diff options
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch | 40 | ||||
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch | 80 | ||||
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch | 38 | ||||
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libxfont_1.5.1.bb (renamed from meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb) | 9 |
4 files changed, 2 insertions, 165 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch deleted file mode 100644 index cc66c12452..0000000000 --- a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch +++ /dev/null @@ -1,40 +0,0 @@ -From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Fri, 6 Feb 2015 15:54:00 -0800 -Subject: [PATCH] bdfReadCharacters: bailout if a char's bitmap cannot be read - [CVE-2015-1803] - -Previously would charge on ahead with a NULL pointer in ci->bits, and -then crash later in FontCharInkMetrics() trying to access the bits. - -Found with afl-1.23b. - -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Reviewed-by: Julien Cristau <jcristau@debian.org> - -Upstream-Status: backport - -Signed-off-by: Li Zhou <li.zhou@windriver.com> ---- - src/bitmap/bdfread.c | 5 ++++- - 1 file changed, 4 insertions(+), 1 deletion(-) - -diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c -index 6387908..1b29b81 100644 ---- a/src/bitmap/bdfread.c -+++ b/src/bitmap/bdfread.c -@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, - ci->metrics.descent = -bb; - ci->metrics.characterWidth = wx; - ci->bits = NULL; -- bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes); -+ if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) { -+ bdfError("could not read bitmap for character '%s'\n", charName); -+ goto BAILOUT; -+ } - ci++; - ndx++; - } else --- -1.7.9.5 - diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch deleted file mode 100644 index b64f1d9a87..0000000000 --- a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch +++ /dev/null @@ -1,80 +0,0 @@ -From 2351c83a77a478b49cba6beb2ad386835e264744 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Fri, 6 Mar 2015 22:54:58 -0800 -Subject: [PATCH] bdfReadCharacters: ensure metrics fit into xCharInfo struct - [CVE-2015-1804] - -We use 32-bit ints to read from the bdf file, but then try to stick -into a 16-bit int in the xCharInfo struct, so make sure they won't -overflow that range. - -Found by afl-1.24b. - -v2: Verify that additions won't overflow 32-bit int range either. -v3: As Julien correctly observes, the previous check for bh & bw not - being < 0 reduces the number of cases we need to check for overflow. - -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Reviewed-by: Julien Cristau <jcristau@debian.org> - -Upstream-Status: backport - -Signed-off-by: Li Zhou <li.zhou@windriver.com> ---- - src/bitmap/bdfread.c | 26 ++++++++++++++++++++++++-- - 1 file changed, 24 insertions(+), 2 deletions(-) - -diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c -index 1b29b81..a0ace8f 100644 ---- a/src/bitmap/bdfread.c -+++ b/src/bitmap/bdfread.c -@@ -62,8 +62,16 @@ from The Open Group. - - #if HAVE_STDINT_H - #include <stdint.h> --#elif !defined(INT32_MAX) --#define INT32_MAX 0x7fffffff -+#else -+# ifndef INT32_MAX -+# define INT32_MAX 0x7fffffff -+# endif -+# ifndef INT16_MAX -+# define INT16_MAX 0x7fff -+# endif -+# ifndef INT16_MIN -+# define INT16_MIN (0 - 0x8000) -+# endif - #endif - - #define INDICES 256 -@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, - bdfError("DWIDTH y value must be zero\n"); - goto BAILOUT; - } -+ /* xCharInfo metrics are stored as INT16 */ -+ if ((wx < 0) || (wx > INT16_MAX)) { -+ bdfError("character '%s' has out of range width, %d\n", -+ charName, wx); -+ goto BAILOUT; -+ } - line = bdfGetLine(file, lineBuf, BDFLINELEN); - if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) { - bdfError("bad 'BBX'\n"); -@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, - charName, bw, bh); - goto BAILOUT; - } -+ /* xCharInfo metrics are read as int, but stored as INT16 */ -+ if ((bl > INT16_MAX) || (bl < INT16_MIN) || -+ (bb > INT16_MAX) || (bb < INT16_MIN) || -+ (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) { -+ bdfError("character '%s' has out of range metrics, %d %d %d %d\n", -+ charName, bl, (bl+bw), (bh+bb), -bb); -+ goto BAILOUT; -+ } - line = bdfGetLine(file, lineBuf, BDFLINELEN); - if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) { - for (p = line + strlen("ATTRIBUTES "); --- -1.7.9.5 - diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch deleted file mode 100644 index 0779c26dcd..0000000000 --- a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch +++ /dev/null @@ -1,38 +0,0 @@ -From 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Fri, 6 Feb 2015 15:50:45 -0800 -Subject: [PATCH] bdfReadProperties: property count needs range check - [CVE-2015-1802] - -Avoid integer overflow or underflow when allocating memory arrays -by multiplying the number of properties reported for a BDF font. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Reviewed-by: Julien Cristau <jcristau@debian.org> - -Upstream-Status: backport - -Signed-off-by: Li Zhou <li.zhou@windriver.com> ---- - src/bitmap/bdfread.c | 4 +++- - 1 file changed, 3 insertions(+), 1 deletion(-) - -diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c -index 914a024..6387908 100644 ---- a/src/bitmap/bdfread.c -+++ b/src/bitmap/bdfread.c -@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState) - bdfError("missing 'STARTPROPERTIES'\n"); - return (FALSE); - } -- if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) { -+ if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) || -+ (nProps <= 0) || -+ (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) { - bdfError("bad 'STARTPROPERTIES'\n"); - return (FALSE); - } --- -1.7.9.5 - diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.1.bb index dfd2dc67a2..1b6e33c717 100644 --- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb +++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.1.bb @@ -18,10 +18,5 @@ XORG_PN = "libXfont" BBCLASSEXTEND = "native" -SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \ - file://0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch \ - file://0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch \ - " - -SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb" -SRC_URI[sha256sum] = "3a3c52c4adf9352b2160f07ff0596af17ab14f91d6509564e606678a1261c25f" +SRC_URI[md5sum] = "96f76ba94b4c909230bac1e2dcd551c4" +SRC_URI[sha256sum] = "b70898527c73f9758f551bbab612af611b8a0962202829568d94f3edf4d86098" |