Index: xfree/xc/lib/Xcursor/file.c =================================================================== RCS file: /cvsroot/xsrc/xfree/xc/lib/Xcursor/Attic/file.c,v retrieving revision 1.1.1.1 diff -p -u -u -r1.1.1.1 file.c --- xfree/xc/lib/Xcursor/file.c 28 Feb 2003 13:18:51 -0000 1.1.1.1 +++ xfree/xc/lib/Xcursor/file.c 30 Nov 2017 02:18:14 -0000 @@ -31,6 +31,11 @@ XcursorImageCreate (int width, int heigh { XcursorImage *image; + if (width < 0 || height < 0) + return NULL; + if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE) + return NULL; + image = malloc (sizeof (XcursorImage) + width * height * sizeof (XcursorPixel)); if (!image) @@ -79,7 +84,7 @@ XcursorCommentCreate (XcursorUInt commen { XcursorComment *comment; - if (length > XCURSOR_COMMENT_MAX_LEN) + if (length < 0 || length > XCURSOR_COMMENT_MAX_LEN) return 0; comment = malloc (sizeof (XcursorComment) + length + 1); @@ -103,6 +108,9 @@ XcursorCommentsCreate (int size) { XcursorComments *comments; + if (size < 0 || size > XCURSOR_COMMENT_MAX_LEN) + return NULL; + comments = malloc (sizeof (XcursorComments) + size * sizeof (XcursorComment *)); if (!comments) @@ -397,7 +405,8 @@ _XcursorReadImage (XcursorFile *file, if (!_XcursorReadUInt (file, &head.delay)) return 0; /* sanity check data */ - if (head.width >= 0x10000 || head.height > 0x10000) + if (head.width > XCURSOR_IMAGE_MAX_SIZE || + head.height > XCURSOR_IMAGE_MAX_SIZE) return 0; if (head.width == 0 || head.height == 0) return 0; 
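Review bot: The overflow safety of the `malloc` size in XcursorImageCreate now rests entirely on the value of `XCURSOR_IMAGE_MAX_SIZE`, which this patch uses but does not show. `width * height` is still evaluated as an `int` product before it is multiplied by `sizeof (XcursorPixel)`, so the bound has to keep both that product and the final byte count in range on 32-bit targets. I would add a comment above the checks, for example `/* bounds keep width * height * sizeof (XcursorPixel) from overflowing */`, or widen the first operand, `(size_t) width * height * sizeof (XcursorPixel)`. The same applies to the identical hunk in external/mit/libXcursor/dist/src/file.c.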
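Review bot: XcursorCommentsCreate bounds `size`, a count of comment pointers, with `XCURSOR_COMMENT_MAX_LEN`, which the XcursorCommentCreate hunk above uses as a byte-length limit for a single comment. Reusing it works as a cap but conflates two unrelated limits; a dedicated constant, or a comment such as `/* reuse the comment length cap as an upper bound on the number of comments */`, would make the intent explicit. The external/mit/libXcursor section of this patch has no matching hunk for XcursorCommentsCreate, so it is worth checking whether that copy already validates `size`.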
@@ -406,6 +415,8 @@ _XcursorReadImage (XcursorFile *file, /* Create the image and initialize it */ image = XcursorImageCreate (head.width, head.height); + if (image == NULL) + return NULL; if (chunkHeader.version < image->version) image->version = chunkHeader.version; image->size = chunkHeader.subtype; Index: xfree/xc/lib/Xcursor/library.c =================================================================== RCS file: /cvsroot/xsrc/xfree/xc/lib/Xcursor/Attic/library.c,v retrieving revision 1.1.1.2 diff -p -u -u -r1.1.1.2 library.c --- xfree/xc/lib/Xcursor/library.c 5 Mar 2004 14:24:23 -0000 1.1.1.2 +++ xfree/xc/lib/Xcursor/library.c 30 Nov 2017 02:18:14 -0000 @@ -174,7 +174,7 @@ _XcursorThemeInherits (const char *full) if (*l != '=') continue; l++; while (*l == ' ') l++; - result = malloc (strlen (l)); + result = malloc (strlen (l) + 1); if (result) { r = result; Index: xfree/xc/lib/font/bitmap/pcfread.c =================================================================== RCS file: /cvsroot/xsrc/xfree/xc/lib/font/bitmap/Attic/pcfread.c,v retrieving revision 1.3 diff -p -u -u -r1.3 pcfread.c --- xfree/xc/lib/font/bitmap/pcfread.c 20 Jan 2008 22:17:15 -0000 1.3 +++ xfree/xc/lib/font/bitmap/pcfread.c 30 Nov 2017 02:18:14 -0000 @@ -42,6 +42,7 @@ from The Open Group. #include #include +#include void pcfError(const char* message, ...) 
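Review bot: The `+ 1` in `malloc (strlen (l) + 1)` in _XcursorThemeInherits deserves a comment, since nothing in the hunk says what the extra byte is for. The copy loop that fills `result` lies outside the hunk; presumably it writes a terminating NUL after at most `strlen (l)` bytes, and the comment should state that, e.g. `/* +1 for the terminating NUL */`. The same one-line change appears in external/mit/libXcursor/dist/src/library.c.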
@@ -305,11 +306,19 @@ pcfGetProperties(FontInfoPtr pFontInfo, if (IS_EOF(file)) goto Bail; position += string_size; for (i = 0; i < nprops; i++) { + if (props[i].name >= string_size) { + pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].name, string_size); + goto Bail; + } props[i].name = MakeAtom(strings + props[i].name, - strlen(strings + props[i].name), TRUE); + strnlen(strings + props[i].name, string_size - props[i].name), TRUE); if (isStringProp[i]) { + if (props[i].value >= string_size) { + pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].value, string_size); + goto Bail; + } props[i].value = MakeAtom(strings + props[i].value, - strlen(strings + props[i].value), TRUE); + strnlen(strings + props[i].value, string_size - props[i].value), TRUE); } } xfree(strings); Index: xfree/xc/lib/font/fontfile/dirfile.c =================================================================== RCS file: /cvsroot/xsrc/xfree/xc/lib/font/fontfile/Attic/dirfile.c,v retrieving revision 1.4.14.1 diff -p -u -u -r1.4.14.1 dirfile.c --- xfree/xc/lib/font/fontfile/dirfile.c 14 May 2014 03:34:12 -0000 1.4.14.1 +++ xfree/xc/lib/font/fontfile/dirfile.c 30 Nov 2017 02:18:14 -0000 @@ -41,6 +41,7 @@ in this Software without prior written a #include #include #include +#include #include #include @@ -60,8 +61,9 @@ FontFileReadDirectory (char *directory, char dir_path[MAXFONTFILENAMELEN]; char *ptr; #endif - FILE *file; - int count, + FILE *file = 0; + int file_fd, + count, i, status; struct stat statb; @@ -92,7 +94,14 @@ FontFileReadDirectory (char *directory, if (dir_file[strlen(dir_file) - 1] != '/') strcat(dir_file, "/"); strcat(dir_file, FontDirFile); +#ifndef WIN32 + file_fd = open(dir_file, O_RDONLY | O_NOFOLLOW); + if (file_fd >= 0) { + file = fdopen(file_fd, "r"); + } +#else file = fopen(dir_file, "r"); +#endif if (file) { Bool found_font = FALSE; 
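Review bot: The new guard `props[i].name >= string_size` in pcfGetProperties rejects offsets past the end of the string table but not negative ones, and the `%ld` in the error message suggests the field is a signed `long`. Unless negative offsets are rejected earlier in the function (the code that reads the property table is outside this hunk), `strings + props[i].name` could still point before the buffer. Folding the lower bound into the same test makes the check self-contained: `if (props[i].name < 0 || props[i].name >= string_size) {`, and likewise for `props[i].value`. The two error messages are identical, so naming the field in each would help when diagnosing a rejected font. The same hunk appears in external/mit/libXfont/dist/src/bitmap/pcfread.c.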
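Review bot: In FontFileReadDirectory the descriptor returned by `open()` is leaked when `fdopen()` fails, because `file` stays NULL and nothing closes `file_fd`. Adding `if (!file) close(file_fd);` inside the `if (file_fd >= 0)` block would fix it. `O_NOFOLLOW` is also used here without the `#ifndef O_NOFOLLOW` fallback that this patch adds to fileio.c, and without the `O_CLOEXEC` that FontFileOpen receives, so the call sites are not consistent with each other. The ReadFontAlias hunk in this file and both hunks in external/mit/libXfont/dist/src/fontfile/dirfile.c follow the same pattern.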
@@ -258,7 +267,8 @@ ReadFontAlias(char *directory, Bool isFi char alias[MAXFONTNAMELEN]; char font_name[MAXFONTNAMELEN]; char alias_file[MAXFONTFILENAMELEN]; - FILE *file; + int file_fd; + FILE *file = 0; FontDirectoryPtr dir; int token; char *lexToken; @@ -276,7 +286,15 @@ ReadFontAlias(char *directory, Bool isFi strcat(alias_file, "/"); strcat(alias_file, FontAliasFile); } +#ifndef WIN32 + file_fd = open(alias_file, O_RDONLY | O_NOFOLLOW); + if (file_fd >= 0) { + file = fdopen(file_fd, "r"); + } +#else file = fopen(alias_file, "r"); +#endif + if (!file) return ((errno == ENOENT) ? Successful : BadFontPath); if (!dir) Index: xfree/xc/lib/font/fontfile/fileio.c =================================================================== RCS file: /cvsroot/xsrc/xfree/xc/lib/font/fontfile/Attic/fileio.c,v retrieving revision 1.1.1.5 diff -p -u -u -r1.1.1.5 fileio.c --- xfree/xc/lib/font/fontfile/fileio.c 28 Feb 2003 13:18:56 -0000 1.1.1.5 +++ xfree/xc/lib/font/fontfile/fileio.c 30 Nov 2017 02:18:14 -0000 @@ -36,6 +36,9 @@ in this Software without prior written a #ifndef O_BINARY #define O_BINARY O_RDONLY #endif +#ifndef O_NOFOLLOW +#define O_NOFOLLOW 0 +#endif FontFilePtr FontFileOpen (const char *name) @@ -44,7 +47,7 @@ FontFileOpen (const char *name) int len; BufFilePtr raw, cooked; - fd = open (name, O_BINARY); + fd = open (name, O_BINARY|O_CLOEXEC|O_NOFOLLOW); if (fd < 0) return 0; raw = BufFileOpenRead (fd); Index: xfree/xc/lib/font/fontfile/fontdir.c =================================================================== RCS file: /cvsroot/xsrc/xfree/xc/lib/font/fontfile/Attic/fontdir.c,v retrieving revision 1.2 diff -p -u -u -r1.2 fontdir.c --- xfree/xc/lib/font/fontfile/fontdir.c 3 Apr 2007 20:12:22 -0000 1.2 +++ xfree/xc/lib/font/fontfile/fontdir.c 30 Nov 2017 02:18:14 -0000 
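Review bot: With `O_NOFOLLOW`, an alias file that is a symbolic link makes `open()` in ReadFontAlias fail with an errno other than `ENOENT` (POSIX specifies `ELOOP`; some systems use a different value), so the unchanged `errno == ENOENT` test after the `#endif` returns `BadFontPath`. That turns a previously readable symlinked alias file into a hard error for the directory; if this is intended, a comment should say so, e.g. `/* symlinked alias files are rejected on purpose and reported as BadFontPath */`. If a `close(file_fd)` is added for the `fdopen()` failure path, `errno` has to be saved before it, because that same test reads `errno` afterwards.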
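Review bot: `O_CLOEXEC` is added to the `open()` flags in FontFileOpen without a fallback, while `O_NOFOLLOW` gets `#define O_NOFOLLOW 0` in the hunk just above. On a platform that lacks `O_CLOEXEC` this file no longer compiles, and on one that lacks `O_NOFOLLOW` the symlink protection silently disappears. I would add a matching `#ifndef O_CLOEXEC` / `#define O_CLOEXEC 0` guard and a comment on both fallbacks saying that the flag becomes a no-op there. Note also that `O_NOFOLLOW` only refuses a symlink in the final path component; links in parent directories are still followed. The same two hunks appear in external/mit/libXfont/dist/src/fontfile/fileio.c.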
@@ -413,8 +413,10 @@ PatternMatch(char *pat, int patdashes, c } } case '?': - if (*string++ == XK_minus) + if ((t = *string++) == XK_minus) stringdashes--; + if (!t) + return 0; break; case '\0': return (*string == '\0'); Index: external/mit/libXcursor/dist/src/file.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/libXcursor/dist/src/file.c,v retrieving revision 1.1.1.3.2.1 diff -p -u -u -r1.1.1.3.2.1 file.c --- external/mit/libXcursor/dist/src/file.c 6 Jun 2013 03:44:25 -0000 1.1.1.3.2.1 +++ external/mit/libXcursor/dist/src/file.c 30 Nov 2017 02:18:14 -0000 @@ -29,6 +29,11 @@ XcursorImageCreate (int width, int heigh { XcursorImage *image; + if (width < 0 || height < 0) + return NULL; + if (width > XCURSOR_IMAGE_MAX_SIZE || height > XCURSOR_IMAGE_MAX_SIZE) + return NULL; + image = malloc (sizeof (XcursorImage) + width * height * sizeof (XcursorPixel)); if (!image) @@ -102,7 +107,7 @@ XcursorCommentCreate (XcursorUInt commen { XcursorComment *comment; - if (length > XCURSOR_COMMENT_MAX_LEN) + if (length < 0 || length > XCURSOR_COMMENT_MAX_LEN) return NULL; comment = malloc (sizeof (XcursorComment) + length + 1); @@ -449,7 +454,8 @@ _XcursorReadImage (XcursorFile *file, if (!_XcursorReadUInt (file, &head.delay)) return NULL; /* sanity check data */ - if (head.width >= 0x10000 || head.height > 0x10000) + if (head.width > XCURSOR_IMAGE_MAX_SIZE || + head.height > XCURSOR_IMAGE_MAX_SIZE) return NULL; if (head.width == 0 || head.height == 0) return NULL; 
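Review bot: In the `'?'` case of PatternMatch the end-of-string test comes after the dash bookkeeping and the assignment is buried in the condition, which makes the new guard easy to misread. Testing for the terminator first reads more directly and behaves the same: `t = *string++;` then `if (!t) return 0;` then `if (t == XK_minus) stringdashes--;`. `t` is declared outside the hunk, so its type cannot be checked here; it should be the same character type as `*string`. The same change appears in external/mit/libXfont/dist/src/fontfile/fontdir.c.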
@@ -458,6 +464,8 @@ _XcursorReadImage (XcursorFile *file, /* Create the image and initialize it */ image = XcursorImageCreate (head.width, head.height); + if (image == NULL) + return NULL; if (chunkHeader.version < image->version) image->version = chunkHeader.version; image->size = chunkHeader.subtype; Index: external/mit/libXcursor/dist/src/library.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/libXcursor/dist/src/library.c,v retrieving revision 1.1.1.2 diff -p -u -u -r1.1.1.2 library.c --- external/mit/libXcursor/dist/src/library.c 8 Nov 2009 09:42:56 -0000 1.1.1.2 +++ external/mit/libXcursor/dist/src/library.c 30 Nov 2017 02:18:14 -0000 @@ -180,7 +180,7 @@ _XcursorThemeInherits (const char *full) if (*l != '=') continue; l++; while (*l == ' ') l++; - result = malloc (strlen (l)); + result = malloc (strlen (l) + 1); if (result) { r = result; Index: external/mit/libXfont/dist/src/bitmap/pcfread.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/libXfont/dist/src/bitmap/pcfread.c,v retrieving revision 1.1.1.2.2.1 diff -p -u -u -r1.1.1.2.2.1 pcfread.c --- external/mit/libXfont/dist/src/bitmap/pcfread.c 19 May 2012 15:40:31 -0000 1.1.1.2.2.1 +++ external/mit/libXfont/dist/src/bitmap/pcfread.c 30 Nov 2017 02:18:14 -0000 @@ -45,6 +45,7 @@ from The Open Group. #include #include +#include void pcfError(const char* message, ...) 
@@ -308,11 +309,19 @@ pcfGetProperties(FontInfoPtr pFontInfo, if (IS_EOF(file)) goto Bail; position += string_size; for (i = 0; i < nprops; i++) { + if (props[i].name >= string_size) { + pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].name, string_size); + goto Bail; + } props[i].name = MakeAtom(strings + props[i].name, - strlen(strings + props[i].name), TRUE); + strnlen(strings + props[i].name, string_size - props[i].name), TRUE); if (isStringProp[i]) { + if (props[i].value >= string_size) { + pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].value, string_size); + goto Bail; + } props[i].value = MakeAtom(strings + props[i].value, - strlen(strings + props[i].value), TRUE); + strnlen(strings + props[i].value, string_size - props[i].value), TRUE); } } free(strings); Index: external/mit/libXfont/dist/src/fontfile/dirfile.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/libXfont/dist/src/fontfile/dirfile.c,v retrieving revision 1.1.1.2.2.1 diff -p -u -u -r1.1.1.2.2.1 dirfile.c --- external/mit/libXfont/dist/src/fontfile/dirfile.c 14 May 2014 03:34:12 -0000 1.1.1.2.2.1 +++ external/mit/libXfont/dist/src/fontfile/dirfile.c 30 Nov 2017 02:18:14 -0000 @@ -44,6 +44,7 @@ in this Software without prior written a #include #include #include +#include #include #include @@ -61,8 +62,9 @@ FontFileReadDirectory (char *directory, char dir_file[MAXFONTFILENAMELEN]; char dir_path[MAXFONTFILENAMELEN]; char *ptr; - FILE *file; - int count, + FILE *file = 0; + int file_fd, + count, num_fonts, status; struct stat statb; 
@@ -92,7 +94,14 @@ FontFileReadDirectory (char *directory, if (dir_file[strlen(dir_file) - 1] != '/') strcat(dir_file, "/"); strcat(dir_file, FontDirFile); +#ifndef WIN32 + file_fd = open(dir_file, O_RDONLY | O_NOFOLLOW); + if (file_fd >= 0) { + file = fdopen(file_fd, "rt"); + } +#else file = fopen(dir_file, "rt"); +#endif if (file) { #ifndef WIN32 if (fstat (fileno(file), &statb) == -1) @@ -262,7 +271,8 @@ ReadFontAlias(char *directory, Bool isFi char alias[MAXFONTNAMELEN]; char font_name[MAXFONTNAMELEN]; char alias_file[MAXFONTFILENAMELEN]; - FILE *file; + int file_fd; + FILE *file = 0; FontDirectoryPtr dir; int token; char *lexToken; @@ -280,7 +290,16 @@ ReadFontAlias(char *directory, Bool isFi strcat(alias_file, "/"); strcat(alias_file, FontAliasFile); } + +#ifndef WIN32 + file_fd = open(alias_file, O_RDONLY | O_NOFOLLOW); + if (file_fd >= 0) { + file = fdopen(file_fd, "rt"); + } +#else file = fopen(alias_file, "rt"); +#endif + if (!file) return ((errno == ENOENT) ? Successful : BadFontPath); if (!dir) Index: external/mit/libXfont/dist/src/fontfile/fileio.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/libXfont/dist/src/fontfile/fileio.c,v retrieving revision 1.1.1.2 diff -p -u -u -r1.1.1.2 fileio.c --- external/mit/libXfont/dist/src/fontfile/fileio.c 10 Jun 2009 07:33:40 -0000 1.1.1.2 +++ external/mit/libXfont/dist/src/fontfile/fileio.c 30 Nov 2017 02:18:14 -0000 @@ -39,6 +39,9 @@ in this Software without prior written a #ifndef O_BINARY #define O_BINARY O_RDONLY #endif +#ifndef O_NOFOLLOW +#define O_NOFOLLOW 0 +#endif FontFilePtr FontFileOpen (const char *name) 
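Review bot: The non-Windows branch in FontFileReadDirectory passes `"rt"` to `fdopen()`, but `t` is not a mode character defined by POSIX and this branch is compiled only when `WIN32` is not defined. The xfree copy of this hunk uses plain `"r"`; doing the same here, `file = fdopen(file_fd, "r");`, keeps the text-mode flag on the `fopen()` path where it has meaning. The ReadFontAlias hunk that follows has the same call.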
@@ -47,7 +50,7 @@ FontFileOpen (const char *name) int len; BufFilePtr raw, cooked; - fd = open (name, O_BINARY); + fd = open (name, O_BINARY|O_CLOEXEC|O_NOFOLLOW); if (fd < 0) return 0; raw = BufFileOpenRead (fd); Index: external/mit/libXfont/dist/src/fontfile/fontdir.c =================================================================== RCS file: /cvsroot/xsrc/external/mit/libXfont/dist/src/fontfile/fontdir.c,v retrieving revision 1.1.1.3 diff -p -u -u -r1.1.1.3 fontdir.c --- external/mit/libXfont/dist/src/fontfile/fontdir.c 9 Nov 2009 06:22:29 -0000 1.1.1.3 +++ external/mit/libXfont/dist/src/fontfile/fontdir.c 30 Nov 2017 02:18:14 -0000 @@ -398,8 +398,10 @@ PatternMatch(char *pat, int patdashes, c } } case '?': - if (*string++ == XK_minus) + if ((t = *string++) == XK_minus) stringdashes--; + if (!t) + return 0; break; case '\0': return (*string == '\0');