Diffstat (limited to 'debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch')
-rw-r--r-- | debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch | 70 |
1 files changed, 0 insertions, 70 deletions
diff --git a/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch b/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch
deleted file mode 100644
index c0fa2cdae..000000000
--- a/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 31322c2bd9be76493a5a04a23ea68e063fe3b7e6 Mon Sep 17 00:00:00 2001
-From: Mike DePaulo <mikedep333@gmail.com>
-Date: Sun, 8 Feb 2015 21:03:33 -0500
-Subject: [PATCH 07/40] CVE-2014-0210: unvalidated length in
- _fs_recv_conn_setup() from xorg/lib/libXfont commit
- 891e084b26837162b12f841060086a105edde86d
-
-The connection setup reply from the font server can include a list
-of alternate servers to contact if this font server stops working.
-
-The reply specifies a total size of all the font server names, and
-then provides a list of names. _fs_recv_conn_setup() allocated the
-specified total size for copying the names to, but didn't check to
-make sure it wasn't copying more data to that buffer than the size
-it had allocated.
-
-v2: use xfree() instead of free() for nx-libs 3.6.x (Mihai Moldovan)
----
- nx-X11/lib/font/fc/fserve.c | 21 ++++++++++++++++++---
- 1 file changed, 18 insertions(+), 3 deletions(-)
-
---- a/nx-X11/lib/font/fc/fserve.c
-+++ b/nx-X11/lib/font/fc/fserve.c
-@@ -2782,7 +2782,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
- int ret;
- fsConnSetup *setup;
- FSFpeAltPtr alts;
-- int i, alt_len;
-+ unsigned int i, alt_len;
- int setup_len;
- char *alt_save, *alt_names;
-
-@@ -2809,9 +2809,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
- }
- if (setup->num_alternates)
- {
-+ size_t alt_name_len = setup->alternate_len << 2;
- alts = (FSFpeAltPtr) xalloc (setup->num_alternates *
-- sizeof (FSFpeAltRec) +
-- (setup->alternate_len << 2));
-+ sizeof (FSFpeAltRec) + alt_name_len);
- if (alts)
- {
- alt_names = (char *) (setup + 1);
-@@ -2820,10 +2820,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
- {
- alts[i].subset = alt_names[0];
- alt_len = alt_names[1];
-+ if (alt_len >= alt_name_len) {
-+ /*
-+ * Length is longer than setup->alternate_len
-+ * told us to allocate room for, assume entire
-+ * alternate list is corrupted.
-+ */
-+#ifdef DEBUG
-+ fprintf (stderr,
-+ "invalid alt list (length %lx >= %lx)\n",
-+ (long) alt_len, (long) alt_name_len);
-+#endif
-+ xfree(alts);
-+ return FSIO_ERROR;
-+ }
- alts[i].name = alt_save;
- memcpy (alt_save, alt_names + 2, alt_len);
- alt_save[alt_len] = '\0';
- alt_save += alt_len + 1;
-+ alt_name_len -= alt_len + 1;
- alt_names += _fs_pad_length (alt_len + 2);
- }
- conn->numAlts = setup->num_alternates; |