| Commit message (Collapse) | Author | Age | Files | Lines |
|
|
|
| |
Github summary page).
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Ensure that the given strings length in an XkbSetGeometry request remain
within the limits of the size of the request.
v3: backport to nx-libs 3.6.x because this is
the CVE-2015-0255 fix (Mike DePaulo)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 20079c36cf7d377938ca5478447d8b9045cb7d43)
(cherry picked from commit f160e722672dbb2b5215870b47bcc51461d96ff1)
Signed-off-by: Julien Cristau <jcristau@debian.org>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
The XkbSetGeometry request embeds data which needs to be swapped when the
server and the client have different endianess.
_XkbSetGeometry() invokes functions that swap these data directly in the
input buffer.
However, ProcXkbSetGeometry() may call _XkbSetGeometry() more than once
(if there is more than one keyboard), thus causing on swapped clients the
same data to be swapped twice in memory, further causing a server crash
because the strings lengths on the second time are way off bounds.
To allow _XkbSetGeometry() to run reliably more than once with swapped
clients, do not swap the data in the buffer, use variables instead.
v3: backport to nx-libs 3.6.x as a prereq for
the CVE-2015-0255 fix (Mike DePaulo)
Signed-off-by: Olivier Fourdan <ofourdan@redhat.com>
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
(cherry picked from commit 81c90dc8f0aae3b65730409b1b615b5fa7280ebd)
(cherry picked from commit 29be310c303914090298ddda93a5bd5d00a94945)
Signed-off-by: Julien Cristau <jcristau@debian.org>
index 2405090..7db0959 100644
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This patch adds the following three functions:
bits_to_bytes(bits) - the number of bytes needed to hold 'bits'
bytes_to_int32(bytes) - the number of 4-byte units to hold 'bytes'
pad_to_int32(bytes) - the closest multiple of 4 equal to or larger than
'bytes'.
All three operations are common in protocol processing and currently the
server has ((foo + 7)/8 + 3)/4 operations all over the place. A common set
of functions reduce the error rate of these (albeit simple) calculations and
improve readability of the code.
The functions do not check for overflow.
v2: backport to nx-libs 3.6.x as a prereq for
the CVE-2015-0255 fix (Mike DePaulo)
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
|
| |
v2: backport to nx-libs 3.6.x as a prereq for
the CVE-2015-0255 fix (Mike DePaulo)
|
|\
| |
| | |
Make nxagent aware of its NX'ish version string (and number).
|
| |
| |
| |
| |
| |
| |
| |
| |
| |
| |
| | |
This feature copies the way how X.Org version string and number
are propagated at build time.
First use case: if people start nxagent, it reports its version number
on stderr. This is about being human-friendly.
Second use case: None, so far. But it will now be easy to use
the NXAGENT_VERSION_STRING in later feature add-ons.
|
|/ |
|
|
|
|
|
|
|
|
|
|
|
|
| |
It ensures that all valid input can be decompressed, checks that the
overflow conditions doesn't happen and generally tightens the
validation of the LZW stream and doesn't pessimize the inner loop for
no good reason. It's derived from a change in libarchive from 2004.
v2: backports to nx-libs 3.6.x (Mihai Moldovan)
v3: fix comment lines starting with "+" + whitespace fixes (Mike Gabriel)
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Reviewed-by: Tomas Hoger <thoger@redhat.com>
|
|
|
|
| |
This reverts commit 6acafc9334828da22446380c81af81bde14b5d86.
|
| |
|
| |
|
|
|
|
| |
uninstallation has to be in uninstall-lite, not in uninstall-full.
|
|
|
|
| |
nxproxy/Makefile.in.
|
| |
|
| |
|
|
|
|
|
|
|
| |
/usr/lib/nx/bin/nx
Conflicts (resolved by Mike Gabriel):
debian/changelog
|
|
|
|
|
|
|
|
|
|
|
| |
It ensures that all valid input can be decompressed, checks that the
overflow conditions doesn't happen and generally tightens the
validation of the LZW stream and doesn't pessimize the inner loop for
no good reason. It's derived from a change in libarchive from 2004.
v2: backports to nx-libs 3.6.x (Mihai Moldovan)
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Reviewed-by: Tomas Hoger <thoger@redhat.com>
|
| |
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.
This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
v3: human-readable version of "1 MB" (Mihai Moldovan)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
os/access.c
|
|
|
|
| |
This reverts commit d4c76981f7fddb364166464c571ed8d3de3086cd.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d
The connection setup reply from the font server can include a list
of alternate servers to contact if this font server stops working.
The reply specifies a total size of all the font server names, and
then provides a list of names. _fs_recv_conn_setup() allocated the
specified total size for copying the names to, but didn't check to
make sure it wasn't copying more data to that buffer than the size
it had allocated.
v2: use xfree() instead of free() for nx-libs 3.6.x (Mihai Moldovan)
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d"
This reverts commit 94c6de0649cd295044b1e4ff7265949c9c787519.
|
|
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f
fs_read_query_info() parses a reply from the font server. The reply
contains embedded length fields, none of which are validated. This
can cause out of bound reads in either fs_read_query_info() or in
_fs_convert_props() which it calls to parse the fsPropInfo in the reply.
v2: apply correctly on nx-libs 3.6.x (Mihai Moldovan)
|
|
|
|
|
|
| |
from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f"
This reverts commit c6aebf9284855a0e24ad9c5ffdd36aa65e16bec7.
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau)
v3: RHEL5 backport
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
This is a half-measure until we start passing request length into the
varsize function, but it's better than the nothing we had before.
v2: Verify that there's at least a large render header's worth of
dataBytes (Julien Cristau)
v3: backport to RHEL5
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
fixup swap
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
v2:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)
v3:
Fix single versus vendor-private length checking for ARB_imaging subset
extensions. (Julien Cristau)
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
fix safe_Add
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[CVE-2014-8098 4/8]
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
[CVE-2014-8093 5/6]
v2:
Fix constants in __glXMap2fReqSize (Michal Srb)
Validate w/h/d for proxy targets too (Keith Packard)
v3:
Fix Map[12]Size to correctly reject order == 0 (Julien Cristau)
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
v2:
Remove can't-happen comparison for cmdlen < 0 (Michal Srb)
v3: backport to RHEL5 hit old paths
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Julien Cristau <jcristau@debian.org>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
These are paranoid about integer overflow, and will return -1 if their
operation would overflow a (signed) integer or if either argument is
negative.
Note that RenderLarge requests are sized with a uint32_t so in principle
this could be sketchy there, but dix limits bigreqs to 128M so you
shouldn't ever notice, and honestly if you're sending more than 2G of
rendering commands you're already doing something very wrong.
v2: Use INT_MAX for consistency with the rest of the server (jcristau)
v3: Reject negative arguments (anholt)
v4: RHEL5: add limits.h, use inline
v5: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
(v2) [CVE-2014-8093 3/6]
If the computed reply size is negative, something went wrong, treat it
as an error.
v2: Be more careful about size_t being unsigned (Matthieu Herrb)
v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith)
v4: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Before this we'd just clamp the image size to 0, which was just
hideously stupid; if the parameters were such that they'd overflow an
integer, you'd allocate a small buffer, then pass huge values into (say)
ReadPixels, and now you're scribbling over arbitrary server memory.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
If the size computation routine returns -1 we should just reject the
request outright. Clamping it to zero could give an attacker the
opportunity to also mangle cmdlen in such a way that the subsequent
length check passes, and the request would get executed, thus passing
data we wanted to reject to the renderer.
v3: backport to nx-libs 3.6.x (Mike DePaulo)
v2: backport to RHEL5 - fix swap paths
Reviewed-by: Keith Packard <keithp@keithp.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Michal Srb <msrb@suse.com>
Reviewed-by: Andy Ritger <aritger@nvidia.com>
Signed-off-by: Adam Jackson <ajax@redhat.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Fedora X Ninjas <x@fedoraproject.org>
Signed-off-by: Dave Airlie <airlied@redhat.com>
fixup swaps
|
|
|
|
|
|
|
| |
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
|
|
|
|
|
|
| |
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Conflicts:
xfixes/select.c
|
|
|
|
|
|
|
|
|
|
| |
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
render/render.c
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Otherwise we may be reading outside of the client request.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Julien Cristau <jcristau@debian.org>
Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Conflicts:
render/render.c
|
|
|
|
|
|
|
|
|
|
| |
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
Xext/xvdisp.c
|
|
|
|
|
|
|
| |
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Multiple functions in the Xinput extension handling of requests from
clients failed to check that the length of the request sent by the
client was large enough to perform all the required operations and
thus could read or write to memory outside the bounds of the request
buffer.
This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE
macro in include/dix.h for the common case of needing to ensure a
request is large enough to include both the request itself and a
minimum amount of extra data following the request header.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
Xi/chgdctl.c
Xi/chgfctl.c
Xi/xiallowev.c
Xi/xichangecursor.c
Xi/xichangehierarchy.c
Xi/xigetclientpointer.c
Xi/xigrabdev.c
Xi/xipassivegrab.c
Xi/xiproperty.c
Xi/xiquerydevice.c
Xi/xiquerypointer.c
Xi/xiselectev.c
Xi/xisetclientpointer.c
Xi/xisetdevfocus.c
Xi/xiwarppointer.c
[RHEL5: Xi/xi* files are XI2 ]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read
from a buffer. The length is never validated, which can lead to out of
bound reads, and possibly returning the data read from out of bounds to
the misbehaving client via an X Error packet.
SProcDbeSwapBuffers() swaps data (for correct endianness) before
handing it off to the real proc. While doing the swapping, the
length field is not validated, which can cause memory corruption.
v2: reorder checks to avoid compilers optimizing out checks for overflow
that happen after we'd already have done the overflowing multiplications.
v3: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
dbe/dbe.c
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
Force use of 64-bit integers when evaluating data provided by clients
in 32-bit fields which can overflow when added or multiplied during
checks.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
RHEL5: add #include <stdint.h> for uint64_t
v3: backport to nx-libs 3.6.x (Mike DePaulo)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
RegionSizeof contains several integer overflows if a large length
value is passed in. Once we fix it to return 0 on overflow, we
also have to fix the callers to handle this error condition
v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau.
v3: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Conflicts:
dix/region.c
include/regionstr.h
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
GetHosts() iterates over all the hosts it has in memory, and copies
them to a buffer. The buffer length is calculated by iterating over
all the hosts and adding up all of their combined length. There is a
potential integer overflow, if there are lots and lots of hosts (with
a combined length of > ~4 gig). This should be possible by repeatedly
calling ProcChangeHosts() on 64bit machines with enough memory.
This patch caps the list at 1mb, because multi-megabyte hostname
lists for X access control are insane.
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
os/access.c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
ProcPutImage() calculates a length field from a width, left pad and depth
specified by the client (if the specified format is XYPixmap).
The calculations for the total amount of memory the server needs for the
pixmap can overflow a 32-bit number, causing out-of-bounds memory writes
on 32-bit systems (since the length is stored in a long int variable).
v2: backport to nx-libs 3.6.x (Mike DePaulo)
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
dix/dispatch.c
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
| |
authdes_ezdecode() calls malloc() using a length provided by the
connection handshake sent by a newly connected client in order
to authenticate to the server, so should be treated as untrusted.
It didn't check if malloc() failed before writing to the newly
allocated buffer, so could lead to a server crash if the server
fails to allocate memory (up to UINT16_MAX bytes, since the len
field is a CARD16 in the X protocol).
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Conflicts:
os/rpcauth.c
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit d338f81df1e188eb16e1d6aeea7f4800f89c1218
fs_read_list_info() parses a reply from the font server. The reply
contains a number of additional data items with embedded length or
count fields, none of which are validated. This can cause out of
bound reads when looping over these items in the reply.
|
|
|
|
|
|
|
|
|
| |
xorg/lib/libXfont commit 5fa73ac18474be3032ee7af9c6e29deab163ea39
fs_read_list() parses a reply from the font server. The reply
contains a list of strings with embedded length fields, none of
which are validated. This can cause out of bound reads when looping
over the strings in the reply.
|