[pkgsrc/trunk]: pkgsrc/x11/xorg-libs Fixes for CVE-2006-2006-3739 and CVE-200...

[joerg <joerg%pkgsrc.org@localhost>]

details:   https://anonhg.NetBSD.org/pkgsrc/rev/4ff851c81d73
branches:  trunk
changeset: 518549:4ff851c81d73
user:      joerg <joerg%pkgsrc.org@localhost>
date:      Wed Sep 13 12:27:26 2006 +0000

description:
Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
Bump revision.

diffstat:

 x11/xorg-libs/Makefile         |   4 +-
 x11/xorg-libs/distinfo         |   5 +++-
 x11/xorg-libs/patches/patch-cg |  27 +++++++++++++++++++++
 x11/xorg-libs/patches/patch-ch |  52 ++++++++++++++++++++++++++++++++++++++++++
 x11/xorg-libs/patches/patch-ci |  15 ++++++++++++
 5 files changed, 100 insertions(+), 3 deletions(-)

diffs (136 lines):

diff -r 0f83660034e2 -r 4ff851c81d73 x11/xorg-libs/Makefile
--- a/x11/xorg-libs/Makefile    Wed Sep 13 12:06:28 2006 +0000
+++ b/x11/xorg-libs/Makefile    Wed Sep 13 12:27:26 2006 +0000
@@ -1,8 +1,8 @@
-# $NetBSD: Makefile,v 1.42 2006/08/26 15:20:44 joerg Exp $
+# $NetBSD: Makefile,v 1.43 2006/09/13 12:27:26 joerg Exp $
 
 DISTNAME=              ${DISTFILES}
 PKGNAME=               xorg-libs-${XORG_VER}
-PKGREVISION=           8
+PKGREVISION=           9
 CATEGORIES=            x11
 MASTER_SITES=          ${MASTER_SITE_XORG}
 DISTFILES=             X11R${XORG_VER}-src1.tar.gz X11R${XORG_VER}-src2.tar.gz \
diff -r 0f83660034e2 -r 4ff851c81d73 x11/xorg-libs/distinfo
--- a/x11/xorg-libs/distinfo    Wed Sep 13 12:06:28 2006 +0000
+++ b/x11/xorg-libs/distinfo    Wed Sep 13 12:27:26 2006 +0000
@@ -1,4 +1,4 @@
-$NetBSD: distinfo,v 1.52 2006/08/22 18:12:14 joerg Exp $
+$NetBSD: distinfo,v 1.53 2006/09/13 12:27:26 joerg Exp $
 
 SHA1 (X11R6.9.0-src1.tar.gz) = a6c077ed8fdeee5fe1956a427c4cb0bc266e1bef
 RMD160 (X11R6.9.0-src1.tar.gz) = d12270a4f41a3ceee4bfd5da22d387a3aa707df8
@@ -59,3 +59,6 @@
 SHA1 (patch-cd) = e4bb522f4f3e896627aab68e39b0c643e4a6a5be
 SHA1 (patch-ce) = ce68c16dde6a924dbb43b44653bd4bc7c26c34ef
 SHA1 (patch-cf) = ec178ce36dbcd9b65d49584aa80e080b6f11132a
+SHA1 (patch-cg) = 82b40c8e39305bd320a88498c7202dc6e1e11743
+SHA1 (patch-ch) = e09e3fe3dd14caa70d2bcee1b58a72db0851632c
+SHA1 (patch-ci) = eaba43892d9968cf268ce1c0efe31a14c1a56ed5
diff -r 0f83660034e2 -r 4ff851c81d73 x11/xorg-libs/patches/patch-cg
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/x11/xorg-libs/patches/patch-cg    Wed Sep 13 12:27:26 2006 +0000
@@ -0,0 +1,27 @@
+$NetBSD: patch-cg,v 1.1 2006/09/13 12:27:26 joerg Exp $
+
+Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
+
+--- lib/font/Type1/afm.c.orig  2006-09-13 14:17:16.000000000 +0200
++++ lib/font/Type1/afm.c
+@@ -29,6 +29,7 @@
+ #include <stdio.h>
+ #include <string.h>
+ #include <stdlib.h>
++#include <limits.h>
+ #else
+ #include "Xmd.h"        /* For INT32 declaration */
+ #include "Xdefs.h"      /* For Bool */
+@@ -118,6 +119,12 @@ int CIDAFM(FILE *fd, FontInfo **pfi) {
+             
+             fi->nChars = atoi(p);
+ 
++          if (fi->nChars < 0 || fi->nChars  > INT_MAX / sizeof(Metrics)) {
++                xfree(afmbuf);
++                xfree(fi);
++                return(1);
++          }
++
+             fi->metrics = (Metrics *)xalloc(fi->nChars * 
+                 sizeof(Metrics));
+             if (fi->metrics == NULL) {
diff -r 0f83660034e2 -r 4ff851c81d73 x11/xorg-libs/patches/patch-ch
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/x11/xorg-libs/patches/patch-ch    Wed Sep 13 12:27:26 2006 +0000
@@ -0,0 +1,52 @@
+$NetBSD: patch-ch,v 1.1 2006/09/13 12:27:26 joerg Exp $
+
+Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
+
+--- lib/font/Type1/scanfont.c.orig     2006-09-13 14:18:59.000000000 +0200
++++ lib/font/Type1/scanfont.c
+@@ -57,6 +57,7 @@
+ 
+ #ifndef FONTMODULE
+ #include <string.h>
++#include <limits.h>
+ #else
+ #include "Xdefs.h"    /* Bool declaration */
+ #include "Xmd.h"      /* INT32 declaration */
+@@ -654,6 +655,7 @@ getFDArray(psobj *arrayP)
+   arrayP->data.valueP = tokenStartP;
+ 
+   /* allocate FDArray */
++  /* No integer overflow since arrayP->len is unsigned short */
+   FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
+   if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
+ 
+@@ -850,7 +852,8 @@ BuildSubrs(psfont *FontP)
+      }
+      return(SCAN_OK);
+    }
+- 
++   if (N > INT_MAX / sizeof(psobj))
++     return (SCAN_ERROR);
+    arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
+    if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
+    FontP->Subrs.len = N;
+@@ -911,7 +914,7 @@ BuildCharStrings(psfont *FontP)
+      }
+      else return(rc);  /* if next token was not an Int */
+    }
+-   if (N<=0) return(SCAN_ERROR);
++   if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
+    /* save number of entries in the dictionary */
+  
+    dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
+@@ -1719,6 +1722,10 @@ scan_cidfont(cidfont *CIDFontP, cmapres 
+     if (tokenType == TOKEN_INTEGER)
+       rangecnt = tokenValue.integer;
+ 
++    if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
++      rc = SCAN_ERROR;
++      break;
++    }
+     /* ==> tokenLength, tokenTooLong, tokenType, and */
+     /* tokenValue are now set                        */
+ 
diff -r 0f83660034e2 -r 4ff851c81d73 x11/xorg-libs/patches/patch-ci
--- /dev/null   Thu Jan 01 00:00:00 1970 +0000
+++ b/x11/xorg-libs/patches/patch-ci    Wed Sep 13 12:27:26 2006 +0000
@@ -0,0 +1,15 @@
+$NetBSD: patch-ci,v 1.1 2006/09/13 12:27:26 joerg Exp $
+
+Fixes for CVE-2006-2006-3739 and CVE-2006-3740.
+
+--- lib/font/Type1/util.c.orig 2006-09-13 14:22:13.000000000 +0200
++++ lib/font/Type1/util.c
+@@ -104,7 +104,7 @@ vm_alloc(int bytes)
+   bytes = (bytes + 7) & ~7;
+  
+   /* Allocate the space, if it is available */
+-  if (bytes <= vm_free) {
++  if (bytes > 0 && bytes <= vm_free) {
+     answer = vm_next;
+     vm_free -= bytes;
+     vm_next += bytes;