[pkgsrc/trunk]: pkgsrc/x11/XFree86-libs Fix for CVE-2006-3739 and CVE-2006-3740.

[adrianp <adrianp%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/291393b93e12
branches:  trunk
changeset: 518723:291393b93e12
user:      adrianp <adrianp%pkgsrc.org@localhost>
date:      Sat Sep 16 08:28:36 2006 +0000

description:
Fix for CVE-2006-3739 and CVE-2006-3740.

diffstat:

 x11/XFree86-libs/Makefile         |   4 +-
 x11/XFree86-libs/distinfo         |   5 +++-
 x11/XFree86-libs/patches/patch-av |  25 +++++++++++++++++++
 x11/XFree86-libs/patches/patch-aw |  51 +++++++++++++++++++++++++++++++++++++++
 x11/XFree86-libs/patches/patch-ax |  13 +++++++++
 5 files changed, 95 insertions(+), 3 deletions(-)

diffs (131 lines):

diff -r 8081c69bf834 -r 291393b93e12 x11/XFree86-libs/Makefile
--- a/x11/XFree86-libs/Makefile Sat Sep 16 07:18:59 2006 +0000
+++ b/x11/XFree86-libs/Makefile Sat Sep 16 08:28:36 2006 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.29 2006/09/04 20:48:04 adrianp Exp $
+# $NetBSD: Makefile,v 1.30 2006/09/16 08:28:36 adrianp Exp $
 
 DISTNAME=              ${DISTFILES}
 PKGNAME=               XFree86-libs-${XF_VER}
-PKGREVISION=           8
+PKGREVISION=           9
 CATEGORIES=            x11
 MASTER_SITES=          ${MASTER_SITE_XFREE}
 DISTFILES=             XFree86-${XF_VER}-src-1.tgz XFree86-${XF_VER}-src-2.tgz \
diff -r 8081c69bf834 -r 291393b93e12 x11/XFree86-libs/distinfo
--- a/x11/XFree86-libs/distinfo Sat Sep 16 07:18:59 2006 +0000
+++ b/x11/XFree86-libs/distinfo Sat Sep 16 08:28:36 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.11 2006/09/04 20:48:04 adrianp Exp $
+$NetBSD: distinfo,v 1.12 2006/09/16 08:28:36 adrianp Exp $
 
 SHA1 (XFree86-4.4.0-src-1.tgz) = 44b38a7044c82d0b2f785b0e6a935349abcb5d79
 RMD160 (XFree86-4.4.0-src-1.tgz) = 40917951f1f661bfa28450771bbe86e8f0dd2549
@@ -33,3 +33,6 @@
 SHA1 (patch-as) = c0b27ef82c688c535fdd46cb5de3315e24677fc6
 SHA1 (patch-at) = 7cd02712c1ae4ca070564d2f7b5cb4e3e5b6e93b
 SHA1 (patch-au) = 8e121828d0f826f9029c0aee0f39e4e7ea2b0dac
+SHA1 (patch-av) = bb9adf1a535781ef9f765d8e705a031cfabf7edb
+SHA1 (patch-aw) = ee25a878725b00e6c1f4cbd592ee6e63c33a9d55
+SHA1 (patch-ax) = c90ff7bfe7dbb9d7bf3bf3300ec386da187aec29
diff -r 8081c69bf834 -r 291393b93e12 x11/XFree86-libs/patches/patch-av
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/x11/XFree86-libs/patches/patch-av Sat Sep 16 08:28:36 2006 +0000
@@ -0,0 +1,25 @@
+$NetBSD: patch-av,v 1.3 2006/09/16 08:28:36 adrianp Exp $
+
+--- lib/font/Type1/afm.c.orig  2001-08-27 20:49:52.000000000 +0100
++++ lib/font/Type1/afm.c
+@@ -30,6 +30,8 @@
+ #include "fontmisc.h"                 /* for xalloc/xfree */
+ #include "AFM.h"
+ 
++#include <limits.h>
++
+ #define PBUF 256
+ #define KBUF 20
+ 
+@@ -111,6 +113,11 @@ int CIDAFM(FILE *fd, FontInfo **pfi) {
+             
+             fi->nChars = atoi(p);
+ 
++          if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
++              xfree(afmbuf);
++              xfree(fi);
++              return(1);
++          }
+             fi->metrics = (Metrics *)xalloc(fi->nChars * 
+                 sizeof(Metrics));
+             if (fi->metrics == NULL) {
diff -r 8081c69bf834 -r 291393b93e12 x11/XFree86-libs/patches/patch-aw
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/x11/XFree86-libs/patches/patch-aw Sat Sep 16 08:28:36 2006 +0000
@@ -0,0 +1,51 @@
+$NetBSD: patch-aw,v 1.3 2006/09/16 08:28:36 adrianp Exp $
+
+--- lib/font/Type1/scanfont.c.orig     2003-11-29 04:55:28.000000000 +0000
++++ lib/font/Type1/scanfont.c
+@@ -64,6 +64,8 @@
+ #include "spaces.h"
+ #include "fontfcn.h"
+ #include "blues.h"
++
++#include <limits.h>
+  
+ #ifdef BUILDCID
+ #define CID_BUFSIZE 80
+@@ -646,6 +648,7 @@ getFDArray(psobj *arrayP)
+   arrayP->data.valueP = tokenStartP;
+ 
+   /* allocate FDArray */
++  /* No integer overflow since arrayP->len is unsigned short */
+   FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
+   if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
+ 
+@@ -842,7 +845,8 @@ BuildSubrs(psfont *FontP)
+      }
+      return(SCAN_OK);
+    }
+- 
++   if (N > INT_MAX / sizeof(psobj)) 
++       return (SCAN_ERROR);
+    arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
+    if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
+    FontP->Subrs.len = N;
+@@ -903,7 +907,7 @@ BuildCharStrings(psfont *FontP)
+      }
+      else return(rc);  /* if next token was not an Int */
+    }
+-   if (N<=0) return(SCAN_ERROR);
++   if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
+    /* save number of entries in the dictionary */
+  
+    dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
+@@ -1711,6 +1715,10 @@ scan_cidfont(cidfont *CIDFontP, cmapres 
+     if (tokenType == TOKEN_INTEGER)
+       rangecnt = tokenValue.integer;
+ 
++    if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
++      rc = SCAN_ERROR;
++      break;
++    }
+     /* ==> tokenLength, tokenTooLong, tokenType, and */
+     /* tokenValue are now set                        */
+ 
diff -r 8081c69bf834 -r 291393b93e12 x11/XFree86-libs/patches/patch-ax
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/x11/XFree86-libs/patches/patch-ax Sat Sep 16 08:28:36 2006 +0000
@@ -0,0 +1,13 @@
+$NetBSD: patch-ax,v 1.3 2006/09/16 08:28:36 adrianp Exp $
+
+--- lib/font/Type1/util.c.orig 2001-01-17 19:43:24.000000000 +0000
++++ lib/font/Type1/util.c
+@@ -97,7 +97,7 @@ vm_alloc(int bytes)
+   bytes = (bytes + 7) & ~7;
+  
+   /* Allocate the space, if it is available */
+-  if (bytes <= vm_free) {
++  if (bytes > 0 && bytes <= vm_free) {
+     answer = vm_next;
+     vm_free -= bytes;
+     vm_next += bytes;