Diffstat (limited to 'debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch')
-rw-r--r-- | debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch | 60 |
1 files changed, 0 insertions, 60 deletions
diff --git a/debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch b/debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch
deleted file mode 100644
index d37836fc2..000000000
--- a/debian/patches/1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch
+++ /dev/null
@@ -1,60 +0,0 @@ -From 2d724c1a0416895dd39bf33678f42cbb4c51b1ae Mon Sep 17 00:00:00 2001 -From: Mike DePaulo <mikedep333@gmail.com> -Date: Sun, 8 Feb 2015 21:43:42 -0500 -Subject: [PATCH 10/40] CVE-2014-0211: Integer overflow in - fs_get_reply/_fs_start_read from xorg/lib/libXfont commit - 0f1a5d372c143f91a602bdf10c917d7eabaee09b - -fs_get_reply() would take any reply size, multiply it by 4 and pass to -_fs_start_read. If that size was bigger than the current reply buffer -size, _fs_start_read would add it to the existing buffer size plus the -buffer size increment constant and realloc the buffer to that result. - -This math could overflow, causing the code to allocate a smaller -buffer than the amount it was about to read into that buffer from -the network. It could also succeed, allowing the remote font server -to cause massive allocations in the X server, possibly using up all -the address space in a 32-bit X server, allowing the triggering of -other bugs in code that fails to handle malloc failure properly. - -This patch protects against both problems, by disconnecting any -font server trying to feed us more than (the somewhat arbitrary) -64 mb in a single reply. ---- - nx-X11/lib/font/fc/fserve.c | 18 ++++++++++++++++++ - 1 file changed, 18 insertions(+) - ---- a/nx-X11/lib/font/fc/fserve.c -+++ b/nx-X11/lib/font/fc/fserve.c -@@ -100,6 +100,9 @@ in this Software without prior written a - */ - #define LENGTHOF(r) (SIZEOF(r) >> 2) - -+/* Somewhat arbitrary limit on maximum reply size we'll try to read. 
*/ -+#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2) -+ - extern void ErrorF(const char *f, ...); - - static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec ); -@@ -630,6 +633,21 @@ fs_get_reply (FSFpePtr conn, int *error) - - rep = (fsGenericReply *) buf; - -+ /* -+ * Refuse to accept replies longer than a maximum reasonable length, -+ * before we pass to _fs_start_read, since it will try to resize the -+ * incoming connection buffer to this size. Also avoids integer overflow -+ * on 32-bit systems. -+ */ -+ if (rep->length > MAX_REPLY_LENGTH) -+ { -+ ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting" -+ " from font server\n", rep->length); -+ _fs_connection_died (conn); -+ *error = FSIO_ERROR; -+ return 0; -+ } -+ - ret = _fs_start_read (conn, rep->length << 2, &buf); - if (ret != FSIO_READY) - { |
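Review bot: Deleting this file drops the CVE-2014-0211 mitigation (the `MAX_REPLY_LENGTH` bound checked on `rep->length` in `fs_get_reply()` before `_fs_start_read(conn, rep->length << 2, &buf)`) from the Debian patch queue, and nothing in this commit shows that check reaching nx-X11/lib/font/fc/fserve.c by another route. If the guard was already applied directly to the source tree the removal is fine; if not, a remote font server can again supply a reply length that overflows the buffer-size arithmetic or forces an oversized allocation, exactly as the deleted patch description explains. Please confirm in the commit message that fserve.c still contains the bound (or cite the commit that applied it) and that debian/patches/series no longer references `1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch`, since a stale series entry would break the build. If the hunk is ever re-applied, note that the ErrorF call prints `rep->length` with `%d`; if that field is unsigned, `%u` is the matching specifier.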