Timo Aaltonen pushed to branch debian-unstable at X Strike Force / lib / 
libxfont


Commits:
f476c0a0 by Guillem Jover at 2022-10-06T00:39:38+00:00
Switch from libbsd to libbsd-overlay

This is the preferred usage form for libbsd, as it makes the code more
portable and requires no special includes for libbsd, by transparently
injects the needed standard headers that would be used on a BSD.

Signed-off-by: Guillem Jover <[email protected]>

- - - - -
644bea5c by Alan Coopersmith at 2022-11-05T09:16:14-07:00
Only link with libbsd if needed for reallocarray() or strlcat()

Avoid unnecessary library dependency when using a libc with these
functions included

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
5ca90ec8 by Peter Harris at 2022-11-10T18:12:20+00:00
Fix font server reconnection timeout

The great libxfont2 rewrite 135fb032e940ce226c9feb13e6e903f3ecbc5eb0 split
fs_wakeup into fs_wakeup and fs_fd_handler. The fs_fd_handler side is
called when there is new data on the socket. The fs_wakeup side is called
on a timeout.

If there's a connection timeout, the block handler will set the timeout
to zero, expecting fs_wakeup to handle the timeout. Therefore, we need to
call _fs_check_reconnect in fs_wakeup to handle the connection timeout.
If we don't, the X server will go to 100% CPU (and the font server
connection will not be retried).

Signed-off-by: Peter Harris <[email protected]>

- - - - -
572d9d52 by Jeremy Huddleston Sequoia at 2022-11-26T22:35:40-08:00
atom: Update Hash() to be unsigned

This avoids undefined behavior (left shift overflow in signed integer type)

Signed-off-by: Jeremy Huddleston Sequoia <[email protected]>

- - - - -
0bee0362 by Alan Coopersmith at 2023-02-16T19:02:29-08:00
configure: raise minimum autoconf requirement to 2.70

Needed for builds on NetBSD to work correctly, since it depends on
AC_USE_SYSTEM_EXTENSIONS defining _OPENBSD_SOURCE to expose the
prototype for reallocarray() in the system headers.

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
a3a85df9 by Alan Coopersmith at 2023-02-25T09:26:20-08:00
Remove "All rights reserved" from Oracle copyright notices

Oracle no longer includes this term in our copyright & license notices.

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
a5ee0e9a by Alan Coopersmith at 2023-03-04T15:18:07-08:00
configure: Use LT_INIT from libtool 2 instead of deprecated AC_PROG_LIBTOOL

AC_PROG_LIBTOOL was replaced by LT_INIT in libtool 2 in 2008,
so it's time to rely on it.

Clears autoconf warnings:

configure.ac:38: warning: The macro `AC_PROG_LIBTOOL' is obsolete.
configure.ac:38: You should run autoupdate.
aclocal.m4:3640: AC_PROG_LIBTOOL is expanded from...
configure.ac:38: the top level

libtoolize: Consider adding 'AC_CONFIG_MACRO_DIRS([m4])' to configure.ac,
libtoolize: and rerunning libtoolize and aclocal.

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
c0ab2a2c by Alan Coopersmith at 2023-03-25T10:40:19-07:00
Set close-on-exec when opening fonts.dir & fonts.alias files

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
b4b35189 by Alan Coopersmith at 2024-01-24T17:42:19-08:00
Modernize lseek() calls

Position should be stored in an off_t, not an int, and the
"whence" arg should use symbolic constants instead of raw numbers.

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
87b05995 by Alan Coopersmith at 2024-01-24T17:44:38-08:00
configure: Use AC_SYS_LARGEFILE to enable large file support

While font files should never be more than 2gb in size, they may be
stored on filesystems with large inodes or timestamps outside of the
32-bit range.

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
42d2b5ad by Alan Coopersmith at 2024-02-03T02:48:03+00:00
bitscale.c: ensure SCORE2 macro expands properly

Handles warning from Oracle Parfait 11.2 static analyzer:

Error: Misleading macro
   Misleading macro [misleading-macro]:
      misleading evaluation of '/' operator in expansion of macro SCORE2 due to 
missing parentheses
        at line 299 of src/bitmap/bitscale.c.
        '/' operator has lower precedence than '/' operator inside macro body 
at line 438
        low precedence '/' operator is hidden by expansion of macro argument m 
at line 299
   Misleading macro [misleading-macro]:
      misleading evaluation of '/' operator in expansion of macro SCORE2 due to 
missing parentheses
        at line 299 of src/bitmap/bitscale.c.
        binary '*' operator has lower precedence than '/' operator inside macro 
body at line 440
        low precedence binary '*' operator is hidden by expansion of macro 
argument m at line 299

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
0be12a9f by Alan Coopersmith at 2024-02-03T02:48:03+00:00
bitscale.c: ensure SCORE macro expands properly

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
c908d277 by Alan Coopersmith at 2024-02-03T02:48:03+00:00
bitscale.c: remove unused MAX() macro

Code that used it was removed in commit 632a2e90a4b209facc

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
24951703 by Alan Coopersmith at 2024-02-17T12:19:18-08:00
unifdef sony

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
e38d1d27 by Alan Coopersmith at 2024-02-17T12:20:37-08:00
unifdef __OSF1__

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
1f7b4edf by Alan Coopersmith at 2024-02-17T12:21:15-08:00
unifdef ISC

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
bac7adac by Alan Coopersmith at 2024-02-17T12:22:09-08:00
unifdef Lynx

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
3d412575 by Alan Coopersmith at 2024-02-17T12:25:15-08:00
unifdef NCD

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
c47d610a by Alan Coopersmith at 2024-02-17T12:56:52-08:00
Use autoconf to check for float.h instead of platform-specific ifdefs

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
00067372 by José Expósito at 2024-07-01T16:28:12+02:00
stubs/atom.c: Fix memory leak in __libxfont_internal__MakeAtom

Reported by a static analysis tool:

     9. libXfont2-2.0.6/src/stubs/atom.c:179:5:
        alloc_fn: Storage is returned from allocation function "malloc".
    10. libXfont2-2.0.6/src/stubs/atom.c:179:5:
        var_assign: Assigning: "a" = storage returned from
        "malloc(24UL + len + 1UL)".
    16. libXfont2-2.0.6/src/stubs/atom.c:194:6:
        leaked_storage: Variable "a" going out of scope leaks the
        storage it points to.
    #   192|  if ((ResizeHashTable() == FALSE) &&
    #   193|     ((hashTable == NULL) || (hashUsed == hashSize)))
    #   194|->   return None;
    #   195|  h = hash & hashMask;
    #   196|  if (hashTable[h]) {

Fixes: 78085e6b683b ("stubs/atom.c: check for ResizeHashTable failure")
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/27>

- - - - -
dbc2fbc5 by Enrico Weigelt, metux IT consult at 2024-07-19T13:35:11+02:00
include: libxfont2: fix missing includes of fontproto.h

* needs types from X11/fonts/fontproto.h (eg. NameCheckFunc) from this header,
but forgot to include it.
* needs NULL, which is defined in stddef.h

Signed-off-by: Enrico Weigelt, metux IT consult <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/28>

- - - - -
2c2e44c9 by Alan Coopersmith at 2024-08-01T15:53:10-07:00
libXfont2 2.0.7

Signed-off-by: Alan Coopersmith <[email protected]>

- - - - -
67520db2 by Alan Coopersmith at 2026-01-25T15:25:32-08:00
gitlab CI: drop the ci-fairy check-mr job

The only thing this checked was the checkbox for allowing maintainers to
edit the MR. Changed permissions checks now fail this job but luckily
the setting it checked has been the default for years anyway so we can
drop it.

https://gitlab.freedesktop.org/freedesktop/ci-templates/-/issues/81

Signed-off-by: Alan Coopersmith <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/30>

- - - - -
b1d2868b by Alan Coopersmith at 2026-06-02T10:39:29-07:00
gitlab CI: move back to Debian stable image

Debian 'testing' was needed to get autoconf >= 2.70 in 2023, but
it's made its way into the stable release now, so we can move back.

Signed-off-by: Alan Coopersmith <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/31>

- - - - -
63bdfc6f by Peter Hutterer at 2026-06-09T10:48:06+10:00
pcfread: fix strings memory leak in pcfGetProperties error path

The Bail label in pcfGetProperties() freed props and isStringProp but
not the strings buffer, leaking it on any error after allocation.

Initialize strings to NULL and free it in the Bail path.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Peter Hutterer <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/32>

- - - - -
6594d129 by Peter Hutterer at 2026-06-09T10:48:06+10:00
bdfread: fix copy-paste error in RESOLUTION_X/Y property generation

Both the RESOLUTION_X and RESOLUTION_Y generation blocks incorrectly
set pState->resolutionProp instead of their respective
pState->resolutionXProp and pState->resolutionYProp fields.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Peter Hutterer <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/32>

- - - - -
09d1c927 by Peter Hutterer at 2026-06-09T10:48:06+10:00
bdfread: fix BDF_GENPROPS undercount causing heap buffer overflow

BDF_GENPROPS was defined as 6, but up to 8 generated properties can be
appended in bdfReadProperties when the BDF file omits all optional
properties: POINT_SIZE, FONT, WEIGHT, RESOLUTION (when resolution_x ==
resolution_y), RESOLUTION_X, RESOLUTION_Y, X_HEIGHT, QUAD_WIDTH.

Change BDF_GENPROPS to 8 to match the actual maximum number of
generated properties.

Note: the overflow is not currently exploitable because the BDF parser
requires nProps >= 1 and both FONT_ASCENT and FONT_DESCENT (nProps >= 2),
and both are consumed by bdfSpecialProperty without occupying props[]
slots, so allocation is always nProps + BDF_GENPROPS >= 8 which fits
all 8 generated properties.  The constant is fixed for correctness
and defense in depth.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Peter Hutterer <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/32>

- - - - -
39959747 by Peter Hutterer at 2026-06-09T10:48:06+10:00
fsio: fix unchecked realloc

Check the realloc return value and keep the existing buffer if the
reallocation fails.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Peter Hutterer <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/32>

- - - - -
9cc9c4a7 by Peter Hutterer at 2026-06-09T10:48:06+10:00
render: use calloc for FontRec to prevent use of uninitialized memory

BuiltinOpenBitmap allocates a FontRec with malloc and only initializes
three fields before passing it to pcfReadFont.  If pcfReadFont fails
partway through, error cleanup paths may access uninitialized fields
in the FontRec.

This shouldn't ever happen for the builtin fonts but it's a trivial
change so let's do this. It also matches CreateFontRec() in private.c
which uses malloc+bzero.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Peter Hutterer <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/32>

- - - - -
6141975c by Adam Jackson at 2026-06-24T01:38:58+00:00
freetype: Fix encoding string assembly

The code was building charset identifier strings as "encoding-registry"
(e.g. "1-iso10646") instead of the correct "registry-encoding" (e.g.
"iso10646-1"), causing charset comparisons to always fail.

Also remove a stale debug ErrorF left in from development.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Peter Hutterer <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/33>

- - - - -
e3f40cb1 by Peter Hutterer at 2026-06-24T01:38:58+00:00
freetype: Remove premature break in find_cmap() Unicode fallback

Remove a premature break that made the Apple Unicode and ISO Unicode
cmap fallback loops unreachable when Microsoft Unicode was not available.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Peter Hutterer <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/33>

- - - - -
2097fc4a by Adam Jackson at 2026-06-24T01:38:58+00:00
freetype: Remove misguided ifdef around BDF charset query

XFONT_BDFFORMAT controls whether libXfont builds its own BDF reader.
FT_Get_BDF_Charset_ID() is a FreeType library function whose
availability is orthogonal to our own BDF support. The call should
always be made when FreeType is available.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Peter Hutterer <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/33>

- - - - -
dd5ff354 by Adam Jackson at 2026-06-24T01:38:58+00:00
fontfile: Remove ridiculously old compat API

Remove the binary compatibility shims for the old fontenc function
names (font_encoding_from_xlfd, font_encoding_find, etc). These have
been superseded by the FontEnc* names for years.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Peter Hutterer <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/33>

- - - - -
be0b08e2 by Peter Hutterer at 2026-07-06T10:05:27+10:00
bitscale: fix integer overflow in BitmapScaleBitmaps bytestoalloc

bytestoalloc is declared as unsigned int (32-bit). When the sum of
per-glyph byte counts exceeds 2^32, the value wraps around and calloc()
allocates a buffer that is too small. The subsequent ScaleBitmap loop
then writes past the end of the allocated buffer.

Change bytestoalloc from unsigned int to size_t to match the actual
allocation size type, and add an explicit overflow check in the
accumulation loop to bail out if the total would exceed SIZE_MAX.

This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative

CVE-2026-56001/ZDI-CAN-30558

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Peter Hutterer <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34>

- - - - -
b4389e0b by Peter Hutterer at 2026-07-06T10:05:35+10:00
pcfread: validate bitmap sizes and offsets against per-glyph metrics

pcfReadFont() uses bitmapSizes[] read directly from the PCF file to
allocate the repadded bitmap buffer. However, per-glyph metrics (also
from the file) control how much data RepadBitmap() writes. A malicious
PCF font can declare a small bitmapSizes[] value while having per-glyph
metrics that require more space, causing a heap buffer overflow.

A similar issue happens with the encoding offsets: pcfReadFont reads
encoding offsets from the PCF file and uses them to index into the
metrics array without bounds checking.  A crafted font can set an
encoding offset larger than nmetrics, causing an out-of-bounds pointer
that is later dereferenced when glyphs are accessed through the encoding
table.

And the no-repad bitmap path (when PCF_GLYPH_PAD matches the requested
glyph pad) only validated that each glyph's offset was within the bitmap
buffer, but did not check that the full glyph extent (offset +
BYTES_PER_ROW * height) fits within the buffer.  A crafted font with a
glyph offset near the end of a small bitmap buffer but large glyph
metrics causes a heap buffer over-read when the glyph is later rendered.

This vulnerability was discovered by:
  Anonymous working with TrendAI Zero Day Initiative

CVE-2026-56002/ZDI-CAN-30559

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Peter Hutterer <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34>

- - - - -
dff957a5 by Peter Hutterer at 2026-07-06T10:05:35+10:00
bitscale: add bounds check to computeProps for property buffer

ComputeScaledProperties allocates a fixed-size property buffer of 70
slots. computeProps iterates the source font's properties and writes 1
slot for unscaled properties or 2 slots for scaledX/scaledY properties,
with no bounds check. A malicious font with many duplicate properties
matching fontPropTable entries can overflow the allocated buffer.

Fix this by passing the remaining buffer capacity to computeProps and
checking it before each write. Properties that would exceed the buffer
are silently skipped.

The function is also restructured to handle the buffer writes for
scaledX/scaledY inside the switch cases directly, rather than in a
separate block after the switch. This makes the control flow clearer and
ensures the bounds check covers all writes.

This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative

CVE-2026-56003/ZDI-CAN-30560

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Peter Hutterer <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34>

- - - - -
6f2cc6e7 by Peter Hutterer at 2026-07-06T10:05:35+10:00
test: fix stubs in font-test-utils for use outside the X server

Several callback stubs in font-test-utils.c call err() (fatal) when
invoked, preventing test code from exercising font paths that use atoms,
font server initialization, or time queries.

Set the atom callbacks to NULL so that libxfontstubs falls back to the
internal atom implementation. Return Successful from init_fs_handlers
and 0 from get_time_in_millis so that font path initialization
completes without crashing.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Peter Hutterer <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34>

- - - - -
0cbdbe78 by Peter Hutterer at 2026-07-06T10:05:35+10:00
test: add PCF security regression tests

Add regression tests for five PCF font parsing and scaling
vulnerabilities.

Python scripts generate crafted PCF fonts at build time. Each test
binary loads its font through the font path element API and verifies
the library handles it without crashing. Under ASAN, these tests would
detect the heap buffer overflows that the fixes prevent.

Test fonts (built sources):
  gen_evil_pcf_repad.py        - Mismatched bitmapSizes vs per-glyph metrics
  gen_evil_pcf_norepad.py      - Out-of-bounds read in no-repad bitmap path
  gen_evil_pcf_props.py        - 40 duplicate MIN_SPACE properties
  gen_evil_pcf_encoding.py     - Out-of-bounds encoding offset
  gen_evil_pcf_bitmapscale.py  - Many glyphs that expand during scaling

Tests require Python 3; skipped automatically if unavailable.

Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Peter Hutterer <[email protected]>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34>

- - - - -
88b9df88 by Peter Hutterer at 2026-07-08T11:02:20+10:00
libXfont2 2.0.8

Signed-off-by: Peter Hutterer <[email protected]>

- - - - -
836b44e0 by Timo Aaltonen at 2026-07-09T21:02:35+03:00
Merge branch 'upstream-unstable' into debian-unstable

- - - - -
41652ab6 by Timo Aaltonen at 2026-07-09T21:03:57+03:00
version bump

- - - - -
359b9e56 by Timo Aaltonen at 2026-07-09T21:10:44+03:00
upstream: Add key from Peter Hutterer

- - - - -
75fb971a by Timo Aaltonen at 2026-07-09T21:12:16+03:00
releasing package libxfont version 1:2.0.8-1

- - - - -


41 changed files:

- .gitlab-ci.yml
- COPYING
- Makefile.am
- configure.ac
- debian/changelog
- debian/upstream/signing-key.asc
- include/X11/fonts/bdfint.h
- − include/X11/fonts/fontencc.h
- include/X11/fonts/libxfont2.h
- src/FreeType/ftenc.c
- src/bitmap/bdfread.c
- src/bitmap/bitscale.c
- src/bitmap/pcfread.c
- src/builtins/render.c
- src/fc/fserve.c
- src/fc/fsio.c
- src/fc/fsio.h
- src/fc/fslibos.h
- src/fontfile/bufio.c
- src/fontfile/bunzip2.c
- src/fontfile/dirfile.c
- − src/fontfile/fontencc.c
- src/fontfile/fontfile.c
- src/stubs/atom.c
- src/util/fontxlfd.c
- src/util/replace.h
- + test/gen_evil_pcf_bitmapscale.py
- + test/gen_evil_pcf_encoding.py
- + test/gen_evil_pcf_norepad.py
- + test/gen_evil_pcf_props.py
- + test/gen_evil_pcf_repad.py
- + test/pcf-test-common.c
- + test/pcf-test-common.h
- + test/test-pcf-bitmapscale.c
- + test/test-pcf-encoding.c
- + test/test-pcf-norepad.c
- + test/test-pcf-props.c
- + test/test-pcf-repad.c
- test/utils/font-test-utils.c
- test/utils/font-test-utils.h
- test/utils/lsfontdir.c


The diff was not included because it is too large.


View it on GitLab: 
https://salsa.debian.org/xorg-team/lib/libxfont/-/compare/80a8ed1784f5c18618d42acb94c7d57a4107e523...75fb971aa41c5a1291b87c2eb8d1c2eb2626192b

-- 
View it on GitLab: 
https://salsa.debian.org/xorg-team/lib/libxfont/-/compare/80a8ed1784f5c18618d42acb94c7d57a4107e523...75fb971aa41c5a1291b87c2eb8d1c2eb2626192b
You're receiving this email because of your account on salsa.debian.org. Manage 
all notifications: https://salsa.debian.org/-/profile/notifications | Help: 
https://salsa.debian.org/help


Reply via email to