Diffstat (limited to 'debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch')
-rw-r--r--debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch73
1 files changed, 73 insertions, 0 deletions
diff --git a/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch b/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
new file mode 100644
index 000000000..b71627214
--- /dev/null
+++ b/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
@@ -0,0 +1,73 @@
+From 94c6de0649cd295044b1e4ff7265949c9c787519 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333@gmail.com>
+Date: Sun, 8 Feb 2015 21:03:33 -0500
+Subject: [PATCH 07/40] CVE-2014-0210: unvalidated length in
+ _fs_recv_conn_setup() from xorg/lib/libXfont commit
+ 891e084b26837162b12f841060086a105edde86d
+
+The connection setup reply from the font server can include a list
+of alternate servers to contact if this font server stops working.
+
+The reply specifies a total size of all the font server names, and
+then provides a list of names. _fs_recv_conn_setup() allocated the
+specified total size for copying the names to, but didn't check to
+make sure it wasn't copying more data to that buffer than the size
+it had allocated.
+---
+ nx-X11/lib/font/fc/fserve.c | 21 ++++++++++++++++++---
+ 1 file changed, 18 insertions(+), 3 deletions(-)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index bac0b8e..0fdcc1d 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -2782,7 +2782,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
+ int ret;
+ fsConnSetup *setup;
+ FSFpeAltPtr alts;
+- int i, alt_len;
++ unsigned int i, alt_len;
+ int setup_len;
+ char *alt_save, *alt_names;
+
+@@ -2809,9 +2809,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
+ }
+ if (setup->num_alternates)
+ {
++ size_t alt_name_len = setup->alternate_len << 2;
+ alts = (FSFpeAltPtr) xalloc (setup->num_alternates *
+- sizeof (FSFpeAltRec) +
+- (setup->alternate_len << 2));
++ sizeof (FSFpeAltRec) + alt_name_len);
+ if (alts)
+ {
+ alt_names = (char *) (setup + 1);
+@@ -2820,10 +2820,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
+ {
+ alts[i].subset = alt_names[0];
+ alt_len = alt_names[1];
++ if (alt_len >= alt_name_len) {
++ /*
++ * Length is longer than setup->alternate_len
++ * told us to allocate room for, assume entire
++ * alternate list is corrupted.
++ */
++#ifdef DEBUG
++ fprintf (stderr,
++ "invalid alt list (length %lx >= %lx)\n",
++ (long) alt_len, (long) alt_name_len);
++#endif
++ free(alts);
++ return FSIO_ERROR;
++ }
+ alts[i].name = alt_save;
+ memcpy (alt_save, alt_names + 2, alt_len);
+ alt_save[alt_len] = '\0';
+ alt_save += alt_len + 1;
++ alt_name_len -= alt_len + 1;
+ alt_names += _fs_pad_length (alt_len + 2);
+ }
+ conn->numAlts = setup->num_alternates;
+--
+2.1.4
+
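Review bot: `alt_len = alt_names[1];` reads the length byte through `char *alt_names` (declared in the first hunk), so on a signed-char target any alternate name length of 0x80 or more is sign-extended, becomes a value near UINT_MAX in the now-unsigned `alt_len`, and is rejected by the new `alt_len >= alt_name_len` check instead of being copied; reading it as `alt_len = (unsigned char) alt_names[1];` keeps the bound check while accepting the full 0..255 range the byte can carry. The error path releases the buffer with `free(alts)` although it was obtained from `xalloc`; if this tree pairs `xalloc` with `xfree`, the matching release keeps allocator families consistent. The new check only bounds the writes into `alts`: the reads of `alt_names[0]`, `alt_names[1]` and the memcpy source still assume the reply buffer really holds `setup->alternate_len << 2` bytes after the header, which nothing in these hunks establishes, so it is worth confirming against the earlier size check in the function. _fs_recv_conn_setup() starts and ends outside the hunks shown.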