--- a/open-src/lib/libXfont/upstream-backports.patch	Sat Mar 14 12:06:11 2015 -0700
+++ b/open-src/lib/libXfont/upstream-backports.patch	Tue Mar 17 21:23:44 2015 -0700
@@ -476,3 +476,220 @@
 -- 
 1.7.9.2
 
+From 8ca608bdb5a5af7ee705ae4c3725ac774a69018b Mon Sep 17 00:00:00 2001
+From: Christos Zoulas <[email protected]>
+Date: Wed, 25 Feb 2015 21:39:30 +0100
+Subject: [PATCH:libXfont 1/4] Set close-on-exec for font file I/O.
+
+Reviewed-by: Alan Coopersmith <[email protected]>
+Signed-off-by: Thomas Klausner <[email protected]>
+(cherry picked from commit d9fda3d247942292a5f24694c22337c547006e11)
+---
+ src/fontfile/fileio.c |    5 ++++-
+ src/fontfile/filewr.c |   12 +++++++-----
+ 2 files changed, 11 insertions(+), 6 deletions(-)
+
+diff --git a/src/fontfile/fileio.c b/src/fontfile/fileio.c
+index 80af511..d44cecd 100644
+--- a/src/fontfile/fileio.c
++++ b/src/fontfile/fileio.c
+@@ -36,6 +36,9 @@ in this Software without prior written authorization from The Open Group.
+ #ifndef O_BINARY
+ #define O_BINARY O_RDONLY
+ #endif
++#ifndef O_CLOEXEC
++#define O_CLOEXEC 0
++#endif
+ 
+ FontFilePtr
+ FontFileOpen (const char *name)
+@@ -44,7 +47,7 @@ FontFileOpen (const char *name)
+     int		len;
+     BufFilePtr	raw, cooked;
+ 
+-    fd = open (name, O_BINARY);
++    fd = open (name, O_BINARY|O_CLOEXEC);
+     if (fd < 0)
+ 	return 0;
+     raw = BufFileOpenRead (fd);
+diff --git a/src/fontfile/filewr.c b/src/fontfile/filewr.c
+index bcc7b1e..859a0be 100644
+--- a/src/fontfile/filewr.c
++++ b/src/fontfile/filewr.c
+@@ -33,17 +33,19 @@ in this Software without prior written authorization from The Open Group.
+ #endif
+ #include <X11/fonts/fntfilio.h>
+ #include <X11/Xos.h>
++#ifndef O_BINARY
++#define O_BINARY	0
++#endif
++#ifndef O_CLOEXEC
++#define O_CLOEXEC	0
++#endif
+ 
+ FontFilePtr
+ FontFileOpenWrite (const char *name)
+ {
+     int	fd;
+ 
+-#if defined(WIN32) || defined(__CYGWIN__)
+-    fd = open (name, O_CREAT|O_TRUNC|O_RDWR|O_BINARY, 0666);
+-#else
+-    fd = creat (name, 0666);
+-#endif
++    fd = open (name, O_CREAT|O_TRUNC|O_RDWR|O_BINARY|O_CLOEXEC, 0666);
+     if (fd < 0)
+ 	return 0;
+     return (FontFilePtr) BufFileOpenWrite (fd);
+-- 
+1.7.9.2
+
+From 1cf5752474dd3959cdd992d8f4f40fffe10291d5 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Fri, 6 Feb 2015 15:50:45 -0800
+Subject: [PATCH:libXfont 2/4] bdfReadProperties: property count needs range
+ check [CVE-2015-1802]
+
+Avoid integer overflow or underflow when allocating memory arrays
+by multiplying the number of properties reported for a BDF font.
+
+Reported-by: Ilja Van Sprundel <[email protected]>
+Signed-off-by: Alan Coopersmith <[email protected]>
+Reviewed-by: Julien Cristau <[email protected]>
+(cherry picked from commit 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e)
+---
+ src/bitmap/bdfread.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 914a024..6387908 100644
+--- a/src/bitmap/bdfread.c
++++ b/src/bitmap/bdfread.c
+@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState)
+ 	bdfError("missing 'STARTPROPERTIES'\n");
+ 	return (FALSE);
+     }
+-    if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) {
++    if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) ||
++	(nProps <= 0) ||
++	(nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) {
+ 	bdfError("bad 'STARTPROPERTIES'\n");
+ 	return (FALSE);
+     }
+-- 
+1.7.9.2
+
+From 3b8dba7b48863d860a040cb6516f6f53028a9426 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Fri, 6 Feb 2015 15:54:00 -0800
+Subject: [PATCH:libXfont 3/4] bdfReadCharacters: bailout if a char's bitmap
+ cannot be read [CVE-2015-1803]
+
+Previously would charge on ahead with a NULL pointer in ci->bits, and
+then crash later in FontCharInkMetrics() trying to access the bits.
+
+Found with afl-1.23b.
+
+Signed-off-by: Alan Coopersmith <[email protected]>
+Reviewed-by: Julien Cristau <[email protected]>
+(cherry picked from commit 78c2e3d70d29698244f70164428bd2868c0ab34c)
+---
+ src/bitmap/bdfread.c |    5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 6387908..1b29b81 100644
+--- a/src/bitmap/bdfread.c
++++ b/src/bitmap/bdfread.c
+@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+ 	    ci->metrics.descent = -bb;
+ 	    ci->metrics.characterWidth = wx;
+ 	    ci->bits = NULL;
+-	    bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes);
++	    if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) {
++		bdfError("could not read bitmap for character '%s'\n", charName);
++		goto BAILOUT;
++	    }
+ 	    ci++;
+ 	    ndx++;
+ 	} else
+-- 
+1.7.9.2
+
+From 6c60e85998252b641a50048a555de88bdaacd3c7 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <[email protected]>
+Date: Fri, 6 Mar 2015 22:54:58 -0800
+Subject: [PATCH:libXfont 4/4] bdfReadCharacters: ensure metrics fit into
+ xCharInfo struct [CVE-2015-1804]
+
+We use 32-bit ints to read from the bdf file, but then try to stick
+into a 16-bit int in the xCharInfo struct, so make sure they won't
+overflow that range.
+
+Found by afl-1.24b.
+
+v2: Verify that additions won't overflow 32-bit int range either.
+v3: As Julien correctly observes, the previous check for bh & bw not
+    being < 0 reduces the number of cases we need to check for overflow.
+
+Signed-off-by: Alan Coopersmith <[email protected]>
+Reviewed-by: Julien Cristau <[email protected]>
+(cherry picked from commit 2351c83a77a478b49cba6beb2ad386835e264744)
+---
+ src/bitmap/bdfread.c |   26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 1b29b81..a0ace8f 100644
+--- a/src/bitmap/bdfread.c
++++ b/src/bitmap/bdfread.c
+@@ -62,8 +62,16 @@ from The Open Group.
+ 
+ #if HAVE_STDINT_H
+ #include <stdint.h>
+-#elif !defined(INT32_MAX)
+-#define INT32_MAX 0x7fffffff
++#else
++# ifndef INT32_MAX
++#  define INT32_MAX 0x7fffffff
++# endif
++# ifndef INT16_MAX
++#  define INT16_MAX 0x7fff
++# endif
++# ifndef INT16_MIN
++#  define INT16_MIN (0 - 0x8000)
++# endif
+ #endif
+ 
+ #define INDICES 256
+@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+ 	    bdfError("DWIDTH y value must be zero\n");
+ 	    goto BAILOUT;
+ 	}
++	/* xCharInfo metrics are stored as INT16 */
++	if ((wx < 0) || (wx > INT16_MAX)) {
++	    bdfError("character '%s' has out of range width, %d\n",
++		     charName, wx);
++	    goto BAILOUT;
++	}
+ 	line = bdfGetLine(file, lineBuf, BDFLINELEN);
+ 	if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) {
+ 	    bdfError("bad 'BBX'\n");
+@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+ 		     charName, bw, bh);
+ 	    goto BAILOUT;
+ 	}
++	/* xCharInfo metrics are read as int, but stored as INT16 */
++	if ((bl > INT16_MAX) || (bl < INT16_MIN) ||
++	    (bb > INT16_MAX) || (bb < INT16_MIN) ||
++	    (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) {
++	    bdfError("character '%s' has out of range metrics, %d %d %d %d\n",
++		     charName, bl, (bl+bw), (bh+bb), -bb);
++	    goto BAILOUT;
++	}
+ 	line = bdfGetLine(file, lineBuf, BDFLINELEN);
+ 	if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) {
+ 	    for (p = line + strlen("ATTRIBUTES ");
+-- 
+1.7.9.2
+