path: root/nx-X11/lib/font/fontfile
Commit message | Author | Age | Files | Lines
* Do proper input validation to fix for CVE-2011-2895. | Joerg Sonnenberger | 2015-02-16 | 1 | -14/+17
  It ensures that all valid input can be decompressed, checks that the overflow conditions don't happen and generally tightens the validation of the LZW stream and doesn't pessimize the inner loop for no good reason.
  It's derived from a change in libarchive from 2004.
  v2: backports to nx-libs 3.6.x (Mihai Moldovan)
  v3: fix comment lines starting with "+" + whitespace fixes (Mike Gabriel)
  Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
  Reviewed-by: Tomas Hoger <thoger@redhat.com>
* Revert "Do proper input validation to fix for CVE-2011-2895." | Mike Gabriel | 2015-02-16 | 1 | -17/+14
  This reverts commit 6acafc9334828da22446380c81af81bde14b5d86.
* Do proper input validation to fix for CVE-2011-2895. | Joerg Sonnenberger | 2015-02-16 | 1 | -14/+17
  It ensures that all valid input can be decompressed, checks that the overflow conditions don't happen and generally tightens the validation of the LZW stream and doesn't pessimize the inner loop for no good reason.
  It's derived from a change in libarchive from 2004.
  v2: backports to nx-libs 3.6.x (Mihai Moldovan)
  Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
  Reviewed-by: Tomas Hoger <thoger@redhat.com>
* CVE-2014-0209: integer overflow of realloc() size in lexAlias() from xorg/lib/libXfont commit 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc | Mike DePaulo | 2015-02-14 | 1 | -0/+4
  lexAlias() reads from a file in a loop. It does this by starting with a 64 byte buffer. If that size limit is hit, it does a realloc of the buffer size << 1, basically doubling the needed length every time the length limit is hit.
  Eventually, this will shift out to 0 (for a length of ~4gig), and that length will be passed on to realloc(). A length of 0 (with a valid pointer) causes realloc to free the buffer on most POSIX platforms, but the caller will still have a pointer to it, leading to use after free issues.
* CVE-2014-0209: integer overflow of realloc() size in FontFileAddEntry() from xorg/lib/libXfont commit 2f5e57317339c526e6eaee1010b0e2ab8089c42e | Mike DePaulo | 2015-02-14 | 1 | -0/+5
  FontFileReadDirectory() opens a fonts.dir file, and reads over every line in an fscanf loop. For each successful entry read (font name, file name) a call is made to FontFileAddFontFile().
  FontFileAddFontFile() will add a font file entry (for the font name and file) each time it’s called, by calling FontFileAddEntry(). FontFileAddEntry() will do the actual adding. If the table it has to add to is full, it will do a realloc, adding 100 more entries to the table size without checking to see if that will overflow the int used to store the size.
* LZW decompress: fix for CVE-2011-2895 From xorg/lib/Xfont commit d11ee5886e9d9ec610051a206b135a4cdc1e09a0 | Mike DePaulo | 2015-02-14 | 1 | -0/+2
  Specially crafted LZW stream can crash an application using libXfont that is used to open untrusted font files. With X server, this may allow privilege escalation when exploited
* drop .original files from the current code base | Mike Gabriel | 2015-02-02 | 2 | -1929/+0
* Imported nx-X11-3.3.0-7.tar.gz [nx-X11/3.3.0-7] | Reinhard Tartler | 2011-10-10 | 3 | -1/+1933
  Summary: Imported nx-X11-3.3.0-7.tar.gz
  Keywords: Imported nx-X11-3.3.0-7.tar.gz into Git repository
* Imported nx-X11-3.1.0-1.tar.gz [nx-X11/3.1.0-1] | Reinhard Tartler | 2011-10-10 | 21 | -0/+6884
  Summary: Imported nx-X11-3.1.0-1.tar.gz
  Keywords: Imported nx-X11-3.1.0-1.tar.gz into Git repository