Diffstat (limited to 'debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch')
-rw-r--r-- | debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch | 41 |
1 files changed, 0 insertions, 41 deletions
diff --git a/debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch b/debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch
deleted file mode 100644
index 2539859bf..000000000
--- a/debian/patches/1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch
+++ /dev/null
@@ -1,41 +0,0 @@
-From 36f1dae749acb065eaefca56d42d19ef6822a001 Mon Sep 17 00:00:00 2001
-From: Mike DePaulo <mikedep333@gmail.com>
-Date: Sun, 8 Feb 2015 20:53:14 -0500
-Subject: [PATCH 06/40] CVE-2014-0209: integer overflow of realloc() size in
- lexAlias() from xorg/lib/libXfont commit
- 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc
-
-lexAlias() reads from a file in a loop. It does this by starting with a
-64 byte buffer. If that size limit is hit, it does a realloc of the
-buffer size << 1, basically doubling the needed length every time the
-length limit is hit.
-
-Eventually, this will shift out to 0 (for a length of ~4gig), and that
-length will be passed on to realloc(). A length of 0 (with a valid
-pointer) causes realloc to free the buffer on most POSIX platforms,
-but the caller will still have a pointer to it, leading to use after
-free issues.
----
- nx-X11/lib/font/fontfile/dirfile.c | 4 ++++
- 1 file changed, 4 insertions(+)
-
---- a/nx-X11/lib/font/fontfile/dirfile.c
-+++ b/nx-X11/lib/font/fontfile/dirfile.c
-@@ -45,6 +45,7 @@ in this Software without prior written a
- #include <sys/types.h>
- #include <sys/stat.h>
- #include <errno.h>
-+#include <limits.h>
- 
- static Bool AddFileNameAliases ( FontDirectoryPtr dir );
- static int ReadFontAlias ( char *directory, Bool isFile,
-@@ -373,6 +374,9 @@ lexAlias(FILE *file, char **lexToken)
- int nsize;
- char *nbuf;
- 
-+ if (tokenSize >= (INT_MAX >> 2))
-+ /* Stop before we overflow */
-+ return EALLOC;
- nsize = tokenSize ? (tokenSize << 1) : 64;
- nbuf = (char *) xrealloc(tokenBuf, nsize);
- if (!nbuf) |