authorMike DePaulo <mikedep333@gmail.com>2015-02-08 22:08:09 -0500
committerMihai Moldovan <ionic@ionic.de>2015-02-16 05:47:25 +0100
commite29bbd5bf0565eaf7c02f85a57b87f66531fa6b3 (patch)
tree3c598bba4ffeb3b41b927d4cae846d4c190f9108 /nx-X11/lib/font/fc/fsconvert.c
parent5fc2f57fb5520bb61e2c1f8b6fd2522b203b3b9d (diff)
CVE-2014-0210: unvalidated length fields in fs_read_query_info() from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f
fs_read_query_info() parses a reply from the font server. The reply contains embedded length fields, none of which are validated. This can cause out-of-bounds reads in either fs_read_query_info() or in _fs_convert_props(), which it calls to parse the fsPropInfo in the reply. v2: apply correctly on nx-libs 3.6.x (Mihai Moldovan)
Diffstat (limited to 'nx-X11/lib/font/fc/fsconvert.c')
-rw-r--r--nx-X11/lib/font/fc/fsconvert.c19
1 files changed, 14 insertions, 5 deletions
diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
index 9a5e194d1..afa2c3284 100644
--- a/nx-X11/lib/font/fc/fsconvert.c
+++ b/nx-X11/lib/font/fc/fsconvert.c
@@ -123,6 +123,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
for (i = 0; i < nprops; i++, dprop++, is_str++)
{
memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
+ if ((local_off.name.position >= pi->data_len) ||
+ (local_off.name.length >
+ (pi->data_len - local_off.name.position)))
+ goto bail;
dprop->name = MakeAtom(&pdc[local_off.name.position],
local_off.name.length, 1);
if (local_off.type != PropTypeString) {
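Review bot: The new range check on `local_off.name` is only sound if `pi->data_len` has itself already been bounded against the number of reply bytes actually received, and nothing in this function records that precondition; a comment above the check would spare the next reader a trip to the caller, e.g. `/* name must lie within the data_len bytes of property data; data_len is checked against the reply length by the caller (fs_read_query_info) */` — the commit message places that check there, it is not visible in this hunk. The subtraction `pi->data_len - local_off.name.position` cannot wrap, because the first clause already guarantees position < data_len, provided both fields are the unsigned CARD32 the FS protocol headers declare — worth confirming against the struct definition. The identical check is repeated for `local_off.value` in the next hunk; a small `static` helper taking an offset/length pair and the data length would keep the two in step. `_fs_convert_props` begins before this hunk.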
@@ -130,15 +134,20 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
dprop->value = local_off.value.position;
} else {
*is_str = TRUE;
+ if ((local_off.value.position >= pi->data_len) ||
+ (local_off.value.length >
+ (pi->data_len - local_off.value.position)))
+ goto bail;
dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
local_off.value.length, 1);
if (dprop->value == BAD_RESOURCE)
{
- xfree (pfi->props);
- pfi->nprops = 0;
- pfi->props = 0;
- pfi->isStringProp = 0;
- return -1;
+ bail:
+ xfree (pfi->props);
+ pfi->nprops = 0;
+ pfi->props = 0;
+ pfi->isStringProp = 0;
+ return -1;
}
}
off_adr += SIZEOF(fsPropOffset);
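Review bot: The `bail:` label now sits inside the body of `if (dprop->value == BAD_RESOURCE)`, so both new `goto bail` statements (the value check here and the name check in the previous hunk) jump into a nested block; that is legal C as long as no VLA is in scope, but it reads as if the cleanup were conditional on BAD_RESOURCE. Clearer is `if (dprop->value == BAD_RESOURCE) goto bail;` with the label and the four cleanup lines placed after the loop, before the normal return; the remainder of `_fs_convert_props` is outside the hunk, so the exact spot is for the author to pick. Also, the cleanup frees `pfi->props` but only nulls `pfi->isStringProp`; if that is a separate allocation (its allocation site is not in the hunk), this now more frequently taken error path leaks it — confirm against where it is allocated.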