2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch
new file mode 100644
index 0000000000..cc66c12452
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch
@@ -0,0 +1,40 @@
+From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 6 Feb 2015 15:54:00 -0800
+Subject: [PATCH] bdfReadCharacters: bailout if a char's bitmap cannot be read
+ [CVE-2015-1803]
+Previously would charge on ahead with a NULL pointer in ci->bits, and
+then crash later in FontCharInkMetrics() trying to access the bits.
+Found with afl-1.23b.
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Upstream-Status: backport
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ src/bitmap/bdfread.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 6387908..1b29b81 100644
+--- a/src/bitmap/bdfread.c
+++ b/src/bitmap/bdfread.c
+@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+            ci->metrics.descent = -bb;
+            ci->metrics.characterWidth = wx;
+            ci->bits = NULL;
+-           bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes);
+           if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) {
+               bdfError("could not read bitmap for character '%s'\n", charName);
+               goto BAILOUT;
+           }
+            ci++;
+            ndx++;
+        } else
+-- 
+1.7.9.5
diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
index 4a3c9b7db7..64ec6a3422 100644
--- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
+++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
@@ -19,6 +19,7 @@ XORG_PN = "libXfont"
 BBCLASSEXTEND = "native"
 SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \
+            file://0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch \
           "
 SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb"

diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch new file mode 100644 index 0000000000..cc66c12452 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch
@@ -0,0 +1,40 @@
		1	From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001
		2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
		3	Date: Fri, 6 Feb 2015 15:54:00 -0800
		4	Subject: [PATCH] bdfReadCharacters: bailout if a char's bitmap cannot be read
		5	[CVE-2015-1803]
		6
		7	Previously would charge on ahead with a NULL pointer in ci->bits, and
		8	then crash later in FontCharInkMetrics() trying to access the bits.
		9
		10	Found with afl-1.23b.
		11
		12	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
		13	Reviewed-by: Julien Cristau <jcristau@debian.org>
		14
		15	Upstream-Status: backport
		16
		17	Signed-off-by: Li Zhou <li.zhou@windriver.com>
		18	---
		19	src/bitmap/bdfread.c \| 5 ++++-
		20	1 file changed, 4 insertions(+), 1 deletion(-)
		21
		22	diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
		23	index 6387908..1b29b81 100644
		24	--- a/src/bitmap/bdfread.c
		25	+++ b/src/bitmap/bdfread.c
		26	@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
		27	ci->metrics.descent = -bb;
		28	ci->metrics.characterWidth = wx;
		29	ci->bits = NULL;
		30	- bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes);
		31	+ if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) {
		32	+ bdfError("could not read bitmap for character '%s'\n", charName);
		33	+ goto BAILOUT;
		34	+ }
		35	ci++;
		36	ndx++;
		37	} else
		38	--
		39	1.7.9.5
		40


diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb index 4a3c9b7db7..64ec6a3422 100644 --- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb +++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
@@ -19,6 +19,7 @@ XORG_PN = "libXfont"
19	BBCLASSEXTEND = "native"	19	BBCLASSEXTEND = "native"
20		20
21	SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \	21	SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \
		22	file://0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch \
22	"	23	"
23		24
24	SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb"	25	SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb"