author | Mihai Moldovan <ionic@ionic.de> | 2017-12-15 12:55:17 +0100 |
---|---|---|
committer | Mihai Moldovan <ionic@ionic.de> | 2017-12-15 12:55:17 +0100 |
commit | 1dad092caf01d733990648e6df64cbf964df5143 (patch) | |
tree | 39de0e643e76754a3e23ca9dd0350b8ba4f76250 /debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch | |
parent | 6d70b9e3c47f27a166f4aacb522c5c1e49092dd9 (diff) | |
parent | 2b9025f797ee322e21077e100c2ee27c2e7fa0e0 (diff) | |
Merge branch '3.6.x'
Diffstat (limited to 'debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch')
-rw-r--r-- | debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch | 56 |
1 files changed, 0 insertions, 56 deletions
diff --git a/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch b/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
deleted file mode 100644
index 339f03de7..000000000
--- a/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
+++ /dev/null
@@ -1,56 +0,0 @@
-From ef439da38d3a4c00a4e03e7d8f83cb359cd9a230 Mon Sep 17 00:00:00 2001
-From: Mike DePaulo <mikedep333@gmail.com>
-Date: Sun, 8 Feb 2015 22:35:21 -0500
-Subject: [PATCH 16/40] CVE-2014-0210: unvalidated length fields in
- fs_read_list() from xorg/lib/libXfont commit
- 5fa73ac18474be3032ee7af9c6e29deab163ea39
-
-fs_read_list() parses a reply from the font server. The reply
-contains a list of strings with embedded length fields, none of
-which are validated. This can cause out of bound reads when looping
-over the strings in the reply.
----
- nx-X11/lib/font/fc/fserve.c | 15 +++++++++++++++
- 1 file changed, 15 insertions(+)
-
---- a/nx-X11/lib/font/fc/fserve.c
-+++ b/nx-X11/lib/font/fc/fserve.c
-@@ -2366,6 +2366,7 @@ fs_read_list(FontPathElementPtr fpe, FSB
- FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data;
- fsListFontsReply *rep;
- char *data;
-+ long dataleft; /* length of reply left to use */
- int length,
- i,
- ret;
-@@ -2383,16 +2384,30 @@ fs_read_list(FontPathElementPtr fpe, FSB
- return AllocError;
- }
- data = (char *) rep + SIZEOF (fsListFontsReply);
-+ dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply);
-
- err = Successful;
- /* copy data into FontPathRecord */
- for (i = 0; i < rep->nFonts; i++)
- {
-+ if (dataleft < 1)
-+ break;
- length = *(unsigned char *)data++;
-+ dataleft--; /* used length byte */
-+ if (length > dataleft) {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsListFonts: name length (%d) > dataleft (%ld)\n",
-+ length, dataleft);
-+#endif
-+ err = BadFontName;
-+ break;
-+ }
- err = AddFontNamesName(blist->names, data, length);
- if (err != Successful)
- break;
- data += length;
-+ dataleft -= length;
- }
- _fs_done_read (conn, rep->length << 2);
- return err; |