diff options
author | Mike DePaulo <mikedep333@gmail.com> | 2015-02-08 22:19:01 -0500 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:31 +0100 |
commit | bb7abd9da9badc6cb825c636867cbef827141f36 (patch) | |
tree | a14541b68c461db7093750c424b2254a88948c6c | |
parent | c6aebf9284855a0e24ad9c5ffdd36aa65e16bec7 (diff) | |
download | nx-libs-bb7abd9da9badc6cb825c636867cbef827141f36.tar.gz nx-libs-bb7abd9da9badc6cb825c636867cbef827141f36.tar.bz2 nx-libs-bb7abd9da9badc6cb825c636867cbef827141f36.zip |
CVE-2014-0211: integer overflow in fs_read_extent_info() from xorg/lib/libXfont commit c578408c1fd4db09e4e3173f8a9e65c81cc187c1
fs_read_extent_info() parses a reply from the font server.
The reply contains a 32bit number of elements field which is used
to calculate a buffer length. There is an integer overflow in this
calculation which can lead to memory corruption.
-rw-r--r-- | nx-X11/lib/font/fc/fserve.c | 12 |
1 files changed, 11 insertions, 1 deletions
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c index 2a6f6c97b..639964c55 100644 --- a/nx-X11/lib/font/fc/fserve.c +++ b/nx-X11/lib/font/fc/fserve.c @@ -73,6 +73,7 @@ in this Software without prior written authorization from The Open Group. #include "fservestr.h" #include <X11/fonts/fontutil.h> #include <errno.h> +#include <limits.h> #include <time.h> #define Time_t time_t @@ -1060,7 +1061,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) numInfos *= 2; haveInk = TRUE; } - ci = pCI = (CharInfoPtr) xalloc(sizeof(CharInfoRec) * numInfos); + if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) { +#ifdef DEBUG + fprintf(stderr, + "fsQueryXExtents16: numInfos (%d) >= %ld\n", + numInfos, (INT_MAX / sizeof(CharInfoRec))); +#endif + pCI = NULL; + } + else + pCI = malloc(sizeof(CharInfoRec) * numInfos); if (!pCI) { |