path: root/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch
Diffstat (limited to 'debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch')
-rw-r--r--debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch43
1 files changed, 43 insertions, 0 deletions
diff --git a/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch b/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch
new file mode 100644
index 000000000..8097e3050
--- /dev/null
+++ b/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch
@@ -0,0 +1,43 @@
+From f53f2474d5d33cca04c4c7744ecc50cec41ba94f Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333@gmail.com>
+Date: Sun, 8 Feb 2015 20:28:30 -0500
+Subject: [PATCH 05/40] CVE-2014-0209: integer overflow of realloc() size in
+ FontFileAddEntry() from xorg/lib/libXfont commit
+ 2f5e57317339c526e6eaee1010b0e2ab8089c42e
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+FontFileReadDirectory() opens a fonts.dir file, and reads over every
+line in an fscanf loop. For each successful entry read (font name,
+file name) a call is made to FontFileAddFontFile().
+
+FontFileAddFontFile() will add a font file entry (for the font name
+and file) each time it’s called, by calling FontFileAddEntry().
+FontFileAddEntry() will do the actual adding. If the table it has
+to add to is full, it will do a realloc, adding 100 more entries
+to the table size without checking to see if that will overflow the
+int used to store the size.
+---
+ nx-X11/lib/font/fontfile/fontdir.c | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/nx-X11/lib/font/fontfile/fontdir.c b/nx-X11/lib/font/fontfile/fontdir.c
+index 8f75d8b..899ff05 100644
+--- a/nx-X11/lib/font/fontfile/fontdir.c
++++ b/nx-X11/lib/font/fontfile/fontdir.c
+@@ -185,6 +185,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
+ if (table->sorted)
+ return (FontEntryPtr) 0; /* "cannot" happen */
+ if (table->used == table->size) {
++ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
++ /* If we've read so many entries we're going to ask for 2gb
++ or more of memory, something is so wrong with this font
++ directory that we should just give up before we overflow. */
++ return NULL;
+ newsize = table->size + 100;
+ entry = (FontEntryPtr) xrealloc(table->entries,
+ newsize * sizeof(FontEntryRec));
+--
+2.1.4
+
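Review bot: The guard added at the inner hunk's first `+` lines relies on `INT32_MAX`, and nothing in this hunk brings that macro into scope; the libXfont commit it was backported from built in a tree whose headers provide it, and nx-X11's fontdir.c may not, so confirm `<stdint.h>` (or the nx-X11 equivalent) is included before this lands or the build fails on the first compile. The comparison also mixes the `int` field `table->size` (the commit message calls it "the int used to store the size") with a `size_t` expression, so it is evaluated unsigned; that is correct for non-negative sizes but should be stated explicitly to survive `-Wsign-compare`, e.g. `if ((size_t)table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))`. The bound itself is sound: because `sizeof(FontEntryRec) > 1`, it rejects far below `INT_MAX - 100`, so `newsize = table->size + 100` cannot overflow, which matches the comment's intent. Whether the `xrealloc()` result is NULL-checked is outside the hunk; FontFileAddEntry's body continues past it.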