From 9950e38321120e3642638bf7c354e56a18cfce6a Mon Sep 17 00:00:00 2001
From: CentOS Sources <bugs@centos.org>
Date: Sep 03 2015 09:18:35 +0000
Subject: import libXfont-1.4.7-3.el7_1


---

diff --git a/SOURCES/cve-2015-1802.patch b/SOURCES/cve-2015-1802.patch
new file mode 100644
index 0000000..1d87333
--- /dev/null
+++ b/SOURCES/cve-2015-1802.patch
@@ -0,0 +1,30 @@
+From 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 6 Feb 2015 15:50:45 -0800
+Subject: bdfReadProperties: property count needs range check [CVE-2015-1802]
+
+Avoid integer overflow or underflow when allocating memory arrays
+by multiplying the number of properties reported for a BDF font.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 914a024..6387908 100644
+--- a/src/bitmap/bdfread.c
++++ b/src/bitmap/bdfread.c
+@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState)
+ 	bdfError("missing 'STARTPROPERTIES'\n");
+ 	return (FALSE);
+     }
+-    if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) {
++    if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) ||
++	(nProps <= 0) ||
++	(nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) {
+ 	bdfError("bad 'STARTPROPERTIES'\n");
+ 	return (FALSE);
+     }
+-- 
+cgit v0.10.2
+
diff --git a/SOURCES/cve-2015-1803.patch b/SOURCES/cve-2015-1803.patch
new file mode 100644
index 0000000..22d2d5b
--- /dev/null
+++ b/SOURCES/cve-2015-1803.patch
@@ -0,0 +1,33 @@
+From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 6 Feb 2015 15:54:00 -0800
+Subject: bdfReadCharacters: bailout if a char's bitmap cannot be read
+ [CVE-2015-1803]
+
+Previously would charge on ahead with a NULL pointer in ci->bits, and
+then crash later in FontCharInkMetrics() trying to access the bits.
+
+Found with afl-1.23b.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 6387908..1b29b81 100644
+--- a/src/bitmap/bdfread.c
++++ b/src/bitmap/bdfread.c
+@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+ 	    ci->metrics.descent = -bb;
+ 	    ci->metrics.characterWidth = wx;
+ 	    ci->bits = NULL;
+-	    bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes);
++	    if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) {
++		bdfError("could not read bitmap for character '%s'\n", charName);
++		goto BAILOUT;
++	    }
+ 	    ci++;
+ 	    ndx++;
+ 	} else
+-- 
+cgit v0.10.2
+
diff --git a/SOURCES/cve-2015-1804.patch b/SOURCES/cve-2015-1804.patch
new file mode 100644
index 0000000..dd8d5be
--- /dev/null
+++ b/SOURCES/cve-2015-1804.patch
@@ -0,0 +1,73 @@
+From 2351c83a77a478b49cba6beb2ad386835e264744 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 6 Mar 2015 22:54:58 -0800
+Subject: bdfReadCharacters: ensure metrics fit into xCharInfo struct
+ [CVE-2015-1804]
+
+We use 32-bit ints to read from the bdf file, but then try to stick
+into a 16-bit int in the xCharInfo struct, so make sure they won't
+overflow that range.
+
+Found by afl-1.24b.
+
+v2: Verify that additions won't overflow 32-bit int range either.
+v3: As Julien correctly observes, the previous check for bh & bw not
+    being < 0 reduces the number of cases we need to check for overflow.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 1b29b81..a0ace8f 100644
+--- a/src/bitmap/bdfread.c
++++ b/src/bitmap/bdfread.c
+@@ -62,8 +62,16 @@ from The Open Group.
+ 
+ #if HAVE_STDINT_H
+ #include <stdint.h>
+-#elif !defined(INT32_MAX)
+-#define INT32_MAX 0x7fffffff
++#else
++# ifndef INT32_MAX
++#  define INT32_MAX 0x7fffffff
++# endif
++# ifndef INT16_MAX
++#  define INT16_MAX 0x7fff
++# endif
++# ifndef INT16_MIN
++#  define INT16_MIN (0 - 0x8000)
++# endif
+ #endif
+ 
+ #define INDICES 256
+@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+ 	    bdfError("DWIDTH y value must be zero\n");
+ 	    goto BAILOUT;
+ 	}
++	/* xCharInfo metrics are stored as INT16 */
++	if ((wx < 0) || (wx > INT16_MAX)) {
++	    bdfError("character '%s' has out of range width, %d\n",
++		     charName, wx);
++	    goto BAILOUT;
++	}
+ 	line = bdfGetLine(file, lineBuf, BDFLINELEN);
+ 	if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) {
+ 	    bdfError("bad 'BBX'\n");
+@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+ 		     charName, bw, bh);
+ 	    goto BAILOUT;
+ 	}
++	/* xCharInfo metrics are read as int, but stored as INT16 */
++	if ((bl > INT16_MAX) || (bl < INT16_MIN) ||
++	    (bb > INT16_MAX) || (bb < INT16_MIN) ||
++	    (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) {
++	    bdfError("character '%s' has out of range metrics, %d %d %d %d\n",
++		     charName, bl, (bl+bw), (bh+bb), -bb);
++	    goto BAILOUT;
++	}
+ 	line = bdfGetLine(file, lineBuf, BDFLINELEN);
+ 	if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) {
+ 	    for (p = line + strlen("ATTRIBUTES ");
+-- 
+cgit v0.10.2
+
diff --git a/SPECS/libXfont.spec b/SPECS/libXfont.spec
index 06f8492..1b5567a 100644
--- a/SPECS/libXfont.spec
+++ b/SPECS/libXfont.spec
@@ -1,7 +1,7 @@
 Summary: X.Org X11 libXfont runtime library
 Name: libXfont
 Version: 1.4.7
-Release: 2%{?dist}
+Release: 3%{?dist}
 License: MIT
 Group: System Environment/Libraries
 URL: http://www.x.org
@@ -28,6 +28,9 @@ Patch8: 0009-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch
 Patch9: 0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch
 Patch10: 0011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
 Patch11: 0012-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
+Patch12: cve-2015-1802.patch
+Patch13: cve-2015-1803.patch
+Patch14: cve-2015-1804.patch
 
 %description
 X.Org X11 libXfont runtime library
@@ -56,6 +59,9 @@ X.Org X11 libXfont development package
 %patch9  -p1 -b .cve20140210.10
 %patch10 -p1 -b .cve20140210.11
 %patch11 -p1 -b .cve20140210.12
+%patch12 -p1 -b .cve20151802.13
+%patch13 -p1 -b .cve20151803.14
+%patch14 -p1 -b .cve20151804.15
 
 %build
 autoreconf -v --install --force
@@ -106,6 +112,11 @@ rm -rf $RPM_BUILD_ROOT
 %{_libdir}/pkgconfig/xfont.pc
 
 %changelog
+* Tue Sep 01 2015 Benjamin Tissoires <benjamin.tissoires@redhat.com> 1.4.7-3
+- CVE-2015-1802: missing range check in bdfReadProperties (bug 1258894)
+- CVE-2015-1803: crash on invalid read in bdfReadCharacters (bug 1258894)
+- CVE-2015-1804: out-of-bounds memory access in bdfReadCharacters (bug 1258894)
+
 * Thu Nov 13 2014 Benjamin Tissoires <btissoir@redhat.com> 1.4.7-2
 - CVE-2014-0209: integer overflow of allocations in font metadata file parsing (bug 1163604, bug 1163603)
 - CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies (bug 1163604, bug 1163603)