diff options
Diffstat (limited to 'debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch')
-rw-r--r-- | debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch | 43 |
1 files changed, 0 insertions, 43 deletions
diff --git a/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch b/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch deleted file mode 100644 index be0dded23..000000000 --- a/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch +++ /dev/null @@ -1,43 +0,0 @@ -From bb7abd9da9badc6cb825c636867cbef827141f36 Mon Sep 17 00:00:00 2001 -From: Mike DePaulo <mikedep333@gmail.com> -Date: Sun, 8 Feb 2015 22:19:01 -0500 -Subject: [PATCH 12/40] CVE-2014-0211: integer overflow in - fs_read_extent_info() from xorg/lib/libXfont commit - c578408c1fd4db09e4e3173f8a9e65c81cc187c1 - -fs_read_extent_info() parses a reply from the font server. -The reply contains a 32bit number of elements field which is used -to calculate a buffer length. There is an integer overflow in this -calculation which can lead to memory corruption. ---- - nx-X11/lib/font/fc/fserve.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - ---- a/nx-X11/lib/font/fc/fserve.c -+++ b/nx-X11/lib/font/fc/fserve.c -@@ -73,6 +73,7 @@ in this Software without prior written a - #include "fservestr.h" - #include <X11/fonts/fontutil.h> - #include <errno.h> -+#include <limits.h> - - #include <time.h> - #define Time_t time_t -@@ -1061,7 +1062,16 @@ fs_read_extent_info(FontPathElementPtr f - numInfos *= 2; - haveInk = TRUE; - } -- ci = pCI = (CharInfoPtr) xalloc(sizeof(CharInfoRec) * numInfos); -+ if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXExtents16: numInfos (%d) >= %ld\n", -+ numInfos, (INT_MAX / sizeof(CharInfoRec))); -+#endif -+ pCI = NULL; -+ } -+ else -+ pCI = malloc(sizeof(CharInfoRec) * numInfos); - - if (!pCI) - { |