diff options
Diffstat (limited to 'debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch')
| -rw-r--r-- | debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch | 38 |
1 files changed, 0 insertions, 38 deletions
diff --git a/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch b/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch deleted file mode 100644 index 66b8cd68d..000000000 --- a/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch +++ /dev/null @@ -1,38 +0,0 @@ -From f53f2474d5d33cca04c4c7744ecc50cec41ba94f Mon Sep 17 00:00:00 2001 -From: Mike DePaulo <mikedep333@gmail.com> -Date: Sun, 8 Feb 2015 20:28:30 -0500 -Subject: [PATCH 05/40] CVE-2014-0209: integer overflow of realloc() size in - FontFileAddEntry() from xorg/lib/libXfont commit - 2f5e57317339c526e6eaee1010b0e2ab8089c42e -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -FontFileReadDirectory() opens a fonts.dir file, and reads over every -line in an fscanf loop. For each successful entry read (font name, -file name) a call is made to FontFileAddFontFile(). - -FontFileAddFontFile() will add a font file entry (for the font name -and file) each time it’s called, by calling FontFileAddEntry(). -FontFileAddEntry() will do the actual adding. If the table it has -to add to is full, it will do a realloc, adding 100 more entries -to the table size without checking to see if that will overflow the -int used to store the size. ---- - nx-X11/lib/font/fontfile/fontdir.c | 5 +++++ - 1 file changed, 5 insertions(+) - ---- a/nx-X11/lib/font/fontfile/fontdir.c -+++ b/nx-X11/lib/font/fontfile/fontdir.c -@@ -185,6 +185,11 @@ FontFileAddEntry(FontTablePtr table, Fon - if (table->sorted) - return (FontEntryPtr) 0; /* "cannot" happen */ - if (table->used == table->size) { -+ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100)) -+ /* If we've read so many entries we're going to ask for 2gb -+ or more of memory, something is so wrong with this font -+ directory that we should just give up before we overflow. */ -+ return NULL; - newsize = table->size + 100; - entry = (FontEntryPtr) xrealloc(table->entries, - newsize * sizeof(FontEntryRec)); |