Submitted By: Archaic <archaic AT linuxfromscratch DOT org>
Date: 2007-04-28
Initial Package Version: 1.2.7
Upstream Status: Applied
Origin: http://xorg.freedesktop.org/archive/X11R7.2/patches/
Description: Fixes possible memory corruption from specially crafted images and
a file parsing integer overflow.
http://lists.freedesktop.org/archives/xorg-announce/2007-April/000286.html

diff -Naur libXfont-1.2.7.orig/src/bitmap/bdfread.c libXfont-1.2.7/src/bitmap/bdfread.c
--- libXfont-1.2.7.orig/src/bitmap/bdfread.c	2006-07-04 18:55:31.000000000 +0000
+++ libXfont-1.2.7/src/bitmap/bdfread.c	2007-04-29 02:05:54.000000000 +0000
@@ -65,6 +65,12 @@
 #include <X11/fonts/bitmap.h>
 #include <X11/fonts/bdfint.h>
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(INT32_MAX)
+#define INT32_MAX 0x7fffffff
+#endif
+
 #define INDICES 256
 #define MAXENCODING 0xFFFF
 #define BDFLINELEN  1024
@@ -288,6 +294,11 @@
 	bdfError("invalid number of CHARS in BDF file\n");
 	return (FALSE);
     }
+    if (nchars > INT32_MAX / sizeof(CharInfoRec)) {
+	bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
+		 sizeof(CharInfoRec));
+	goto BAILOUT;
+    }
     ci = (CharInfoPtr) xalloc(nchars * sizeof(CharInfoRec));
     if (!ci) {
 	bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,
diff -Naur libXfont-1.2.7.orig/src/fontfile/fontdir.c libXfont-1.2.7/src/fontfile/fontdir.c
--- libXfont-1.2.7.orig/src/fontfile/fontdir.c	2006-07-04 18:55:31.000000000 +0000
+++ libXfont-1.2.7/src/fontfile/fontdir.c	2007-04-29 02:05:54.000000000 +0000
@@ -38,9 +38,17 @@
 #include    <X11/fonts/fntfilst.h>
 #include    <X11/keysym.h>
 
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(INT32_MAX)
+#define INT32_MAX 0x7fffffff
+#endif
+
 Bool
 FontFileInitTable (FontTablePtr table, int size)
 {
+    if (size < 0 || (size > INT32_MAX/sizeof(FontEntryRec))) 
+	return FALSE;
     if (size)
     {
 	table->entries = (FontEntryPtr) xalloc(sizeof(FontEntryRec) * size);