commit 3a4f68284c5aeea77789af1fe395cac35efc8562
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Aug 1 17:36:43 2021 -0700

    libXfont2 2.0.5
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit daff8876379c64c7bee126319af804896f83b5da
Author: Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
Date:   Wed Jul 14 17:23:48 2021 +0100

    Fix out-of-bounds read in FontFileMakeDir()
    
    BuiltinReadDirectory() calls FontFileMakeDir ("", builtin_dir_count); and
    this causes the `dirName[dirlen - 1]` access to read before the start of
    the string. I found this while porting Xvnc to CHERI-RISC-V (which has
    bounds and permissions on all pointers).

commit ce7a3265019e4d66198c1581d9e8c859c34e8ef1
Author: Bernd Kuhls <bernd.kuhls@t-online.de>
Date:   Sat Oct 19 09:32:41 2019 +0200

    configure: define HAVE_LIBBSD when libbsd was found

commit 9529d2351fe52ffaaf9342343865073d5c5b6802
Author: Peter Harris <pharris@opentext.com>
Date:   Tue Mar 2 14:39:45 2021 -0500

    Fix use after free when font server connection lost
    
    If there are multiple blocks waiting for the same font, only one of them
    will have ->freeFont set. The rest will be in a state of FS_DEPENDING.
    
    If the font server dies before the font finishes opening, the block with
    ->freeFont set will call ->unload_font, invalidating the pfont pointers
    in the remaining FS_DEPENDING blocks.
    
    Avoid a use after free (and potential crash) by passing conn to
    fs_cleanup_font instead of dereferencing pfont to find the conn.
    
    Signed-off-by: Peter Harris <pharris@opentext.com>

commit e7b2cae1ad9f07c188bcad27767a2f4fa6e0c2a4
Author: Peter Harris <pharris@opentext.com>
Date:   Fri Mar 6 10:42:03 2020 -0500

    Fix crash when font server connection lost
    
    Always initialize the return value of fs_new_block_rec. Even if the
    conn->blockState is FS_BROKEN_CONNECTION | FS_RECONNECTING, we must not
    return with an uninitialized blockrec on the block list. When the
    blockrec times out, _fs_clean_aborted_blockrec calls fs_cleanup_bfont,
    which will try to follow pointers in the blockrec (which has not been
    initialized).
    
    Signed-off-by: Peter Harris <pharris@opentext.com>

commit 608640b87dc47233940664632e3ab8f13972be2b
Author: Jon Turney <jon.turney@dronecode.org.uk>
Date:   Thu Oct 17 19:11:52 2019 +0100

    Fix Win32 build since c4ed2e06 "Add some unit testing utilities"
    
    Provide Win32 replacements for realpath() and err.h

commit 13ebb8f32f767c596b1b8bd16b90703a8135f20b
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Sep 16 10:47:27 2019 -0400

    README: Remove mention of libXfont 1.5
    
    xfs was ported to libXfont2 in release 1.2, and bdftopcf 1.1 includes a
    copy of enough of the old libXfont1 code to not need an external
    libXfont at all.

commit ed8b8e9fe544ec51ab1b1dfaea6fced35470ad6c
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Sep 14 11:34:03 2019 -0700

    libXfont2 2.0.4
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit b46cd2fef2bfe192579930f29a830051670d4d00
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Sep 14 11:32:02 2019 -0700

    Add src/util/replace.h to noinst_HEADERS so it gets included in tarballs
    
    Found when "make distcheck" failed.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 5561a9dc835a249e58cfdb3c384547f6f401a15d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 17 14:31:24 2019 -0700

    fs_read_glyphs: check if rep is null before dereferencing
    
    Resolves coverity warning def16 from the list in
    https://gitlab.freedesktop.org/xorg/lib/libxfont/issues/6
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit c84ce6be6a7e2e70c9ab20b60bc7198699690d50
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 17 14:19:04 2019 -0700

    CatalogueRescan: if opendir() fails, unref fpes, but don't free the cat
    
    None of the callers of CatalogueRescan check for failure before accessing
    the cat pointer so don't free it (especially without clearing the pointer
    to it in fpe->private), just unref the contents.
    
    Can only be triggered if somehow stat() succeeds on the directory, but
    opendir fails anyway (removed between the calls?  permission problem?).
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit c1c5c9aa4cacb9138d6a2e5d37619f7960b54536
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 17 13:56:03 2019 -0700

    ComputeScaledProperties: check for valid pointers before making atoms
    
    Resolves coverity warning def23 from the list in
    https://gitlab.freedesktop.org/xorg/lib/libxfont/issues/6
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 78085e6b683b4e5a13b38508597a0c93ac2ed9ea
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 17 13:41:02 2019 -0700

    stubs/atom.c: check for ResizeHashTable failure
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 3e0e36e4a9fee32105aa7c5cb6e089c495b92b10
Author: Maya Rashish <maya@NetBSD.org>
Date:   Fri Aug 9 12:53:48 2019 +0300

    Fix whitespace

commit 194cb45ceb510c3e580460919cd7e5dd31a285c8
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Aug 4 11:14:39 2019 -0700

    fontxlfd.c: tell gcc that switch fallthrough is intentional
    
    Quiets:
    src/util/fontxlfd.c: In function ‘FontParseXLFDName’:
    src/util/fontxlfd.c:450:14: warning: this statement may fall through [-Wimplicit-fallthrough=]
      replaceChar = '*';
      ~~~~~~~~~~~~^~~~~
    src/util/fontxlfd.c:451:5: note: here
         case FONT_XLFD_REPLACE_ZERO:
         ^~~~
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit ddbee30d3525cdd66b84056affc407601680cc29
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 3 19:29:05 2019 -0700

    Convert multiplying malloc calls to use mallocarray instead
    
    Introduces mallocarray as a macro calling reallocarray with a NULL
    pointer for the old allocation.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit f54470dab5b392380df61a22b4b4bef685b6cee2
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 3 19:09:19 2019 -0700

    Convert multiplying realloc calls to use reallocarray instead
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 27207d35d4b4bbd5d2b2c5f7e13a61ea43d04a4a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 3 16:13:21 2019 -0700

    Add reallocarray fallback if not provided by libc nor libbsd
    
    Implementation copied from the Xserver
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 2178c7445a3464bd69637ad91a2dd0320a60e0df
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 3 18:19:11 2019 -0700

    Use bounds checking string functions everywhere
    
    Replace strcpy, strcat, sprintf with strlcpy, strlcat, snprintf
    everywhere, even where there were already bounds checks in place,
    to reduce time spent checking static analysis results.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit d4c941ea8b1dc07a14efce656bff58d31a14c985
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 3 16:05:21 2019 -0700

    Add strlcat & strlcpy fallbacks if not provided by libc nor libbsd
    
    Implementations copied from the Xserver
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit c4ed2e069dc8aa5b8b7ef2fc926ae8584ff2a67b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 3 13:45:54 2019 -0700

    Add some unit testing utilities
    
    The test/utils directory contains some standalone test programs for testing
    libXfont functionality without needing a full X server session.  They could
    be used to generate automated unit testing in the future, but that work has
    not yet been done.
    
    [v2: updated original work from libXfont 1.5 to 2.0 API & makefiles]
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 77ae4048564eff2e96b80cedfac013877e46d506
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed Jan 4 12:13:04 2017 -0500

    fontfile: Remove unused 'bc' slot from _FontEntry
    
    Whatever this is, we're not using it. On my machine we allocate about
    1100 of these structs, and this change reduces the struct from 152 to 48
    bytes, so this saves about 100k of memory.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

commit 6624b5e705da8333a3bc63d1ddeea6b11e831e24
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 16 12:40:03 2019 -0700

    Update configure.ac bug URL for gitlab migration
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 66a26687b2b86b53c315544483b740deb6f01c1e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Mon Nov 19 22:05:10 2018 -0800

    Update README for gitlab migration
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 099ed6fa9f293d283163b138830d43bbd47c5df1
Author: Rin Okuyama <rin@NetBSD.org>
Date:   Tue Feb 21 06:18:37 2017 +0000

    avoid -Wformat errors from clang when building with -DDEBUG
    
    https://bugs.freedesktop.org/show_bug.cgi?id=99882
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit cdb2f990348c3bd1407022f7e0e5fcba552d539f
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Sat Nov 25 12:01:16 2017 +0100

    libXfont2 2.0.3
    
    Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>

commit 7b377456f95d2ec3ead40f4fb74ea620191f88c8
Author: Michal Srb <msrb@suse.com>
Date:   Thu Oct 26 09:48:13 2017 +0200

    Open files with O_NOFOLLOW. (CVE-2017-16611)
    
    A non-privileged X client can instruct X server running under root to open any
    file by creating its own directory with "fonts.dir", "fonts.alias" or any font file
    being a symbolic link to any other file in the system. X server will then open
    it. This can be an issue with special files such as /dev/watchdog.
    
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

commit d82dfe25491c599f650b2ad868772c3b8e6ba7bc
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed Oct 11 11:33:29 2017 -0400

    libXfont 2.0.2
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

commit 672bb944311392e2415b39c0d63b1e1902905bcd
Author: Michal Srb <msrb@suse.com>
Date:   Thu Jul 20 17:05:23 2017 +0200

    pcfGetProperties: Check string boundaries (CVE-2017-13722)
    
    Without the checks a malformed PCF file can cause the library to make an
    atom from random heap memory that was behind the `strings` buffer.
    This may crash the process or leak information.
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit d1e670a4a8704b8708e493ab6155589bcd570608
Author: Michal Srb <msrb@suse.com>
Date:   Thu Jul 20 13:38:53 2017 +0200

    Check for end of string in PatternMatch (CVE-2017-13720)
    
    If a pattern contains a '?' character, any character in the string is skipped,
    even if it is '\0'. The rest of the matching then reads invalid memory.
    
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 9112a6846b9d8ff18f7568c58e06d0a450e25814
Author: Adam Jackson <ajax@redhat.com>
Date:   Thu Apr 13 12:10:05 2017 -0400

    readme: Update for libXfont 2.0 interface change
    
    While xfs can be more or less trivially ported to 2.0, bdftopcf cannot
    because the font file I/O API is no longer externally visible. This is
    intentional, because bdftopcf is literally the only consumer of that
    API, and is itself only used in the build process for the classic core
    fonts themselves. The plan for bdftopcf is to import a copy of libXfont
    1.5 and link against that statically instead.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Acked-by: Peter Hutterer <peter.hutterer@who-t.net>

commit f8ff8d5f7442b3cbac57d5fe343aabd8f54a030f
Author: Emil Velikov <emil.l.velikov@gmail.com>
Date:   Mon Mar 9 12:00:52 2015 +0000

    autogen.sh: use quoted string variables
    
    Place quotes around the $srcdir, $ORIGDIR and $0 variables to prevent
    fall-outs, when they contain space.
    
    Signed-off-by: Emil Velikov <emil.l.velikov@gmail.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 75b9a15b51a062941a549fef0dedaee9daef4867
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue Jan 24 10:32:07 2017 +1000

    autogen.sh: use exec instead of waiting for configure to finish
    
    Syncs the invocation of configure with the one from the server.
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Reviewed-by: Emil Velikov <emil.velikov@collabora.com>

commit 33a98f2b5343da927f29191348e992f505544873
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed Jun 8 14:28:09 2016 -0400

    freetype: Fix a logic error in computing face name
    
    gcc6 chirps an indentation warning here, but really this is bad code.
    Effectively this would ignore en_US or en_UK names for the font, despite
    that those are the English names the font is most likely to have.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 79084468fb844e386a72d938c67be0728959a2bd
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed May 18 11:49:52 2016 -0400

    autogen: Set a default subject prefix for patches
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

commit 7557fe152d9948bcb4b805bb7b6b6f8121bd34fb
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed May 18 11:52:27 2016 -0400

    configure: Use -fvisibility=hidden if available
    
    text       data     bss     dec     hex filename
     233732    8168    1616  243516   3b73c .libs/libXfont2.so.2.before
     217113    6816    1616  225545   37109 .libs/libXfont2.so.2.after
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Emil Velikov <emil.l.velikov@gmail.com>

commit 6972ea08ee5b2ef1cfbdc2fcaf14f06bbd391561
Author: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Date:   Mon May 30 00:46:21 2016 -0700

    fserve: Fix a buffer read overrun in _fs_client_access
    
    https://bugs.freedesktop.org/show_bug.cgi?id=83224
    
    Found by clang's Address Sanitizer
    
            crac.num_auths = set_font_authorizations(&authorizations, &authlen,
                                                     client);
            /* Work around bug in xfs versions up through modular release 1.0.8
               which rejects CreateAC packets with num_auths = 0 & authlen < 4 */
            if (crac.num_auths == 0) {
                authorizations = padding;
                authlen = 4;
            } else {
                authlen = (authlen + 3) & ~0x3;
            }
            crac.length = (sizeof (fsCreateACReq) + authlen) >> 2;
            crac.acid = cur->acid;
            _fs_add_req_log(conn, FS_CreateAC);
            _fs_write(conn, (char *) &crac, sizeof (fsCreateACReq));
            _fs_write(conn, authorizations, authlen);
    
    In the case in the report, set_font_authorizations set up authorizations as a
    34 byte buffer (and authlen set to 34 as one would expect). The following
    block changed authlen to 36 to make it 4-byte aligned and the final _fs_write()
    caused us to read 36 bytes from this 34 byte buffer.
    
    This changes the incorrect size increase to instead use _fs_write_pad which
    takes care of the padding for us.
    
    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
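
The over-read described in the commit above, as an added example that is not libXfont code: a padded write takes the payload bytes from the caller's buffer and the pad bytes from its own zero array. `struct sink`, `sink_write_pad`, `overread_bytes`, `request_words` and the 8-byte header size are hypothetical names and constructed values.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Round n up to the next multiple of 4. */
#define PAD4(n) (((size_t)(n) + 3u) & ~(size_t)3u)

/* Constructed stand-in for a connection output buffer (hypothetical). */
struct sink {
    unsigned char data[256];
    size_t len;
};

/* Copy exactly n bytes from buf into the sink; 0 on success, -1 if full. */
static int sink_write(struct sink *s, const void *buf, size_t n)
{
    if (n > sizeof(s->data) - s->len)
        return -1;
    memcpy(s->data + s->len, buf, n);
    s->len += n;
    return 0;
}

/* Bytes a plain write would read past a buflen-byte buffer when the caller
 * rounds the length up to a 4-byte boundary before writing. */
size_t overread_bytes(size_t buflen)
{
    return PAD4(buflen) - buflen;
}

/* Request length in 4-byte units: the length field counts the padded
 * payload even though only the unpadded bytes are read from the buffer. */
size_t request_words(size_t hdr_bytes, size_t payload_bytes)
{
    return (hdr_bytes + PAD4(payload_bytes)) >> 2;
}

/* Padded write: n payload bytes come from buf, the 0-3 pad bytes come from
 * a local zero array, so buf is never read beyond n.
 * Returns the number of bytes queued (a multiple of 4), or -1 on failure. */
long sink_write_pad(struct sink *s, const void *buf, size_t n)
{
    static const unsigned char zeros[3] = { 0, 0, 0 };
    size_t padded = PAD4(n);

    if (padded < n || padded > sizeof(s->data) - s->len)
        return -1;
    if (sink_write(s, buf, n) != 0 || sink_write(s, zeros, padded - n) != 0)
        return -1;
    return (long)padded;
}

int main(void)
{
    unsigned char auth[34];   /* constructed 34-byte payload, as in the report */
    struct sink s;

    memset(auth, 0xAA, sizeof(auth));
    memset(&s, 0, sizeof(s));
    printf("rounded length would over-read %zu bytes\n",
           overread_bytes(sizeof(auth)));
    printf("padded write queued %ld bytes\n",
           sink_write_pad(&s, auth, sizeof(auth)));
    printf("length field (8-byte header, constructed): %zu words\n",
           request_words(8, sizeof(auth)));
    return 0;
}
```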

commit d967caa988eaabd9e84c82879e2f21bd33b952a7
Author: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Date:   Sun May 29 23:39:06 2016 -0700

    fstrans: Remove unused foo() function
    
    The point of it seems to have been to silence an unused function warning, but
    there's no point if we're just transitioning that to another unused function
    warning.
    
    src/fc/fstrans.c:32:20: warning: unused function 'foo' [-Wunused-function]
    static inline void foo(void) { (void) is_numeric("a"); }
                       ^
    1 warning generated.
    
    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
    Reviewed-by: Keith Packard <keithp@keithp.com>

commit e6009adbc89ec3e1f924bcb57b333c1c02f5e66d
Author: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Date:   Sun May 29 23:37:13 2016 -0700

    fserve: Silence a -Wformat warning
    
    src/fc/fserve.c:653:32: warning: format specifies type 'int' but the argument has type 'CARD32' (aka 'unsigned long') [-Wformat]
                   " from font server\n", rep->length);
                                          ^~~~~~~~~~~
    1 warning generated.
    
    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>

commit ac559fad20bbae45332c758abb6a790c3fd341a2
Author: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Date:   Sun May 29 23:34:35 2016 -0700

    bitmap: Bail out on invalid input to FontFileMakeDir instead of calling calloc for 0 bytes
    
    Found by clang static analysis:
        Call to 'calloc' has an allocation size of 0 bytes
    
    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>

commit d0fff111992fed9d9bfbf0c19e136bda9ba1db55
Author: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Date:   Sun May 29 23:29:50 2016 -0700

    FreeType: Correct an allocation size
    
    Found by clang static analysis:
        Result of 'calloc' is converted to a pointer of type 'int', which is
        incompatible with sizeof operand type 'int *'
    
    This is likely benign because the old size was larger on any platform where
    sizeof(int) <= sizeof(void *), which is everywhere.
    
    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>

commit eefc0b0b908eb8533e704d7156ce983ad7891cc5
Author: Keith Packard <keithp@keithp.com>
Date:   Sat Dec 12 14:54:26 2015 -0800

    Revert "Add compiler warning flags". Leave warning fixes.
    
    This reverts commit eb67d10ae82b364a4324e96ce53baaa4e5e75f97, but
    leaves the warning fixes in place; it looks like either I was
    confused, or something has changed so that XORG_DEFAULT_OPTIONS now
    pulls in the appropriate compiler warnings.

commit 14488af0338191356c0177e3d0b5fa473ffbd59c
Author: Keith Packard <keithp@keithp.com>
Date:   Fri Dec 11 07:08:29 2015 -0800

    Bump version to 2.0.1
    
    This release just fixes some build issues with 2.0.0
    
    Signed-off-by: Keith Packard <keithp@keithp.com>

commit 95a40553b8f12cd9479dd4b3c531e2069c53b870
Author: Keith Packard <keithp@keithp.com>
Date:   Wed Dec 9 14:53:26 2015 -0800

    Remove fontconf.h
    
    This file used to advertise which font formats the library
    supports. The X server doesn't care, so let's just remove it so that
    it doesn't conflict with the older version of libXfont
    
    Signed-off-by: Keith Packard <keithp@keithp.com>

commit 903cd14547b445d7f40b52462750fc8b28441581
Author: Matt Turner <mattst88@gmail.com>
Date:   Wed Sep 2 19:15:27 2015 -0700

    Convert to non-recursive build.

commit 9928d71ec04cd630a8ed9c583d144decb4e98c05
Author: Keith Packard <keithp@keithp.com>
Date:   Wed Dec 9 09:07:30 2015 -0800

    Add missing 'attributes.m4' file
    
    Matt Turner noted that this file was missing; 'make distcheck' doesn't
    appear to catch this kind of problem.
    
    Signed-off-by: Keith Packard <keithp@keithp.com>

commit 135fb032e940ce226c9feb13e6e903f3ecbc5eb0
Author: Keith Packard <keithp@keithp.com>
Date:   Wed Sep 2 00:04:32 2015 -0700

    Eliminate calls back to X server or font server functions by name (v4)
    
    This eliminates the weak symbol adventures and makes all of the calls
    back to the X server or Font server go through a table of functions
    instead, clarifying the required API.
    
    As this is a rather major change to the API for the library, it now
    installs itself as libXfont2 instead of libXfont, and the package
    config file is now xfont2.pc.
    
    All of the installed headers remain the same as the original library;
    there's now a new include file, libxfont2.h, which defines the X
    server and Font server interfaces.
    
    This moves util/atom.c to stubs/atom.c and reformats that file, hence
    the diff being larger than it would otherwise be.
    
    v2: Rename to libXfont2 instead of libXfont_2 as suggested by Emil Velikov
        Fix whitespace in stubs/atom.c, which was moved from util/
    
    v3: Remove select masks from API. Expose single 'font_init' function
        for all library initialization.
    
    v4: Change name of distributed tarballs to libXfont2 as well
    
    Signed-off-by: Keith Packard <keithp@keithp.com>

commit eb67d10ae82b364a4324e96ce53baaa4e5e75f97
Author: Keith Packard <keithp@keithp.com>
Date:   Mon Dec 7 15:46:13 2015 -0800

    Add compiler warning flags and fix warnings
    
    Mostly signed vs unsigned comparisons
    
    Signed-off-by: Keith Packard <keithp@keithp.com>

commit d6877a7c1c35985f6a75b6cd4e814595e781adc4
Author: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Date:   Wed Oct 21 21:03:00 2015 -0700

    Use NO_WEAK_SYMBOLS instead of -flat_namespace
    
    Lesser of two evil hacks, I suppose...
    
    This reverts commit 0386fa77367a305deea3cc27f8a3865cc3c467c0.

commit 2788c6984bc54bfba61b2dbdb5353978199d8a37
Author: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Date:   Wed Oct 21 21:27:26 2015 -0700

    stubs: Add missing externs for declarations in the NO_WEAK_SYMBOLS && PIC stubs resolution
    
    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>

commit d66f107d6e714a54515f39d94caf46aef9be7416
Author: Thomas Klausner <wiz@NetBSD.org>
Date:   Wed Feb 25 21:45:50 2015 +0100

    Fix is*() usage.
    
    The argument must be an unsigned char or -1; in these cases
    we know it's not -1 so cast it to unsigned char.
    Fixes
    warning: array subscript is of type 'char' [-Wchar-subscripts]
    
    Signed-off-by: Thomas Klausner <wiz@NetBSD.org>

commit 1a73d6828dfa03924f2d68644fb5b99afd9c78e2
Author: Benjamin Tissoires <benjamin.tissoires@gmail.com>
Date:   Mon Jul 13 14:43:06 2015 -0400

    bdfReadCharacters: Allow negative DWIDTH values
    
    The fix for CVE-2015-1804 prevents DWIDTH from being negative.
    However, the spec states that "DWIDTH [...] is a vector indicating the
    position of the next glyph’s origin relative to the origin of this glyph."
    
    So negative values are correct.
    
    Found by trying to compile XTS.
    
    Signed-off-by: Benjamin Tissoires <benjamin.tissoires@gmail.com>
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 159bfa4ec094e7d342c9b59c31bfea7dccbac58a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Feb 7 17:24:48 2015 -0800

    doc: add a couple olinks to fsproto & xfs-design docs
    
    Don't seem to have ability to link to BDF or Xserver internals docs yet
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit da4246c98bc51297daeec47c15181e179df94013
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Tue Mar 17 08:12:19 2015 -0700

    libXfont 1.5.1
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 2351c83a77a478b49cba6beb2ad386835e264744
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Mar 6 22:54:58 2015 -0800

    bdfReadCharacters: ensure metrics fit into xCharInfo struct [CVE-2015-1804]
    
    We use 32-bit ints to read from the bdf file, but then try to stick
    into a 16-bit int in the xCharInfo struct, so make sure they won't
    overflow that range.
    
    Found by afl-1.24b.
    
    v2: Verify that additions won't overflow 32-bit int range either.
    v3: As Julien correctly observes, the previous check for bh & bw not
        being < 0 reduces the number of cases we need to check for overflow.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>

commit 78c2e3d70d29698244f70164428bd2868c0ab34c
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Feb 6 15:54:00 2015 -0800

    bdfReadCharacters: bailout if a char's bitmap cannot be read [CVE-2015-1803]
    
    Previously would charge on ahead with a NULL pointer in ci->bits, and
    then crash later in FontCharInkMetrics() trying to access the bits.
    
    Found with afl-1.23b.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>

commit 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Feb 6 15:50:45 2015 -0800

    bdfReadProperties: property count needs range check [CVE-2015-1802]
    
    Avoid integer overflow or underflow when allocating memory arrays
    by multiplying the number of properties reported for a BDF font.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Julien Cristau <jcristau@debian.org>

commit d9fda3d247942292a5f24694c22337c547006e11
Author: Christos Zoulas <christos@NetBSD.org>
Date:   Wed Feb 25 21:39:30 2015 +0100

    Set close-on-exec for font file I/O.
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Thomas Klausner <wiz@NetBSD.org>

commit 3b33588117c2ca3099b999939985ffe098d479b3
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Wed Nov 5 17:41:24 2014 -0800

    Use 'imdent' to realign cpp indentation levels in fslibos.h
    
    Parts were indented, others weren't, now is more consistent.
    'git diff -w' shows no non-whitespace changes in this commit
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 03c035b061a0582159467dcadfc8e95074e2a84f
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Wed Nov 5 17:39:05 2014 -0800

    Remove unneeded checks for #ifndef X_NOT_POSIX
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit ad4f4d8a2d0730c0ea3c09210bf921638b4682bc
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Jul 19 09:49:23 2014 -0700

    libXfont 1.5.0
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit b19cf2a78f7f721c43d0d9e2f32b71fc746142a3
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Mon Jul 7 13:18:18 2014 -0700

    libXfont 1.4.99.901
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 0dcdd82059c69ec417bb094f4da2afef7cc1426a
Author: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
Date:   Sun Apr 6 14:18:32 2014 -0500

    Make shared library work on Cygwin/MinGW
    
    Weak symbols on PE platforms do not work the same way as on ELF
    platforms, hence we have been unable to have a fully functional shared
    libXfont until now.  This patch works around these issues so that we
    can fix that.
    
    In summary, only when compiling shared libraries on NO_WEAK_SYMBOLS
    platforms, when the first stub is called, the invoking program is first
    checked to determine if it exports the stubbed functions.  Then, for
    every stub call, if the function is exported by the loader, it is called
    instead of the stub code.
    
    serverClient and serverGeneration are data pointers, and therefore are
    replaced by getter functions. ErrorF is variadic, so the override is
    routed through VErrorF instead. FatalError has no va_list equivalent,
    but it is not actually used in libXfont and therefore should be safe to
    remove.
    
    This requires all X servers to export their symbols, which requires
    forthcoming patches for hw/xwin and xfs; the other xservers (including
    tigervnc) already do this via LD_EXPORT_SYMBOLS_FLAG.
    
    Signed-off-by: Yaakov Selkowitz <yselkowitz@users.sourceforge.net>
    Reviewed-by: Colin Harrison <colin.harrison@virgin.net>
    Acked-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Tested-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>

commit 783a406d6258509abfbdc54c0b32366dcaf13044
Author: Keith Packard <keithp@keithp.com>
Date:   Mon Apr 21 13:37:00 2014 -0700

    Use default glyphs when getting 16-bit font with 8-bit text
    
    When accessing a 16-bit font with firstRow > 0 with 8-bit text, check
    to see if the font has a default character and return that for every
    incoming character.
    
    Signed-off-by: Keith Packard <keithp@keithp.com>
    Reviewed-by: Eric Anholt <eric@anholt.net>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit e8d20171fe04dbdc5f97739d5a59e02f0b091ba0
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu May 15 23:04:23 2014 -0700

    Don't build unused code in bitmapfunc.c if all bitmap formats are disabled
    
    If the only bitmaps we support are builtins, don't need the code to
    register all the bitmap font file handlers.
    
    Fixes gcc warnings:
    bitmapfunc.c:110:1: warning: 'BitmapOpenBitmap' defined but not used [-Wunused-function]
     BitmapOpenBitmap (FontPathElementPtr fpe, FontPtr *ppFont, int flags,
     ^
    bitmapfunc.c:155:1: warning: 'BitmapGetInfoBitmap' defined but not used [-Wunused-function]
     BitmapGetInfoBitmap (FontPathElementPtr fpe, FontInfoPtr pFontInfo,
     ^
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Rémi Cardona <remi@gentoo.org>

commit c2b7758d268fd98e09c3e66a0e7717b47ff12a47
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu May 15 22:44:38 2014 -0700

    Don't compile bitmap source files for disabled formats
    
    pcfread.c is a special case - it's needed for either reading pcf files
    from disk (--enable-pcfformat) or from the builtin fonts in memory
    (--enable-builtins), so needed a new AM_CONDITIONAL case.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Rémi Cardona <remi@gentoo.org>

commit a81f1a9bd3cd0a9d45d93d5b9e392b4e08ac60f7
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu May 15 20:43:34 2014 -0700

    Drop imake/monolithic compatibility #define mapping
    
    Require the #defines from configure.ac now that we're not sharing source
    with the imake builds any longer.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Rémi Cardona <remi@gentoo.org>

commit 37595cfd4feaf031552d66f96dc6d58686f9c851
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu May 15 20:26:41 2014 -0700

    Change default to disabling SNF support
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Rémi Cardona <remi@gentoo.org>

commit 9f677e55c7bf07df280427f127af21e5b70f1e03
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu May 15 20:21:29 2014 -0700

    Use AS_HELP_STRING to provide help for AC_ARG_ENABLE & AC_ARG_WITH options
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Rémi Cardona <remi@gentoo.org>

commit d338f81df1e188eb16e1d6aeea7f4800f89c1218
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri May 2 19:24:17 2014 -0700

    CVE-2014-0210: unvalidated length fields in fs_read_list_info()
    
    fs_read_list_info() parses a reply from the font server.  The reply
    contains a number of additional data items with embedded length or
    count fields, none of which are validated. This can cause out of
    bound reads when looping over these items in the reply.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 5fa73ac18474be3032ee7af9c6e29deab163ea39
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri May 2 19:24:17 2014 -0700

    CVE-2014-0210: unvalidated length fields in fs_read_list()
    
    fs_read_list() parses a reply from the font server.  The reply
    contains a list of strings with embedded length fields, none of
    which are validated. This can cause out of bound reads when looping
    over the strings in the reply.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 520683652564c2a4e42328ae23eef9bb63271565
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 25 23:03:24 2014 -0700

    CVE-2014-0210: unvalidated length fields in fs_read_glyphs()
    
    fs_read_glyphs() parses a reply from the font server.  The reply
    contains embedded length fields, none of which are validated.
    This can cause out of bound reads when looping over the glyph
    bitmaps in the reply.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

commit a3f21421537620fc4e1f844a594a4bcd9f7e2bd8
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 25 23:03:05 2014 -0700

    CVE-2014-0210: unvalidated length fields in fs_read_extent_info()
    
    Looping over the extents in the reply could go past the end of the
    reply buffer if the reply indicated more extents than could fit in
    the specified reply length.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

commit a42f707f8a62973f5e8bbcd08afb10a79e9cee33
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 25 23:02:54 2014 -0700

    CVE-2014-0211: integer overflow in fs_alloc_glyphs()
    
    fs_alloc_glyphs() is a malloc wrapper used by the font code.
    It contains a classic integer overflow in the malloc() call,
    which can cause memory corruption.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

commit c578408c1fd4db09e4e3173f8a9e65c81cc187c1
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 25 23:02:42 2014 -0700

    CVE-2014-0211: integer overflow in fs_read_extent_info()
    
    fs_read_extent_info() parses a reply from the font server.
    The reply contains a 32-bit number of elements field which is used
    to calculate a buffer length. There is an integer overflow in this
    calculation which can lead to memory corruption.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

commit 491291cabf78efdeec8f18b09e14726a9030cc8f
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 25 23:02:34 2014 -0700

    CVE-2014-0210: unvalidated length fields in fs_read_query_info()
    
    fs_read_query_info() parses a reply from the font server.  The reply
    contains embedded length fields, none of which are validated.  This
    can cause out of bound reads in either fs_read_query_info() or in
    _fs_convert_props() which it calls to parse the fsPropInfo in the reply.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

commit 0f1a5d372c143f91a602bdf10c917d7eabaee09b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 25 23:02:25 2014 -0700

    CVE-2014-0211: Integer overflow in fs_get_reply/_fs_start_read
    
    fs_get_reply() would take any reply size, multiply it by 4 and pass to
    _fs_start_read.  If that size was bigger than the current reply buffer
    size, _fs_start_read would add it to the existing buffer size plus the
    buffer size increment constant and realloc the buffer to that result.
    
    This math could overflow, causing the code to allocate a smaller
    buffer than the amount it was about to read into that buffer from
    the network.  It could also succeed, allowing the remote font server
    to cause massive allocations in the X server, possibly using up all
    the address space in a 32-bit X server, allowing the triggering of
    other bugs in code that fails to handle malloc failure properly.
    
    This patch protects against both problems, by disconnecting any
    font server trying to feed us more than (the somewhat arbitrary)
    64 mb in a single reply.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
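
The size arithmetic described in the commit message above, modelled in 32-bit unsigned math beside a checked form. This is an added example, not part of the commit or of libXfont: the function names, `BUF_INC` and the 8192-byte starting buffer are assumptions, and only the 64 MB cap is taken from the message.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed constants for this model; only the 64 MB cap comes from the commit message. */
#define BUF_INC       4096u
#define MAX_REPLY_LEN (64u * 1024u * 1024u)

/* Unchecked growth in 32-bit arithmetic, following the commit's description:
 * size = reply length * 4; if it does not fit, realloc to cur + size + increment. */
static uint32_t grow_unchecked(uint32_t cur_size, uint32_t reply_words)
{
    uint32_t need = reply_words * 4u;        /* wraps when reply_words >= 2^30 */
    if (need <= cur_size)
        return cur_size;                     /* buffer looks big enough already */
    return cur_size + need + BUF_INC;        /* sum can wrap to a small value */
}

/* Checked growth: refuse oversized replies before doing any arithmetic.
 * Returns 0 and sets *new_size, or -1 meaning "drop this font server". */
static int grow_checked(uint32_t cur_size, uint32_t reply_words, uint32_t *new_size)
{
    if (reply_words > MAX_REPLY_LEN / 4u)
        return -1;
    uint32_t need = reply_words * 4u;        /* at most 64 MB, cannot wrap */
    if (need <= cur_size) {
        *new_size = cur_size;
        return 0;
    }
    if (cur_size > UINT32_MAX - need - BUF_INC)
        return -1;                           /* sum would not fit in 32 bits */
    *new_size = cur_size + need + BUF_INC;
    return 0;
}

int main(void)
{
    uint32_t n = 0;
    /* Constructed length fields, in 4-byte units as sent by the peer. */
    printf("unchecked 0x3FFFFFFF -> %u bytes\n", (unsigned)grow_unchecked(8192, 0x3FFFFFFFu));
    printf("unchecked 0x40000001 -> %u bytes\n", (unsigned)grow_unchecked(8192, 0x40000001u));
    printf("checked   0x3FFFFFFF -> %d\n", grow_checked(8192, 0x3FFFFFFFu, &n));
    int rc = grow_checked(8192, 4096u, &n);
    printf("checked   4096       -> %d, %u bytes\n", rc, (unsigned)n);
    return 0;
}
```

In the unchecked form a claimed reply of almost 4 GiB yields a 12284-byte buffer, and a length of 0x40000001 words wraps to 4 bytes and is treated as already fitting.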

commit cbb64aef35960b2882be721f4b8fbaa0fb649d12
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 25 23:02:12 2014 -0700

    CVE-2014-0210: unvalidated lengths when reading replies from font server
    
    Functions to handle replies to font server requests were casting replies
    from the generic form to reply specific structs without first checking
    that the reply was at least as long as the struct being cast to.
    
    Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Reviewed-by: Adam Jackson <ajax@redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
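
The two checks that the CVE-2014-0210 commits above describe (a reply must be at least as long as the struct it is read as, and every embedded count or string length must fit inside the reply) shown on a toy reply. This is an added example, not code from these commits: the 8-byte header layout, `walk_names()` and the sample buffers are constructed for illustration and do not match the real font-server wire format.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed toy layout, NOT the real font-server wire structs:
 *   bytes 0-3  total reply length in bytes (little-endian)
 *   bytes 4-7  number of names that follow
 *   per name   1 length byte, then that many name bytes */
#define HDR_LEN 8u

/* Constructed sample replies. */
static const uint8_t ok_reply[]  = {19,0,0,0, 2,0,0,0, 5,'f','i','x','e','d', 4,'9','x','1','5'};
static const uint8_t bad_len[]   = {19,0,0,0, 2,0,0,0, 5,'f','i','x','e','d', 200,'9','x','1','5'};
static const uint8_t bad_count[] = {19,0,0,0, 50,0,0,0, 5,'f','i','x','e','d', 4,'9','x','1','5'};

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Walk the name list; return the number of names, or -1 as soon as a
 * length or count field disagrees with the bytes actually received. */
static int walk_names(const uint8_t *buf, size_t received)
{
    if (received < HDR_LEN)
        return -1;                         /* shorter than the struct we read it as */
    uint32_t total = rd32(buf), count = rd32(buf + 4);
    if (total < HDR_LEN || total > received)
        return -1;                         /* claimed length vs. bytes in hand */
    const uint8_t *p = buf + HDR_LEN, *end = buf + total;
    for (uint32_t i = 0; i < count; i++) {
        if (p == end)
            return -1;                     /* count promises more names than fit */
        size_t len = *p++;
        if (len > (size_t)(end - p))
            return -1;                     /* name would run past the reply */
        p += len;
    }
    return (int)count;
}

int main(void)
{
    printf("ok=%d bad_len=%d bad_count=%d short=%d\n",
           walk_names(ok_reply, sizeof ok_reply), walk_names(bad_len, sizeof bad_len),
           walk_names(bad_count, sizeof bad_count), walk_names(ok_reply, 4));
    return 0;
}
```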

commit 891e084b26837162b12f841060086a105edde86d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Apr 25 23:02:00 2014 -0700

    CVE-2014-0210: unvalidated length in _fs_recv_conn_setup()
    
    The connection setup reply from the font server can include a list
    of alternate servers to contact if this font server stops working.
    
    The reply specifies a total size of all the font server names, and
    then provides a list of names. _fs_recv_conn_setup() allocated the
