aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorMihai Moldovan <ionic@ionic.de>2015-02-16 05:52:09 +0100
committerMihai Moldovan <ionic@ionic.de>2015-02-16 05:52:09 +0100
commitc0d0e373d4c42c7813b1955fc18f5c9f63c725e0 (patch)
tree24ed8bd84d4c25d11c6fcd1b6a333bc116a9cf81
parente29bbd5bf0565eaf7c02f85a57b87f66531fa6b3 (diff)
downloadnx-libs-c0d0e373d4c42c7813b1955fc18f5c9f63c725e0.tar.gz
nx-libs-c0d0e373d4c42c7813b1955fc18f5c9f63c725e0.tar.bz2
nx-libs-c0d0e373d4c42c7813b1955fc18f5c9f63c725e0.zip
Revert "CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d"
This reverts commit 94c6de0649cd295044b1e4ff7265949c9c787519.
-rw-r--r--nx-X11/lib/font/fc/fserve.c21
1 files changed, 3 insertions, 18 deletions
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 75cabdd9e..0d792c7e3 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -2985,7 +2985,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
int ret;
fsConnSetup *setup;
FSFpeAltPtr alts;
- unsigned int i, alt_len;
+ int i, alt_len;
int setup_len;
char *alt_save, *alt_names;
@@ -3012,9 +3012,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
}
if (setup->num_alternates)
{
- size_t alt_name_len = setup->alternate_len << 2;
alts = (FSFpeAltPtr) xalloc (setup->num_alternates *
- sizeof (FSFpeAltRec) + alt_name_len);
+ sizeof (FSFpeAltRec) +
+ (setup->alternate_len << 2));
if (alts)
{
alt_names = (char *) (setup + 1);
@@ -3023,25 +3023,10 @@ _fs_recv_conn_setup (FSFpePtr conn)
{
alts[i].subset = alt_names[0];
alt_len = alt_names[1];
- if (alt_len >= alt_name_len) {
- /*
- * Length is longer than setup->alternate_len
- * told us to allocate room for, assume entire
- * alternate list is corrupted.
- */
-#ifdef DEBUG
- fprintf (stderr,
- "invalid alt list (length %lx >= %lx)\n",
- (long) alt_len, (long) alt_name_len);
-#endif
- free(alts);
- return FSIO_ERROR;
- }
alts[i].name = alt_save;
memcpy (alt_save, alt_names + 2, alt_len);
alt_save[alt_len] = '\0';
alt_save += alt_len + 1;
- alt_name_len -= alt_len + 1;
alt_names += _fs_pad_length (alt_len + 2);
}
conn->numAlts = setup->num_alternates;