aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/lib/font/fc/fserve.c
diff options
context:
space:
mode:
authorMike DePaulo <mikedep333@gmail.com>2015-02-08 22:26:16 -0500
committerMike Gabriel <mike.gabriel@das-netzwerkteam.de>2015-02-14 16:14:31 +0100
commitd2b96c5d59766f96181de95da1906fd6e32785ba (patch)
treed1061d852276d10d5413da80dce1deada27873d8 /nx-X11/lib/font/fc/fserve.c
parenta0bed4d9fce8ffc96f13ca13b95d2a7913d20719 (diff)
downloadnx-libs-d2b96c5d59766f96181de95da1906fd6e32785ba.tar.gz
nx-libs-d2b96c5d59766f96181de95da1906fd6e32785ba.tar.bz2
nx-libs-d2b96c5d59766f96181de95da1906fd6e32785ba.zip
CVE-2014-0210: unvalidated length fields in fs_read_extent_info() from xorg/lib/libXfont commit a3f21421537620fc4e1f844a594a4bcd9f7e2bd8
Looping over the extents in the reply could go past the end of the reply buffer if the reply indicated more extents than could fit in the specified reply length.
Diffstat (limited to 'nx-X11/lib/font/fc/fserve.c')
-rw-r--r--nx-X11/lib/font/fc/fserve.c10
1 files changed, 10 insertions, 0 deletions
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 639964c55..79de4f352 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -1069,6 +1069,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
#endif
pCI = NULL;
}
+ else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply))
+ / LENGTHOF(fsXCharInfo))) {
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n",
+ numExtents, rep->length,
+ LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo));
+#endif
+ pCI = NULL;
+ }
else
pCI = malloc(sizeof(CharInfoRec) * numInfos);
generated by cgit v1.2.3 (git 2.25.1) at 2024-06-25 06:32:27 +0000