1 files changed, 38 insertions, 0 deletions

diff --git a/debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch b/debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch
new file mode 100644
index 000000000..9d65f8a45
--- /dev/null
+++ b/debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch
@@ -0,0 +1,38 @@
+From d2b96c5d59766f96181de95da1906fd6e32785ba Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333@gmail.com>
+Date: Sun, 8 Feb 2015 22:26:16 -0500
+Subject: [PATCH 14/40] CVE-2014-0210: unvalidated length fields in
+ fs_read_extent_info() from xorg/lib/libXfont commit
+ a3f21421537620fc4e1f844a594a4bcd9f7e2bd8
+
+Looping over the extents in the reply could go past the end of the
+reply buffer if the reply indicated more extents than could fit in
+the specified reply length.
+---
+ nx-X11/lib/font/fc/fserve.c | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index 639964c..79de4f3 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -1069,6 +1069,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ #endif
+ 	pCI = NULL;
+     }
++    else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply))
++			    / LENGTHOF(fsXCharInfo))) {
++#ifdef DEBUG
++	fprintf(stderr,
++		"fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n",
++		numExtents, rep->length,
++		LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo));
++#endif
++	pCI = NULL;
++    }
+     else
+ 	pCI = malloc(sizeof(CharInfoRec) * numInfos);
+ 
+-- 
+2.1.4
+