commit 88b9df882c0ea91d7bb468aa4792ef1b6f13aa9d
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Wed Jul 8 10:52:21 2026 +1000

    libXfont2 2.0.8
    
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>

commit 0cbdbe780c9a7c7b064ba38d49c77cea73e24e0b
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue Jun 2 15:25:54 2026 +1000

    test: add PCF security regression tests
    
    Add regression tests for five PCF font parsing and scaling
    vulnerabilities.
    
    Python scripts generate crafted PCF fonts at build time. Each test
    binary loads its font through the font path element API and verifies
    the library handles it without crashing. Under ASAN, these tests would
    detect the heap buffer overflows that the fixes prevent.
    
    Test fonts (built sources):
      gen_evil_pcf_repad.py        - Mismatched bitmapSizes vs per-glyph metrics
      gen_evil_pcf_norepad.py      - Out-of-bounds read in no-repad bitmap path
      gen_evil_pcf_props.py        - 40 duplicate MIN_SPACE properties
      gen_evil_pcf_encoding.py     - Out-of-bounds encoding offset
      gen_evil_pcf_bitmapscale.py  - Many glyphs that expand during scaling
    
    Tests require Python 3; skipped automatically if unavailable.
    
    Assisted-by: Claude:claude-opus-4-6
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34>

commit 6f2cc6e7547c777212387cfe0499d03066bb3aac
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue Jun 2 15:25:44 2026 +1000

    test: fix stubs in font-test-utils for use outside the X server
    
    Several callback stubs in font-test-utils.c call err() (fatal) when
    invoked, preventing test code from exercising font paths that use atoms,
    font server initialization, or time queries.
    
    Set the atom callbacks to NULL so that libxfontstubs falls back to the
    internal atom implementation. Return Successful from init_fs_handlers
    and 0 from get_time_in_millis so that font path initialization
    completes without crashing.
    
    Assisted-by: Claude:claude-opus-4-6
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34>

commit dff957a5158da038a282a59a31fe736702732939
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Mon Jun 1 16:49:55 2026 +1000

    bitscale: add bounds check to computeProps for property buffer
    
    ComputeScaledProperties allocates a fixed-size property buffer of 70
    slots. computeProps iterates the source font's properties and writes 1
    slot for unscaled properties or 2 slots for scaledX/scaledY properties,
    with no bounds check. A malicious font with many duplicate properties
    matching fontPropTable entries can overflow the allocated buffer.
    
    Fix this by passing the remaining buffer capacity to computeProps and
    checking it before each write. Properties that would exceed the buffer
    are silently skipped.
    
    The function is also restructured to handle the buffer writes for
    scaledX/scaledY inside the switch cases directly, rather than in a
    separate block after the switch. This makes the control flow clearer and
    ensures the bounds check covers all writes.
    
    This vulnerability was discovered by:
    Anonymous working with TrendAI Zero Day Initiative
    
    CVE-2026-56003/ZDI-CAN-30560
    
    Assisted-by: Claude:claude-opus-4-6
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34>

commit b4389e0b1d84a690b819bb27b1439968811a3674
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Mon Jun 1 16:48:40 2026 +1000

    pcfread: validate bitmap sizes and offsets against per-glyph metrics
    
    pcfReadFont() uses bitmapSizes[] read directly from the PCF file to
    allocate the repadded bitmap buffer. However, per-glyph metrics (also
    from the file) control how much data RepadBitmap() writes. A malicious
    PCF font can declare a small bitmapSizes[] value while having per-glyph
    metrics that require more space, causing a heap buffer overflow.
    
    A similar issue happens with the encoding offsets: pcfReadFont reads
    encoding offsets from the PCF file and uses them to index into the
    metrics array without bounds checking.  A crafted font can set an
    encoding offset larger than nmetrics, causing an out-of-bounds pointer
    that is later dereferenced when glyphs are accessed through the encoding
    table.
    
    And the no-repad bitmap path (when PCF_GLYPH_PAD matches the requested
    glyph pad) only validated that each glyph's offset was within the bitmap
    buffer, but did not check that the full glyph extent (offset +
    BYTES_PER_ROW * height) fits within the buffer.  A crafted font with a
    glyph offset near the end of a small bitmap buffer but large glyph
    metrics causes a heap buffer over-read when the glyph is later rendered.
    
    This vulnerability was discovered by:
      Anonymous working with TrendAI Zero Day Initiative
    
    CVE-2026-56002/ZDI-CAN-30559
    
    Assisted-by: Claude:claude-opus-4-6
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34>

commit be0b08e2d354138d3222b4490e2a77c6ee42f778
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Mon Jun 1 16:46:10 2026 +1000

    bitscale: fix integer overflow in BitmapScaleBitmaps bytestoalloc
    
    bytestoalloc is declared as unsigned int (32-bit). When the sum of
    per-glyph byte counts exceeds 2^32, the value wraps around and calloc()
    allocates a buffer that is too small. The subsequent ScaleBitmap loop
    then writes past the end of the allocated buffer.
    
    Change bytestoalloc from unsigned int to size_t to match the actual
    allocation size type, and add an explicit overflow check in the
    accumulation loop to bail out if the total would exceed SIZE_MAX.
    
    This vulnerability was discovered by:
    Anonymous working with TrendAI Zero Day Initiative
    
    CVE-2026-56001/ZDI-CAN-30558
    
    Assisted-by: Claude:claude-opus-4-6
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34>

commit dd5ff35403e9dcf8acdd4c8879eed65268d3ef94
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed Jun 3 16:49:03 2026 +1000

    fontfile: Remove ridiculously old compat API
    
    Remove the binary compatibility shims for the old fontenc function
    names (font_encoding_from_xlfd, font_encoding_find, etc). These have
    been superseded by the FontEnc* names for years.
    
    Assisted-by: Claude:claude-opus-4-6
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/33>

commit 2097fc4ac61c28831b5d440888fc07d77f043c44
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed Jun 3 16:43:15 2026 +1000

    freetype: Remove misguided ifdef around BDF charset query
    
    XFONT_BDFFORMAT controls whether libXfont builds its own BDF reader.
    FT_Get_BDF_Charset_ID() is a FreeType library function whose
    availability is orthogonal to our own BDF support. The call should
    always be made when FreeType is available.
    
    Assisted-by: Claude:claude-opus-4-6
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/33>

commit e3f40cb104e0ff6c0ee7e40548105ab1e5708115
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Mon Jun 8 15:07:41 2026 +1000

    freetype: Remove premature break in find_cmap() Unicode fallback
    
    Remove a premature break that made the Apple Unicode and ISO Unicode
    cmap fallback loops unreachable when Microsoft Unicode was not available.
    
    Assisted-by: Claude:claude-opus-4-6
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/33>

commit 6141975cb0bcd627ff9edd62bf13b151f4c8d360
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Jun 8 15:07:28 2026 +1000

    freetype: Fix encoding string assembly
    
    The code was building charset identifier strings as "encoding-registry"
    (e.g. "1-iso10646") instead of the correct "registry-encoding" (e.g.
    "iso10646-1"), causing charset comparisons to always fail.
    
    Also remove a stale debug ErrorF left in from development.
    
    Assisted-by: Claude:claude-opus-4-6
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/33>

commit 9cc9c4a741bd95cd0820bd279cd67886e7962aa1
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue Jun 2 16:36:31 2026 +1000

    render: use calloc for FontRec to prevent use of uninitialized memory
    
    BuiltinOpenBitmap allocates a FontRec with malloc and only initializes
    three fields before passing it to pcfReadFont.  If pcfReadFont fails
    partway through, error cleanup paths may access uninitialized fields
    in the FontRec.
    
    This shouldn't ever happen for the builtin fonts but it's a trivial
    change so let's do this. It also matches CreateFontRec() in private.c
    which uses malloc+bzero.
    
    Assisted-by: Claude:claude-opus-4-6
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/32>

commit 39959747bbb19d673e2762d3be75b98466ce33f7
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Tue Jun 2 16:35:46 2026 +1000

    fsio: fix unchecked realloc
    
    Check the realloc return value and keep the existing buffer if the
    reallocation fails.
    
    Assisted-by: Claude:claude-opus-4-6
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/32>

commit 09d1c92778cf4fc5a6efe1e8539ea9a60b279a66
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Mon Jun 8 14:30:32 2026 +1000

    bdfread: fix BDF_GENPROPS undercount causing heap buffer overflow
    
    BDF_GENPROPS was defined as 6, but up to 8 generated properties can be
    appended in bdfReadProperties when the BDF file omits all optional
    properties: POINT_SIZE, FONT, WEIGHT, RESOLUTION (when resolution_x ==
    resolution_y), RESOLUTION_X, RESOLUTION_Y, X_HEIGHT, QUAD_WIDTH.
    
    Change BDF_GENPROPS to 8 to match the actual maximum number of
    generated properties.
    
    Note: the overflow is not currently exploitable because the BDF parser
    requires nProps >= 1 and both FONT_ASCENT and FONT_DESCENT (nProps >= 2),
    and both are consumed by bdfSpecialProperty without occupying props[]
    slots, so allocation is always nProps + BDF_GENPROPS >= 8 which fits
    all 8 generated properties.  The constant is fixed for correctness
    and defense in depth.
    
    Assisted-by: Claude:claude-opus-4-6
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/32>

commit 6594d1296a0fffac4b2886643a100050507301ec
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Mon Jun 8 13:54:35 2026 +1000

    bdfread: fix copy-paste error in RESOLUTION_X/Y property generation
    
    Both the RESOLUTION_X and RESOLUTION_Y generation blocks incorrectly
    set pState->resolutionProp instead of their respective
    pState->resolutionXProp and pState->resolutionYProp fields.
    
    Assisted-by: Claude:claude-opus-4-6
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/32>

commit 63bdfc6f60fcd2f3c0c173e26e2b6568248b3f9f
Author: Peter Hutterer <peter.hutterer@who-t.net>
Date:   Mon Jun 8 13:52:18 2026 +1000

    pcfread: fix strings memory leak in pcfGetProperties error path
    
    The Bail label in pcfGetProperties() freed props and isStringProp but
    not the strings buffer, leaking it on any error after allocation.
    
    Initialize strings to NULL and free it in the Bail path.
    
    Assisted-by: Claude:claude-opus-4-6
    Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/32>

commit b1d2868b3e2704936d45cdb97e6a82323593608f
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Tue Jun 2 10:39:29 2026 -0700

    gitlab CI: move back to Debian stable image
    
    Debian 'testing' was needed to get autoconf >= 2.70 in 2023, but
    it's made its way into the stable release now, so we can move back.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/31>

commit 67520db20c6cc37927ae3a212f357e2dd26143f5
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Jan 11 11:20:41 2026 -0800

    gitlab CI: drop the ci-fairy check-mr job
    
    The only thing this checked was the checkbox for allowing maintainers to
    edit the MR. Changed permissions checks now fail this job but luckily
    the setting it checked has been the default for years anyway so we can
    drop it.
    
    https://gitlab.freedesktop.org/freedesktop/ci-templates/-/issues/81
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/30>

commit 2c2e44c94ef17ecd5003a173237b57b315e28d93
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu Aug 1 15:53:10 2024 -0700

    libXfont2 2.0.7
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit dbc2fbc5823e2a9fb6dc9536a1716674840da24c
Author: Enrico Weigelt, metux IT consult <info@metux.net>
Date:   Fri Jul 19 13:33:21 2024 +0200

    include: libxfont2: fix missing includes of fontproto.h
    
    * needs types from X11/fonts/fontproto.h (eg. NameCheckFunc) from this header,
    but forgot to include it.
    * needs NULL, which is defined in stddef.h
    
    Signed-off-by: Enrico Weigelt, metux IT consult <info@metux.net>
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/28>

commit 0006737243ee3599775e41b59c42028e07a68f0a
Author: José Expósito <jexposit@redhat.com>
Date:   Mon Jul 1 16:28:04 2024 +0200

    stubs/atom.c: Fix memory leak in __libxfont_internal__MakeAtom
    
    Reported by a static analysis tool:
    
         9. libXfont2-2.0.6/src/stubs/atom.c:179:5:
            alloc_fn: Storage is returned from allocation function "malloc".
        10. libXfont2-2.0.6/src/stubs/atom.c:179:5:
            var_assign: Assigning: "a" = storage returned from
            "malloc(24UL + len + 1UL)".
        16. libXfont2-2.0.6/src/stubs/atom.c:194:6:
            leaked_storage: Variable "a" going out of scope leaks the
            storage it points to.
        #   192|  if ((ResizeHashTable() == FALSE) &&
        #   193|     ((hashTable == NULL) || (hashUsed == hashSize)))
        #   194|->   return None;
        #   195|  h = hash & hashMask;
        #   196|  if (hashTable[h]) {
    
    Fixes: 78085e6b683b ("stubs/atom.c: check for ResizeHashTable failure")
    Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/27>

commit c47d610ae27e89911539773f15bd7940fc00d35d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Feb 17 12:56:52 2024 -0800

    Use autoconf to check for float.h instead of platform-specific ifdefs
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 3d41257544d7903935e6a1407f3da6624bbc3914
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Feb 17 12:25:15 2024 -0800

    unifdef NCD
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit bac7adac9a9865ef736589863ad144d4172585e1
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Feb 17 12:22:09 2024 -0800

    unifdef Lynx
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 1f7b4edf09faa5ca8088745c0ad94a01c63043cd
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Feb 17 12:21:15 2024 -0800

    unifdef ISC
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit e38d1d27a1867b79eb86309f9d757133216cb32c
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Feb 17 12:20:37 2024 -0800

    unifdef __OSF1__
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 24951703b738407e172343f7721bd8217ee8430e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Feb 17 12:19:18 2024 -0800

    unifdef sony
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit c908d2773aea21692edcd1ea8aa9e11e9f5828b7
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Jan 27 11:20:21 2024 -0800

    bitscale.c: remove unused MAX() macro
    
    Code that used it was removed in commit 632a2e90a4b209facc
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 0be12a9f7c8cbc710660d29ec54328916cc41beb
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Jan 27 11:19:36 2024 -0800

    bitscale.c: ensure SCORE macro expands properly
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 42d2b5add560ad9a14f36c5f628e83a39ac89f47
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Jan 27 11:12:09 2024 -0800

    bitscale.c: ensure SCORE2 macro expands properly
    
    Handles warning from Oracle Parfait 11.2 static analyzer:
    
    Error: Misleading macro
       Misleading macro [misleading-macro]:
          misleading evaluation of '/' operator in expansion of macro SCORE2 due to missing parentheses
            at line 299 of src/bitmap/bitscale.c.
            '/' operator has lower precedence than '/' operator inside macro body at line 438
            low precedence '/' operator is hidden by expansion of macro argument m at line 299
       Misleading macro [misleading-macro]:
          misleading evaluation of '/' operator in expansion of macro SCORE2 due to missing parentheses
            at line 299 of src/bitmap/bitscale.c.
            binary '*' operator has lower precedence than '/' operator inside macro body at line 440
            low precedence binary '*' operator is hidden by expansion of macro argument m at line 299
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 87b05995a861f75e38b889659a56b13485e58ce2
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Wed Jan 24 17:44:38 2024 -0800

    configure: Use AC_SYS_LARGEFILE to enable large file support
    
    While font files should never be more than 2gb in size, they may be
    stored on filesystems with large inodes or timestamps outside of the
    32-bit range.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit b4b35189d54bef2c5d6062518076505167c3dd9b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Wed Jan 24 17:42:19 2024 -0800

    Modernize lseek() calls
    
    Position should be stored in an off_t, not an int, and the
    "whence" arg should use symbolic constants instead of raw numbers.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit c0ab2a2c42af6d2f34a987c7b9903e9737e27a87
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 25 10:40:19 2023 -0700

    Set close-on-exec when opening fonts.dir & fonts.alias files
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit a5ee0e9ab968d795fdb9983457a9b7d16ed249ef
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 4 10:44:45 2023 -0800

    configure: Use LT_INIT from libtool 2 instead of deprecated AC_PROG_LIBTOOL
    
    AC_PROG_LIBTOOL was replaced by LT_INIT in libtool 2 in 2008,
    so it's time to rely on it.
    
    Clears autoconf warnings:
    
    configure.ac:38: warning: The macro `AC_PROG_LIBTOOL' is obsolete.
    configure.ac:38: You should run autoupdate.
    aclocal.m4:3640: AC_PROG_LIBTOOL is expanded from...
    configure.ac:38: the top level
    
    libtoolize: Consider adding 'AC_CONFIG_MACRO_DIRS([m4])' to configure.ac,
    libtoolize: and rerunning libtoolize and aclocal.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit a3a85df9a65a5185bdbd47823f336c4cb3fa14c3
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Feb 25 09:26:20 2023 -0800

    Remove "All rights reserved" from Oracle copyright notices
    
    Oracle no longer includes this term in our copyright & license notices.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 0bee036267c8e44a3109002965d18c9224296c08
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Thu Feb 16 19:02:29 2023 -0800

    configure: raise minimum autoconf requirement to 2.70
    
    Needed for builds on NetBSD to work correctly, since it depends on
    AC_USE_SYSTEM_EXTENSIONS defining _OPENBSD_SOURCE to expose the
    prototype for reallocarray() in the system headers.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 572d9d52f408f23905d3af22a02108991944ab2d
Author: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Date:   Sat Nov 26 21:55:16 2022 -0800

    atom: Update Hash() to be unsigned
    
    This avoids undefined behavior (left shift overflow in signed integer type)
    
    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>

commit 5ca90ec8665294cb8499a54c303b8275eeeaaf4d
Author: Peter Harris <pharris@opentext.com>
Date:   Wed Nov 2 15:38:19 2022 -0400

    Fix font server reconnection timeout
    
    The great libxfont2 rewrite 135fb032e940ce226c9feb13e6e903f3ecbc5eb0 split
    fs_wakeup into fs_wakeup and fs_fd_handler. The fs_fd_handler side is
    called when there is new data on the socket. The fs_wakeup side is called
    on a timeout.
    
    If there's a connection timeout, the block handler will set the timeout
    to zero, expecting fs_wakeup to handle the timeout. Therefore, we need to
    call _fs_check_reconnect in fs_wakeup to handle the connection timeout.
    If we don't, the X server will go to 100% CPU (and the font server
    connection will not be retried).
    
    Signed-off-by: Peter Harris <pharris@opentext.com>

commit 644bea5c481365343e709d0f2ddbc553a6d8fc30
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Nov 5 09:16:14 2022 -0700

    Only link with libbsd if needed for reallocarray() or strlcat()
    
    Avoid unnecessary library dependency when using a libc with these
    functions included
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit f476c0a09c0d0dd22d22f447cae9fa02eb560506
Author: Guillem Jover <guillem@hadrons.org>
Date:   Thu Oct 6 00:38:36 2022 +0000

    Switch from libbsd to libbsd-overlay
    
    This is the preferred usage form for libbsd, as it makes the code more
    portable and requires no special includes for libbsd, by transparently
    injects the needed standard headers that would be used on a BSD.
    
    Signed-off-by: Guillem Jover <guillem@hadrons.org>

commit d54aaf2483df6a1f98fadc09004157e657b7f73e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Fri Aug 26 16:22:15 2022 -0700

    libXfont2 2.0.6
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit efb287223612e9225e5089bed76e348c236b15f0
Author: Peter Harris <pharris@opentext.com>
Date:   Thu Mar 25 15:56:31 2021 -0400

    Fix buffer overrun in FontFileMakeDir on WIN32
    
    When dirName is "" (eg. when called by BuiltinReadDirectory),
    FontFileMakeDir would read after the string when WIN32 is defined.
    
    Fix the overrun issue by checking the location of the found :
    before adding two.
    
    Signed-off-by: Peter Harris <pharris@opentext.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 3c8fdf6e35bed077a5614b4094770e668c96b9e9
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Tue Jun 21 17:37:32 2022 -0700

    Fix comments to reflect removal of OS/2 support
    
    Commit 6c29007756301 removed OS/2 support from the code,
    but missed updating the comments to match.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 8e3d94c867741319bf75b47266176cf677218641
Author: Jeremy Huddleston Sequoia <jeremyhu@apple.com>
Date:   Mon Jun 20 23:32:52 2022 -0700

    Correct fsCreateACReq length
    
    Regressed-in: 6972ea08ee5b2ef1cfbdc2fcaf14f06bbd391561
    Fixes: https://gitlab.freedesktop.org/xorg/lib/libxfont/-/issues/13
    Signed-off-by: Jeremy Huddleston Sequoia <jeremyhu@apple.com>

commit 5cb3b8809b9f141a2cf8a4e00a8387c75dc6bc10
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Mon Jun 20 12:30:41 2022 -0700

    configure: Use pkg-config to handle zlib dependency if possible
    
    Preserves fallback for systems like darwin without zlib.pc
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 12bed78985af1da2d1f4954a3491ee497a878b23
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Wed Apr 6 14:37:42 2022 -0700

    Fix spelling/wording issues
    
    Found by using:
        codespell --builtin clear,rare,usage,informal,code,names
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit f83ea5e953c6904578a458e2c2bc2e1d5ae3cb47
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Wed Apr 6 14:14:21 2022 -0700

    Build xz tarballs instead of bzip2
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit a6aee4c9a41a95a0509f654beca27009671731b3
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Wed Apr 6 14:10:16 2022 -0700

    gitlab CI: add a basic build test
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 3a4f68284c5aeea77789af1fe395cac35efc8562
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Aug 1 17:36:43 2021 -0700

    libXfont2 2.0.5
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit daff8876379c64c7bee126319af804896f83b5da
Author: Alex Richardson <Alexander.Richardson@cl.cam.ac.uk>
Date:   Wed Jul 14 17:23:48 2021 +0100

    Fix out-of-bounds read in FontFileMakeDir()
    
    BuiltinReadDirectory() calls FontFileMakeDir ("", builtin_dir_count); and
    this causes the `dirName[dirlen - 1]` access to read before the start of
    the string. I found this while porting Xvnc to CHERI-RISC-V (which has
    bounds and permissions on all pointers).

commit ce7a3265019e4d66198c1581d9e8c859c34e8ef1
Author: Bernd Kuhls <bernd.kuhls@t-online.de>
Date:   Sat Oct 19 09:32:41 2019 +0200

    configure: define HAVE_LIBBSD when libbsd was found

commit 9529d2351fe52ffaaf9342343865073d5c5b6802
Author: Peter Harris <pharris@opentext.com>
Date:   Tue Mar 2 14:39:45 2021 -0500

    Fix use after free when font server connection lost
    
    If there are multiple blocks waiting for the same font, only one of them
    will have ->freeFont set. The rest will be in a state of FS_DEPENDING.
    
    If the font server dies before the font finishes opening, the block with
    ->freeFont set will call ->unload_font, invalidating the pfont pointers
    in the remaining FS_DEPENDING blocks.
    
    Avoid a use after free (and potential crash) by passing conn to
    fs_cleanup_font instead of dereferencing pfont to find the conn.
    
    Signed-off-by: Peter Harris <pharris@opentext.com>

commit e7b2cae1ad9f07c188bcad27767a2f4fa6e0c2a4
Author: Peter Harris <pharris@opentext.com>
Date:   Fri Mar 6 10:42:03 2020 -0500

    Fix crash when font server connection lost
    
    Always initialize the return value of fs_new_block_rec. Even if the
    conn->blockState is FS_BROKEN_CONNECTION | FS_RECONNECTING, we must not
    return with an uninitialized blockrec on the block list. When the
    blockrec times out, _fs_clean_aborted_blockrec calls fs_cleanup_bfont,
    which will try to follow pointers in the blockrec (which has not been
    initialized).
    
    Signed-off-by: Peter Harris <pharris@opentext.com>

commit 608640b87dc47233940664632e3ab8f13972be2b
Author: Jon Turney <jon.turney@dronecode.org.uk>
Date:   Thu Oct 17 19:11:52 2019 +0100

    Fix Win32 build since c4ed2e06 "Add some unit testing utilities"
    
    Provide Win32 replacements for realpath() and err.h

commit 13ebb8f32f767c596b1b8bd16b90703a8135f20b
Author: Adam Jackson <ajax@redhat.com>
Date:   Mon Sep 16 10:47:27 2019 -0400

    README: Remove mention of libXfont 1.5
    
    xfs was ported to libXfont2 in release 1.2, and bdftopcf 1.1 includes a
    copy of enough of the old libXfont1 code to not need an external
    libXfont at all.

commit ed8b8e9fe544ec51ab1b1dfaea6fced35470ad6c
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Sep 14 11:34:03 2019 -0700

    libXfont2 2.0.4
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit b46cd2fef2bfe192579930f29a830051670d4d00
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Sep 14 11:32:02 2019 -0700

    Add src/util/replace.h to noinst_HEADERS so it gets included in tarballs
    
    Found when "make distcheck" failed.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 5561a9dc835a249e58cfdb3c384547f6f401a15d
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 17 14:31:24 2019 -0700

    fs_read_glyphs: check if rep is null before dereferencing
    
    Resolves coverity warning def16 from the list in
    https://gitlab.freedesktop.org/xorg/lib/libxfont/issues/6
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit c84ce6be6a7e2e70c9ab20b60bc7198699690d50
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 17 14:19:04 2019 -0700

    CatalogueRescan: if opendir() fails, unref fpes, but don't free the cat
    
    None of the callers of CatalogueRescan check for failure before accessing
    the cat pointer so don't free it (especially without clearing the pointer
    to it in fpe->private), just unref the contents.
    
    Can only be triggered if somehow stat() succeeds on the directory, but
    opendir fails anyway (removed between the calls?  permission problem?).
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit c1c5c9aa4cacb9138d6a2e5d37619f7960b54536
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 17 13:56:03 2019 -0700

    ComputeScaledProperties: check for valid pointers before making atoms
    
    Resolves coverity warning def23 from the list in
    https://gitlab.freedesktop.org/xorg/lib/libxfont/issues/6
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 78085e6b683b4e5a13b38508597a0c93ac2ed9ea
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 17 13:41:02 2019 -0700

    stubs/atom.c: check for ResizeHashTable failure
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 3e0e36e4a9fee32105aa7c5cb6e089c495b92b10
Author: Maya Rashish <maya@NetBSD.org>
Date:   Fri Aug 9 12:53:48 2019 +0300

    Fix whitespace

commit 194cb45ceb510c3e580460919cd7e5dd31a285c8
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sun Aug 4 11:14:39 2019 -0700

    fontxlfd.c: tell gcc that switch fallthrough is intentional
    
    Quiets:
    src/util/fontxlfd.c: In function ‘FontParseXLFDName’:
    src/util/fontxlfd.c:450:14: warning: this statement may fall through [-Wimplicit-fallthrough=]
      replaceChar = '*';
      ~~~~~~~~~~~~^~~~~
    src/util/fontxlfd.c:451:5: note: here
         case FONT_XLFD_REPLACE_ZERO:
         ^~~~
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit ddbee30d3525cdd66b84056affc407601680cc29
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 3 19:29:05 2019 -0700

    Convert multiplying malloc calls to use mallocarray instead
    
    Introduces mallocarray as a macro calling reallocarray with a NULL
    pointer for the old allocation.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit f54470dab5b392380df61a22b4b4bef685b6cee2
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 3 19:09:19 2019 -0700

    Convert multiplying realloc calls to use reallocarray instead
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 27207d35d4b4bbd5d2b2c5f7e13a61ea43d04a4a
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 3 16:13:21 2019 -0700

    Add reallocarray fallback if not provided by libc nor libbsd
    
    Implementation copied from the Xserver
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 2178c7445a3464bd69637ad91a2dd0320a60e0df
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 3 18:19:11 2019 -0700

    Use bounds checking string functions everywhere
    
    Replace strcpy, strcat, sprintf with strlcpy, strlcat, snprintf
    everywhere, even where there were already bounds checks in place,
    to reduce time spent checking static analysis results.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit d4c941ea8b1dc07a14efce656bff58d31a14c985
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 3 16:05:21 2019 -0700

    Add strlcat & strlcpy fallbacks if not provided by libc nor libbsd
    
    Implementations copied from the Xserver
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit c4ed2e069dc8aa5b8b7ef2fc926ae8584ff2a67b
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Aug 3 13:45:54 2019 -0700

    Add some unit testing utilities
    
    The test/utils directory contains some standalone test programs for testing
    libXfont funtionality without needing a full X server session.  They could
    be used to generate automated unit testing in the future, but that work has
    not yet been done.
    
    [v2: updated original work from libXfont 1.5 to 2.0 API & makefiles]
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 77ae4048564eff2e96b80cedfac013877e46d506
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed Jan 4 12:13:04 2017 -0500

    fontfile: Remove unused 'bc' slot from _FontEntry
    
    Whatever this is, we're not using it. On my machine we allocate about
    1100 of these structs, and this change reduces the struct from 152 to 48
    bytes, so this saves about 100k of memory.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

commit 6624b5e705da8333a3bc63d1ddeea6b11e831e24
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Sat Mar 16 12:40:03 2019 -0700

    Update configure.ac bug URL for gitlab migration
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 66a26687b2b86b53c315544483b740deb6f01c1e
Author: Alan Coopersmith <alan.coopersmith@oracle.com>
Date:   Mon Nov 19 22:05:10 2018 -0800

    Update README for gitlab migration
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit 099ed6fa9f293d283163b138830d43bbd47c5df1
Author: Rin Okuyama <rin@NetBSD.org>
Date:   Tue Feb 21 06:18:37 2017 +0000

    avoid -Wformat errors from clang when building with -DDEBUG
    
    https://bugs.freedesktop.org/show_bug.cgi?id=99882
    
    Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

commit cdb2f990348c3bd1407022f7e0e5fcba552d539f
Author: Matthieu Herrb <matthieu@herrb.eu>
Date:   Sat Nov 25 12:01:16 2017 +0100

    libXfont2 2.0.3
    
    Signed-off-by: Matthieu Herrb <matthieu@herrb.eu>

commit 7b377456f95d2ec3ead40f4fb74ea620191f88c8
Author: Michal Srb <msrb@suse.com>
Date:   Thu Oct 26 09:48:13 2017 +0200

    Open files with O_NOFOLLOW. (CVE-2017-16611)
    
    A non-privileged X client can instruct X server running under root to open any
    file by creating own directory with "fonts.dir", "fonts.alias" or any font file
    being a symbolic link to any other file in the system. X server will then open
    it. This can be issue with special files such as /dev/watchdog.
    
    Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

commit d82dfe25491c599f650b2ad868772c3b8e6ba7bc
Author: Adam Jackson <ajax@redhat.com>
Date:   Wed Oct 11 11:33:29 2017 -0400

    libXfont 2.0.2
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>

commit 672bb944311392e2415b39c0d63b1e1902905bcd
Author: Michal Srb <msrb@suse.com>
Date:   Thu Jul 20 17:05:23 2017 +0200

    pcfGetProperties: Check string boundaries (CVE-2017-13722)
    
    Without the checks a malformed PCF file can cause the library to make
    atom from random heap memory that was behind the `strings` buffer.
    This may crash the process or leak information.
    
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit d1e670a4a8704b8708e493ab6155589bcd570608
Author: Michal Srb <msrb@suse.com>
Date:   Thu Jul 20 13:38:53 2017 +0200

    Check for end of string in PatternMatch (CVE-2017-13720)
    
    If a pattern contains '?' character, any character in the string is skipped,
    even if it is '\0'. The rest of the matching then reads invalid memory.
    
    Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
    Signed-off-by: Julien Cristau <jcristau@debian.org>

commit 9112a6846b9d8ff18f7568c58e06d0a450e25814
Author: Adam Jackson <ajax@redhat.com>
Date:   Thu Apr 13 12:10:05 2017 -0400

    readme: Update for libXfont 2.0 interface change
    
    While xfs can be more or less trivially ported to 2.0, bcftopcf cannot
    because the font file I/O API is no longer externally visible. This is
    intentional, because bdftopcf is literally the only consumer of that
    API, and is itself only used in the build process for the classic core
    fonts themselves. The plan for bdftopcf is to import a copy of libXfont
    1.5 and link against that statically instead.
    
    Signed-off-by: Adam Jackson <ajax@redhat.com>
    Acked-by: Peter Hutterer <peter.hutterer@who-t.net>

commit f8ff8d5f7442b3cbac57d5fe343aabd8f54a030f
Author: Emil Velikov <emil.l.velikov@gmail.com>
Date:   Mon Mar 9 12:00:52 2015 +0000

    autogen.sh: use quoted string variables
    
    Place quotes around the $srcdir, $ORIGDIR and $0 variables to prevent
    fall-outs, when they contain space.
