aboutsummaryrefslogtreecommitdiff
path: root/nx-X11/lib/font/fc/fserve.c
Commit message (Collapse)AuthorAgeFilesLines
* CVE-2014-0211: integer overflow in fs_read_extent_info() from ↵Mike DePaulo2015-02-141-1/+11
| | | | | | | | | xorg/lib/libXfont commit c578408c1fd4db09e4e3173f8a9e65c81cc187c1 fs_read_extent_info() parses a reply from the font server. The reply contains a 32bit number of elements field which is used to calculate a buffer length. There is an integer overflow in this calculation which can lead to memory corruption.
* CVE-2014-0210: unvalidated length fields in fs_read_query_info() from ↵Mike DePaulo2015-02-141-2/+38
| | | | | | | | | xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f fs_read_query_info() parses a reply from the font server. The reply contains embedded length fields, none of which are validated. This can cause out of bound reads in either fs_read_query_info() or in _fs_convert_props() which it calls to parse the fsPropInfo in the reply.
* CVE-2014-0211: Integer overflow in fs_get_reply/_fs_start_read from ↵Mike DePaulo2015-02-141-0/+18
| | | | | | | | | | | | | | | | | | | | xorg/lib/libXfont commit 0f1a5d372c143f91a602bdf10c917d7eabaee09b fs_get_reply() would take any reply size, multiply it by 4 and pass to _fs_start_read. If that size was bigger than the current reply buffer size, _fs_start_read would add it to the existing buffer size plus the buffer size increment constant and realloc the buffer to that result. This math could overflow, causing the code to allocate a smaller buffer than the amount it was about to read into that buffer from the network. It could also succeed, allowing the remote font server to cause massive allocations in the X server, possibly using up all the address space in a 32-bit X server, allowing the triggering of other bugs in code that fails to handle malloc failure properly. This patch protects against both problems, by disconnecting any font server trying to feed us more than (the somewhat arbitrary) 64 mb in a single reply.
* CVE-2014-0210: unvalidated lengths when reading replies from font server ↵Mike DePaulo2015-02-141-6/+38
| | | | | | | | from xorg/lib/libXfont commit cbb64aef35960b2882be721f4b8fbaa0fb649d12 Functions to handle replies to font server requests were casting replies from the generic form to reply specific structs without first checking that the reply was at least as long as the struct being cast to.
* Don't crash when we receive an FS_Error from the font server (Guillem ↵Mike DePaulo2015-02-141-1/+1
| | | | Jover). from xorg/lib/libXfont commit bfb8a71f4f7e5c5ed4278cb3ee271bf9990d276d
* CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from ↵Mike DePaulo2015-02-141-3/+18
| | | | | | | | | | | | | xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d The connection setup reply from the font server can include a list of alternate servers to contact if this font server stops working. The reply specifies a total size of all the font server names, and then provides a list of names. _fs_recv_conn_setup() allocated the specified total size for copying the names to, but didn't check to make sure it wasn't copying more data to that buffer than the size it had allocated.
* Imported nx-X11-3.1.0-1.tar.gznx-X11/3.1.0-1Reinhard Tartler2011-10-101-0/+3262
Summary: Imported nx-X11-3.1.0-1.tar.gz Keywords: Imported nx-X11-3.1.0-1.tar.gz into Git repository
generated by cgit v1.2.3 (git 2.25.1) at 2024-08-04 14:09:58 +0000