diff options
Diffstat (limited to 'debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch')
| -rw-r--r-- | debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch | 109 |
1 files changed, 109 insertions, 0 deletions
diff --git a/debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch b/debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch new file mode 100644 index 000000000..9e5d00e98 --- /dev/null +++ b/debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch @@ -0,0 +1,109 @@ +From 6acafc9334828da22446380c81af81bde14b5d86 Mon Sep 17 00:00:00 2001 +From: Joerg Sonnenberger <joerg@britannica.bec.de> +Date: Sun, 21 Aug 2011 18:51:53 +0200 +Subject: [PATCH 08/15] Do proper input validation to fix for CVE-2011-2895. + +It ensures that all valid input can be decompressed, checks that the +overflow conditions doesn't happen and generally tightens the +validation of the LZW stream and doesn't pessimize the inner loop for +no good reason. It's derived from a change in libarchive from 2004. + +v2: backports to nx-libs 3.6.x (Mihai Moldovan) +Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> +Reviewed-by: Tomas Hoger <thoger@redhat.com> +--- + nx-X11/lib/font/fontfile/decompress.c | 31 +++++++++++++++++-------------- + 1 file changed, 17 insertions(+), 14 deletions(-) + +diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c +index 553b315..12b9f0a 100644 +--- a/nx-X11/lib/font/fontfile/decompress.c ++++ b/nx-X11/lib/font/fontfile/decompress.c +@@ -99,7 +99,7 @@ static char_type magic_header[] = { "\037\235" }; /* 1F 9D */ + #define FIRST 257 /* first free entry */ + #define CLEAR 256 /* table clear output code */ + +-#define STACK_SIZE 8192 ++#define STACK_SIZE 65300 + + typedef struct _compressedFILE { + BufFilePtr file; +@@ -180,14 +180,12 @@ BufFilePushCompressed (BufFilePtr f) + file->tab_suffix[code] = (char_type) code; + } + file->free_ent = ((file->block_compress) ? FIRST : 256 ); ++ file->oldcode = -1; + file->clear_flg = 0; + file->offset = 0; + file->size = 0; + file->stackp = file->de_stack; + bzero(file->buf, BITS); +- file->finchar = file->oldcode = getcode (file); +- if (file->oldcode != -1) +- *file->stackp++ = file->finchar; + return BufFileCreate ((char *) file, + BufCompressedFill, + 0, +@@ -232,9 +230,6 @@ BufCompressedFill (BufFilePtr f) + if (buf == bufend) + break; + +- if (oldcode == -1) +- break; +- + code = getcode (file); + if (code == -1) + break; +@@ -243,26 +238,34 @@ BufCompressedFill (BufFilePtr f) + for ( code = 255; code >= 0; code-- ) + file->tab_prefix[code] = 0; + file->clear_flg = 1; +- file->free_ent = FIRST - 1; +- if ( (code = getcode (file)) == -1 ) /* O, untimely death! */ +- break; ++ file->free_ent = FIRST; ++ oldcode = -1; ++ continue; + } + incode = code; + /* + * Special case for KwKwK string. + */ + if ( code >= file->free_ent ) { ++ if ( code > file->free_ent || oldcode == -1 ) { ++ /* Bad stream. */ ++ return BUFFILEEOF; ++ } + *stackp++ = finchar; + code = oldcode; + } +- +++ /* +++ * The above condition ensures that code < free_ent. +++ * The construction of tab_prefixof in turn guarantees that +++ * each iteration decreases code and therefore stack usage is +++ * bound by 1 << BITS - 256. +++ */ ++ + /* + * Generate output characters in reverse order + */ + while ( code >= 256 ) + { +- if (stackp - de_stack >= STACK_SIZE - 1) +- return BUFFILEEOF; + *stackp++ = file->tab_suffix[code]; + code = file->tab_prefix[code]; + } +@@ -272,7 +275,7 @@ BufCompressedFill (BufFilePtr f) + /* + * Generate the new entry. + */ +- if ( (code=file->free_ent) < file->maxmaxcode ) { ++ if ( (code=file->free_ent) < file->maxmaxcode && oldcode != -1) { + file->tab_prefix[code] = (unsigned short)oldcode; + file->tab_suffix[code] = finchar; + file->free_ent = code+1; +-- +2.1.4 + |