authorMike DePaulo <mikedep333@gmail.com>2015-02-08 21:03:33 -0500
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-14 16:14:31 +0100
commit94c6de0649cd295044b1e4ff7265949c9c787519 (patch)
treea9a795efb5f4c84e078fd594c2535e914f5762e5
parent36f1dae749acb065eaefca56d42d19ef6822a001 (diff)
CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d
The connection setup reply from the font server can include a list of alternate servers to contact if this font server stops working. The reply specifies a total size of all the font server names, and then provides a list of names. _fs_recv_conn_setup() allocated the specified total size for copying the names to, but didn't check to make sure it wasn't copying more data to that buffer than the size it had allocated.
-rw-r--r--nx-X11/lib/font/fc/fserve.c21
1 files changed, 18 insertions, 3 deletions
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index bac0b8ee6..0fdcc1d84 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -2782,7 +2782,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
int ret;
fsConnSetup *setup;
FSFpeAltPtr alts;
- int i, alt_len;
+ unsigned int i, alt_len;
int setup_len;
char *alt_save, *alt_names;
@@ -2809,9 +2809,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
}
if (setup->num_alternates)
{
+ size_t alt_name_len = setup->alternate_len << 2;
alts = (FSFpeAltPtr) xalloc (setup->num_alternates *
- sizeof (FSFpeAltRec) +
- (setup->alternate_len << 2));
+ sizeof (FSFpeAltRec) + alt_name_len);
if (alts)
{
alt_names = (char *) (setup + 1);
@@ -2820,10 +2820,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
{
alts[i].subset = alt_names[0];
alt_len = alt_names[1];
+ if (alt_len >= alt_name_len) {
+ /*
+ * Length is longer than setup->alternate_len
+ * told us to allocate room for, assume entire
+ * alternate list is corrupted.
+ */
+#ifdef DEBUG
+ fprintf (stderr,
+ "invalid alt list (length %lx >= %lx)\n",
+ (long) alt_len, (long) alt_name_len);
+#endif
+ free(alts);
+ return FSIO_ERROR;
+ }
alts[i].name = alt_save;
memcpy (alt_save, alt_names + 2, alt_len);
alt_save[alt_len] = '\0';
alt_save += alt_len + 1;
+ alt_name_len -= alt_len + 1;
alt_names += _fs_pad_length (alt_len + 2);
}
conn->numAlts = setup->num_alternates;
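Review bot: The guard added at the `alt_len >= alt_name_len` line bounds only the destination budget, not the source cursor: `alt_names[0]` and `alt_names[1]` are read before the check, the memcpy then reads alt_len bytes from `alt_names + 2` while the check only guarantees alt_len + 1 bytes remain in the budget, and the cursor advances by `_fs_pad_length (alt_len + 2)` per entry whereas the budget shrinks by `alt_len + 1`. A reply whose per-entry lengths do not add up to `alternate_len << 2` can therefore push the read cursor past the alternates region; whether that stays inside the received reply depends on how setup_len (declared in the first hunk) is computed, which is outside this hunk. Tracking the bytes still unread on the source side separately and checking `alt_len + 2` against it before the entry is touched closes that gap, as sketched below. Separately, `alt_len = alt_names[1]` reads through a plain `char`, so on a signed-char ABI any length byte of 128 or more sign-extends into a huge unsigned value and the new check rejects the whole list; `alt_len = (unsigned char) alt_names[1];` makes the intended byte value explicit. The loop's `for` header and the rest of _fs_recv_conn_setup lie outside the hunk.
```c
size_t alt_name_len = setup->alternate_len << 2;
size_t alt_bytes_left = alt_name_len;   /* unread bytes of the alternates region */
size_t alt_len_padded;
/* … unchanged: alts allocation, alt_names/alt_save setup, for header … */
    if (alt_bytes_left < 2) {
        /* entry header would be read past the alternates region */
        free(alts);
        return FSIO_ERROR;
    }
    alts[i].subset = alt_names[0];
    alt_len = (unsigned char) alt_names[1];
    if (alt_len + 2 > alt_bytes_left || alt_len >= alt_name_len) {
        /* … unchanged: DEBUG report, free(alts), return FSIO_ERROR … */
    }
    /* … unchanged: copy into alt_save, alt_name_len bookkeeping … */
    alt_len_padded = _fs_pad_length (alt_len + 2);
    alt_bytes_left = alt_len_padded < alt_bytes_left ? alt_bytes_left - alt_len_padded : 0;
    alt_names += alt_len_padded;
```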