author | Mike DePaulo <mikedep333@gmail.com> | 2015-02-08 22:23:51 -0500 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:31 +0100 |
commit | a0bed4d9fce8ffc96f13ca13b95d2a7913d20719 (patch) | |
tree | 6510959e422b3b29b6f761e8b583a68cc9eb2548 | |
parent | bb7abd9da9badc6cb825c636867cbef827141f36 (diff) | |
CVE-2014-0211: integer overflow in fs_alloc_glyphs() from xorg/lib/libXfont commit a42f707f8a62973f5e8bbcd08afb10a79e9cee33
fs_alloc_glyphs() is a malloc wrapper used by the font code.
It contains a classic integer overflow in the malloc() call,
which can cause memory corruption.
-rw-r--r-- | nx-X11/lib/font/fc/fsconvert.c | 7 |
1 files changed, 6 insertions, 1 deletions
diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
index d41e0b83e..afa2c3284 100644
--- a/nx-X11/lib/font/fc/fsconvert.c
+++ b/nx-X11/lib/font/fc/fsconvert.c
@@ -762,7 +762,12 @@ fs_alloc_glyphs (FontPtr pFont, int size)
 FSGlyphPtr glyphs;
 FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate;
- glyphs = xalloc (sizeof (FSGlyphRec) + size);
+ if (size < (INT_MAX - sizeof (FSGlyphRec)))
+ glyphs = xalloc (sizeof (FSGlyphRec) + size);
+ else
+ glyphs = NULL;
+ if (glyphs == NULL)
+ return NULL;
 glyphs->next = fsfont->glyphs;
 fsfont->glyphs = glyphs;
 return (pointer) (glyphs + 1); |
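Review bot: The new guard `size < (INT_MAX - sizeof (FSGlyphRec))` rejects a negative `size` only by accident of the usual arithmetic conversions: `size` is an `int`, the right-hand side is a `size_t`, so a negative value is compared as a very large unsigned one. Making that explicit would keep the check correct if either type changes, e.g. `if (size >= 0 && (size_t) size < INT_MAX - sizeof (FSGlyphRec))`, or at least a comment such as `/* negative size converts to a huge size_t and is rejected here */`. The function now returns NULL both for an oversized request and for an xalloc() failure, where it previously dereferenced the result unconditionally, so every caller has to check the return value before writing glyph data; the callers are outside this hunk and should be confirmed. `INT_MAX` also needs `<limits.h>`, and the hunk does not show whether fsconvert.c already includes it. The body of fs_alloc_glyphs starts and ends outside the hunk.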