libXfont: Changes to 'libXfont-1.5-branch'
Jeremy Huddleston
jeremyhu at kemper.freedesktop.org
Tue May 31 04:25:58 UTC 2016
src/FreeType/ftfuncs.c | 14 +++++++-------
src/bitmap/bdfread.c | 4 ++--
src/bitmap/bitscale.c | 4 ++++
src/bitmap/pcfread.c | 1 -
src/fc/fserve.c | 8 +++-----
5 files changed, 16 insertions(+), 15 deletions(-)
New commits:
commit 42d85d1293b2753f3f200de0e960bacef0c973c7
Author: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
Date: Mon May 30 00:46:21 2016 -0700
fserve: Fix a buffer read overrun in _fs_client_access
https://bugs.freedesktop.org/show_bug.cgi?id=83224
Found by clang's Address Sanitizer
    crac.num_auths = set_font_authorizations(&authorizations, &authlen,
                                             client);
    /* Work around bug in xfs versions up through modular release 1.0.8
       which rejects CreateAC packets with num_auths = 0 & authlen < 4 */
    if (crac.num_auths == 0) {
        authorizations = padding;
        authlen = 4;
    } else {
        authlen = (authlen + 3) & ~0x3;
    }
    crac.length = (sizeof (fsCreateACReq) + authlen) >> 2;
    crac.acid = cur->acid;
    _fs_add_req_log(conn, FS_CreateAC);
    _fs_write(conn, (char *) &crac, sizeof (fsCreateACReq));
    _fs_write(conn, authorizations, authlen);
In the case in the report, set_font_authorizations set up authorizations as a
34 byte buffer (and authlen set to 34 as one would expect). The following
block changed authlen to 36 to make it 4-byte aligned and the final _fs_write()
caused us to read 36 bytes from this 34 byte buffer.
This changes the incorrect size increase to instead use _fs_write_pad which
takes care of the padding for us.
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
(cherry picked from commit 6972ea08ee5b2ef1cfbdc2fcaf14f06bbd391561)
commit 2b09a7af9f19db886567e524f978ad393593f7c0
Author: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
Date: Sun May 29 23:37:13 2016 -0700
fserve: Silence a -Wformat warning
src/fc/fserve.c:653:32: warning: format specifies type 'int' but the argument has type 'CARD32' (aka 'unsigned long') [-Wformat]
" from font server\n", rep->length);
^~~~~~~~~~~
1 warning generated.
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
(cherry picked from commit e6009adbc89ec3e1f924bcb57b333c1c02f5e66d)
commit 3eddbca2690381bbbaf14adadb2679eea702095f
Author: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
Date: Sun May 29 23:34:35 2016 -0700
bitmap: Bail out on invalid input to FontFileMakeDir instead of calling calloc for 0 bytes
Found by clang static analysis:
Call to 'calloc' has an allocation size of 0 bytes
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
(cherry picked from commit ac559fad20bbae45332c758abb6a790c3fd341a2)
commit dfa572ea522a3019e91f2de7854b252c629342f2
Author: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
Date: Sun May 29 23:29:50 2016 -0700
FreeType: Correct an allocation size
Found by clang static analysis:
Result of 'calloc' is converted to a pointer of type 'int', which is
incompatible with sizeof operand type 'int *'
This is likely benign because the old size was larger on any platform where
sizeof(int) <= sizeof(void *), which is everywhere.
Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu at apple.com>
(cherry picked from commit d0fff111992fed9d9bfbf0c19e136bda9ba1db55)
commit bee4a764ccef46101dca03c70d4ad1793a5a5d78
Author: Keith Packard <keithp at keithp.com>
Date: Mon Dec 7 15:46:13 2015 -0800
Fix warnings
Mostly signed vs unsigned comparisons
Signed-off-by: Keith Packard <keithp at keithp.com>
Squashed commit of three cherry-picks from master:
(cherry picked from commit eb67d10ae82b364a4324e96ce53baaa4e5e75f97)
(cherry picked from commit eefc0b0b908eb8533e704d7156ce983ad7891cc5)
(cherry picked from commit d967caa988eaabd9e84c82879e2f21bd33b952a7)
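The over-read described in commit 42d85d12 and the padded-write approach it switches to, as an added C example that is not libXfont code. struct sink, sink_write, sink_write_pad and the 8-byte header are hypothetical stand-ins for the connection, _fs_write, _fs_write_pad and the request header; the 34-byte buffer is constructed to match the reported case.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical in-memory sink standing in for the font-server connection. */
struct sink { uint8_t data[128]; size_t used; };
/* Round a length up to the next multiple of 4 (protocol alignment). */
static size_t pad4(size_t len) { return (len + 3) & ~(size_t)3; }

/* Raw write: reads exactly len bytes from buf, so buf must hold len bytes. */
static int sink_write(struct sink *s, const void *buf, size_t len)
{
    if (len > sizeof s->data - s->used) return -1;
    memcpy(s->data + s->used, buf, len);
    s->used += len;
    return 0;
}

/* Padded write: reads only len bytes from buf; pad bytes come from zeros[]. */
static int sink_write_pad(struct sink *s, const void *buf, size_t len)
{
    static const uint8_t zeros[4] = {0};
    if (sink_write(s, buf, len) != 0) return -1;
    return sink_write(s, zeros, pad4(len) - len);
}

/* Bytes the pre-fix raw write of the rounded length reads past the buffer. */
static size_t overread_before_fix(size_t authlen) { return pad4(authlen) - authlen; }

/* Post-fix: length field counts the padded size, the read from auth does not. */
static size_t send_auth(struct sink *s, const uint8_t *auth, size_t n, uint16_t *words)
{
    uint8_t header[8] = {0};   /* constructed 8-byte header, an assumption */
    *words = (uint16_t)((sizeof header + pad4(n)) >> 2);
    if (sink_write(s, header, sizeof header) != 0 ||
        sink_write_pad(s, auth, n) != 0) return 0;   /* 0 signals an error */
    return s->used;
}

int main(void)
{
    uint8_t auth[34] = {0};    /* constructed sample: the 34-byte case */
    struct sink s = { {0}, 0 };
    uint16_t words;
    printf("pre-fix over-read %zu, post-fix wire bytes %zu\n",
           overread_before_fix(sizeof auth), send_auth(&s, auth, sizeof auth, &words));
    return 0;
}
```

The wire length is the same in both patterns; what differs is where the two pad bytes are read from, which is why the pre-fix code only showed up under Address Sanitizer.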