Submitted By: Dan Nicholson <dnicholson AT linuxfromscratch DOT org>
Date: 2008-04-22
Initial Package Version: 1.2.8
Upstream Status: Applied (available in 1.3.2)
Origin: http://xorg.freedesktop.org/archive/X11R7.2/patches/
Description: Fixes CVE-2008-0006 - PCF Font parser buffer overflow
  http://lists.freedesktop.org/archives/xorg/2008-January/031918.html

diff -pNur libXfont-1.2.8.orig/src/bitmap/pcfread.c libXfont-1.2.8/src/bitmap/pcfread.c
--- libXfont-1.2.8.orig/src/bitmap/pcfread.c	2006-08-29 19:15:50.000000000 -0700
+++ libXfont-1.2.8/src/bitmap/pcfread.c	2008-04-21 20:15:16.000000000 -0700
@@ -588,6 +588,9 @@ pcfReadFont(FontPtr pFont, FontFilePtr f
     pFont->info.lastRow = pcfGetINT16(file, format);
     pFont->info.defaultCh = pcfGetINT16(file, format);
     if (IS_EOF(file)) goto Bail;
+    if (pFont->info.firstCol > pFont->info.lastCol ||
+       pFont->info.firstRow > pFont->info.lastRow ||
+       pFont->info.lastCol-pFont->info.firstCol > 255) goto Bail;
 
     nencoding = (pFont->info.lastCol - pFont->info.firstCol + 1) *
 	(pFont->info.lastRow - pFont->info.firstRow + 1);
@@ -726,6 +729,9 @@ pcfReadFontInfo(FontInfoPtr pFontInfo, F
     pFontInfo->lastRow = pcfGetINT16(file, format);
     pFontInfo->defaultCh = pcfGetINT16(file, format);
     if (IS_EOF(file)) goto Bail;
+    if (pFontInfo->firstCol > pFontInfo->lastCol ||
+       pFontInfo->firstRow > pFontInfo->lastRow ||
+       pFontInfo->lastCol-pFontInfo->firstCol > 255) goto Bail;
 
     nencoding = (pFontInfo->lastCol - pFontInfo->firstCol + 1) *
 	(pFontInfo->lastRow - pFontInfo->firstRow + 1);