Diffstat (limited to 'debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch')
-rw-r--r--debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch14
1 files changed, 8 insertions, 6 deletions
diff --git a/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch b/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
index b71627214..2b2fa76c8 100644
--- a/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
+++ b/debian/patches/1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch
@@ -1,4 +1,4 @@
-From 94c6de0649cd295044b1e4ff7265949c9c787519 Mon Sep 17 00:00:00 2001
+From 31322c2bd9be76493a5a04a23ea68e063fe3b7e6 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 21:03:33 -0500
Subject: [PATCH 07/40] CVE-2014-0210: unvalidated length in
@@ -13,15 +13,17 @@ then provides a list of names. _fs_recv_conn_setup() allocated the
specified total size for copying the names to, but didn't check to
make sure it wasn't copying more data to that buffer than the size
it had allocated.
+
+v2: use xfree() instead of free() for nx-libs 3.6.x (Mihai Moldovan)
---
nx-X11/lib/font/fc/fserve.c | 21 ++++++++++++++++++---
1 file changed, 18 insertions(+), 3 deletions(-)
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
-index bac0b8e..0fdcc1d 100644
+index 0d792c7..86b5753 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
-@@ -2782,7 +2782,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
+@@ -2985,7 +2985,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
int ret;
fsConnSetup *setup;
FSFpeAltPtr alts;
@@ -30,7 +32,7 @@ index bac0b8e..0fdcc1d 100644
int setup_len;
char *alt_save, *alt_names;
-@@ -2809,9 +2809,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
+@@ -3012,9 +3012,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
}
if (setup->num_alternates)
{
@@ -42,7 +44,7 @@ index bac0b8e..0fdcc1d 100644
if (alts)
{
alt_names = (char *) (setup + 1);
-@@ -2820,10 +2820,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
+@@ -3023,10 +3023,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
{
alts[i].subset = alt_names[0];
alt_len = alt_names[1];
@@ -57,7 +59,7 @@ index bac0b8e..0fdcc1d 100644
+ "invalid alt list (length %lx >= %lx)\n",
+ (long) alt_len, (long) alt_name_len);
+#endif
-+ free(alts);
++ xfree(alts);
+ return FSIO_ERROR;
+ }
alts[i].name = alt_save;
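Review bot: The `xfree(alts)` on the rejection path is only correct if `alts` came from the matching `xalloc` family, and the allocation line sits in the `@@ -42,7 +44,7 @@` hunk whose changed lines are not shown in this refresh, so the pairing cannot be confirmed here. This branch runs only when the font server sends an alternate name longer than the space reserved for it, so an allocator mismatch would surface exactly on malformed or hostile input; if the allocation still reads `malloc (...)`, it should be switched in the same v2 refresh. Separately, the DEBUG message prints with `%lx` while casting to `(long)`; `(unsigned long) alt_len, (unsigned long) alt_name_len` would match the specifier. `_fs_recv_conn_setup` starts and ends outside this hunk, so whether anything else needs releasing before `return FSIO_ERROR;` cannot be judged from here.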