aboutsummaryrefslogtreecommitdiff
path: root/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
diff options
context:
space:
mode:
Diffstat (limited to 'debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch')
-rw-r--r--debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch112
1 files changed, 112 insertions, 0 deletions
diff --git a/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch b/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
new file mode 100644
index 000000000..d92c4eece
--- /dev/null
+++ b/debian/patches/1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch
@@ -0,0 +1,112 @@
+From b65259bf3bcca15b5069cb7a6c06f95a40f79813 Mon Sep 17 00:00:00 2001
+From: Mike DePaulo <mikedep333@gmail.com>
+Date: Sun, 8 Feb 2015 22:38:32 -0500
+Subject: [PATCH 17/40] CVE-2014-0210: unvalidated length fields in
+ fs_read_list_info() from xorg/lib/libXfont commit
+ d338f81df1e188eb16e1d6aeea7f4800f89c1218
+
+fs_read_list_info() parses a reply from the font server. The reply
+contains a number of additional data items with embedded length or
+count fields, none of which are validated. This can cause out of
+bound reads when looping over these items in the reply.
+---
+ nx-X11/lib/font/fc/fserve.c | 56 ++++++++++++++++++++++++++++++++++++++++++++-
+ 1 file changed, 55 insertions(+), 1 deletion(-)
+
+diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
+index 60d9017..6ba3ad4 100644
+--- a/nx-X11/lib/font/fc/fserve.c
++++ b/nx-X11/lib/font/fc/fserve.c
+@@ -2500,6 +2500,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ FSBlockedListInfoPtr binfo = (FSBlockedListInfoPtr) blockrec->data;
+ fsListFontsWithXInfoReply *rep;
+ char *buf;
++ long bufleft;
+ FSFpePtr conn = (FSFpePtr) fpe->private;
+ fsPropInfo *pi;
+ fsPropOffset *po;
+@@ -2536,7 +2537,8 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ }
+
+ buf = (char *) rep + SIZEOF (fsListFontsWithXInfoReply);
+-
++ bufleft = (rep->length << 2) - SIZEOF (fsListFontsWithXInfoReply);
++
+ /*
+ * The original FS implementation didn't match
+ * the spec, version 1 was respecified to match the FS.
+@@ -2544,19 +2546,71 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ */
+ if (conn->fsMajorVersion <= 1)
+ {
++ if (rep->nameLength > bufleft) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n",
++ (int) rep->nameLength, bufleft);
++#endif
++ err = AllocError;
++ goto done;
++ }
++ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */
+ memcpy (binfo->name, buf, rep->nameLength);
+ buf += _fs_pad_length (rep->nameLength);
++ bufleft -= _fs_pad_length (rep->nameLength);
+ }
+ pi = (fsPropInfo *) buf;
++ if (SIZEOF (fsPropInfo) > bufleft) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFontsWithXInfo: PropInfo length (%d) > bufleft (%ld)\n",
++ (int) SIZEOF (fsPropInfo), bufleft);
++#endif
++ err = AllocError;
++ goto done;
++ }
++ bufleft -= SIZEOF (fsPropInfo);
+ buf += SIZEOF (fsPropInfo);
+ po = (fsPropOffset *) buf;
++ if (pi->num_offsets > (bufleft / SIZEOF (fsPropOffset))) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFontsWithXInfo: offset length (%d * %d) > bufleft (%ld)\n",
++ pi->num_offsets, (int) SIZEOF (fsPropOffset), bufleft);
++#endif
++ err = AllocError;
++ goto done;
++ }
++ bufleft -= pi->num_offsets * SIZEOF (fsPropOffset);
+ buf += pi->num_offsets * SIZEOF (fsPropOffset);
+ pd = (pointer) buf;
++ if (pi->data_len > bufleft) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFontsWithXInfo: data length (%d) > bufleft (%ld)\n",
++ pi->data_len, bufleft);
++#endif
++ err = AllocError;
++ goto done;
++ }
++ bufleft -= pi->data_len;
+ buf += pi->data_len;
+ if (conn->fsMajorVersion > 1)
+ {
++ if (rep->nameLength > bufleft) {
++#ifdef DEBUG
++ fprintf(stderr,
++ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n",
++ (int) rep->nameLength, bufleft);
++#endif
++ err = AllocError;
++ goto done;
++ }
++ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */
+ memcpy (binfo->name, buf, rep->nameLength);
+ buf += _fs_pad_length (rep->nameLength);
++ bufleft -= _fs_pad_length (rep->nameLength);
+ }
+
+ #ifdef DEBUG
+--
+2.1.4
+