Apply by doing: cd /usr/XF4 patch -p0 < 012_font.patch Then rebuild and install X: cd /usr/obj lndir /usr/XF4 make build Index: xc/lib/font/fontfile/dirfile.c =================================================================== RCS file: /cvs/XF4/xc/lib/font/fontfile/dirfile.c,v retrieving revision 1.1.1.4 retrieving revision 1.1.1.4.2.2 diff -u -p -r1.1.1.4 -r1.1.1.4.2.2 --- xc/lib/font/fontfile/dirfile.c 1 Apr 2003 18:44:59 -0000 1.1.1.4 +++ xc/lib/font/fontfile/dirfile.c 13 Feb 2004 07:46:49 -0000 1.1.1.4.2.2 @@ -68,6 +68,9 @@ FontFileReadDirectory (char *directory, FontDirectoryPtr dir = NullFontDirectory; + if (strlen(directory) + 1 + sizeof(FontDirFile) > sizeof(dir_file)) + return BadFontPath; + #ifdef FONTDIRATTRIB /* Check for font directory attributes */ #ifndef __UNIXOS2__ @@ -154,6 +157,9 @@ FontFileDirectoryChanged(FontDirectoryPt char dir_file[MAXFONTFILENAMELEN]; struct stat statb; + if (strlen(dir->directory) + sizeof(FontDirFile) > sizeof(dir_file)) + return FALSE; + strcpy (dir_file, dir->directory); strcat (dir_file, FontDirFile); if (stat (dir_file, &statb) == -1) @@ -202,6 +208,8 @@ AddFileNameAliases(FontDirectoryPtr dir) continue; len = strlen (fileName) - renderer->fileSuffixLen; + if (len >= sizeof(copy)) + continue; CopyISOLatin1Lowered (copy, fileName, len); copy[len] = '\0'; name.name = copy; @@ -251,9 +259,13 @@ ReadFontAlias(char *directory, Bool isFi int status = Successful; struct stat statb; + if (strlen(directory) >= sizeof(alias_file)) + return BadFontPath; dir = *pdir; strcpy(alias_file, directory); if (!isFile) { + if (strlen(directory) + 1 + sizeof(FontAliasFile) > sizeof(alias_file)) + return BadFontPath; if (directory[strlen(directory) - 1] != '/') strcat(alias_file, "/"); strcat(alias_file, FontAliasFile); 
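Review bot: In the ReadFontAlias hunk of xc/lib/font/fontfile/dirfile.c, the context line `if (directory[strlen(directory) - 1] != '/')` still reads one byte before the string when `directory` is empty, and neither added check rejects that case. Both new checks bound only the upper length, so a lower-bound guard such as `if (directory[0] == '\0') return BadFontPath;` next to them would close it. Whether any caller can pass an empty path is not visible here, and the function body continues outside the hunk.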
@@ -286,6 +298,10 @@ ReadFontAlias(char *directory, Bool isFi status = AllocError; break; case NAME: + if (strlen(lexToken) >= sizeof(alias)) { + status = BadFontPath; + break; + } strcpy(alias, lexToken); token = lexAlias(file, &lexToken); switch (token) { @@ -302,6 +318,10 @@ ReadFontAlias(char *directory, Bool isFi status = AllocError; break; case NAME: + if (strlen(lexToken) >= sizeof(font_name)) { + status = BadFontPath; + break; + } CopyISOLatin1Lowered(alias, alias, strlen(alias)); CopyISOLatin1Lowered(font_name, lexToken, strlen(lexToken)); if (!FontFileAddFontAlias (dir, alias, font_name)) Index: xc/lib/font/fontfile/encparse.c =================================================================== RCS file: /cvs/XF4/xc/lib/font/fontfile/encparse.c,v retrieving revision 1.1.1.2 retrieving revision 1.1.1.2.8.1 diff -u -p -r1.1.1.2 -r1.1.1.2.8.1 --- xc/lib/font/fontfile/encparse.c 19 Jan 2002 11:06:06 -0000 1.1.1.2 +++ xc/lib/font/fontfile/encparse.c 13 Feb 2004 07:46:49 -0000 1.1.1.2.8.1 @@ -833,6 +833,7 @@ FontEncReallyReallyLoad(const char *char char file_name[MAXFONTFILENAMELEN], encoding_name[MAXFONTNAMELEN], buf[MAXFONTFILENAMELEN]; int count, n; + static char format[24] = ""; /* As we don't really expect to open encodings that often, we don't take the trouble of caching encodings directories. */ 
@@ -848,8 +849,12 @@ FontEncReallyReallyLoad(const char *char } encoding = NULL; + if (!format[0]) { + sprintf(format, "%%%ds %%%d[^\n]\n", sizeof(encoding_name) - 1, + sizeof(file_name) - 1); + } for(;;) { - count = fscanf(file, "%s %[^\n]\n", encoding_name, file_name); + count = fscanf(file, format, encoding_name, file_name); if(count == EOF) break; if(count != 2) Index: xc/lib/font/fontfile/fontfile.c =================================================================== RCS file: /cvs/XF4/xc/lib/font/fontfile/fontfile.c,v retrieving revision 1.1.1.4 retrieving revision 1.1.1.4.2.1 diff -u -p -r1.1.1.4 -r1.1.1.4.2.1 --- xc/lib/font/fontfile/fontfile.c 1 Apr 2003 18:44:59 -0000 1.1.1.4 +++ xc/lib/font/fontfile/fontfile.c 13 Feb 2004 07:46:49 -0000 1.1.1.4.2.1 @@ -424,11 +424,16 @@ FontFileOpenFont (pointer client, FontPa vals.ranges = ranges; vals.nranges = nranges; - strcpy (fileName, dir->directory); - strcat (fileName, scalable->fileName); - ret = (*scalable->renderer->OpenScalable) (fpe, pFont, + if (strlen(dir->directory) + strlen(scalable->fileName) >= + sizeof(fileName)) { + ret = BadFontName; + } else { + strcpy (fileName, dir->directory); + strcat (fileName, scalable->fileName); + ret = (*scalable->renderer->OpenScalable) (fpe, pFont, flags, entry, fileName, &vals, format, fmask, non_cachable_font); + } /* In case rasterizer does something bad because of charset subsetting... */ @@ -497,6 +502,10 @@ FontFileOpenBitmapNCF (FontPathElementPt dir = (FontDirectoryPtr) fpe->private; bitmap = &entry->u.bitmap; + if(!bitmap || !bitmap->renderer->OpenBitmap) + return BadFontName; + if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName)) + return BadFontName; strcpy (fileName, dir->directory); strcat (fileName, bitmap->fileName); ret = (*bitmap->renderer->OpenBitmap) 
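Review bot: In the FontEncReallyReallyLoad hunk of encparse.c, the added `sprintf(format, "%%%ds %%%d[^\n]\n", sizeof(encoding_name) - 1, sizeof(file_name) - 1);` passes two `size_t` values to `%d`, a format/argument mismatch that is undefined behaviour where `size_t` is wider than `int`. Casting the widths, `(int)(sizeof(encoding_name) - 1)` and `(int)(sizeof(file_name) - 1)`, fixes that. The write into the 24-byte `format` buffer declared in the preceding hunk is itself unbounded, so `snprintf(format, sizeof(format), ...)`, where the tree has it, would keep it safe if the array sizes ever grow. Because these widths are what now bound the `fscanf` writes, a comment such as `/* field widths must stay one less than the destination arrays */` above the `sprintf` would help the next maintainer.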
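Review bot: The length guard added around `strcpy`/`strcat` in FontFileOpenFont is repeated in both FontFileListOneFontWithInfo hunks, in the bitmap hunks in a second form, and again in the xc-old copies, so the bound and the copy it protects can drift apart at any one site. A single static helper would keep them together; each call site would then become `if (!FontFileBuildPath(fileName, sizeof(fileName), dir->directory, scalable->fileName)) ret = BadFontName; else ...`. The helper name is only a suggestion. The declaration of `fileName` is outside the hunk; the added `sizeof(fileName)` already assumes it is an array rather than a pointer.

```c
/* Join directory and name into buf; FALSE if the result would not fit. */
static Bool
FontFileBuildPath (char *buf, size_t buflen, char *directory, char *name)
{
    if (strlen(directory) + strlen(name) >= buflen)
	return FALSE;
    strcpy (buf, directory);
    strcat (buf, name);
    return TRUE;
}
```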
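Review bot: In the FontFileOpenBitmapNCF hunk, the added `if(!bitmap || !bitmap->renderer->OpenBitmap)` can never fail on its first operand, because `bitmap` was just assigned `&entry->u.bitmap`, while `bitmap->renderer` is dereferenced without being tested. If the intent is to reject entries with no usable renderer, the test should read `if (!bitmap->renderer || !bitmap->renderer->OpenBitmap)`; whether `renderer` can be NULL at this point is not visible in the hunk. The same pattern appears in the FontFileGetInfoBitmap hunk (with `GetInfoBitmap`) and in both xc-old/lib/font/fontfile/fontfile.c counterparts.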
@@ -530,6 +539,10 @@ FontFileGetInfoBitmap (FontPathElementPt dir = (FontDirectoryPtr) fpe->private; bitmap = &entry->u.bitmap; + if (!bitmap || !bitmap->renderer->GetInfoBitmap) + return BadFontName; + if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName)) + return BadFontName; strcpy (fileName, dir->directory); strcat (fileName, bitmap->fileName); ret = (*bitmap->renderer->GetInfoBitmap) (fpe, pFontInfo, entry, fileName); @@ -891,10 +904,15 @@ FontFileListOneFontWithInfo (pointer cli vals.ranges = FontParseRanges(origName, &vals.nranges); ranges = vals.ranges; /* Make a new scaled instance */ - strcpy (fileName, dir->directory); - strcat (fileName, scalable->fileName); - ret = (*scalable->renderer->GetInfoScalable) - (fpe, *pFontInfo, entry, &tmpName, fileName, &vals); + if (strlen(dir->directory) + strlen(scalable->fileName) >= + sizeof(fileName)) { + ret = BadFontName; + } else { + strcpy (fileName, dir->directory); + strcat (fileName, scalable->fileName); + ret = (*scalable->renderer->GetInfoScalable) + (fpe, *pFontInfo, entry, &tmpName, fileName, &vals); + } if (ranges) xfree(ranges); } } 
@@ -931,10 +949,15 @@ FontFileListOneFontWithInfo (pointer cli bc = &entry->u.bc; entry = bc->entry; /* Make a new scaled instance */ - strcpy (fileName, dir->directory); - strcat (fileName, scalable->fileName); - ret = (*scalable->renderer->GetInfoScalable) + if (strlen(dir->directory) + strlen(scalable->fileName) >= + sizeof(fileName)) { + ret = BadFontName; + } else { + strcpy (fileName, dir->directory); + strcat (fileName, scalable->fileName); + ret = (*scalable->renderer->GetInfoScalable) (fpe, *pFontInfo, entry, tmpName, fileName, &bc->vals); + } break; #endif default: Index: xc-old/lib/font/fontfile/dirfile.c =================================================================== RCS file: /cvs/XF4/xc-old/lib/font/fontfile/dirfile.c,v retrieving revision 1.1.1.1 retrieving revision 1.1.1.1.12.2 diff -u -p -r1.1.1.1 -r1.1.1.1.12.2 --- xc-old/lib/font/fontfile/dirfile.c 18 Feb 2001 16:08:19 -0000 1.1.1.1 +++ xc-old/lib/font/fontfile/dirfile.c 13 Feb 2004 07:46:49 -0000 1.1.1.1.12.2 @@ -73,6 +73,9 @@ FontFileReadDirectory (directory, pdir) FontDirectoryPtr dir = NullFontDirectory; + if (strlen(directory) + 1 + sizeof(FontDirFile) > sizeof(dir_file)) + return BadFontPath; + #ifdef FONTDIRATTRIB /* Check for font directory attributes */ #ifndef __EMX__ @@ -160,6 +163,9 @@ FontFileDirectoryChanged(dir) char dir_file[MAXFONTFILENAMELEN]; struct stat statb; + if (strlen(dir->directory) + sizeof(FontDirFile) > sizeof(dir_file)) + return FALSE; + strcpy (dir_file, dir->directory); strcat (dir_file, FontDirFile); if (stat (dir_file, &statb) == -1) @@ -209,6 +215,8 @@ AddFileNameAliases(dir) continue; len = strlen (fileName) - renderer->fileSuffixLen; + if (len >= sizeof(copy)) + continue; CopyISOLatin1Lowered (copy, fileName, len); copy[len] = '\0'; name.name = copy; 
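Review bot: In the second FontFileListOneFontWithInfo hunk (the `bc` case), the new length check and the call both use `scalable` right after `entry = bc->entry;`, with no visible reassignment of `scalable` for the new entry. The call also passes `tmpName` where the previous hunk in the same function passes `&tmpName`, so one of the two has the wrong argument type. The case sits directly before an `#endif`, so it may not be built by default; if that is so, a comment such as `/* not compiled by default; scalable/tmpName usage unverified */` would record that the guard here is untested. The xc-old copy of this hunk has the same shape, and the enclosing switch lies outside the hunk.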
@@ -263,6 +271,8 @@ ReadFontAlias(directory, isFile, pdir) int status = Successful; struct stat statb; + if (strlen(directory) >= sizeof(alias_file)) + return BadFontPath; dir = *pdir; strcpy(alias_file, directory); if (!isFile) { @@ -298,6 +308,10 @@ ReadFontAlias(directory, isFile, pdir) status = AllocError; break; case NAME: + if (strlen(lexToken) >= sizeof(alias)) { + status = BadFontPath; + break; + } strcpy(alias, lexToken); token = lexAlias(file, &lexToken); switch (token) { @@ -314,6 +328,10 @@ ReadFontAlias(directory, isFile, pdir) status = AllocError; break; case NAME: + if (strlen(lexToken) >= sizeof(font_name)) { + status = BadFontPath; + break; + } CopyISOLatin1Lowered((unsigned char *) alias, (unsigned char *) alias, strlen(alias)); Index: xc-old/lib/font/fontfile/fontfile.c =================================================================== RCS file: /cvs/XF4/xc-old/lib/font/fontfile/fontfile.c,v retrieving revision 1.1.1.1 retrieving revision 1.1.1.1.12.1 diff -u -p -r1.1.1.1 -r1.1.1.1.12.1 --- xc-old/lib/font/fontfile/fontfile.c 18 Feb 2001 16:08:20 -0000 1.1.1.1 +++ xc-old/lib/font/fontfile/fontfile.c 13 Feb 2004 07:46:49 -0000 1.1.1.1.12.1 @@ -438,11 +438,16 @@ FontFileOpenFont (client, fpe, flags, na vals.ranges = ranges; vals.nranges = nranges; - strcpy (fileName, dir->directory); - strcat (fileName, scalable->fileName); - ret = (*scalable->renderer->OpenScalable) (fpe, pFont, + if (strlen(dir->directory) + strlen(scalable->fileName) >= + sizeof(fileName)) { + ret = BadFontName; + } else { + strcpy (fileName, dir->directory); + strcat (fileName, scalable->fileName); + ret = (*scalable->renderer->OpenScalable) (fpe, pFont, flags, entry, fileName, &vals, format, fmask, non_cachable_font); + } /* In case rasterizer does something bad because of charset subsetting... */ 
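Review bot: The xc-old ReadFontAlias hunk adds only `if (strlen(directory) >= sizeof(alias_file))`, whereas the xc version of the same function also adds `if (strlen(directory) + 1 + sizeof(FontAliasFile) > sizeof(alias_file)) return BadFontPath;` inside `if (!isFile) {`. The hunk ends at `if (!isFile) {`, so the append code is not visible. If xc-old appends "/" and FontAliasFile there as xc does, a directory that just fits in `alias_file` can still overflow it. The second check should be carried over as the first statement of that block.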
@@ -517,6 +522,10 @@ FontFileOpenBitmapNCF (fpe, pFont, flags dir = (FontDirectoryPtr) fpe->private; bitmap = &entry->u.bitmap; + if(!bitmap || !bitmap->renderer->OpenBitmap) + return BadFontName; + if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName)) + return BadFontName; strcpy (fileName, dir->directory); strcat (fileName, bitmap->fileName); ret = (*bitmap->renderer->OpenBitmap) @@ -553,6 +562,10 @@ FontFileGetInfoBitmap (fpe, pFontInfo, e dir = (FontDirectoryPtr) fpe->private; bitmap = &entry->u.bitmap; + if (!bitmap || !bitmap->renderer->GetInfoBitmap) + return BadFontName; + if (strlen(dir->directory) + strlen(bitmap->fileName) >= sizeof(fileName)) + return BadFontName; strcpy (fileName, dir->directory); strcat (fileName, bitmap->fileName); ret = (*bitmap->renderer->GetInfoBitmap) (fpe, pFontInfo, entry, fileName); @@ -936,10 +949,15 @@ FontFileListOneFontWithInfo (client, fpe vals.ranges = FontParseRanges(origName, &vals.nranges); ranges = vals.ranges; /* Make a new scaled instance */ - strcpy (fileName, dir->directory); - strcat (fileName, scalable->fileName); - ret = (*scalable->renderer->GetInfoScalable) - (fpe, *pFontInfo, entry, &tmpName, fileName, &vals); + if (strlen(dir->directory) + strlen(scalable->fileName) >= + sizeof(fileName)) { + ret = BadFontName; + } else { + strcpy (fileName, dir->directory); + strcat (fileName, scalable->fileName); + ret = (*scalable->renderer->GetInfoScalable) + (fpe, *pFontInfo, entry, &tmpName, fileName, &vals); + } if (ranges) xfree(ranges); } } 
@@ -976,10 +994,15 @@ FontFileListOneFontWithInfo (client, fpe bc = &entry->u.bc; entry = bc->entry; /* Make a new scaled instance */ - strcpy (fileName, dir->directory); - strcat (fileName, scalable->fileName); - ret = (*scalable->renderer->GetInfoScalable) + if (strlen(dir->directory) + strlen(scalable->fileName) >= + sizeof(fileName)) { + ret = BadFontName; + } else { + strcpy (fileName, dir->directory); + strcat (fileName, scalable->fileName); + ret = (*scalable->renderer->GetInfoScalable) (fpe, *pFontInfo, entry, tmpName, fileName, &bc->vals); + } break; #endif default: