Diffstat (limited to 'debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch')
-rw-r--r--debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch112
1 files changed, 112 insertions, 0 deletions
diff --git a/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch b/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
new file mode 100644
index 000000000..d92c4eece
--- /dev/null
+++ b/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
@@ -0,0 +1,112 @@
+From b65259bf3bcca15b5069cb7a6c06f95a40f79813 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333@gmail.com>
+Date: Sun, 8 Feb 2015 22:38:32 -0500
+Subject: [PATCH 17/40] CVE-2014-0210: unvalidated length fields in
+ fs_read_list_info() from xorg/lib/libXfont commit
+ d338f81df1e188eb16e1d6aeea7f4800f89c1218
+
+fs_read_list_info() parses a reply from the font server. The reply
+contains a number of additional data items with embedded length or
+count fields, none of which are validated. This can cause out of
+bound reads when looping over these items in the reply.
+---
+ nx-X11/lib/font/fc/fserve.c | 56 ++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 55 insertions(+), 1 deletion(-)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index 60d9017..6ba3ad4 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -2500,6 +2500,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ FSBlockedListInfoPtr binfo = (FSBlockedListInfoPtr) blockrec->data;
+ fsListFontsWithXInfoReply *rep;
+ char *buf;
++ long bufleft;
+ FSFpePtr conn = (FSFpePtr) fpe->private;
+ fsPropInfo *pi;
+ fsPropOffset *po;
+@@ -2536,7 +2537,8 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ }
+
+ buf = (char *) rep + SIZEOF (fsListFontsWithXInfoReply);
+-
++ bufleft = (rep->length << 2) - SIZEOF (fsListFontsWithXInfoReply);
++
+ /*
+ * The original FS implementation didn't match
+ * the spec, version 1 was respecified to match the FS.
+@@ -2544,19 +2546,71 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ */
+ if (conn->fsMajorVersion <= 1)
+ {
++ if (rep->nameLength > bufleft) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n",
++ (int) rep->nameLength, bufleft);
++#endif
++ err = AllocError;
++ goto done;
++ }
++ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */
+ memcpy (binfo->name, buf, rep->nameLength);
+ buf += _fs_pad_length (rep->nameLength);
++ bufleft -= _fs_pad_length (rep->nameLength);
+ }
+ pi = (fsPropInfo *) buf;
++ if (SIZEOF (fsPropInfo) > bufleft) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFontsWithXInfo: PropInfo length (%d) > bufleft (%ld)\n",
++ (int) SIZEOF (fsPropInfo), bufleft);
++#endif
++ err = AllocError;
++ goto done;
++ }
++ bufleft -= SIZEOF (fsPropInfo);
+ buf += SIZEOF (fsPropInfo);
+ po = (fsPropOffset *) buf;
++ if (pi->num_offsets > (bufleft / SIZEOF (fsPropOffset))) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFontsWithXInfo: offset length (%d * %d) > bufleft (%ld)\n",
++ pi->num_offsets, (int) SIZEOF (fsPropOffset), bufleft);
++#endif
++ err = AllocError;
++ goto done;
++ }
++ bufleft -= pi->num_offsets * SIZEOF (fsPropOffset);
+ buf += pi->num_offsets * SIZEOF (fsPropOffset);
+ pd = (pointer) buf;
++ if (pi->data_len > bufleft) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFontsWithXInfo: data length (%d) > bufleft (%ld)\n",
++ pi->data_len, bufleft);
++#endif
++ err = AllocError;
++ goto done;
++ }
++ bufleft -= pi->data_len;
+ buf += pi->data_len;
+ if (conn->fsMajorVersion > 1)
+ {
++ if (rep->nameLength > bufleft) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n",
++ (int) rep->nameLength, bufleft);
++#endif
++ err = AllocError;
++ goto done;
++ }
++ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */
+ memcpy (binfo->name, buf, rep->nameLength);
+ buf += _fs_pad_length (rep->nameLength);
++ bufleft -= _fs_pad_length (rep->nameLength);
+ }
+
+ #ifdef DEBUG
+--
+2.1.4
+
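Review bot: Both `if (rep->nameLength > bufleft)` guards compare the unpadded name length, but the `bufleft -= _fs_pad_length (rep->nameLength);` that follows each subtracts the padded one, so `bufleft` can end up 1–3 below zero when the name ends inside the last word of the reply. In the `fsMajorVersion <= 1` branch this is only caught incidentally by the next check, `SIZEOF (fsPropInfo) > bufleft`, which presumably is a signed comparison against an int constant; in the `fsMajorVersion > 1` branch the negative value survives into the remainder of fs_read_list_info, which begins and ends outside this hunk, and on targets where `long` is not wider than CARD32 any later comparison of `bufleft` against an unsigned length field would then pass. Checking the padded length in both guards, `if (_fs_pad_length (rep->nameLength) > bufleft) {`, keeps `bufleft` non-negative throughout. The initial `bufleft = (rep->length << 2) - SIZEOF (fsListFontsWithXInfoReply);` also depends on `rep->length` having been validated against the reply header size earlier in the function, which is not visible here and is worth confirming.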