author | Mike DePaulo <mikedep333@gmail.com> | 2015-02-08 21:03:33 -0500 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:31 +0100 |
commit | 94c6de0649cd295044b1e4ff7265949c9c787519 (patch) | |
tree | a9a795efb5f4c84e078fd594c2535e914f5762e5 | |
parent | 36f1dae749acb065eaefca56d42d19ef6822a001 (diff) | |
download | nx-libs-94c6de0649cd295044b1e4ff7265949c9c787519.tar.gz nx-libs-94c6de0649cd295044b1e4ff7265949c9c787519.tar.bz2 nx-libs-94c6de0649cd295044b1e4ff7265949c9c787519.zip |
CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d
The connection setup reply from the font server can include a list
of alternate servers to contact if this font server stops working.
The reply specifies a total size of all the font server names, and
then provides a list of names. _fs_recv_conn_setup() allocated the
specified total size for copying the names to, but didn't check to
make sure it wasn't copying more data to that buffer than the size
it had allocated.
-rw-r--r-- | nx-X11/lib/font/fc/fserve.c | 21 |
1 files changed, 18 insertions, 3 deletions
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index bac0b8ee6..0fdcc1d84 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -2782,7 +2782,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
     int ret;
     fsConnSetup *setup;
     FSFpeAltPtr alts;
-    int i, alt_len;
+    unsigned int i, alt_len;
     int setup_len;
     char *alt_save, *alt_names;
@@ -2809,9 +2809,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
     }
     if (setup->num_alternates)
     {
+        size_t alt_name_len = setup->alternate_len << 2;
         alts = (FSFpeAltPtr) xalloc (setup->num_alternates *
-                                     sizeof (FSFpeAltRec) +
-                                     (setup->alternate_len << 2));
+                                     sizeof (FSFpeAltRec) + alt_name_len);
         if (alts)
         {
             alt_names = (char *) (setup + 1);
@@ -2820,10 +2820,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
             {
                 alts[i].subset = alt_names[0];
                 alt_len = alt_names[1];
+                if (alt_len >= alt_name_len) {
+                    /*
+                     * Length is longer than setup->alternate_len
+                     * told us to allocate room for, assume entire
+                     * alternate list is corrupted.
+                     */
+#ifdef DEBUG
+                    fprintf (stderr,
+                             "invalid alt list (length %lx >= %lx)\n",
+                             (long) alt_len, (long) alt_name_len);
+#endif
+                    free(alts);
+                    return FSIO_ERROR;
+                }
                 alts[i].name = alt_save;
                 memcpy (alt_save, alt_names + 2, alt_len);
                 alt_save[alt_len] = '\0';
                 alt_save += alt_len + 1;
+                alt_name_len -= alt_len + 1;
                 alt_names += _fs_pad_length (alt_len + 2);
             }
             conn->numAlts = setup->num_alternates;
|
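Review bot: The new `alt_len >= alt_name_len` guard in the third hunk bounds the writes into `alts`, but the reads from `alt_names` are tracked by a different stride: the read cursor advances by `_fs_pad_length (alt_len + 2)` per entry while `alt_name_len` is decremented by only `alt_len + 1`, so `alt_names[0]`, `alt_names[1]` and the `memcpy` source can move past the `alternate_len << 2` region the check is derived from before the check ever fires. Whether that over-reads the received reply depends on how `setup_len` and the read buffer are sized earlier in `_fs_recv_conn_setup`, which is outside these hunks, so treat this as a gap to confirm rather than a proven overflow. A cheap way to close it is a second counter initialised from `alt_name_len`, rejected with `if (_fs_pad_length (alt_len + 2) > alt_read_len) { free(alts); return FSIO_ERROR; }` before the `memcpy`, and decremented by the padded stride next to `alt_names += _fs_pad_length (alt_len + 2);`. Separately, `alts` is obtained from `xalloc` but released with `free(alts)` on the error path; if `xalloc` is not a plain malloc wrapper in this tree, pair it with `xfree` as the surrounding code presumably does. The function begins before the first hunk and continues past the last.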