author | Mike DePaulo <mikedep333@gmail.com> | 2015-02-08 22:08:09 -0500 |
---|---|---|
committer | Mihai Moldovan <ionic@ionic.de> | 2015-02-16 05:47:25 +0100 |
commit | e29bbd5bf0565eaf7c02f85a57b87f66531fa6b3 (patch) | |
tree | 3c598bba4ffeb3b41b927d4cae846d4c190f9108 | |
parent | 5fc2f57fb5520bb61e2c1f8b6fd2522b203b3b9d (diff) | |
CVE-2014-0210: unvalidated length fields in fs_read_query_info() from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f
fs_read_query_info() parses a reply from the font server. The reply
contains embedded length fields, none of which are validated. This
can cause out-of-bounds reads in either fs_read_query_info() or in
_fs_convert_props(), which it calls to parse the fsPropInfo in the reply.
v2: apply correctly on nx-libs 3.6.x (Mihai Moldovan)
-rw-r--r-- | nx-X11/lib/font/fc/fsconvert.c | 19 | ||||
-rw-r--r-- | nx-X11/lib/font/fc/fserve.c | 43 |
2 files changed, 54 insertions, 8 deletions
diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
index 9a5e194d1..afa2c3284 100644
--- a/nx-X11/lib/font/fc/fsconvert.c
+++ b/nx-X11/lib/font/fc/fsconvert.c
@@ -123,6 +123,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
 for (i = 0; i < nprops; i++, dprop++, is_str++)
 {
 memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
+ if ((local_off.name.position >= pi->data_len) ||
+ (local_off.name.length >
+ (pi->data_len - local_off.name.position)))
+ goto bail;
 dprop->name = MakeAtom(&pdc[local_off.name.position],
 local_off.name.length, 1);
 if (local_off.type != PropTypeString) {
@@ -130,15 +134,20 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
 dprop->value = local_off.value.position;
 } else {
 *is_str = TRUE;
+ if ((local_off.value.position >= pi->data_len) ||
+ (local_off.value.length >
+ (pi->data_len - local_off.value.position)))
+ goto bail;
 dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
 local_off.value.length, 1);
 if (dprop->value == BAD_RESOURCE) {
- xfree (pfi->props);
- pfi->nprops = 0;
- pfi->props = 0;
- pfi->isStringProp = 0;
- return -1;
+ bail:
+ xfree (pfi->props);
+ pfi->nprops = 0;
+ pfi->props = 0;
+ pfi->isStringProp = 0;
+ return -1;
 }
 }
 off_adr += SIZEOF(fsPropOffset);
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 9e652d206..75cabdd9e 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -866,6 +866,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 FSFpePtr conn = (FSFpePtr) fpe->private;
 fsQueryXInfoReply *rep;
 char *buf;
+ long bufleft = 0; /* length of reply left to use */
 fsPropInfo *pi;
 fsPropOffset *po;
 pointer pd;
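Review bot: Both new `goto bail` statements (the name check in this hunk and the value check in the second fsconvert.c hunk) jump into the body of `if (dprop->value == BAD_RESOURCE) {`, where the relocated `bail:` label now sits inside a nested block of the else branch. That is valid C, but a jump into an inner scope is fragile (a declaration later added to that block would break it) and hides the cleanup; a cleaner shape is `if (dprop->value == BAD_RESOURCE)` / `goto bail;` with the label and its five cleanup statements moved unchanged to a point after the function's normal return, which lies outside the hunk. The new bounds depend entirely on the caller having checked `pi->data_len` against the real reply size, which fserve.c does in this commit for fs_read_query_info only; any other reader that passes a wire-supplied fsPropInfo to `_fs_convert_props` needs the same `num_offsets`/`data_len` bounding, since this function receives no buffer length of its own. `_fs_convert_props` starts before the first hunk and its remainder is outside both hunks.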
@@ -896,7 +897,10 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 buf = (char *) rep;
 buf += SIZEOF(fsQueryXInfoReply);
-
+
+ bufleft = rep->length << 2;
+ bufleft -= SIZEOF(fsQueryXInfoReply);
+
 /* move the data over */
 fsUnpack_XFontInfoHeader(rep, pInfo);
@@ -904,19 +908,52 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 _fs_init_fontinfo(conn, pInfo);
 /* Compute offsets into the reply */
+ if (bufleft < SIZEOF(fsPropInfo))
+ {
+ ret = -1;
+#ifdef DEBUG
+ fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n",
+ bufleft);
+#endif
+ goto bail;
+ }
 pi = (fsPropInfo *) buf;
 buf += SIZEOF (fsPropInfo);
-
+ bufleft -= SIZEOF (fsPropInfo);
+
+ if ((bufleft / SIZEOF (fsPropOffset)) < pi->num_offsets)
+ {
+ ret = -1;
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsQueryXInfo: (bufleft / SIZEOF (fsPropOffset)) (%ld) < pi->num_offsets (%d)\n",
+ bufleft / SIZEOF (fsPropOffset), pi->num_offsets);
+#endif
+ goto bail;
+ }
 po = (fsPropOffset *) buf;
 buf += pi->num_offsets * SIZEOF(fsPropOffset);
+ bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
+ if (bufleft < pi->data_len)
+ {
+ ret = -1;
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
+ bufleft, pi->data_len);
+#endif
+ goto bail;
+ }
 pd = (pointer) buf;
 buf += pi->data_len;
+ bufleft -= pi->data_len;
 /* convert the properties and step over the reply */
 ret = _fs_convert_props(pi, po, pd, pInfo);
+ bail:
 _fs_done_read (conn, rep->length << 2);
-
+
 if (ret == -1) {
 fs_cleanup_bfont (bfont); |
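Review bot: In the third fserve.c hunk the DEBUG fprintf calls print `pi->num_offsets` and `pi->data_len` with `%d`, but both fsPropInfo fields are CARD32, so exactly the oversized wire values these checks exist to reject (>= 2^31) would be logged as negatives and `-Wformat` warns; `%u` is the matching conversion, while `%ld` for `bufleft` is already correct. In the second hunk `bufleft = rep->length << 2; bufleft -= SIZEOF(fsQueryXInfoReply);` goes negative whenever the reply claims to be shorter than its own fixed header, which is harmless only if the reply-fetching code above the hunk already rejected such replies — that code is outside view; the `bufleft < SIZEOF(fsPropInfo)` test does catch a negative value, but only because SIZEOF() expands to a plain int constant rather than a size_t, so a comment at the assignment, `/* rep->length is in 4-byte units; bufleft is kept signed so a short reply fails the checks below */`, would record the dependency. The shift is performed in 32-bit CARD32 arithmetic and wraps for length >= 2^30, consistent with the existing `_fs_done_read (conn, rep->length << 2)` call, which is worth stating in the same comment if the reader does not cap `rep->length`. fs_read_query_info begins before the second hunk and continues after `fs_cleanup_bfont (bfont);`.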