CVE-2014-0210: unvalidated length fields in fs_read_extent_info() from xorg/lib/libXfont commit a3f21421537620fc4e1f844a594a4bcd9f7e2bd8

Looping over the extents in the reply could go past the end of the reply buffer if the reply indicated more extents than could fit in the specified reply length.
author: Mike DePaulo <mikedep333@gmail.com> 2015-02-08 22:26:16 -0500
committer: Mike Gabriel <mike.gabriel@das-netzwerkteam.de> 2015-02-14 16:14:31 +0100
commit: d2b96c5d59766f96181de95da1906fd6e32785ba (patch)
tree: d1061d852276d10d5413da80dce1deada27873d8 /nx-X11
parent: a0bed4d9fce8ffc96f13ca13b95d2a7913d20719 (diff)
download: nx-libs-d2b96c5d59766f96181de95da1906fd6e32785ba.tar.gz
nx-libs-d2b96c5d59766f96181de95da1906fd6e32785ba.tar.bz2
nx-libs-d2b96c5d59766f96181de95da1906fd6e32785ba.zip
1 files changed, 10 insertions, 0 deletions
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 639964c55..79de4f352 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -1069,6 +1069,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 #endif
 	pCI = NULL;
     }
+    else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply))
+			    / LENGTHOF(fsXCharInfo))) {
+#ifdef DEBUG
+	fprintf(stderr,
+		"fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n",
+		numExtents, rep->length,
+		LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo));
+#endif
+	pCI = NULL;
+    }
     else
 	pCI = malloc(sizeof(CharInfoRec) * numInfos);
author	Mike DePaulo <mikedep333@gmail.com>	2015-02-08 22:26:16 -0500
committer	Mike Gabriel <mike.gabriel@das-netzwerkteam.de>	2015-02-14 16:14:31 +0100
commit	d2b96c5d59766f96181de95da1906fd6e32785ba (patch)
tree	d1061d852276d10d5413da80dce1deada27873d8 /nx-X11
parent	a0bed4d9fce8ffc96f13ca13b95d2a7913d20719 (diff)
download	nx-libs-d2b96c5d59766f96181de95da1906fd6e32785ba.tar.gz nx-libs-d2b96c5d59766f96181de95da1906fd6e32785ba.tar.bz2 nx-libs-d2b96c5d59766f96181de95da1906fd6e32785ba.zip