diff options
Diffstat (limited to 'debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch')
| -rw-r--r-- | debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch | 75 |
1 files changed, 75 insertions, 0 deletions
diff --git a/debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch b/debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch new file mode 100644 index 000000000..93e7d32da --- /dev/null +++ b/debian/patches/1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch @@ -0,0 +1,75 @@ +From ece51493f1d970f45e53588e33a700464a42fbab Mon Sep 17 00:00:00 2001 +From: Mike DePaulo <mikedep333@gmail.com> +Date: Sun, 8 Feb 2015 22:27:47 -0500 +Subject: [PATCH 15/40] CVE-2014-0210: unvalidated length fields in + fs_read_glyphs() from xorg/lib/libXfont commit + 520683652564c2a4e42328ae23eef9bb63271565 + +fs_read_glyphs() parses a reply from the font server. The reply +contains embedded length fields, none of which are validated. +This can cause out of bound reads when looping over the glyph +bitmaps in the reply. +--- + nx-X11/lib/font/fc/fserve.c | 29 ++++++++++++++++++++++++++++- + 1 file changed, 28 insertions(+), 1 deletion(-) + +diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c +index 79de4f3..26218e5 100644 +--- a/nx-X11/lib/font/fc/fserve.c ++++ b/nx-X11/lib/font/fc/fserve.c +@@ -1916,6 +1916,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + FontInfoPtr pfi = &pfont->info; + fsQueryXBitmaps16Reply *rep; + char *buf; ++ long bufleft; /* length of reply left to use */ + fsOffset32 *ppbits; + fsOffset32 local_off; + char *off_adr; +@@ -1947,9 +1948,33 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + buf = (char *) rep; + buf += SIZEOF (fsQueryXBitmaps16Reply); + ++ bufleft = rep->length << 2; ++ bufleft -= SIZEOF (fsQueryXBitmaps16Reply); ++ ++ if ((bufleft / SIZEOF (fsOffset32)) < rep->num_chars) ++ { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXBitmaps16: num_chars (%d) > bufleft (%ld) / %d\n", ++ rep->num_chars, bufleft, SIZEOF (fsOffset32)); ++#endif ++ err = AllocError; ++ goto bail; ++ } + ppbits = (fsOffset32 *) buf; + buf += SIZEOF (fsOffset32) * (rep->num_chars); ++ bufleft -= SIZEOF (fsOffset32) * (rep->num_chars); + ++ if (bufleft < rep->nbytes) ++ { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXBitmaps16: nbytes (%d) > bufleft (%ld)\n", ++ rep->nbytes, bufleft); ++#endif ++ err = AllocError; ++ goto bail; ++ } + pbitmaps = (pointer ) buf; + + if (blockrec->type == FS_LOAD_GLYPHS) +@@ -2007,7 +2032,9 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + */ + if (NONZEROMETRICS(&fsdata->encoding[minchar].metrics)) + { +- if (local_off.length) ++ if (local_off.length && ++ (local_off.position < rep->nbytes) && ++ (local_off.length <= (rep->nbytes - local_off.position))) + { + bits = allbits; + allbits += local_off.length; +-- +2.1.4 + |