author | Mike DePaulo <mikedep333@gmail.com> | 2015-02-08 22:35:21 -0500 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:31 +0100 |
commit | ef439da38d3a4c00a4e03e7d8f83cb359cd9a230 (patch) | |
tree | 0e9f5f815230d07bff74d5e26a193e6a52fd61ed /nx-X11/lib | |
parent | ece51493f1d970f45e53588e33a700464a42fbab (diff) | |
download | nx-libs-ef439da38d3a4c00a4e03e7d8f83cb359cd9a230.tar.gz nx-libs-ef439da38d3a4c00a4e03e7d8f83cb359cd9a230.tar.bz2 nx-libs-ef439da38d3a4c00a4e03e7d8f83cb359cd9a230.zip |
CVE-2014-0210: unvalidated length fields in fs_read_list() from xorg/lib/libXfont commit 5fa73ac18474be3032ee7af9c6e29deab163ea39
fs_read_list() parses a reply from the font server. The reply
contains a list of strings with embedded length fields, none of
which are validated. This can cause out of bound reads when looping
over the strings in the reply.
Diffstat (limited to 'nx-X11/lib')
-rw-r--r-- | nx-X11/lib/font/fc/fserve.c | 15 |
1 files changed, 15 insertions, 0 deletions
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 26218e568..60d901798 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -2365,6 +2365,7 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
     FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data;
     fsListFontsReply *rep;
     char *data;
+    long dataleft; /* length of reply left to use */
     int length, i, ret;
@@ -2382,16 +2383,30 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
         return AllocError;
     }
     data = (char *) rep + SIZEOF (fsListFontsReply);
+    dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply);
     err = Successful;
     /* copy data into FontPathRecord */
     for (i = 0; i < rep->nFonts; i++) {
+        if (dataleft < 1)
+            break;
         length = *(unsigned char *)data++;
+        dataleft--; /* used length byte */
+        if (length > dataleft) {
+#ifdef DEBUG
+            fprintf(stderr,
+                    "fsListFonts: name length (%d) > dataleft (%ld)\n",
+                    length, dataleft);
+#endif
+            err = BadFontName;
+            break;
+        }
         err = AddFontNamesName(blist->names, data, length);
         if (err != Successful)
             break;
         data += length;
+        dataleft -= length;
     }
     _fs_done_read (conn, rep->length << 2);
     return err;
|
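Review bot: The new initialisation `dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply);` in the second hunk is evaluated in the type of `rep->length`, and if that field is an unsigned 32-bit protocol type (its declaration is outside the hunk) a reply shorter than the header makes the subtraction wrap before the result is widened to `long`, so on LP64 targets `dataleft` becomes a large positive count and the `dataleft < 1` guard never breaks out of the loop. Unless the caller already rejects replies shorter than `SIZEOF (fsListFontsReply)`, which this hunk does not show, do the subtraction in signed arithmetic so a short reply yields a negative `dataleft`: `dataleft = (long)(rep->length << 2) - (long)SIZEOF (fsListFontsReply);`. The shift `rep->length << 2` itself can still wrap for very large `rep->length`, but that is shared with the pre-existing `_fs_done_read (conn, rep->length << 2)` call and is outside what this commit changes. fs_read_list begins and ends outside the visible hunks.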