aboutsummaryrefslogtreecommitdiff
path: root/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch')
-rw-r--r--debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch70
1 files changed, 0 insertions, 70 deletions
diff --git a/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch b/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch
deleted file mode 100644
index c0fa2cdae..000000000
--- a/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch
+++ /dev/null
@@ -1,70 +0,0 @@
-From 31322c2bd9be76493a5a04a23ea68e063fe3b7e6 Mon Sep 17 00:00:00 2001
-From: Mike DePaulo <mikedep333@gmail.com>
-Date: Sun, 8 Feb 2015 21:03:33 -0500
-Subject: [PATCH 07/40] CVE-2014-0210: unvalidated length in
- _fs_recv_conn_setup() from xorg/lib/libXfont commit
- 891e084b26837162b12f841060086a105edde86d
-
-The connection setup reply from the font server can include a list
-of alternate servers to contact if this font server stops working.
-
-The reply specifies a total size of all the font server names, and
-then provides a list of names. _fs_recv_conn_setup() allocated the
-specified total size for copying the names to, but didn't check to
-make sure it wasn't copying more data to that buffer than the size
-it had allocated.
-
-v2: use xfree() instead of free() for nx-libs 3.6.x (Mihai Moldovan)
----
- nx-X11/lib/font/fc/fserve.c | 21 ++++++++++++++++++---
- 1 file changed, 18 insertions(+), 3 deletions(-)
-
---- a/nx-X11/lib/font/fc/fserve.c
-+++ b/nx-X11/lib/font/fc/fserve.c
-@@ -2782,7 +2782,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
- int ret;
- fsConnSetup *setup;
- FSFpeAltPtr alts;
-- int i, alt_len;
-+ unsigned int i, alt_len;
- int setup_len;
- char *alt_save, *alt_names;
-
-@@ -2809,9 +2809,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
- }
- if (setup->num_alternates)
- {
-+ size_t alt_name_len = setup->alternate_len << 2;
- alts = (FSFpeAltPtr) xalloc (setup->num_alternates *
-- sizeof (FSFpeAltRec) +
-- (setup->alternate_len << 2));
-+ sizeof (FSFpeAltRec) + alt_name_len);
- if (alts)
- {
- alt_names = (char *) (setup + 1);
-@@ -2820,10 +2820,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
- {
- alts[i].subset = alt_names[0];
- alt_len = alt_names[1];
-+ if (alt_len >= alt_name_len) {
-+ /*
-+ * Length is longer than setup->alternate_len
-+ * told us to allocate room for, assume entire
-+ * alternate list is corrupted.
-+ */
-+#ifdef DEBUG
-+ fprintf (stderr,
-+ "invalid alt list (length %lx >= %lx)\n",
-+ (long) alt_len, (long) alt_name_len);
-+#endif
-+ xfree(alts);
-+ return FSIO_ERROR;
-+ }
- alts[i].name = alt_save;
- memcpy (alt_save, alt_names + 2, alt_len);
- alt_save[alt_len] = '\0';
- alt_save += alt_len + 1;
-+ alt_name_len -= alt_len + 1;
- alt_names += _fs_pad_length (alt_len + 2);
- }
- conn->numAlts = setup->num_alternates;