncs.c:2122]: (error) Common realloc mistake: 'ranges' nulled but not freed upon failure [lib/libXfont/src/util/atom.c:126]: (error) Common realloc mistake: 'reverseMap' nulled but not freed upon failure Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Reviewed-by: Peter Hutterer <peter.hutte...@who-t.net> diff --git a/src/FreeType/ftfuncs.c b/src/FreeType/ftfuncs.c index 2c90cf9..44e5e02 100644 --- a/src/FreeType/ftfuncs.c +++ b/src/FreeType/ftfuncs.c @@ -2050,7 +2050,7 @@ restrict_code_range_by_str(int count,unsigned short *refFirstCol, { int nRanges = 0; int result = 0; - fsRange *ranges = NULL; + fsRange *ranges = NULL, *oldRanges; char const *p, *q; p = q = str; 
@@ -2119,10 +2119,13 @@ restrict_code_range_by_str(int count,unsigned short *refFirstCol, fflush(stderr); #endif nRanges++; + oldRanges = ranges; ranges = realloc(ranges, nRanges*sizeof(*ranges)); - if (NULL == ranges) + if (NULL == ranges) { + free(oldRanges); break; - { + } + else { fsRange *r = ranges+nRanges-1; r->min_char_low = minpoint & 0xff; diff --git a/src/util/atom.c b/src/util/atom.c index c47cb5c..37811f9 100644 --- a/src/util/atom.c +++ b/src/util/atom.c @@ -118,19 +118,23 @@ ResizeHashTable (void) static int ResizeReverseMap (void) { - int ret = TRUE; + AtomListPtr *newMap; + int newMapSize; + if (reverseMapSize == 0) - reverseMapSize = 1000; + newMapSize = 1000; else - reverseMapSize *= 2; - reverseMap = realloc (reverseMap, reverseMapSize * sizeof (AtomListPtr)); - if (!reverseMap) { + newMapSize = reverseMapSize * 2; + newMap = realloc (reverseMap, newMapSize * sizeof (AtomListPtr)); + if (newMap == NULL) { fprintf(stderr, "ResizeReverseMap(): Error: Couldn't reallocate" " reverseMap (%ld)\n", - reverseMapSize * (unsigned long)sizeof(AtomListPtr)); - ret = FALSE; + newMapSize * (unsigned long)sizeof(AtomListPtr)); + return FALSE; } - return ret; + reverseMap = newMap; + reverseMapSize = newMapSize; + return TRUE; } static int commit 5e27c364b174497d427dcecd122d711ef6b9f630 Author: Julien Cristau <jcris...@debian.org> Date: Mon Aug 12 18:40:27 2013 +0200 Make serverGeneration unsigned Makes the definition match other declarations, and xserver's definition. Debian bug#689439 Reported-by: Michael Tautschnig <m...@debian.org> Signed-off-by: Julien Cristau <jcris...@debian.org> Reviewed-by: Alan Coopersmith <alan.coopersm...@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/src/util/miscutil.c b/src/util/miscutil.c index 7173d36..3d802d2 100644 --- a/src/util/miscutil.c +++ b/src/util/miscutil.c 
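Review bot: On the realloc failure path `nRanges` has already been incremented, so the `break` leaves the enclosing loop with `ranges == NULL` and a non-zero count. Any code after the loop that tests nRanges and then reads through `ranges` would dereference NULL. That code is outside the hunk, so this needs checking against the remainder of restrict_code_range_by_str. Resetting the count together with the free keeps the pair consistent: `free(oldRanges); nRanges = 0; break;`.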
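Review bot: In ResizeReverseMap, `newMapSize = reverseMapSize * 2` is stored in an `int` with no upper bound, so a sufficiently large map overflows (undefined behaviour for signed arithmetic) before the value is turned into a byte count for realloc. A guard ahead of the doubling, such as `if (reverseMapSize > INT_MAX / 2) return FALSE;` (requires `<limits.h>`), rejects that case while leaving the existing map intact, in line with the rest of this change. Separately, the error message formats an `unsigned long` product with `%ld`; `%lu` matches the argument type.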
@@ -47,7 +47,7 @@ extern void BuiltinRegisterFpeFunctions(void); #ifndef NO_WEAK_SYMBOLS /* make sure everything initializes themselves at least once */ -weak long serverGeneration = 1; +weak unsigned long serverGeneration = 1; #endif weak void commit 7d34534c050cb4366c7b14bff585c17d6d578f89 Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Sat Oct 26 00:06:22 2013 -0700 Replace malloc(strlen)+strcpy/strcat calls with strdup Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> diff --git a/src/FreeType/ftfuncs.c b/src/FreeType/ftfuncs.c index 091339d..2c90cf9 100644 --- a/src/FreeType/ftfuncs.c +++ b/src/FreeType/ftfuncs.c @@ -2289,13 +2289,11 @@ FreeTypeSetUpTTCap( char *fileName, FontScalablePtr vals, } } else{ - *dynStrFTFileName = malloc(strlen(*dynStrRealFileName)+1); + *dynStrFTFileName = strdup(*dynStrRealFileName); if( *dynStrFTFileName == NULL ){ result = AllocError; goto quit; } - **dynStrFTFileName = '\0'; - strcat(*dynStrFTFileName,*dynStrRealFileName); } } /* diff --git a/src/FreeType/xttcap.c b/src/FreeType/xttcap.c index c1d8e67..104dc89 100644 --- a/src/FreeType/xttcap.c +++ b/src/FreeType/xttcap.c @@ -234,14 +234,13 @@ SPropRecValList_add_record(SDynPropRecValList *pThisList, { char *p; - if (NULL == (p = malloc(strlen(strValue)+1))) { + if (NULL == (p = strdup(strValue))) { fprintf(stderr, "truetype font property : " "cannot allocate memory.\n"); result = True; goto quit; } - strcpy(p, strValue); SPropContainer_value_str(&tmpContainerE) = p; } break; diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c index 97b2ba3..ef7ffa5 100644 --- a/src/fontfile/fontdir.c +++ b/src/fontfile/fontdir.c 
@@ -425,17 +425,13 @@ FontFileCountDashes (char *name, int namelen) return ndashes; } +/* exported in public API in <X11/fonts/fntfil.h> */ char * FontFileSaveString (char *s) { - char *n; - - n = malloc (strlen (s) + 1); - if (!n) - return 0; - strcpy (n, s); - return n; + return strdup(s); } +#define FontFileSaveString(s) strdup(s) FontEntryPtr FontFileFindNameInScalableDir(FontTablePtr table, FontNamePtr pat, commit 8a9fc31628a98e3cdaae6078bb5d92bce06c37ac Author: Alan Coopersmith <alan.coopersm...@oracle.com> Date: Fri Oct 25 23:56:55 2013 -0700 xstrdup -> strdup Missed in xalloc -> malloc etal conversion in 0cdc9b8f850342 Signed-off-by: Alan Coopersmith <alan.coopersm...@oracle.com> Reviewed-by: Jasper St. Pierre <jstpie...@mecheye.net> diff --git a/src/FreeType/ftfuncs.c b/src/FreeType/ftfuncs.c index 918e3f3..091339d 100644 --- a/src/FreeType/ftfuncs.c +++ b/src/FreeType/ftfuncs.c @@ -2204,7 +2204,7 @@ FreeTypeSetUpTTCap( char *fileName, FontScalablePtr vals, strcpy(*dynStrRealFileName+dirLen, p2+1); capHead = p1; } else { - *dynStrRealFileName = xstrdup(fileName); + *dynStrRealFileName = strdup(fileName); if( *dynStrRealFileName == NULL ) { result = AllocError; goto quit; @@ -2549,7 +2549,7 @@ FreeTypeSetUpTTCap( char *fileName, FontScalablePtr vals, if (SPropRecValList_search_record(&listPropRecVal, &contRecValue, "CodeRange")) { - *dynStrTTCapCodeRange = xstrdup(SPropContainer_value_str(contRecValue)); + *dynStrTTCapCodeRange = strdup(SPropContainer_value_str(contRecValue)); if( *dynStrTTCapCodeRange == NULL ) { result = AllocError; goto quit; diff --git a/src/FreeType/xttcap.c b/src/FreeType/xttcap.c index bf25cc5..c1d8e67 100644 --- a/src/FreeType/xttcap.c +++ b/src/FreeType/xttcap.c 
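Review bot: The `#define FontFileSaveString(s) strdup(s)` added right after the function body carries no comment, yet it redirects every later call in fontdir.c to strdup while the real symbol appears to remain only for external users of the public header. Say so at the macro, e.g. `/* callers below use strdup directly; the function above is kept for the exported API */`. The function comment could also state the contract: it returns a malloc'd copy that the caller frees, NULL on allocation failure, and `s` must be non-NULL because strdup(NULL) is undefined.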
@@ -682,24 +682,4 @@ SPropRecValList_add_by_font_cap(SDynPropRecValList *pThisList, return result; } - -/************************************************************************** - Functions (xttmisc) - */ - -/* strdup clone with using the allocator of X server */ -char * -XttXstrdup(char const *str) -{ - char *result; - - result = malloc(strlen(str)+1); - - if (result) - strcpy(result, str); - - return result; -} - - /* end of file */ diff --git a/src/FreeType/xttcap.h b/src/FreeType/xttcap.h index 2931098..2822540 100644 --- a/src/FreeType/xttcap.h +++ b/src/FreeType/xttcap.h @@ -116,15 +116,6 @@ SPropRecValList_dump(SRefPropRecValList *refList); #define SPropContainer_value_str(contRecVal)\ ((contRecVal)->uValue.dynStringValue) -/****************************************************** - Prototypes (xttmisc) - */ - -/* strdup clone */ -char * XttXstrdup(char const *str); -#undef xstrdup -#define xstrdup(s) XttXstrdup((char const*)s) - #endif /* !def _XTTCAP_H_ */ /* end of file */ -- To UNSUBSCRIBE, email to debian-x-requ...@lists.debian.org with a subject of "unsubscribe". Trouble? Contact listmas...@lists.debian.org Archive: http://lists.debian.org/e1w0a6b-0000kq...@moszumanska.debian.org