Diffstat (limited to 'debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch')
-rw-r--r--debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch34
1 files changed, 34 insertions, 0 deletions
diff --git a/debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch b/debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch
new file mode 100644
index 000000000..63ba2b9ff
--- /dev/null
+++ b/debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch
@@ -0,0 +1,34 @@
+From a0bed4d9fce8ffc96f13ca13b95d2a7913d20719 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333@gmail.com>
+Date: Sun, 8 Feb 2015 22:23:51 -0500
+Subject: [PATCH 13/40] CVE-2014-0211: integer overflow in fs_alloc_glyphs()
+ from xorg/lib/libXfont commit a42f707f8a62973f5e8bbcd08afb10a79e9cee33
+
+fs_alloc_glyphs() is a malloc wrapper used by the font code.
+It contains a classic integer overflow in the malloc() call,
+which can cause memory corruption.
+---
+ nx-X11/lib/font/fc/fsconvert.c | 7 ++++++-
+ 1 file changed, 6 insertions(+), 1 deletion(-)
+
+diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
+index d41e0b8..afa2c32 100644
+--- a/nx-X11/lib/font/fc/fsconvert.c
++++ b/nx-X11/lib/font/fc/fsconvert.c
+@@ -762,7 +762,12 @@ fs_alloc_glyphs (FontPtr pFont, int size)
+ FSGlyphPtr glyphs;
+ FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate;
+
+- glyphs = xalloc (sizeof (FSGlyphRec) + size);
++ if (size < (INT_MAX - sizeof (FSGlyphRec)))
++ glyphs = xalloc (sizeof (FSGlyphRec) + size);
++ else
++ glyphs = NULL;
++ if (glyphs == NULL)
++ return NULL;
+ glyphs->next = fsfont->glyphs;
+ fsfont->glyphs = glyphs;
+ return (pointer) (glyphs + 1);
+--
+2.1.4
+
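Review bot: In the added guard `if (size < (INT_MAX - sizeof (FSGlyphRec)))`, a negative `size` is rejected only because the `int` is implicitly converted to `size_t` for the comparison, which is easy to break in a later edit and will trip sign-compare warnings. Stating the range explicitly, e.g. `if (size < 0 || (size_t) size >= INT_MAX - sizeof (FSGlyphRec)) return NULL;` ahead of the `xalloc` call, keeps the same behaviour and documents the intent. The embedded patch touches no include lines, so it is worth confirming that fsconvert.c already pulls in `<limits.h>` for `INT_MAX`. Callers of fs_alloc_glyphs() are outside this hunk and presumably did not expect a NULL return before, so they should be checked as well. The function's signature and closing brace are also outside the hunk.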