authorMike DePaulo <mikedep333@gmail.com>2015-02-08 22:23:51 -0500
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-14 16:14:31 +0100
commita0bed4d9fce8ffc96f13ca13b95d2a7913d20719 (patch)
tree6510959e422b3b29b6f761e8b583a68cc9eb2548
parentbb7abd9da9badc6cb825c636867cbef827141f36 (diff)
CVE-2014-0211: integer overflow in fs_alloc_glyphs() from xorg/lib/libXfont commit a42f707f8a62973f5e8bbcd08afb10a79e9cee33
fs_alloc_glyphs() is a malloc wrapper used by the font code. It contains a classic integer overflow in the malloc() call, which can cause memory corruption.
-rw-r--r--nx-X11/lib/font/fc/fsconvert.c7
1 files changed, 6 insertions, 1 deletions
diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
index d41e0b83e..afa2c3284 100644
--- a/nx-X11/lib/font/fc/fsconvert.c
+++ b/nx-X11/lib/font/fc/fsconvert.c
@@ -762,7 +762,12 @@ fs_alloc_glyphs (FontPtr pFont, int size)
FSGlyphPtr glyphs;
FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate;
- glyphs = xalloc (sizeof (FSGlyphRec) + size);
+ if (size < (INT_MAX - sizeof (FSGlyphRec)))
+ glyphs = xalloc (sizeof (FSGlyphRec) + size);
+ else
+ glyphs = NULL;
+ if (glyphs == NULL)
+ return NULL;
glyphs->next = fsfont->glyphs;
fsfont->glyphs = glyphs;
return (pointer) (glyphs + 1);
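Review bot: The new guard `size < (INT_MAX - sizeof (FSGlyphRec))` rejects a negative `size` only as a side effect of the usual arithmetic conversions: `sizeof` yields `size_t`, so `size` is converted to unsigned and a negative value compares as very large. That holds on ABIs where `size_t` is at least as wide as `int`, but the code does not say so; I would make it explicit with `if (size >= 0 && (size_t) size < INT_MAX - sizeof (FSGlyphRec))`, or at least add `/* a negative size converts to a huge size_t and is rejected here */`. `INT_MAX` needs `<limits.h>`, and the diffstat shows no include being added, so the header is presumably already pulled in elsewhere in fsconvert.c. The function now returns NULL where it previously dereferenced a failed allocation, so its callers (outside this hunk, as are the body's opening and closing braces) should be checked for NULL handling.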