cpet/freebsd-ports
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix several buffer overflow issues in the fontpath handling code.

Browse Source 
Remove an earlier patch which only partially addressed these issues.

Approved by:	so
This commit is contained in:
Dag-Erling Smørgrav 2004-02-12 20:16:05 +00:00
parent 0ba554dd1a
commit 64c03a02ad
Notes: svn2git 2021-03-31 03:12:20 +00:00 
svn path=/head/; revision=100788
6 changed files with 373 additions and 29 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

2
x11-servers/XFree86-4-Server-snap/Makefile
View File

@ -7,7 +7,7 @@
PORTNAME= Server
PORTVERSION= 4.3.99.15
PORTREVISION= 1
PORTREVISION= 2
CATEGORIES= x11-servers
MASTER_SITES= ${MASTER_SITE_XFREE:S|source/||:S/$/:x/} \
${MASTER_SITE_LOCAL:S/$/:local/}

13
x11-servers/XFree86-4-Server-snap/files/patch-dirfile.c
View File

@ -1,13 +0,0 @@
--- lib/font/fontfile/dirfile.c.orig Fri May 31 20:45:50 2002
+++ lib/font/fontfile/dirfile.c Thu Feb 5 00:19:57 2004
@@ -286,6 +286,10 @@
status = AllocError;
break;
case NAME:
+ if (strlen(lexToken) >= sizeof(alias)) {
+ status = BadFontPath;
+ break;
+ }
strcpy(alias, lexToken);
token = lexAlias(file, &lexToken);
switch (token) {

185
x11-servers/XFree86-4-Server-snap/files/patch-xc::lib::font::fontfile Normal file
View File

@ -0,0 +1,185 @@
Index: lib/font/fontfile/dirfile.c
===================================================================
RCS file: /home/x-cvs/xc/lib/font/fontfile/dirfile.c,v
retrieving revision 3.15
diff -u -r3.15 dirfile.c
--- dirfile.c 31 May 2002 18:45:50 -0000 3.15
+++ dirfile.c 11 Feb 2004 21:17:20 -0000
@@ -68,6 +68,9 @@
FontDirectoryPtr dir = NullFontDirectory;
+ if (strlen(directory) + 1 + sizeof(FontDirFile) > sizeof(dir_file))
+ return BadFontPath;
+
#ifdef FONTDIRATTRIB
/* Check for font directory attributes */
#ifndef __UNIXOS2__
@@ -154,6 +157,9 @@
char dir_file[MAXFONTFILENAMELEN];
struct stat statb;
+ if (strlen(dir->directory) + sizeof(FontDirFile) > sizeof(dir_file))
+ return FALSE;
+
strcpy (dir_file, dir->directory);
strcat (dir_file, FontDirFile);
if (stat (dir_file, &statb) == -1)
@@ -202,6 +208,8 @@
continue;
len = strlen (fileName) - renderer->fileSuffixLen;
+ if (len >= sizeof(copy))
+ continue;
CopyISOLatin1Lowered (copy, fileName, len);
copy[len] = '\0';
name.name = copy;
@@ -251,9 +259,13 @@
int status = Successful;
struct stat statb;
+ if (strlen(directory) >= sizeof(alias_file))
+ return BadFontPath;
dir = *pdir;
strcpy(alias_file, directory);
if (!isFile) {
+ if (strlen(directory) + 1 + sizeof(FontAliasFile) > sizeof(alias_file))
+ return BadFontPath;
if (directory[strlen(directory) - 1] != '/')
strcat(alias_file, "/");
strcat(alias_file, FontAliasFile);
@@ -286,6 +298,10 @@
status = AllocError;
break;
case NAME:
+ if (strlen(lexToken) >= sizeof(alias)) {
+ status = BadFontPath;
+ break;
+ }
strcpy(alias, lexToken);
token = lexAlias(file, &lexToken);
switch (token) {
@@ -302,6 +318,10 @@
status = AllocError;
break;
case NAME:
+ if (strlen(lexToken) >= sizeof(font_name)) {
+ status = BadFontPath;
+ break;
+ }
CopyISOLatin1Lowered(alias, alias, strlen(alias));
CopyISOLatin1Lowered(font_name, lexToken, strlen(lexToken));
if (!FontFileAddFontAlias (dir, alias, font_name))
Index: lib/font/fontfile/encparse.c
===================================================================
RCS file: /home/x-cvs/xc/lib/font/fontfile/encparse.c,v
retrieving revision 1.18
diff -u -r1.18 encparse.c
--- encparse.c 2 Nov 2001 03:06:40 -0000 1.18
+++ encparse.c 11 Feb 2004 21:17:20 -0000
@@ -833,6 +833,7 @@
char file_name[MAXFONTFILENAMELEN], encoding_name[MAXFONTNAMELEN],
buf[MAXFONTFILENAMELEN];
int count, n;
+ static char format[24] = "";
/* As we don't really expect to open encodings that often, we don't
take the trouble of caching encodings directories. */
@@ -848,8 +849,12 @@
}
encoding = NULL;
+ if (!format[0]) {
+ sprintf(format, "%%%ds %%%d[^\n]\n", sizeof(encoding_name) - 1,
+ sizeof(file_name) - 1);
+ }
for(;;) {
- count = fscanf(file, "%s %[^\n]\n", encoding_name, file_name);
+ count = fscanf(file, format, encoding_name, file_name);
if(count == EOF)
break;
if(count != 2)
Index: lib/font/fontfile/fontfile.c
===================================================================
RCS file: /home/x-cvs/xc/lib/font/fontfile/fontfile.c,v
retrieving revision 3.16
diff -u -r3.16 fontfile.c
--- fontfile.c 31 May 2002 18:45:50 -0000 3.16
+++ fontfile.c 11 Feb 2004 21:17:20 -0000
@@ -424,11 +424,16 @@
vals.ranges = ranges;
vals.nranges = nranges;
- strcpy (fileName, dir->directory);
- strcat (fileName, scalable->fileName);
- ret = (*scalable->renderer->OpenScalable) (fpe, pFont,
+ if (strlen(dir->directory) + strlen(scalable->fileName) >=
+ sizeof(fileName)) {
+ ret = BadFontName;
+ } else {
+ strcpy (fileName, dir->directory);
+ strcat (fileName, scalable->fileName);
+ ret = (*scalable->renderer->OpenScalable) (fpe, pFont,
flags, entry, fileName, &vals, format, fmask,
non_cachable_font);
+ }
/* In case rasterizer does something bad because of
charset subsetting... */
@@ -497,6 +502,8 @@
dir = (FontDirectoryPtr) fpe->private;
bitmap = &entry->u.bitmap;
+ if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName))
+ return BadFontName;
strcpy (fileName, dir->directory);
strcat (fileName, bitmap->fileName);
ret = (*bitmap->renderer->OpenBitmap)
@@ -530,6 +537,8 @@
dir = (FontDirectoryPtr) fpe->private;
bitmap = &entry->u.bitmap;
+ if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName))
+ return BadFontName;
strcpy (fileName, dir->directory);
strcat (fileName, bitmap->fileName);
ret = (*bitmap->renderer->GetInfoBitmap) (fpe, pFontInfo, entry, fileName);
@@ -891,10 +900,15 @@
vals.ranges = FontParseRanges(origName, &vals.nranges);
ranges = vals.ranges;
/* Make a new scaled instance */
- strcpy (fileName, dir->directory);
- strcat (fileName, scalable->fileName);
- ret = (*scalable->renderer->GetInfoScalable)
- (fpe, *pFontInfo, entry, &tmpName, fileName, &vals);
+ if (strlen(dir->directory) + strlen(scalable->fileName) >=
+ sizeof(fileName)) {
+ ret = BadFontName;
+ } else {
+ strcpy (fileName, dir->directory);
+ strcat (fileName, scalable->fileName);
+ ret = (*scalable->renderer->GetInfoScalable)
+ (fpe, *pFontInfo, entry, &tmpName, fileName, &vals);
+ }
if (ranges) xfree(ranges);
}
}
@@ -931,10 +945,15 @@
bc = &entry->u.bc;
entry = bc->entry;
/* Make a new scaled instance */
- strcpy (fileName, dir->directory);
- strcat (fileName, scalable->fileName);
- ret = (*scalable->renderer->GetInfoScalable)
+ if (strlen(dir->directory) + strlen(scalable->fileName) >=
+ sizeof(fileName)) {
+ ret = BadFontName;
+ } else {
+ strcpy (fileName, dir->directory);
+ strcat (fileName, scalable->fileName);
+ ret = (*scalable->renderer->GetInfoScalable)
(fpe, *pFontInfo, entry, tmpName, fileName, &bc->vals);
+ }
break;
#endif
default:

4
x11-servers/XFree86-4-Server/Makefile
View File

@ -7,7 +7,7 @@
PORTNAME= Server
PORTVERSION= 4.3.0
PORTREVISION= 13
PORTREVISION= 14
CATEGORIES= x11-servers
MASTER_SITES= ${MASTER_SITE_XFREE:S/$/:x/} \
${MASTER_SITE_LOCAL:S/$/:local/}
@ -36,7 +36,6 @@ EXTRA_PATCHES+= \
${FILESDIR}/patch-bus-Imakefile \
${FILESDIR}/patch-bus_Imakefile \
${FILESDIR}/patch-compiler.h \
${FILESDIR}/patch-dirfile.c \
${FILESDIR}/patch-elfloader.c \
${FILESDIR}/patch-freebsdPci.c \
${FILESDIR}/patch-ftfuncs.c \
@ -57,6 +56,7 @@ EXTRA_PATCHES+= \
${FILESDIR}/patch-savage-pci-id \
${FILESDIR}/patch-smi \
${FILESDIR}/patch-sunffb_Imakefile \
${FILESDIR}/patch-xc::lib::font::fontfile \
${FILESDIR}/patch-xf86-common-Imakefile \
${FILESDIR}/patch-xf86Events.c \
${FILESDIR}/patch-xf86Sbus.h \

13
x11-servers/XFree86-4-Server/files/patch-dirfile.c
View File

@ -1,13 +0,0 @@
--- lib/font/fontfile/dirfile.c.orig Fri May 31 20:45:50 2002
+++ lib/font/fontfile/dirfile.c Thu Feb 5 00:19:57 2004
@@ -286,6 +286,10 @@
status = AllocError;
break;
case NAME:
+ if (strlen(lexToken) >= sizeof(alias)) {
+ status = BadFontPath;
+ break;
+ }
strcpy(alias, lexToken);
token = lexAlias(file, &lexToken);
switch (token) {

185
x11-servers/XFree86-4-Server/files/patch-xc::lib::font::fontfile Normal file
View File

@ -0,0 +1,185 @@
Index: lib/font/fontfile/dirfile.c
===================================================================
RCS file: /home/x-cvs/xc/lib/font/fontfile/dirfile.c,v
retrieving revision 3.15
diff -u -r3.15 dirfile.c
--- dirfile.c 31 May 2002 18:45:50 -0000 3.15
+++ dirfile.c 11 Feb 2004 21:17:20 -0000
@@ -68,6 +68,9 @@
FontDirectoryPtr dir = NullFontDirectory;
+ if (strlen(directory) + 1 + sizeof(FontDirFile) > sizeof(dir_file))
+ return BadFontPath;
+
#ifdef FONTDIRATTRIB
/* Check for font directory attributes */
#ifndef __UNIXOS2__
@@ -154,6 +157,9 @@
char dir_file[MAXFONTFILENAMELEN];
struct stat statb;
+ if (strlen(dir->directory) + sizeof(FontDirFile) > sizeof(dir_file))
+ return FALSE;
+
strcpy (dir_file, dir->directory);
strcat (dir_file, FontDirFile);
if (stat (dir_file, &statb) == -1)
@@ -202,6 +208,8 @@
continue;
len = strlen (fileName) - renderer->fileSuffixLen;
+ if (len >= sizeof(copy))
+ continue;
CopyISOLatin1Lowered (copy, fileName, len);
copy[len] = '\0';
name.name = copy;
@@ -251,9 +259,13 @@
int status = Successful;
struct stat statb;
+ if (strlen(directory) >= sizeof(alias_file))
+ return BadFontPath;
dir = *pdir;
strcpy(alias_file, directory);
if (!isFile) {
+ if (strlen(directory) + 1 + sizeof(FontAliasFile) > sizeof(alias_file))
+ return BadFontPath;
if (directory[strlen(directory) - 1] != '/')
strcat(alias_file, "/");
strcat(alias_file, FontAliasFile);
@@ -286,6 +298,10 @@
status = AllocError;
break;
case NAME:
+ if (strlen(lexToken) >= sizeof(alias)) {
+ status = BadFontPath;
+ break;
+ }
strcpy(alias, lexToken);
token = lexAlias(file, &lexToken);
switch (token) {
@@ -302,6 +318,10 @@
status = AllocError;
break;
case NAME:
+ if (strlen(lexToken) >= sizeof(font_name)) {
+ status = BadFontPath;
+ break;
+ }
CopyISOLatin1Lowered(alias, alias, strlen(alias));
CopyISOLatin1Lowered(font_name, lexToken, strlen(lexToken));
if (!FontFileAddFontAlias (dir, alias, font_name))
Index: lib/font/fontfile/encparse.c
===================================================================
RCS file: /home/x-cvs/xc/lib/font/fontfile/encparse.c,v
retrieving revision 1.18
diff -u -r1.18 encparse.c
--- encparse.c 2 Nov 2001 03:06:40 -0000 1.18
+++ encparse.c 11 Feb 2004 21:17:20 -0000
@@ -833,6 +833,7 @@
char file_name[MAXFONTFILENAMELEN], encoding_name[MAXFONTNAMELEN],
buf[MAXFONTFILENAMELEN];
int count, n;
+ static char format[24] = "";
/* As we don't really expect to open encodings that often, we don't
take the trouble of caching encodings directories. */
@@ -848,8 +849,12 @@
}
encoding = NULL;
+ if (!format[0]) {
+ sprintf(format, "%%%ds %%%d[^\n]\n", sizeof(encoding_name) - 1,
+ sizeof(file_name) - 1);
+ }
for(;;) {
- count = fscanf(file, "%s %[^\n]\n", encoding_name, file_name);
+ count = fscanf(file, format, encoding_name, file_name);
if(count == EOF)
break;
if(count != 2)
Index: lib/font/fontfile/fontfile.c
===================================================================
RCS file: /home/x-cvs/xc/lib/font/fontfile/fontfile.c,v
retrieving revision 3.16
diff -u -r3.16 fontfile.c
--- fontfile.c 31 May 2002 18:45:50 -0000 3.16
+++ fontfile.c 11 Feb 2004 21:17:20 -0000
@@ -424,11 +424,16 @@
vals.ranges = ranges;
vals.nranges = nranges;
- strcpy (fileName, dir->directory);
- strcat (fileName, scalable->fileName);
- ret = (*scalable->renderer->OpenScalable) (fpe, pFont,
+ if (strlen(dir->directory) + strlen(scalable->fileName) >=
+ sizeof(fileName)) {
+ ret = BadFontName;
+ } else {
+ strcpy (fileName, dir->directory);
+ strcat (fileName, scalable->fileName);
+ ret = (*scalable->renderer->OpenScalable) (fpe, pFont,
flags, entry, fileName, &vals, format, fmask,
non_cachable_font);
+ }
/* In case rasterizer does something bad because of
charset subsetting... */
@@ -497,6 +502,8 @@
dir = (FontDirectoryPtr) fpe->private;
bitmap = &entry->u.bitmap;
+ if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName))
+ return BadFontName;
strcpy (fileName, dir->directory);
strcat (fileName, bitmap->fileName);
ret = (*bitmap->renderer->OpenBitmap)
@@ -530,6 +537,8 @@
dir = (FontDirectoryPtr) fpe->private;
bitmap = &entry->u.bitmap;
+ if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName))
+ return BadFontName;
strcpy (fileName, dir->directory);
strcat (fileName, bitmap->fileName);
ret = (*bitmap->renderer->GetInfoBitmap) (fpe, pFontInfo, entry, fileName);
@@ -891,10 +900,15 @@
vals.ranges = FontParseRanges(origName, &vals.nranges);
ranges = vals.ranges;
/* Make a new scaled instance */
- strcpy (fileName, dir->directory);
- strcat (fileName, scalable->fileName);
- ret = (*scalable->renderer->GetInfoScalable)
- (fpe, *pFontInfo, entry, &tmpName, fileName, &vals);
+ if (strlen(dir->directory) + strlen(scalable->fileName) >=
+ sizeof(fileName)) {
+ ret = BadFontName;
+ } else {
+ strcpy (fileName, dir->directory);
+ strcat (fileName, scalable->fileName);
+ ret = (*scalable->renderer->GetInfoScalable)
+ (fpe, *pFontInfo, entry, &tmpName, fileName, &vals);
+ }
if (ranges) xfree(ranges);
}
}
@@ -931,10 +945,15 @@
bc = &entry->u.bc;
entry = bc->entry;
/* Make a new scaled instance */
- strcpy (fileName, dir->directory);
- strcat (fileName, scalable->fileName);
- ret = (*scalable->renderer->GetInfoScalable)
+ if (strlen(dir->directory) + strlen(scalable->fileName) >=
+ sizeof(fileName)) {
+ ret = BadFontName;
+ } else {
+ strcpy (fileName, dir->directory);
+ strcat (fileName, scalable->fileName);
+ ret = (*scalable->renderer->GetInfoScalable)
(fpe, *pFontInfo, entry, tmpName, fileName, &bc->vals);
+ }
break;
#endif
default: