diff options
Diffstat (limited to 'nx-X11/lib')
| -rw-r--r-- | nx-X11/lib/font/fc/fserve.c | 18 | 
1 files changed, 18 insertions, 0 deletions
| diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c index ca10aa4ad..7762653d4 100644 --- a/nx-X11/lib/font/fc/fserve.c +++ b/nx-X11/lib/font/fc/fserve.c @@ -100,6 +100,9 @@ in this Software without prior written authorization from The Open Group.   */  #define LENGTHOF(r)	(SIZEOF(r) >> 2) +/* Somewhat arbitrary limit on maximum reply size we'll try to read. */ +#define MAX_REPLY_LENGTH	((64 * 1024 * 1024) >> 2) +  extern void ErrorF(const char *f, ...);  static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec ); @@ -630,6 +633,21 @@ fs_get_reply (FSFpePtr conn, int *error)      rep = (fsGenericReply *) buf; +    /* +     * Refuse to accept replies longer than a maximum reasonable length, +     * before we pass to _fs_start_read, since it will try to resize the +     * incoming connection buffer to this size.  Also avoids integer overflow +     * on 32-bit systems. +     */ +    if (rep->length > MAX_REPLY_LENGTH) +    { +	ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting" +	       " from font server\n", rep->length); +	_fs_connection_died (conn); +	*error = FSIO_ERROR; +	return 0; +    } +      ret = _fs_start_read (conn, rep->length << 2, &buf);      if (ret != FSIO_READY)      { | 
