$NetBSD: patch-an,v 1.1.1.1 2004/01/24 08:47:31 xtraeme Exp $
Index: lib/FS/FSFontInfo.c
===================================================================
RCS file: /home/ncvs/xfree/xc/lib/FS/FSFontInfo.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -u -r1.2 -r1.3
--- lib/FS/FSFontInfo.c	14 Dec 2001 19:53:32 -0000	1.2
+++ lib/FS/FSFontInfo.c	29 Aug 2003 18:01:10 -0000	1.3
@@ -65,7 +65,7 @@
     long        nbytes;
     int         i,
                 j;
-    int         size = 0;
+    size_t      size = 0;
     FSXFontInfoHeader **fhdr = (FSXFontInfoHeader **) 0;
     FSPropInfo **pi = (FSPropInfo **) 0;
     FSPropOffset **po = (FSPropOffset **) 0;
@@ -123,8 +123,14 @@
 	if (reply.nameLength == 0)	/* got last reply in version 1 */
 	    break;
 	if ((i + reply.nReplies) >= size) {
+
+	    if (reply.nReplies > SIZE_T_MAX - i - 1) 
+		goto badmem;
 	    size = i + reply.nReplies + 1;
 
+	    if (size > SIZE_T_MAX / sizeof(char *)) 
+		goto badmem;
+
 	    if (fhdr) {
 		FSXFontInfoHeader **tmp_fhdr = (FSXFontInfoHeader **)
 		FSrealloc((char *) fhdr,
@@ -237,6 +243,9 @@
 	pi[i]->num_offsets = local_pi.num_offsets;
 	pi[i]->data_len = local_pi.data_len;
 
+	if (pi[i]->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset))
+	    goto badmem;
+
 	po[i] = (FSPropOffset *)
 	    FSmalloc(pi[i]->num_offsets * sizeof(FSPropOffset));
 	if (!po[i]) {
@@ -281,6 +290,10 @@
 
 	    nbytes = pi[i]->data_len + reply.nameLength;
 	    _FSEatData(svr, (unsigned long) (((nbytes+3)&~3) - nbytes));
+	}
+	/* avoid integer overflow */
+	if (i > INT_MAX - 1) {
+	    goto badmem;
 	}
     }
     *info = fhdr;
Index: lib/FS/FSFtNames.c
===================================================================
RCS file: /home/ncvs/xfree/xc/lib/FS/FSFtNames.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -u -r1.2 -r1.3
--- lib/FS/FSFtNames.c	14 Dec 2001 19:53:32 -0000	1.2
+++ lib/FS/FSFtNames.c	29 Aug 2003 18:01:10 -0000	1.3
@@ -78,7 +78,8 @@
 	  (SIZEOF(fsListFontsReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
 	return (char **) 0;
 
-    if (rep.nFonts) {
+    if (rep.nFonts && rep.nFonts <= SIZE_T_MAX / sizeof(char *)
+	&& rep.length <= ((SIZE_T_MAX + SIZEOF(fsListFontsReply) - 1) >> 2)) {
 	flist = (char **) FSmalloc((unsigned) rep.nFonts * sizeof(char *));
 	rlen = (rep.length << 2) - SIZEOF(fsListFontsReply);
 	c = (char *) FSmalloc((unsigned) (rlen + 1));
Index: lib/FS/FSGetCats.c
===================================================================
RCS file: /home/ncvs/xfree/xc/lib/FS/FSGetCats.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -u -r1.2 -r1.3
--- lib/FS/FSGetCats.c	14 Dec 2001 19:53:32 -0000	1.2
+++ lib/FS/FSGetCats.c	29 Aug 2003 18:01:10 -0000	1.3
@@ -72,9 +72,10 @@
 	SyncHandle();
 	return (char **) NULL;
     }
-    if (rep.num_catalogues) {
+    if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *)
+	&& rep.length <= ((SIZE_T_MAX + SIZEOF(fsGetCataloguesReply) - 1)>>2)) {
 	list = (char **)
-	    FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
+	       FSmalloc((unsigned) (rep.num_catalogues * sizeof(char *)));
 	rlen = (rep.length << 2) - SIZEOF(fsGetCataloguesReply);
 	c = (char *) FSmalloc((unsigned) rlen + 1);
 	if ((!list) || (!c)) {
Index: lib/FS/FSListCats.c
===================================================================
RCS file: /home/ncvs/xfree/xc/lib/FS/FSListCats.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -u -r1.2 -r1.3
--- lib/FS/FSListCats.c	14 Dec 2001 19:53:32 -0000	1.2
+++ lib/FS/FSListCats.c	29 Aug 2003 18:01:10 -0000	1.3
@@ -78,7 +78,8 @@
     (SIZEOF(fsListCataloguesReply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
 	return (char **) 0;
 
-    if (rep.num_catalogues) {
+    if (rep.num_catalogues && rep.num_catalogues <= SIZE_T_MAX/sizeof(char *)
+	&& rep.length <= ((SIZE_T_MAX+SIZEOF(fsListCataloguesReply)+1)>>2)) {
 	clist = (char **)
 	    FSmalloc((unsigned) rep.num_catalogues * sizeof(char *));
 	rlen = (rep.length << 2) - SIZEOF(fsListCataloguesReply);
Index: lib/FS/FSListExt.c
===================================================================
RCS file: /home/ncvs/xfree/xc/lib/FS/FSListExt.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -u -r1.2 -r1.3
--- lib/FS/FSListExt.c	14 Dec 2001 19:53:32 -0000	1.2
+++ lib/FS/FSListExt.c	29 Aug 2003 18:01:10 -0000	1.3
@@ -72,7 +72,8 @@
 	SyncHandle();
 	return (char **) NULL;
     }
-    if (rep.nExtensions) {
+    if (rep.nExtensions && rep.nExtensions <= SIZE_T_MAX / sizeof(char *)
+	&& rep.length <= ((SIZE_T_MAX+SIZEOF(fsListExtensionsReply)+1)>>2)) {
 	list = (char **) FSmalloc((unsigned)(rep.nExtensions * sizeof(char *)));
 	rlen = (rep.length << 2) - SIZEOF(fsListExtensionsReply);
 	c = (char *) FSmalloc((unsigned) rlen + 1);
Index: lib/FS/FSOpenServ.c
===================================================================
RCS file: /home/ncvs/xfree/xc/lib/FS/FSOpenServ.c,v
retrieving revision 1.6
retrieving revision 1.7
diff -u -u -r1.6 -r1.7
--- lib/FS/FSOpenServ.c	14 Dec 2001 19:53:33 -0000	1.6
+++ lib/FS/FSOpenServ.c	29 Aug 2003 18:01:11 -0000	1.7
@@ -118,7 +118,7 @@
     AlternateServer *alts;
     int         altlen;
     char       *vendor_string;
-    long        setuplength;
+    unsigned long        setuplength;
 
     if (server == NULL || *server == '\0') {
 	if ((server = getenv("FONTSERVER")) == NULL) {
@@ -153,7 +153,8 @@
     _FSRead(svr, (char *) &prefix, (long) SIZEOF(fsConnSetup));
 
     setuplength = prefix.alternate_len << 2;
-    if ((alt_data = (char *)
+    if (setuplength > (SIZE_T_MAX>>2)
+	|| (alt_data = (char *)
 	 (setup = FSmalloc((unsigned) setuplength))) == NULL) {
 	errno = ENOMEM;
 	FSfree((char *) svr);
@@ -162,6 +163,10 @@
     _FSRead(svr, (char *) alt_data, setuplength);
     ad = alt_data;
 
+    if (prefix.num_alternates > SIZE_T_MAX / sizeof(AlternateServer)) {
+	errno = ENOMEM;
+	return (FSServer *) 0;
+    }
     alts = (AlternateServer *)
 	FSmalloc(sizeof(AlternateServer) * prefix.num_alternates);
     if (!alts) {
@@ -193,7 +198,8 @@
     svr->num_alternates = prefix.num_alternates;
 
     setuplength = prefix.auth_len << 2;
-    if ((auth_data = (char *)
+    if (prefix.auth_len > (SIZE_T_MAX>>2) 
+	|| (auth_data = (char *)
 	 (setup = FSmalloc((unsigned) setuplength))) == NULL) {
 	errno = ENOMEM;
 	FSfree((char *) svr);
Index: lib/FS/FSQGlyphs.c
===================================================================
RCS file: /home/ncvs/xfree/xc/lib/FS/FSQGlyphs.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -u -r1.2 -r1.3
--- lib/FS/FSQGlyphs.c	14 Dec 2001 19:53:33 -0000	1.2
+++ lib/FS/FSQGlyphs.c	29 Aug 2003 18:01:11 -0000	1.3
@@ -85,12 +85,20 @@
      (SIZEOF(fsQueryXBitmaps8Reply) - SIZEOF(fsGenericReply)) >> 2, fsFalse))
 	return FSBadAlloc;
 
+    if (reply.num_chars > SIZE_T_MAX / sizeof(FSOffset)) 
+	return FSBadAlloc;
+
     offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
     *offsets = offs;
     if (!offs)
 	return FSBadAlloc;
     left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps8Reply)
 	- (SIZEOF(fsOffset32) * reply.num_chars);
+    /* XXX This thest is incomplete */
+    if (reply.length > (SIZE_T_MAX >> 2)) {
+	FSfree((char *) offs);
+	return FSBadAlloc;
+    }
     gd = (unsigned char *) FSmalloc(left);
     *glyphdata = gd;
     if (!gd) {
@@ -141,6 +149,8 @@
 	int i;
 	fsChar2b_version1 *swapped_str;
 
+	if (str_len > SIZE_T_MAX/SIZEOF(fsChar2b_version1)) 
+	    return FSBadAlloc;
 	swapped_str = (fsChar2b_version1 *)
 	    FSmalloc(SIZEOF(fsChar2b_version1) * str_len);
 	if (!swapped_str)
@@ -160,12 +170,19 @@
 		  fsFalse))
 	return FSBadAlloc;
 
+    if(reply.num_chars > SIZE_T_MAX/sizeof(FSOffset))
+       return FSBadAlloc;
     offs = (FSOffset *) FSmalloc(sizeof(FSOffset) * reply.num_chars);
     *offsets = offs;
     if (!offs)
 	return FSBadAlloc;
     left = (reply.length << 2) - SIZEOF(fsQueryXBitmaps16Reply)
 	- (SIZEOF(fsOffset32) * reply.num_chars);
+    /* XXX - this test is incomplete */
+    if (reply.length > (SIZE_T_MAX>>2)) {
+	FSfree((char *) offs);
+	return FSBadAlloc;
+    }
     gd = (unsigned char *) FSmalloc(left);
     *glyphdata = gd;
     if (!gd) {
Index: lib/FS/FSQXExt.c
===================================================================
RCS file: /home/ncvs/xfree/xc/lib/FS/FSQXExt.c,v
retrieving revision 1.5
retrieving revision 1.6
diff -u -u -r1.5 -r1.6
--- lib/FS/FSQXExt.c	14 Dec 2001 19:53:33 -0000	1.5
+++ lib/FS/FSQXExt.c	29 Aug 2003 18:01:12 -0000	1.6
@@ -92,6 +92,9 @@
 	       (SIZEOF(fsQueryXExtents8Reply) - SIZEOF(fsGenericReply)) >> 2,
 		  fsFalse))
 	return FSBadAlloc;
+    
+    if (reply.num_extents > SIZE_T_MAX / sizeof(FSXCharInfo)) 
+	return FSBadAlloc;
 
     ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
     *extents = ext;
@@ -147,6 +150,9 @@
     if (!_FSReply(svr, (fsReply *) & reply,
 	      (SIZEOF(fsQueryXExtents16Reply) - SIZEOF(fsGenericReply)) >> 2,
 		  fsFalse))
+	return FSBadAlloc;
+
+    if (reply.num_extents > SIZE_T_MAX/sizeof(FSXCharInfo)) 
 	return FSBadAlloc;
 
     ext = (FSXCharInfo *) FSmalloc(sizeof(FSXCharInfo) * reply.num_extents);
Index: lib/FS/FSQXInfo.c
===================================================================
RCS file: /home/ncvs/xfree/xc/lib/FS/FSQXInfo.c,v
retrieving revision 1.2
retrieving revision 1.3
diff -u -u -r1.2 -r1.3
--- lib/FS/FSQXInfo.c	14 Dec 2001 19:53:33 -0000	1.2
+++ lib/FS/FSQXInfo.c	29 Aug 2003 18:01:12 -0000	1.3
@@ -91,6 +91,9 @@
     props->num_offsets = local_pi.num_offsets;
     props->data_len = local_pi.data_len;
 
+    if (props->num_offsets > SIZE_T_MAX / sizeof(FSPropOffset)) 
+	return FSBadAlloc;
+
     /* prepare for prop data */
     offset_data = (FSPropOffset *)
 	FSmalloc(props->num_offsets * sizeof(FSPropOffset));
Index: lib/FS/FSlibint.h
===================================================================
RCS file: /home/ncvs/xfree/xc/lib/FS/FSlibint.h,v
retrieving revision 3.7
retrieving revision 3.8
diff -u -u -r3.7 -r3.8
--- lib/FS/FSlibint.h	14 Dec 2001 19:53:33 -0000	3.7
+++ lib/FS/FSlibint.h	29 Aug 2003 18:01:12 -0000	3.8
@@ -76,6 +76,11 @@
 #include	"FSlibos.h"
 #include	<errno.h>
 #include	<stddef.h>
+
+#include	<limits.h>
+#ifndef SIZE_T_MAX
+#define SIZE_T_MAX UINT_MAX
+#endif
 
 typedef int (* FSIOErrorHandler)(FSServer *);
 typedef int (* FSErrorHandler)(FSServer *, FSErrorEvent *);
Index: lib/font/fc/fserve.c
===================================================================
RCS file: /home/ncvs/xfree/xc/lib/font/fc/fserve.c,v
retrieving revision 3.23
retrieving revision 3.24
diff -u -u -r3.23 -r3.24
--- lib/font/fc/fserve.c	27 May 2003 22:26:48 -0000	3.23
+++ lib/font/fc/fserve.c	29 Aug 2003 18:01:13 -0000	3.24
@@ -1505,8 +1505,8 @@
 
     if (conn->blockState & FS_GIVE_UP)
 	return BadFontName;
-    
-    if (namelen > sizeof (buf) - 1)
+ 
+    if (namelen <= 0 || namelen > sizeof (buf) - 1)
 	return BadFontName;
     
     /*
Index: lib/font/fc/fslibos.h
===================================================================
RCS file: /home/ncvs/xfree/xc/lib/font/fc/fslibos.h,v
retrieving revision 3.7
retrieving revision 3.8
diff -u -u -r3.7 -r3.8
--- lib/font/fc/fslibos.h	31 May 2002 18:45:49 -0000	3.7
+++ lib/font/fc/fslibos.h	29 Aug 2003 18:01:14 -0000	3.8
@@ -48,13 +48,16 @@
 #ifndef FONT_OPEN_MAX
 
 #ifndef X_NOT_POSIX
-#ifdef _POSIX_SOURCE
-#include <limits.h>
-#else
-#define _POSIX_SOURCE
-#include <limits.h>
-#undef _POSIX_SOURCE
+# ifdef _POSIX_SOURCE
+#  include <limits.h>
+# else
+#  define _POSIX_SOURCE
+#  include <limits.h>
+#  undef _POSIX_SOURCE
+# endif
 #endif
+#ifndef SIZE_T_MAX
+# define SIZE_T_MAX UINT_MAX
 #endif
 #ifndef OPEN_MAX
 #if defined(SVR4) || defined(__UNIXOS2__)

