diff options
Diffstat (limited to 'debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch')
| -rw-r--r-- | debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch | 43 |
1 files changed, 43 insertions, 0 deletions
diff --git a/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch b/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch new file mode 100644 index 000000000..8097e3050 --- /dev/null +++ b/debian/patches/1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch @@ -0,0 +1,43 @@ +From f53f2474d5d33cca04c4c7744ecc50cec41ba94f Mon Sep 17 00:00:00 2001 +From: Mike DePaulo <mikedep333@gmail.com> +Date: Sun, 8 Feb 2015 20:28:30 -0500 +Subject: [PATCH 05/40] CVE-2014-0209: integer overflow of realloc() size in + FontFileAddEntry() from xorg/lib/libXfont commit + 2f5e57317339c526e6eaee1010b0e2ab8089c42e +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +FontFileReadDirectory() opens a fonts.dir file, and reads over every +line in an fscanf loop. For each successful entry read (font name, +file name) a call is made to FontFileAddFontFile(). + +FontFileAddFontFile() will add a font file entry (for the font name +and file) each time it’s called, by calling FontFileAddEntry(). +FontFileAddEntry() will do the actual adding. If the table it has +to add to is full, it will do a realloc, adding 100 more entries +to the table size without checking to see if that will overflow the +int used to store the size. +--- + nx-X11/lib/font/fontfile/fontdir.c | 5 +++++ + 1 file changed, 5 insertions(+) + +diff --git a/nx-X11/lib/font/fontfile/fontdir.c b/nx-X11/lib/font/fontfile/fontdir.c +index 8f75d8b..899ff05 100644 +--- a/nx-X11/lib/font/fontfile/fontdir.c ++++ b/nx-X11/lib/font/fontfile/fontdir.c +@@ -185,6 +185,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype) + if (table->sorted) + return (FontEntryPtr) 0; /* "cannot" happen */ + if (table->used == table->size) { ++ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100)) ++ /* If we've read so many entries we're going to ask for 2gb ++ or more of memory, something is so wrong with this font ++ directory that we should just give up before we overflow. */ ++ return NULL; + newsize = table->size + 100; + entry = (FontEntryPtr) xrealloc(table->entries, + newsize * sizeof(FontEntryRec)); +-- +2.1.4 + |