Diffstat (limited to 'debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch')
-rw-r--r-- | debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch | 48 |
1 files changed, 0 insertions, 48 deletions
diff --git a/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch b/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
deleted file mode 100644
index fc1dea6e3..000000000
--- a/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
+++ /dev/null
@@ -1,48 +0,0 @@
-From bb7abd9da9badc6cb825c636867cbef827141f36 Mon Sep 17 00:00:00 2001
-From: Mike DePaulo <mikedep333@gmail.com>
-Date: Sun, 8 Feb 2015 22:19:01 -0500
-Subject: [PATCH 12/40] CVE-2014-0211: integer overflow in
- fs_read_extent_info() from xorg/lib/libXfont commit
- c578408c1fd4db09e4e3173f8a9e65c81cc187c1
-
-fs_read_extent_info() parses a reply from the font server.
-The reply contains a 32bit number of elements field which is used
-to calculate a buffer length. There is an integer overflow in this
-calculation which can lead to memory corruption.
----
- nx-X11/lib/font/fc/fserve.c | 12 +++++++++++-
- 1 file changed, 11 insertions(+), 1 deletion(-)
-
-diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
-index 2a6f6c9..639964c 100644
---- a/nx-X11/lib/font/fc/fserve.c
-+++ b/nx-X11/lib/font/fc/fserve.c
-@@ -73,6 +73,7 @@ in this Software without prior written authorization from The Open Group.
- #include "fservestr.h"
- #include <X11/fonts/fontutil.h>
- #include <errno.h>
-+#include <limits.h>
-
- #include <time.h>
- #define Time_t time_t
-@@ -1060,7 +1061,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
- numInfos *= 2;
- haveInk = TRUE;
- }
-- ci = pCI = (CharInfoPtr) xalloc(sizeof(CharInfoRec) * numInfos);
-+ if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) {
-+#ifdef DEBUG
-+ fprintf(stderr,
-+ "fsQueryXExtents16: numInfos (%d) >= %ld\n",
-+ numInfos, (INT_MAX / sizeof(CharInfoRec)));
-+#endif
-+ pCI = NULL;
-+ }
-+ else
-+ pCI = malloc(sizeof(CharInfoRec) * numInfos);
-
- if (!pCI)
- {
---
-2.1.4
-
|