1 files changed, 48 insertions, 0 deletions

diff --git a/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch b/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
new file mode 100644
index 000000000..fc1dea6e3
--- /dev/null
+++ b/debian/patches/1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
@@ -0,0 +1,48 @@
+From bb7abd9da9badc6cb825c636867cbef827141f36 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333@gmail.com>
+Date: Sun, 8 Feb 2015 22:19:01 -0500
+Subject: [PATCH 12/40] CVE-2014-0211: integer overflow in
+ fs_read_extent_info() from xorg/lib/libXfont commit
+ c578408c1fd4db09e4e3173f8a9e65c81cc187c1
+
+fs_read_extent_info() parses a reply from the font server.
+The reply contains a 32bit number of elements field which is used
+to calculate a buffer length. There is an integer overflow in this
+calculation which can lead to memory corruption.
+---
+ nx-X11/lib/font/fc/fserve.c | 12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index 2a6f6c9..639964c 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -73,6 +73,7 @@ in this Software without prior written authorization from The Open Group.
+ #include	"fservestr.h"
+ #include	<X11/fonts/fontutil.h>
+ #include	<errno.h>
++#include	<limits.h>
+ 
+ #include	<time.h>
+ #define Time_t time_t
+@@ -1060,7 +1061,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ 	numInfos *= 2;
+ 	haveInk = TRUE;
+     }
+-    ci = pCI = (CharInfoPtr) xalloc(sizeof(CharInfoRec) * numInfos);
++    if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) {
++#ifdef DEBUG
++	fprintf(stderr,
++		"fsQueryXExtents16: numInfos (%d) >= %ld\n",
++		numInfos, (INT_MAX / sizeof(CharInfoRec)));
++#endif
++	pCI = NULL;
++    }
++    else
++	pCI = malloc(sizeof(CharInfoRec) * numInfos);
+ 
+     if (!pCI) 
+     {
+-- 
+2.1.4
+