author | Mike DePaulo <mikedep333@gmail.com> | 2015-02-08 21:43:42 -0500 |
---|---|---|
committer | Mike Gabriel <mike.gabriel@das-netzwerkteam.de> | 2015-02-14 16:14:31 +0100 |
commit | 2d724c1a0416895dd39bf33678f42cbb4c51b1ae | |
tree | 55ed271a8448a548d39b4c62ffc14e33d2b93a17 /nxcomp/RenderCreatePicture.h | |
parent | 50e80a06c84375e39af02b24f01a949cb565a49d | |

CVE-2014-0211: Integer overflow in fs_get_reply/_fs_start_read from xorg/lib/libXfont commit 0f1a5d372c143f91a602bdf10c917d7eabaee09b

fs_get_reply() would take any reply size, multiply it by 4 and pass to
_fs_start_read. If that size was bigger than the current reply buffer
size, _fs_start_read would add it to the existing buffer size plus the
buffer size increment constant and realloc the buffer to that result.

This math could overflow, causing the code to allocate a smaller
buffer than the amount it was about to read into that buffer from
the network. It could also succeed, allowing the remote font server
to cause massive allocations in the X server, possibly using up all
the address space in a 32-bit X server, allowing the triggering of
other bugs in code that fails to handle malloc failure properly.

This patch protects against both problems, by disconnecting any
font server trying to feed us more than (the somewhat arbitrary)
64 mb in a single reply.

Diffstat (limited to 'nxcomp/RenderCreatePicture.h')
0 files changed, 0 insertions, 0 deletions
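
The size arithmetic the commit message describes, modelled in 32-bit unsigned math beside a bounded version, as an added example that is not code from libXfont or nx-libs. The function names, the sample values and the `BUF_INCREMENT` value are assumptions; the 64 MB limit is the one the message states.

```c
#include <stdint.h>
#include <stdio.h>

/* Assumed value: the message names a "buffer size increment constant"
 * but does not give it. */
#define BUF_INCREMENT   1024u
/* The 64 MB per-reply cap stated in the commit message. */
#define MAX_REPLY_BYTES (64u * 1024u * 1024u)

/* Unchecked math as described: reply length (in 4-byte units) times 4,
 * then current size + needed + increment. Both steps can wrap at 2^32. */
uint32_t unchecked_new_size(uint32_t cur_size, uint32_t reply_units)
{
    uint32_t needed = reply_units * 4u;
    if (needed <= cur_size)
        return cur_size;                      /* buffer already big enough */
    return cur_size + needed + BUF_INCREMENT; /* may wrap to a small value */
}

/* Bounded version (hypothetical helper): returns the new buffer size,
 * or -1 when the peer should be disconnected instead of trusted. */
int64_t checked_new_size(uint32_t cur_size, uint32_t reply_units)
{
    /* Compare in units, before multiplying, so the check cannot wrap. */
    if (reply_units > MAX_REPLY_BYTES / 4u)
        return -1;
    uint32_t needed = reply_units * 4u;       /* at most 64 MB here */
    if (needed <= cur_size)
        return cur_size;
    /* Guard the addition as well; needed is bounded, so no underflow. */
    if (cur_size > UINT32_MAX - needed - BUF_INCREMENT)
        return -1;
    return (int64_t)cur_size + needed + BUF_INCREMENT;
}

int main(void)
{
    /* Constructed sample values, not taken from the page. */
    uint32_t cur = 8192u, units = 0x3FFFFFFFu;
    printf("bytes claimed by reply: %u\n", (unsigned)(units * 4u));
    printf("unchecked allocation:   %u\n",
           (unsigned)unchecked_new_size(cur, units));
    printf("checked result:         %lld\n",
           (long long)checked_new_size(cur, units));
    return 0;
}
```

With the constructed inputs, the unchecked path sizes the buffer at 9212 bytes for a reply claiming 4294967292 bytes, while the bounded path rejects the reply before any allocation.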