1. 19 Jul, 2018 3 commits
  2. 10 Jul, 2018 1 commit
  3. 13 Jun, 2018 1 commit
  4. 11 Jun, 2018 1 commit
  5. 25 May, 2018 2 commits
  6. 16 May, 2018 1 commit
    • Chris Lamb
      Ensure cache checksums are deterministic · f098adac
      Chris Lamb authored and Akira TAGOH committed
      Whilst working on the Reproducible Builds[0] effort, we noticed that
      fontconfig generates unreproducible cache files.
      
      This is because fc-cache uses the modification timestamps of each
      directory in the "checksum" and "checksum_nano" members of the _FcCache
      struct. This is so that it can identify which cache files are valid
      and/or require regeneration.
      
      This patch changes the behaviour of the checksum calculations to prefer
      the value of the SOURCE_DATE_EPOCH[1] environment variable over the
      directory's own mtime. This variable can then be exported by build
      systems to ensure reproducible output.
      
      If SOURCE_DATE_EPOCH is not set or is newer than the mtime of the
      directory, the existing behaviour is unchanged.
      
      This work was sponsored by Tails[2].
      
       [0] https://reproducible-builds.org/
       [1] https://reproducible-builds.org/specs/source-date-epoch/
       [2] https://tails.boum.org/
  7. 13 May, 2018 1 commit
  8. 18 Dec, 2017 3 commits
  9. 20 Nov, 2017 5 commits
  10. 14 Nov, 2017 1 commit
  11. 14 Nov, 2016 1 commit
    • Akira TAGOH
      Fix FcCacheOffsetsValid() · 0e9b2a15
      Akira TAGOH authored
      Validation fails when the FcValueList contains more than font->num.
      This logic was wrong because font->num contains the number of elements
      in FcPatternElt, not of FcValue entries in FcValueList.
      
      This corrects 7a4a5bd7.
      
      Patch from Tobias Stoeckmann
  12. 05 Aug, 2016 1 commit
    • Tobias Stoeckmann
      Properly validate offsets in cache files. · 7a4a5bd7
      Tobias Stoeckmann authored and Akira TAGOH committed
      
      The cache files are insufficiently validated. Even though the magic
      number at the beginning of the file as well as time stamps are checked,
      it is not verified if contained offsets are in legal ranges or are
      even pointers.
      
      The lack of validation allows an attacker to trigger arbitrary free()
      calls, which in turn allows double free attacks and therefore arbitrary
      code execution. Due to the conversion from offsets into pointers through
      macros, this even allows circumventing ASLR protections.
      
      This attack vector allows privilege escalation when used with setuid
      binaries like fbterm. A user can create ~/.fonts or any other
      system-defined user-private font directory, run fc-cache and adjust
      cache files in ~/.cache/fontconfig. Setuid binaries will scan these
      files on execution and are therefore prone to attacks.
      
      If it's not about code execution, an endless loop can be created by
      letting linked lists become circular linked lists.
      
      This patch verifies that:
      
      - The file is not larger than the maximum addressable space, which
        basically only affects 32 bit systems. This allows out of boundary
        access into unallocated memory.
      - Offsets are always positive or zero
      - Offsets do not point outside file boundaries
      - No pointers are allowed in cache files, every "pointer or offset"
        field must be an offset or NULL
      - Iterating linked lists must not take longer than the amount of elements
        specified. A violation of this rule can break a possible endless loop.
      
      If one or more of these points are violated, the cache is recreated.
      This is current behaviour.
      
      Even though this patch fixes many issues, the use of mmap() shall be
      forbidden in setuid binaries. It is impossible to guarantee with these
      checks that a malicious user does not change cache files after
      verification. This should be handled in a different patch.
      Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
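The checks listed in this commit message, as an added illustration in C that is not fontconfig's own code: a constructed toy cache layout (a header plus a linked list), an assumed tag-bit link encoding, and a validator that rejects raw pointers, negative or out-of-file offsets, and lists that run longer than their declared element count.

```c
#include <stdint.h>
#include <string.h>
/* Constructed toy layout for this example, not fontconfig's real _FcCache:
 * a header followed by a singly linked list. Every link field is 0 (NULL) or
 * a file-relative offset with bit 0 set (an assumed tag encoding); a raw
 * pointer (nonzero, bit 0 clear) is never valid inside a cache file. */
#define CACHE_MAGIC 0xFC02FC02u
typedef struct { uint32_t magic, size, count; intptr_t head; } cache_hdr;
typedef struct { uint32_t value; intptr_t next; } list_node;

/* Decode a link into an offset with room for `need` bytes; returns 0 on a
 * raw pointer, a negative value, or an offset reaching past the file. */
static int decode_link(const cache_hdr *h, intptr_t link, size_t need, uintptr_t *off)
{
    if (link == 0) { *off = 0; return 1; }                /* NULL terminator */
    if (link < 0 || (link & 1) == 0) return 0;             /* negative or pointer */
    uintptr_t o = (uintptr_t)link & ~(uintptr_t)1;
    if (o > h->size || need > h->size - o) return 0;       /* outside the file */
    *off = o;
    return 1;
}

/* 1 if the header and every link are sane and the list ends within h.count
 * steps; 0 means the cache must be discarded and regenerated. */
int cache_offsets_valid(const uint8_t *buf, size_t buflen)
{
    cache_hdr h;
    uintptr_t off;
    uint32_t seen = 0;
    if (buflen < sizeof h || buflen > UINT32_MAX) return 0;  /* addressable size */
    memcpy(&h, buf, sizeof h);
    if (h.magic != CACHE_MAGIC || h.size != buflen) return 0;
    if (!decode_link(&h, h.head, sizeof(list_node), &off)) return 0;
    while (off != 0) {
        list_node n;
        if (seen++ >= h.count) return 0;  /* cycle, or more nodes than declared */
        memcpy(&n, buf + off, sizeof n);
        if (!decode_link(&h, n.next, sizeof n, &off)) return 0;
    }
    return 1;
}

/* Helper: write a header plus two nodes with caller-chosen links into buf
 * (at least 64 bytes) and return the file size; builds good and bad files. */
size_t build_cache(uint8_t *buf, intptr_t head, intptr_t a_next, intptr_t b_next)
{
    cache_hdr h = { CACHE_MAGIC, 0, 2, head };
    list_node a = { 1, a_next }, b = { 2, b_next };
    h.size = (uint32_t)(sizeof h + sizeof a + sizeof b);
    memcpy(buf, &h, sizeof h);
    memcpy(buf + sizeof h, &a, sizeof a);
    memcpy(buf + sizeof h + sizeof a, &b, sizeof b);
    return h.size;
}
```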
  13. 30 May, 2016 1 commit
  14. 23 May, 2016 1 commit
  15. 06 Apr, 2016 1 commit
  16. 12 Jan, 2016 1 commit
    • Patrick Haller
      Optimizations in FcStrSet · d570a841
      Patrick Haller authored and Akira TAGOH committed
      Applied optimizations:
      - skip duplicate check in FcStrSetAppend for values originating from readdir()
      - grow FcStrSet in 64-element bulks for local FcStrSets (FcConfig layout unaltered)
      
      Starting gedit is measured to
      
                              Unoptimized     Optimized
      user[s]                         0,806         0,579
      sys[s]                          0,062         0,062
      Total Instr Fetch Cost: 1.658.683.750   895.069.820
      Cachegrind D Refs:        513.917.619   312.000.436
      Cachegrind Dl Misses:       8.605.632     4.954.639
  17. 15 Oct, 2015 1 commit
  18. 13 Oct, 2015 2 commits
  19. 14 Aug, 2015 1 commit
  20. 27 May, 2015 1 commit
  21. 17 Jun, 2014 1 commit
  22. 05 Jun, 2014 1 commit
  23. 20 Dec, 2013 1 commit
  24. 02 Dec, 2013 1 commit
  25. 21 Oct, 2013 1 commit
  26. 26 Sep, 2013 1 commit
    • Akira TAGOH
      avoid reading config.h twice · 43f768b5
      Akira TAGOH authored
      config.h is read from fcint.h now, so having a line of the sort of #include "config.h"
      is a duplicate.
      
      Bug 69833 - Incorrect SIZEOF_VOID_P and ALIGNOF_DOUBLE definitions causes nasty warnings on MacOSX when building fat libraries
  27. 07 Aug, 2013 1 commit
  28. 05 Mar, 2013 1 commit
  29. 22 Jan, 2013 1 commit
  30. 16 Jan, 2013 1 commit