Submitted By: Dan Nicholson <dnicholson at linuxfromscratch dot org>
Date: 2006-10-11
Initial Package Version: 1.1.0
Origin: http://xorg.freedesktop.org/releases/X11R7.1/patches/
Upstream Status: Applied
Description: Fixes a security vulnerability. See the following advisory:
    http://lists.freedesktop.org/archives/xorg/2006-September/018021.html

diff -pNur libXfont-1.1.0.orig/src/Type1/afm.c libXfont-1.1.0/src/Type1/afm.c
--- libXfont-1.1.0.orig/src/Type1/afm.c	2005-07-09 23:30:06.000000000 +0000
+++ libXfont-1.1.0/src/Type1/afm.c	2006-10-11 20:30:29.000000000 +0000
@@ -37,6 +37,8 @@
 #include <X11/fonts/fontmisc.h>			/* for xalloc/xfree */
 #include "AFM.h"
 
+#include <limits.h>
+
 #define PBUF 256
 #define KBUF 20
 
@@ -118,6 +120,11 @@ int CIDAFM(FILE *fd, FontInfo **pfi) {
             
             fi->nChars = atoi(p);
 
+	    if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
+		xfree(afmbuf);
+		xfree(fi);
+		return(1);
+	    }
             fi->metrics = (Metrics *)xalloc(fi->nChars * 
                 sizeof(Metrics));
             if (fi->metrics == NULL) {
diff -pNur libXfont-1.1.0.orig/src/Type1/scanfont.c libXfont-1.1.0/src/Type1/scanfont.c
--- libXfont-1.1.0.orig/src/Type1/scanfont.c	2005-07-09 23:30:06.000000000 +0000
+++ libXfont-1.1.0/src/Type1/scanfont.c	2006-10-11 20:30:29.000000000 +0000
@@ -72,6 +72,8 @@
 #include "spaces.h"
 #include "fontfcn.h"
 #include "blues.h"
+
+#include <limits.h>
  
 #if XFONT_CID
 #define CID_BUFSIZE 80
@@ -654,6 +656,7 @@ getFDArray(psobj *arrayP)
   arrayP->data.valueP = tokenStartP;
 
   /* allocate FDArray */
+  /* No integer overflow since arrayP->len is unsigned short */
   FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
   if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
 
@@ -850,7 +853,8 @@ BuildSubrs(psfont *FontP)
      }
      return(SCAN_OK);
    }
- 
+   if (N > INT_MAX / sizeof(psobj)) 
+       return (SCAN_ERROR);
    arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
    if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
    FontP->Subrs.len = N;
@@ -911,7 +915,7 @@ BuildCharStrings(psfont *FontP)
      }
      else return(rc);  /* if next token was not an Int */
    }
-   if (N<=0) return(SCAN_ERROR);
+   if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
    /* save number of entries in the dictionary */
  
    dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
@@ -1719,6 +1723,10 @@ scan_cidfont(cidfont *CIDFontP, cmapres 
     if (tokenType == TOKEN_INTEGER)
       rangecnt = tokenValue.integer;
 
+    if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
+	rc = SCAN_ERROR;
+	break;
+    }
     /* ==> tokenLength, tokenTooLong, tokenType, and */
     /* tokenValue are now set                        */
 
diff -pNur libXfont-1.1.0.orig/src/Type1/util.c libXfont-1.1.0/src/Type1/util.c
--- libXfont-1.1.0.orig/src/Type1/util.c	2005-07-09 23:30:07.000000000 +0000
+++ libXfont-1.1.0/src/Type1/util.c	2006-10-11 20:30:29.000000000 +0000
@@ -104,7 +104,7 @@ vm_alloc(int bytes)
   bytes = (bytes + 7) & ~7;
  
   /* Allocate the space, if it is available */
-  if (bytes <= vm_free) {
+  if (bytes > 0 && bytes <= vm_free) {
     answer = vm_next;
     vm_free -= bytes;
     vm_next += bytes;