Update to libXfont 1.4.7. Include fix for CVE-2013-6462.

unlimited sscanf overflows stack buffer in bdfReadCharacters

lib/libXfont/ChangeLog

@@ -1,3 +1,129 @@
+commit 30110063857ff9a5f93f6d8d13f535c9b6e59e2a
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Tue Jan 7 08:22:31 2014 -0800
+
+    libXfont 1.4.7
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 2a84680376bafd74609c6ef3e38befcb8467d814
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Mon Dec 23 19:01:11 2013 -0800
+
+    Limit additional sscanf strings to fit buffer sizes
+    
+    None of these could currently result in buffer overflow, as the input
+    and output buffers were the same size, but adding limits helps ensure
+    we keep it that way, if we ever resize any of these in the future.
+    
+    Fixes cppcheck warnings:
+     [lib/libXfont/src/bitmap/bdfread.c:547]: (warning)
+      scanf without field width limits can crash with huge input data.
+     [lib/libXfont/src/bitmap/bdfread.c:553]: (warning)
+      scanf without field width limits can crash with huge input data.
+     [lib/libXfont/src/bitmap/bdfread.c:636]: (warning)
+      scanf without field width limits can crash with huge input data.
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+
+commit 4d024ac10f964f6bd372ae0dd14f02772a6e5f63
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Mon Dec 23 18:34:02 2013 -0800
+
+    CVE-2013-6462: unlimited sscanf overflows stack buffer in bdfReadCharacters()
+    
+    Fixes cppcheck warning:
+     [lib/libXfont/src/bitmap/bdfread.c:341]: (warning)
+      scanf without field width limits can crash with huge input data.
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+    Reviewed-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
+
+commit fdcf9a9be6a5d453659beadec5d1a1fdbab9afaf
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Fri Dec 27 11:01:35 2013 -0800
+
+    Add AC_USE_SYSTEM_EXTENSIONS to expose non-standard extensions
+    
+    Required on Solaris to expose definitions in system headers that
+    are not defined in the XPG standards now that xtrans 1.3 defines
+    _XOPEN_SOURCE to 600 on Solaris.
+    
+    Fixes build failures:
+    fserve.c: In function 'fs_block_handler':
+    fserve.c:1210:5: error: 'fd_mask' undeclared (first use in this function)
+    fserve.c:1210:5: note: each undeclared identifier is reported only once for each function it appears in
+    In file included from transport.c:67:0,
+                     from fstrans.c:28:
+    Xtranssock.c: In function '_FontTransSocketINETConnect':
+    Xtranssock.c:1421:19: error: 'INET6_ADDRSTRLEN' undeclared (first use in this function)
+    Xtranssock.c:1421:19: note: each undeclared identifier is reported only once for each function it appears in
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Reviewed-by: Daniel Stone <daniel@fooishbar.org>
+
+commit 0d24378a6f08f5ab594ff552d60cf5f8f74bcb33
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Dec 7 20:11:29 2013 -0800
+
+    Don't leak old allocation if realloc fails to enlarge it
+    
+    In ftfuncs.c, since the buffer being reallocated is a function local
+    buffer, used to accumulate data for a single run of the function and
+    then freed at the end of the function, we just free the old buffer if
+    realloc fails.
+    
+    In atom.c however, the ReverseMap is a static buffer, so we operate in
+    temporary variables until we know we're successful, then update the
+    static variables.  If we fail, we leave the old static variables in place,
+    since they contain data about previous atoms we should maintain, not lose.
+    
+    Reported by cppcheck:
+    [lib/libXfont/src/FreeType/ftfuncs.c:2122]: (error) Common realloc mistake:
+     'ranges' nulled but not freed upon failure
+    [lib/libXfont/src/util/atom.c:126]: (error) Common realloc mistake:
+     'reverseMap' nulled but not freed upon failure
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
+
+commit 5e27c364b174497d427dcecd122d711ef6b9f630
+Author: Julien Cristau <jcristau@debian.org>
+Date:   Mon Aug 12 18:40:27 2013 +0200
+
+    Make serverGeneration unsigned
+    
+    Makes the definition match other declarations, and xserver's definition.
+    
+    Debian bug#689439
+    
+    Reported-by: Michael Tautschnig <mt@debian.org>
+    Signed-off-by: Julien Cristau <jcristau@debian.org>
+    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 7d34534c050cb4366c7b14bff585c17d6d578f89
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Sat Oct 26 00:06:22 2013 -0700
+
+    Replace malloc(strlen)+strcpy/strcat calls with strdup
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+
+commit 8a9fc31628a98e3cdaae6078bb5d92bce06c37ac
+Author: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date:   Fri Oct 25 23:56:55 2013 -0700
+
+    xstrdup -> strdup
+    
+    Missed in xalloc -> malloc etal conversion in 0cdc9b8f850342
+    
+    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+    Reviewed-by: Jasper St. Pierre <jstpierre@mecheye.net>
+
 commit 8b289e10c5013cdcbf817c06bd929e3ea8339987
 Author: Alan Coopersmith <alan.coopersmith@oracle.com>
 Date:   Sun Jul 21 16:53:47 2013 -0700

lib/libXfont/Makefile.bsd-wrapper

@@ -1,7 +1,7 @@
-# $OpenBSD: Makefile.bsd-wrapper,v 1.11 2013/08/13 07:07:15 guenther Exp $
+# $OpenBSD: Makefile.bsd-wrapper,v 1.12 2014/01/07 20:42:20 matthieu Exp $
 .include <bsd.xconf.mk>
 
-SHARED_LIBS=	Xfont 10.0
+SHARED_LIBS=	Xfont 11.0
 
 CONFIGURE_ARGS+= --with-xmlto=no
 

lib/libXfont/aclocal.m4

@@ -9828,7 +9828,7 @@ dnl DEALINGS IN THE SOFTWARE.
 # See the "minimum version" comment for each macro you use to see what
 # version you require.
 m4_defun([XORG_MACROS_VERSION],[
-m4_define([vers_have], [1.16.2])
+m4_define([vers_have], [1.17.1])
 m4_define([maj_have], m4_substr(vers_have, 0, m4_index(vers_have, [.])))
 m4_define([maj_needed], m4_substr([$1], 0, m4_index([$1], [.])))
 m4_if(m4_cmp(maj_have, maj_needed), 0,,
@@ -11334,18 +11334,18 @@ fi
 found="no"
 m4_foreach([flag], m4_cdr($@), [
 	if test $found = "no" ; then
-		if test "x$xorg_testset_unknown_warning_option" = "xyes" ; then
+		if test "x$xorg_testset_]CACHE_PREFIX[_unknown_warning_option" = "xyes" ; then
 			PREFIX[FLAGS]="$PREFIX[FLAGS] -Werror=unknown-warning-option"
 		fi
 
-		if test "x$xorg_testset_unused_command_line_argument" = "xyes" ; then
+		if test "x$xorg_testset_]CACHE_PREFIX[_unused_command_line_argument" = "xyes" ; then
 			PREFIX[FLAGS]="$PREFIX[FLAGS] -Werror=unused-command-line-argument"
 		fi
 
 		PREFIX[FLAGS]="$PREFIX[FLAGS] ]flag["
 
 dnl Some hackery here since AC_CACHE_VAL can't handle a non-literal varname
-		AC_MSG_CHECKING([if ]COMPILER[ supports]flag[])
+		AC_MSG_CHECKING([if ]COMPILER[ supports ]flag[])
 		cacheid=AS_TR_SH([xorg_cv_]CACHE_PREFIX[_flag_]flag[])
 		AC_CACHE_VAL($cacheid,
 			     [AC_LINK_IFELSE([AC_LANG_PROGRAM([int i;])],

lib/libXfont/config.h.in

@@ -106,6 +106,28 @@
 /* Support UNIX socket connections */
 #undef UNIXCONN
 
+/* Enable extensions on AIX 3, Interix.  */
+#ifndef _ALL_SOURCE
+# undef _ALL_SOURCE
+#endif
+/* Enable GNU extensions on systems that have them.  */
+#ifndef _GNU_SOURCE
+# undef _GNU_SOURCE
+#endif
+/* Enable threading extensions on Solaris.  */
+#ifndef _POSIX_PTHREAD_SEMANTICS
+# undef _POSIX_PTHREAD_SEMANTICS
+#endif
+/* Enable extensions on HP NonStop.  */
+#ifndef _TANDEM_SOURCE
+# undef _TANDEM_SOURCE
+#endif
+/* Enable general extensions on Solaris.  */
+#ifndef __EXTENSIONS__
+# undef __EXTENSIONS__
+#endif
+
+
 /* Version number of package */
 #undef VERSION
 
@@ -138,3 +160,13 @@
 
 /* Support gzip for bitmap fonts */
 #undef X_GZIP_FONT_COMPRESSION
+
+/* Define to 1 if on MINIX. */
+#undef _MINIX
+
+/* Define to 2 if the system does not provide POSIX.1 features except with
+   this defined. */
+#undef _POSIX_1_SOURCE
+
+/* Define to 1 if you need to in order for `stat' and other things to work. */
+#undef _POSIX_SOURCE

lib/libXfont/configure.ac

@@ -21,7 +21,7 @@
 
 # Initialize Autoconf
 AC_PREREQ([2.60])
-AC_INIT([libXfont], [1.4.6],
+AC_INIT([libXfont], [1.4.7],
 	[https://bugs.freedesktop.org/enter_bug.cgi?product=xorg], [libXfont])
 AC_CONFIG_SRCDIR([Makefile.am])
 AC_CONFIG_HEADERS([config.h include/X11/fonts/fontconf.h])
@@ -29,6 +29,11 @@ AC_CONFIG_HEADERS([config.h include/X11/fonts/fontconf.h])
 # Initialize Automake
 AM_INIT_AUTOMAKE([foreign dist-bzip2])
 
+# Set common system defines for POSIX extensions, such as _GNU_SOURCE
+# Must be called before any macros that run the compiler (like
+# AC_PROG_LIBTOOL) to avoid autoconf errors.
+AC_USE_SYSTEM_EXTENSIONS
+
 # Initialize libtool
 AC_PROG_LIBTOOL
 

lib/libXfont/src/FreeType/ftfuncs.c

@@ -2050,7 +2050,7 @@ restrict_code_range_by_str(int count,unsigned short *refFirstCol,
 {
     int nRanges = 0;
     int result = 0;
-    fsRange *ranges = NULL;
+    fsRange *ranges = NULL, *oldRanges;
     char const *p, *q;
 
     p = q = str;
@@ -2119,10 +2119,13 @@ restrict_code_range_by_str(int count,unsigned short *refFirstCol,
         fflush(stderr);
 #endif
         nRanges++;
+        oldRanges = ranges;
         ranges = realloc(ranges, nRanges*sizeof(*ranges));
-        if (NULL == ranges)
+        if (NULL == ranges) {
+            free(oldRanges);
             break;
-        {
+        }
+        else {
             fsRange *r = ranges+nRanges-1;
 
             r->min_char_low = minpoint & 0xff;
@@ -2204,7 +2207,7 @@ FreeTypeSetUpTTCap( char *fileName, FontScalablePtr vals,
 		strcpy(*dynStrRealFileName+dirLen, p2+1);
 		capHead = p1;
 	    } else {
-		*dynStrRealFileName = xstrdup(fileName);
+		*dynStrRealFileName = strdup(fileName);
 		if( *dynStrRealFileName == NULL ) {
 		    result = AllocError;
 		    goto quit;
@@ -2289,13 +2292,11 @@ FreeTypeSetUpTTCap( char *fileName, FontScalablePtr vals,
 	    }
 	}
 	else{
-	    *dynStrFTFileName = malloc(strlen(*dynStrRealFileName)+1);
+	    *dynStrFTFileName = strdup(*dynStrRealFileName);
 	    if( *dynStrFTFileName == NULL ){
 		result = AllocError;
 		goto quit;
 	    }
-	    **dynStrFTFileName = '\0';
-	    strcat(*dynStrFTFileName,*dynStrRealFileName);
 	}
     }
     /*
@@ -2549,7 +2550,7 @@ FreeTypeSetUpTTCap( char *fileName, FontScalablePtr vals,
     if (SPropRecValList_search_record(&listPropRecVal,
 				      &contRecValue,
 				      "CodeRange")) {
-	*dynStrTTCapCodeRange = xstrdup(SPropContainer_value_str(contRecValue));
+	*dynStrTTCapCodeRange = strdup(SPropContainer_value_str(contRecValue));
 	if( *dynStrTTCapCodeRange == NULL ) {
 	    result = AllocError;
 	    goto quit;

lib/libXfont/src/FreeType/xttcap.c

@@ -234,14 +234,13 @@ SPropRecValList_add_record(SDynPropRecValList *pThisList,
             {
                 char *p;
 
-                if (NULL == (p = malloc(strlen(strValue)+1))) {
+                if (NULL == (p = strdup(strValue))) {
                     fprintf(stderr,
                             "truetype font property : "
                             "cannot allocate memory.\n");
                     result = True;
                     goto quit;
                 }
-                strcpy(p, strValue);
                 SPropContainer_value_str(&tmpContainerE) = p;
             }
             break;
@@ -682,24 +681,4 @@ SPropRecValList_add_by_font_cap(SDynPropRecValList *pThisList,
     return result;
 }
 
-
-/**************************************************************************
-  Functions (xttmisc)
- */
-
-/* strdup clone with using the allocator of X server */
-char *
-XttXstrdup(char const *str)
-{
-    char *result;
-
-    result = malloc(strlen(str)+1);
-
-    if (result)
-        strcpy(result, str);
-
-    return result;
-}
-
-
 /* end of file */

lib/libXfont/src/FreeType/xttcap.h

@@ -116,15 +116,6 @@ SPropRecValList_dump(SRefPropRecValList *refList);
 #define SPropContainer_value_str(contRecVal)\
   ((contRecVal)->uValue.dynStringValue)
 
-/******************************************************
-  Prototypes (xttmisc)
- */
-
-/* strdup clone */
-char * XttXstrdup(char const *str);
-#undef xstrdup
-#define xstrdup(s) XttXstrdup((char const*)s)
-
 #endif /* !def _XTTCAP_H_ */
 
 /* end of file */

lib/libXfont/src/bitmap/bdfread.c

@@ -69,6 +69,7 @@ from The Open Group.
 #define INDICES 256
 #define MAXENCODING 0xFFFF
 #define BDFLINELEN  1024
+#define BDFLINESTR  "%1023s" /* scanf specifier to read a BDFLINELEN string */
 
 static Bool bdfPadToTerminal(FontPtr pFont);
 extern int  bdfFileLineNum;
@@ -338,7 +339,7 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
 	char        charName[100];
 	int         ignore;
 
-	if (sscanf((char *) line, "STARTCHAR %s", charName) != 1) {
+	if (sscanf((char *) line, "STARTCHAR %99s", charName) != 1) {
 	    bdfError("bad character name in BDF file\n");
 	    goto BAILOUT;	/* bottom of function, free and return error */
 	}
@@ -544,13 +545,18 @@ bdfReadHeader(FontFilePtr file, bdfFileState *pState)
     unsigned char        lineBuf[BDFLINELEN];
 
     line = bdfGetLine(file, lineBuf, BDFLINELEN);
-    if (!line || sscanf((char *) line, "STARTFONT %s", namebuf) != 1 ||
+    if (!line ||
+        sscanf((char *) line, "STARTFONT " BDFLINESTR, namebuf) != 1 ||
 	    !bdfStrEqual(namebuf, "2.1")) {
 	bdfError("bad 'STARTFONT'\n");
 	return (FALSE);
     }
     line = bdfGetLine(file, lineBuf, BDFLINELEN);
-    if (!line || sscanf((char *) line, "FONT %[^\n]", pState->fontName) != 1) {
+#if MAXFONTNAMELEN != 1024
+# error "need to adjust sscanf length limit to be MAXFONTNAMELEN - 1"
+#endif
+    if (!line ||
+        sscanf((char *) line, "FONT %1023[^\n]", pState->fontName) != 1) {
 	bdfError("bad 'FONT'\n");
 	return (FALSE);
     }
@@ -633,7 +639,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState)
 	while (*line && isspace(*line))
 	    line++;
 
-	switch (sscanf((char *) line, "%s%s%s", namebuf, secondbuf, thirdbuf)) {
+	switch (sscanf((char *) line,
+                       BDFLINESTR BDFLINESTR BDFLINESTR,
+                       namebuf, secondbuf, thirdbuf)) {
 	default:
 	    bdfError("missing '%s' parameter value\n", namebuf);
 	    goto BAILOUT;

lib/libXfont/src/fontfile/fontdir.c

@@ -425,17 +425,13 @@ FontFileCountDashes (char *name, int namelen)
     return ndashes;
 }
 
+/* exported in public API in <X11/fonts/fntfil.h> */
 char *
 FontFileSaveString (char *s)
 {
-    char    *n;
-
-    n = malloc (strlen (s) + 1);
-    if (!n)
-	return 0;
-    strcpy (n, s);
-    return n;
+    return strdup(s);
 }
+#define FontFileSaveString(s) strdup(s)
 
 FontEntryPtr
 FontFileFindNameInScalableDir(FontTablePtr table, FontNamePtr pat,

lib/libXfont/src/util/atom.c

@@ -118,19 +118,23 @@ ResizeHashTable (void)
 static int
 ResizeReverseMap (void)
 {
-    int ret = TRUE;
+    AtomListPtr *newMap;
+    int newMapSize;
+
     if (reverseMapSize == 0)
-	reverseMapSize = 1000;
+	newMapSize = 1000;
     else
-	reverseMapSize *= 2;
-    reverseMap = realloc (reverseMap, reverseMapSize * sizeof (AtomListPtr));
-    if (!reverseMap) {
+	newMapSize = reverseMapSize * 2;
+    newMap = realloc (reverseMap, newMapSize * sizeof (AtomListPtr));
+    if (newMap == NULL) {
 	fprintf(stderr, "ResizeReverseMap(): Error: Couldn't reallocate"
 		" reverseMap (%ld)\n",
-		reverseMapSize * (unsigned long)sizeof(AtomListPtr));
-	ret = FALSE;
+		newMapSize * (unsigned long)sizeof(AtomListPtr));
+	return FALSE;
     }
-    return ret;
+    reverseMap = newMap;
+    reverseMapSize = newMapSize;
+    return TRUE;
 }
 
 static int

lib/libXfont/src/util/miscutil.c

@@ -47,7 +47,7 @@ extern void BuiltinRegisterFpeFunctions(void);
 
 #ifndef NO_WEAK_SYMBOLS
 /* make sure everything initializes themselves at least once */
-weak long serverGeneration = 1;
+weak unsigned long serverGeneration = 1;
 #endif
 
 weak void