Diffstat (limited to 'debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch')
-rw-r--r-- | debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch | 46 |
1 files changed, 46 insertions, 0 deletions
diff --git a/debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch b/debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch
new file mode 100644
index 000000000..522a96731
--- /dev/null
+++ b/debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch
@@ -0,0 +1,46 @@
+From 36f1dae749acb065eaefca56d42d19ef6822a001 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333@gmail.com>
+Date: Sun, 8 Feb 2015 20:53:14 -0500
+Subject: [PATCH 06/40] CVE-2014-0209: integer overflow of realloc() size in
+ lexAlias() from xorg/lib/libXfont commit
+ 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc
+
+lexAlias() reads from a file in a loop. It does this by starting with a
+64 byte buffer. If that size limit is hit, it does a realloc of the
+buffer size << 1, basically doubling the needed length every time the
+length limit is hit.
+
+Eventually, this will shift out to 0 (for a length of ~4gig), and that
+length will be passed on to realloc(). A length of 0 (with a valid
+pointer) causes realloc to free the buffer on most POSIX platforms,
+but the caller will still have a pointer to it, leading to use after
+free issues.
+---
+ nx-X11/lib/font/fontfile/dirfile.c | 4 ++++
+ 1 file changed, 4 insertions(+)
+
+diff --git a/nx-X11/lib/font/fontfile/dirfile.c b/nx-X11/lib/font/fontfile/dirfile.c
+index f390391..3a2fead 100644
+--- a/nx-X11/lib/font/fontfile/dirfile.c
++++ b/nx-X11/lib/font/fontfile/dirfile.c
+@@ -45,6 +45,7 @@ in this Software without prior written authorization from The Open Group.
+ #include <sys/types.h>
+ #include <sys/stat.h>
+ #include <errno.h>
++#include <limits.h>
+ 
+ static Bool AddFileNameAliases ( FontDirectoryPtr dir );
+ static int ReadFontAlias ( char *directory, Bool isFile,
+@@ -373,6 +374,9 @@ lexAlias(FILE *file, char **lexToken)
+ int nsize;
+ char *nbuf;
+ 
++ if (tokenSize >= (INT_MAX >> 2))
++ /* Stop before we overflow */
++ return EALLOC;
+ nsize = tokenSize ? (tokenSize << 1) : 64;
+ nbuf = (char *) xrealloc(tokenBuf, nsize);
+ if (!nbuf)
+--
+2.1.4
+
|
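Review bot: The guard `if (tokenSize >= (INT_MAX >> 2))` in the inner hunk at `@@ -373,6 +374,9 @@` is explained only by `/* Stop before we overflow */`, which names neither the overflow it prevents (the `tokenSize << 1` stored into the signed `int nsize` on the following line) nor why the cap sits at a quarter of INT_MAX rather than just below half; a comment such as `/* tokenSize is doubled below; stop well short of INT_MAX/2 so nsize can neither overflow nor shift to 0 and make xrealloc free tokenBuf (CVE-2014-0209) */` would make the invariant checkable by the next reader. The body of lexAlias, the declarations of tokenSize and tokenBuf, and the callers that presumably must treat the new EALLOC return as a hard stop all lie outside the hunk, so whether every caller handles EALLOC cannot be confirmed from here. The patch header records the upstream libXfont commit id only in the Subject line; if the packaging follows DEP-3, an `Origin:` line pointing at that commit and a `Bug:` reference for the CVE would let patch-tracking tooling find it.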