0 files changed New commits: commit 8cce9834b2e74dccad94ca0adf79ae5585e37d48 Author: Adam Jackson <a...@redhat.com> Date: Wed Aug 31 16:19:11 2016 -0400
libXfont 1.5.2 Signed-off-by: Adam Jackson <a...@redhat.com> diff --git a/configure.ac b/configure.ac index 640cc92..3325aa3 100644 --- a/configure.ac +++ b/configure.ac @@ -21,7 +21,7 @@ # Initialize Autoconf AC_PREREQ([2.60]) -AC_INIT([libXfont], [1.5.1], +AC_INIT([libXfont], [1.5.2], [https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXfont]) AC_CONFIG_SRCDIR([Makefile.am]) AC_CONFIG_HEADERS([config.h include/X11/fonts/fontconf.h]) commit 42d85d1293b2753f3f200de0e960bacef0c973c7 Author: Jeremy Huddleston Sequoia <jerem...@apple.com> Date: Mon May 30 00:46:21 2016 -0700 fserve: Fix a buffer read overrun in _fs_client_access https://bugs.freedesktop.org/show_bug.cgi?id=83224 Found by clang's Address Sanitizer crac.num_auths = set_font_authorizations(&authorizations, &authlen, client); /* Work around bug in xfs versions up through modular release 1.0.8 which rejects CreateAC packets with num_auths = 0 & authlen < 4 */ if (crac.num_auths == 0) { authorizations = padding; authlen = 4; } else { authlen = (authlen + 3) & ~0x3; } crac.length = (sizeof (fsCreateACReq) + authlen) >> 2; crac.acid = cur->acid; _fs_add_req_log(conn, FS_CreateAC); _fs_write(conn, (char *) &crac, sizeof (fsCreateACReq)); _fs_write(conn, authorizations, authlen); In the case in the report, set_font_authorizations setup authorizations as a 34 byte buffer (and authlen set to 34 as one would expect). The following block changed authlen to 36 to make it 4byte aligned and the final _fs_write() caused us to read 36 bytes from this 34 byte buffer. This changes the incorrect size increase to instead use _fs_write_pad which takes care of the padding for us. Signed-off-by: Jeremy Huddleston Sequoia <jerem...@apple.com> (cherry picked from commit 6972ea08ee5b2ef1cfbdc2fcaf14f06bbd391561) diff --git a/src/fc/fserve.c b/src/fc/fserve.c index bbaa8bf..4fb5551 100644 --- a/src/fc/fserve.c +++ b/src/fc/fserve.c 
@@ -2850,14 +2850,12 @@ _fs_client_access (FSFpePtr conn, pointer client, Bool sync) if (crac.num_auths == 0) { authorizations = padding; authlen = 4; - } else { - authlen = (authlen + 3) & ~0x3; } crac.length = (sizeof (fsCreateACReq) + authlen) >> 2; crac.acid = cur->acid; _fs_add_req_log(conn, FS_CreateAC); _fs_write(conn, (char *) &crac, sizeof (fsCreateACReq)); - _fs_write(conn, authorizations, authlen); + _fs_write_pad(conn, authorizations, authlen); /* ignore reply; we don't even care about it */ conn->curacid = 0; cur->auth_generation = client_auth_generation(client); commit 2b09a7af9f19db886567e524f978ad393593f7c0 Author: Jeremy Huddleston Sequoia <jerem...@apple.com> Date: Sun May 29 23:37:13 2016 -0700 fserve: Silence a -Wformat warning src/fc/fserve.c:653:32: warning: format specifies type 'int' but the argument has type 'CARD32' (aka 'unsigned long') [-Wformat] " from font server\n", rep->length); ^~~~~~~~~~~ 1 warning generated. Signed-off-by: Jeremy Huddleston Sequoia <jerem...@apple.com> (cherry picked from commit e6009adbc89ec3e1f924bcb57b333c1c02f5e66d) diff --git a/src/fc/fserve.c b/src/fc/fserve.c index 92b0d53..bbaa8bf 100644 --- a/src/fc/fserve.c +++ b/src/fc/fserve.c @@ -631,8 +631,8 @@ fs_get_reply (FSFpePtr conn, int *error) */ if (rep->length > MAX_REPLY_LENGTH) { - ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting" - " from font server\n", rep->length); + ErrorF("fserve: reply length %ld > MAX_REPLY_LENGTH, disconnecting" + " from font server\n", (long)rep->length); _fs_connection_died (conn); *error = FSIO_ERROR; return 0; commit 3eddbca2690381bbbaf14adadb2679eea702095f Author: Jeremy Huddleston Sequoia <jerem...@apple.com> Date: Sun May 29 23:34:35 2016 -0700 bitmap: Bail out on invalid input to FontFileMakeDir instead of calling calloc for 0 bytes Found by clang static analysis: Call to 'calloc' has an allocation size of 0 bytes 
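Review bot: `crac.length` is still computed as `(sizeof (fsCreateACReq) + authlen) >> 2`, but authlen is no longer rounded up to a multiple of 4, so the shift now truncates. For the 34-byte case cited in the description, the header would advertise one 4-byte word less than `_fs_write_pad` sends, assuming it pads to a 4-byte boundary as the description says and that the request struct size is itself a multiple of 4. Round up in the length computation instead: `crac.length = (sizeof (fsCreateACReq) + authlen + 3) >> 2;`. A declared length that disagrees with the bytes on the wire can desynchronise request framing at the font server. The body of _fs_client_access starts and ends outside the hunk.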
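Review bot: The new `%ld` with `(long)rep->length` prints an unsigned quantity as signed. The quoted warning shows rep->length is a CARD32, and this branch is reached only for values above MAX_REPLY_LENGTH, so where long is 32 bits a length at or above 2^31 would be logged as a negative number. Prefer `%lu` with `(unsigned long)rep->length` so the log records the value the server actually sent. fs_get_reply continues outside the hunk.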
Signed-off-by: Jeremy Huddleston Sequoia <jerem...@apple.com> (cherry picked from commit ac559fad20bbae45332c758abb6a790c3fd341a2) diff --git a/src/bitmap/bitscale.c b/src/bitmap/bitscale.c index c9af4c0..13ed924 100644 --- a/src/bitmap/bitscale.c +++ b/src/bitmap/bitscale.c @@ -1479,6 +1479,10 @@ BitmapScaleBitmaps(FontPtr pf, /* scaled font */ lastRow = pfi->lastRow; nchars = (lastRow - firstRow + 1) * (lastCol - firstCol + 1); + if (nchars <= 0) { + goto bail; + } + glyph = pf->glyph; for (i = 0; i < nchars; i++) { commit dfa572ea522a3019e91f2de7854b252c629342f2 Author: Jeremy Huddleston Sequoia <jerem...@apple.com> Date: Sun May 29 23:29:50 2016 -0700 FreeType: Correct an allocation size Found by clang static analysis: Result of 'calloc' is converted to a pointer of type 'int', which is incompatible with sizeof operand type 'int *' This is likely benign because the old size was larger on any platform where sizeof(int) <= sizeof(void *), which is everywhere. Signed-off-by: Jeremy Huddleston Sequoia <jerem...@apple.com> (cherry picked from commit d0fff111992fed9d9bfbf0c19e136bda9ba1db55) diff --git a/src/FreeType/ftfuncs.c b/src/FreeType/ftfuncs.c index df64f5e..703353d 100644 --- a/src/FreeType/ftfuncs.c +++ b/src/FreeType/ftfuncs.c @@ -622,7 +622,7 @@ FreeTypeInstanceFindGlyph(unsigned idx_in, int flags, FTInstancePtr instance, offset = idx - segment * FONTSEGMENTSIZE; if((*available)[segment] == NULL) { - (*available)[segment] = calloc(FONTSEGMENTSIZE, sizeof(int *)); + (*available)[segment] = calloc(FONTSEGMENTSIZE, sizeof(int)); if((*available)[segment] == NULL) return AllocError; } commit bee4a764ccef46101dca03c70d4ad1793a5a5d78 Author: Keith Packard <kei...@keithp.com> Date: Mon Dec 7 15:46:13 2015 -0800 Fix warnings Mostly signed vs unsigned comparisons 
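Review bot: The added guard tests only the product, so when both `lastRow - firstRow + 1` and `lastCol - firstCol + 1` are negative, nchars is positive and the check passes. Unless the ranges are validated earlier in BitmapScaleBitmaps (not visible in this hunk), check each dimension before multiplying, `if (lastRow < firstRow || lastCol < firstCol) goto bail;`, and keep the `nchars <= 0` test as a backstop. A one-line comment such as `/* empty or inverted row/column range: nothing to scale */` would record why the bail is there.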
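Review bot: The corrected `sizeof(int)` still repeats the element type by hand, which is how the original mismatch arose. Tie the size to the pointer being assigned: `(*available)[segment] = calloc(FONTSEGMENTSIZE, sizeof(*(*available)[segment]));`. FreeTypeInstanceFindGlyph starts and ends outside the hunk.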
Signed-off-by: Keith Packard <kei...@keithp.com> Squashed commit of three cherry-picks from master: (cherry picked from commit eb67d10ae82b364a4324e96ce53baaa4e5e75f97) (cherry picked from commit eefc0b0b908eb8533e704d7156ce983ad7891cc5) (cherry picked from commit d967caa988eaabd9e84c82879e2f21bd33b952a7) diff --git a/src/FreeType/ftfuncs.c b/src/FreeType/ftfuncs.c index c440fde..df64f5e 100644 --- a/src/FreeType/ftfuncs.c +++ b/src/FreeType/ftfuncs.c @@ -474,7 +474,7 @@ FreeTypeOpenInstance(FTInstancePtr *instance_return, FTFacePtr face, if( FT_IS_SFNT( face->face ) ) { #if 1 FT_F26Dot6 tt_char_width, tt_char_height, tt_dim_x, tt_dim_y; - FT_UInt nn; + FT_Int nn; instance->strike_index=0xFFFFU; @@ -1454,7 +1454,7 @@ FreeTypeRasteriseGlyph(unsigned idx, int flags, CharInfoPtr tgp, } for( i = MAX(0, dy) ; i<ht ; i++ ){ int prev_jj,jj; - if( bitmap->rows <= i-dy ) break; + if( bitmap->rows <= (unsigned) (i-dy) ) break; current_buffer=(unsigned char *)(bitmap->buffer+bitmap->pitch*(i-dy)); current_raster=(unsigned char *)(raster+i*bpr); j = MAX(0,div_dx); @@ -2985,13 +2985,13 @@ ft_compute_bounds(FTFontPtr font, FontInfoPtr pinfo, FontScalablePtr vals ) c = row<<8|col; flags=0; if ( !force_c_outside ) { - if ( c <= instance->ttcap.forceConstantSpacingEnd - && instance->ttcap.forceConstantSpacingBegin <= c ) + if ( (signed) c <= instance->ttcap.forceConstantSpacingEnd + && instance->ttcap.forceConstantSpacingBegin <= (signed) c ) flags|=FT_FORCE_CONSTANT_SPACING; } else { /* for GB18030 proportional */ - if ( c <= instance->ttcap.forceConstantSpacingEnd - || instance->ttcap.forceConstantSpacingBegin <= c ) + if ( (signed) c <= instance->ttcap.forceConstantSpacingEnd + || instance->ttcap.forceConstantSpacingBegin <= (signed) c ) flags|=FT_FORCE_CONSTANT_SPACING; } #if 0 diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c index eccd7b7..f343eed 100644 --- a/src/bitmap/bdfread.c +++ b/src/bitmap/bdfread.c 
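Review bot: In the ft_compute_bounds hunk the `(signed) c` cast is repeated four times, and each one silently assumes that `c = row<<8|col` fits in an int. The declarations of c, row and col are outside the hunk, so that assumption cannot be confirmed from here. Converting once would keep the range comparisons in one signedness and give a single place to state the assumption, for example `int sc = (int) c; /* row<<8|col, expected to fit in int */` followed by `sc <= instance->ttcap.forceConstantSpacingEnd`.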
@@ -298,7 +298,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, bdfError("invalid number of CHARS in BDF file\n"); return (FALSE); } - if (nchars > INT32_MAX / sizeof(CharInfoRec)) { + if (nchars > (signed) (INT32_MAX / sizeof(CharInfoRec))) { bdfError("Couldn't allocate pCI (%d*%d)\n", nchars, (int) sizeof(CharInfoRec)); goto BAILOUT; @@ -631,7 +631,7 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState) } if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) || (nProps <= 0) || - (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) { + (nProps > (signed) ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) { bdfError("bad 'STARTPROPERTIES'\n"); return (FALSE); } diff --git a/src/bitmap/pcfread.c b/src/bitmap/pcfread.c index 34eeeb7..33871ae 100644 --- a/src/bitmap/pcfread.c +++ b/src/bitmap/pcfread.c @@ -487,7 +487,6 @@ pcfReadFont(FontPtr pFont, FontFilePtr file, for (i = 0; i < GLYPHPADOPTIONS; i++) { bitmapSizes[i] = pcfGetINT32(file, format); if (IS_EOF(file)) goto Bail; - if (bitmapSizes[i] < 0) goto Bail; } sizebitmaps = bitmapSizes[PCF_GLYPH_PAD_INDEX(format)];
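Review bot: The bare `(signed)` cast on the limit is inconsistent with the `(int) sizeof(CharInfoRec)` spelling two lines below in the same hunk. Write `(int) (INT32_MAX / sizeof(CharInfoRec))` so the bound reads as the int comparison it is. The same applies to `(signed) ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS)` in the bdfReadProperties hunk. Both checks bound counts parsed from the BDF file, apparently ahead of an allocation, so a short comment such as `/* reject counts whose allocation size would exceed INT32_MAX */` would keep a later cleanup from weakening them.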
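Review bot: Dropping `if (bitmapSizes[i] < 0) goto Bail;` in the pcfReadFont hunk leaves the sizes read by `pcfGetINT32` from the font file with no range check inside this loop. The declaration of bitmapSizes is outside the hunk. If it is an unsigned type the test was always false, which would explain its removal in a warnings commit, but a value above INT32_MAX then still reaches `sizebitmaps` on the last context line, and whether that variable is signed is not visible here either. Rather than deleting the check, restate it for the actual type, for example `if (bitmapSizes[i] > INT32_MAX) goto Bail;`, so an oversized value from a malformed PCF file is rejected before it is used as a size.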