aboutsummaryrefslogtreecommitdiff
path: root/nx-X11
Commit message (Collapse)AuthorAgeFilesLines
* nx-X11/programs/Xserver/hw/nxagent/: Drop unused VERSION file.Mike Gabriel2015-02-161-1/+0
|
* Do proper input validation to fix for CVE-2011-2895.Joerg Sonnenberger2015-02-161-14/+17
| | | | | | | | | | | | It ensures that all valid input can be decompressed, checks that the overflow conditions doesn't happen and generally tightens the validation of the LZW stream and doesn't pessimize the inner loop for no good reason. It's derived from a change in libarchive from 2004. v2: backports to nx-libs 3.6.x (Mihai Moldovan) v3: fix comment lines starting with "+" + whitespace fixes (Mike Gabriel) Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Tomas Hoger <thoger@redhat.com>
* Revert "Do proper input validation to fix for CVE-2011-2895."Mike Gabriel2015-02-161-17/+14
| | | | This reverts commit 6acafc9334828da22446380c81af81bde14b5d86.
* Do proper input validation to fix for CVE-2011-2895.Joerg Sonnenberger2015-02-161-14/+17
| | | | | | | | | | | It ensures that all valid input can be decompressed, checks that the overflow conditions doesn't happen and generally tightens the validation of the LZW stream and doesn't pessimize the inner loop for no good reason. It's derived from a change in libarchive from 2004. v2: backports to nx-libs 3.6.x (Mihai Moldovan) Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Reviewed-by: Tomas Hoger <thoger@redhat.com>
* nx-X11/lib/font/fc/fserve.c: initialize remaining bufleft variables.Mihai Moldovan2015-02-161-2/+2
|
* dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]Alan Coopersmith2015-02-161-0/+6
| | | | | | | | | | | | | | | | | | | | | GetHosts() iterates over all the hosts it has in memory, and copies them to a buffer. The buffer length is calculated by iterating over all the hosts and adding up all of their combined length. There is a potential integer overflow, if there are lots and lots of hosts (with a combined length of > ~4 gig). This should be possible by repeatedly calling ProcChangeHosts() on 64bit machines with enough memory. This patch caps the list at 1mb, because multi-megabyte hostname lists for X access control are insane. v2: backport to nx-libs 3.6.x (Mike DePaulo) v3: human-readable version of "1 MB" (Mihai Moldovan) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: os/access.c
* Revert "dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]"Mihai Moldovan2015-02-161-6/+0
| | | | This reverts commit d4c76981f7fddb364166464c571ed8d3de3086cd.
* CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from ↵Mike DePaulo2015-02-161-3/+18
| | | | | | | | | | | | | | | xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d The connection setup reply from the font server can include a list of alternate servers to contact if this font server stops working. The reply specifies a total size of all the font server names, and then provides a list of names. _fs_recv_conn_setup() allocated the specified total size for copying the names to, but didn't check to make sure it wasn't copying more data to that buffer than the size it had allocated. v2: use xfree() instead of free() for nx-libs 3.6.x (Mihai Moldovan)
* Revert "CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from ↵Mihai Moldovan2015-02-161-18/+3
| | | | | | xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d" This reverts commit 94c6de0649cd295044b1e4ff7265949c9c787519.
* CVE-2014-0210: unvalidated length fields in fs_read_query_info() from ↵Mike DePaulo2015-02-162-8/+54
| | | | | | | | | | | xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f fs_read_query_info() parses a reply from the font server. The reply contains embedded length fields, none of which are validated. This can cause out of bound reads in either fs_read_query_info() or in _fs_convert_props() which it calls to parse the fsPropInfo in the reply. v2: apply correctly on nx-libs 3.6.x (Mihai Moldovan)
* Revert "CVE-2014-0210: unvalidated length fields in fs_read_query_info() ↵Mihai Moldovan2015-02-162-52/+7
| | | | | | from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f" This reverts commit c6aebf9284855a0e24ad9c5ffdd36aa65e16bec7.
* glx: Pass remaining request length into ->varsize (v2) [CVE-2014-8098 8/8] (V3)Adam Jackson2015-02-144-107/+121
| | | | | | | | | | | | | | | | v2: Handle more multiplies in indirect_reqsize.c (Julien Cristau) v3: RHEL5 backport v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Length checking for RenderLarge requests (v2) [CVE-2014-8098 3/8] (v3)Adam Jackson2015-02-142-46/+71
| | | | | | | | | | | | | | | | | | | | | This is a half-measure until we start passing request length into the varsize function, but it's better than the nothing we had before. v2: Verify that there's at least a large render header's worth of dataBytes (Julien Cristau) v3: backport to RHEL5 v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> fixup swap
* glx: Length checking for non-generated single requests (v2) [CVE-2014-8098 7/8]Adam Jackson2015-02-144-20/+52
| | | | | | | | | | | | | | | | | | | | | | v2: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) v3: Fix single versus vendor-private length checking for ARB_imaging subset extensions. (Julien Cristau) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> fix safe_Add
* glx: Top-level length checking for swapped VendorPrivate requests ↵Adam Jackson2015-02-141-0/+4
| | | | | | | | | | | | | | | [CVE-2014-8098 4/8] v2: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Integer overflow protection for non-generated render requests (v3) ↵Adam Jackson2015-02-141-31/+37
| | | | | | | | | | | | | | | | | | | | | [CVE-2014-8093 5/6] v2: Fix constants in __glXMap2fReqSize (Michal Srb) Validate w/h/d for proxy targets too (Keith Packard) v3: Fix Map[12]Size to correctly reject order == 0 (Julien Cristau) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Length checking for GLXRender requests (v2) [CVE-2014-8098 2/8] (v3)Julien Cristau2015-02-142-20/+20
| | | | | | | | | | | | | | | | | v2: Remove can't-happen comparison for cmdlen < 0 (Michal Srb) v3: backport to RHEL5 hit old paths v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Julien Cristau <jcristau@debian.org> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Add safe_{add,mul,pad} (v3) [CVE-2014-8093 4/6] (v4)Adam Jackson2015-02-141-0/+41
| | | | | | | | | | | | | | | | | | | | | | | | | | | These are paranoid about integer overflow, and will return -1 if their operation would overflow a (signed) integer or if either argument is negative. Note that RenderLarge requests are sized with a uint32_t so in principle this could be sketchy there, but dix limits bigreqs to 128M so you shouldn't ever notice, and honestly if you're sending more than 2G of rendering commands you're already doing something very wrong. v2: Use INT_MAX for consistency with the rest of the server (jcristau) v3: Reject negative arguments (anholt) v4: RHEL5: add limits.h, use inline v5: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Additional paranoia in __glXGetAnswerBuffer / __GLX_GET_ANSWER_BUFFER ↵Adam Jackson2015-02-141-1/+2
| | | | | | | | | | | | | | | | | | | (v2) [CVE-2014-8093 3/6] If the computed reply size is negative, something went wrong, treat it as an error. v2: Be more careful about size_t being unsigned (Matthieu Herrb) v3: SIZE_MAX not SIZE_T_MAX (Alan Coopersmith) v4: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Be more strict about rejecting invalid image sizes [CVE-2014-8093 2/6]Adam Jackson2015-02-142-14/+14
| | | | | | | | | | | | | | | | | | Before this we'd just clamp the image size to 0, which was just hideously stupid; if the parameters were such that they'd overflow an integer, you'd allocate a small buffer, then pass huge values into (say) ReadPixels, and now you're scribbling over arbitrary server memory. v2: backport to nx-libs 3.6.x (Mike DePaulo) Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com>
* glx: Be more paranoid about variable-length requests [CVE-2014-8093 1/6] (v2)Adam Jackson2015-02-142-4/+4
| | | | | | | | | | | | | | | | | | | | | If the size computation routine returns -1 we should just reject the request outright. Clamping it to zero could give an attacker the opportunity to also mangle cmdlen in such a way that the subsequent length check passes, and the request would get executed, thus passing data we wanted to reject to the renderer. v3: backport to nx-libs 3.6.x (Mike DePaulo) v2: backport to RHEL5 - fix swap paths Reviewed-by: Keith Packard <keithp@keithp.com> Reviewed-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Michal Srb <msrb@suse.com> Reviewed-by: Andy Ritger <aritger@nvidia.com> Signed-off-by: Adam Jackson <ajax@redhat.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Fedora X Ninjas <x@fedoraproject.org> Signed-off-by: Dave Airlie <airlied@redhat.com> fixup swaps
* randr: unvalidated lengths in RandR extension swapped procs [CVE-2014-8101]Alan Coopersmith2015-02-141-0/+3
| | | | | | | v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
* xfixes: unvalidated length in SProcXFixesSelectSelectionInput [CVE-2014-8102]Alan Coopersmith2015-02-141-0/+1
| | | | | | | | | | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> v2: backport to nx-libs 3.6.x (Mike DePaulo) Conflicts: xfixes/select.c
* render: unvalidated lengths in Render extn. swapped procs [CVE-2014-8100 2/2]Alan Coopersmith2015-02-141-1/+16
| | | | | | | | | | v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: render/render.c
* render: check request size before reading it [CVE-2014-8100 1/2]Julien Cristau2015-02-141-1/+2
| | | | | | | | | | | | | Otherwise we may be reading outside of the client request. v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Julien Cristau <jcristau@debian.org> Reviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Conflicts: render/render.c
* Xv: unvalidated lengths in XVideo extension swapped procs [CVE-2014-8099]Alan Coopersmith2015-02-141-0/+20
| | | | | | | | | | v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: Xext/xvdisp.c
* xcmisc: unvalidated length in SProcXCMiscGetXIDList() [CVE-2014-8096]Alan Coopersmith2015-02-141-0/+1
| | | | | | | v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
* Xi: unvalidated lengths in Xinput extension [CVE-2014-8095]Alan Coopersmith2015-02-144-2/+11
| | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | | Multiple functions in the Xinput extension handling of requests from clients failed to check that the length of the request sent by the client was large enough to perform all the required operations and thus could read or write to memory outside the bounds of the request buffer. This commit includes the creation of a new REQUEST_AT_LEAST_EXTRA_SIZE macro in include/dix.h for the common case of needing to ensure a request is large enough to include both the request itself and a minimum amount of extra data following the request header. v2: backport to nx-libs 3.6.x (Mike DePaulo) Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: Xi/chgdctl.c Xi/chgfctl.c Xi/xiallowev.c Xi/xichangecursor.c Xi/xichangehierarchy.c Xi/xigetclientpointer.c Xi/xigrabdev.c Xi/xipassivegrab.c Xi/xiproperty.c Xi/xiquerydevice.c Xi/xiquerypointer.c Xi/xiselectev.c Xi/xisetclientpointer.c Xi/xisetdevfocus.c Xi/xiwarppointer.c [RHEL5: Xi/xi* files are XI2 ]
* dbe: unvalidated lengths in DbeSwapBuffers calls [CVE-2014-8097]Alan Coopersmith2015-02-141-3/+8
| | | | | | | | | | | | | | | | | | | | | | ProcDbeSwapBuffers() has a 32bit (n) length value that it uses to read from a buffer. The length is never validated, which can lead to out of bound reads, and possibly returning the data read from out of bounds to the misbehaving client via an X Error packet. SProcDbeSwapBuffers() swaps data (for correct endianness) before handing it off to the real proc. While doing the swapping, the length field is not validated, which can cause memory corruption. v2: reorder checks to avoid compilers optimizing out checks for overflow that happen after we'd already have done the overflowing multiplications. v3: backport to nx-libs 3.6.x (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: dbe/dbe.c
* dix: integer overflow in REQUEST_FIXED_SIZE() [CVE-2014-8092 4/4]Alan Coopersmith2015-02-141-1/+4
| | | | | | | | | | | | | Force use of 64-bit integers when evaluating data provided by clients in 32-bit fields which can overflow when added or multiplied during checks. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> RHEL5: add #include <stdint.h> for uint64_t v3: backport to nx-libs 3.6.x (Mike DePaulo)
* dix: integer overflow in RegionSizeof() [CVE-2014-8092 3/4]Alan Coopersmith2015-02-142-15/+34
| | | | | | | | | | | | | | | | | | RegionSizeof contains several integer overflows if a large length value is passed in. Once we fix it to return 0 on overflow, we also have to fix the callers to handle this error condition v2: Fixed limit calculation in RegionSizeof as pointed out by jcristau. v3: backport to nx-libs 3.6.x (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Reviewed-by: Julien Cristau <jcristau@debian.org> Conflicts: dix/region.c include/regionstr.h
* dix: integer overflow in GetHosts() [CVE-2014-8092 2/4]Alan Coopersmith2015-02-141-0/+6
| | | | | | | | | | | | | | | | | | | | GetHosts() iterates over all the hosts it has in memory, and copies them to a buffer. The buffer length is calculated by iterating over all the hosts and adding up all of their combined length. There is a potential integer overflow, if there are lots and lots of hosts (with a combined length of > ~4 gig). This should be possible by repeatedly calling ProcChangeHosts() on 64bit machines with enough memory. This patch caps the list at 1mb, because multi-megabyte hostname lists for X access control are insane. v2: backport to nx-libs 3.6.x (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: os/access.c
* dix: integer overflow in ProcPutImage() [CVE-2014-8092 1/4]Alan Coopersmith2015-02-141-1/+3
| | | | | | | | | | | | | | | | | ProcPutImage() calculates a length field from a width, left pad and depth specified by the client (if the specified format is XYPixmap). The calculations for the total amount of memory the server needs for the pixmap can overflow a 32-bit number, causing out-of-bounds memory writes on 32-bit systems (since the length is stored in a long int variable). v2: backport to nx-libs 3.6.x (Mike DePaulo) Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: dix/dispatch.c
* unchecked malloc may allow unauthed client to crash Xserver [CVE-2014-8091]Alan Coopersmith2015-02-141-0/+4
| | | | | | | | | | | | | | | | | | authdes_ezdecode() calls malloc() using a length provided by the connection handshake sent by a newly connected client in order to authenticate to the server, so should be treated as untrusted. It didn't check if malloc() failed before writing to the newly allocated buffer, so could lead to a server crash if the server fails to allocate memory (up to UINT16_MAX bytes, since the len field is a CARD16 in the X protocol). Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net> Conflicts: os/rpcauth.c
* CVE-2014-0210: unvalidated length fields in fs_read_list_info() from ↵Mike DePaulo2015-02-141-1/+55
| | | | | | | | | xorg/lib/libXfont commit d338f81df1e188eb16e1d6aeea7f4800f89c1218 fs_read_list_info() parses a reply from the font server. The reply contains a number of additional data items with embedded length or count fields, none of which are validated. This can cause out of bound reads when looping over these items in the reply.
* CVE-2014-0210: unvalidated length fields in fs_read_list() from ↵Mike DePaulo2015-02-141-0/+15
| | | | | | | | | xorg/lib/libXfont commit 5fa73ac18474be3032ee7af9c6e29deab163ea39 fs_read_list() parses a reply from the font server. The reply contains a list of strings with embedded length fields, none of which are validated. This can cause out of bound reads when looping over the strings in the reply.
* CVE-2014-0210: unvalidated length fields in fs_read_glyphs() from ↵Mike DePaulo2015-02-141-1/+28
| | | | | | | | | xorg/lib/libXfont commit 520683652564c2a4e42328ae23eef9bb63271565 fs_read_glyphs() parses a reply from the font server. The reply contains embedded length fields, none of which are validated. This can cause out of bound reads when looping over the glyph bitmaps in the reply.
* CVE-2014-0210: unvalidated length fields in fs_read_extent_info() from ↵Mike DePaulo2015-02-141-0/+10
| | | | | | | | xorg/lib/libXfont commit a3f21421537620fc4e1f844a594a4bcd9f7e2bd8 Looping over the extents in the reply could go past the end of the reply buffer if the reply indicated more extents than could fit in the specified reply length.
* CVE-2014-0211: integer overflow in fs_alloc_glyphs() from xorg/lib/libXfont ↵Mike DePaulo2015-02-141-1/+6
| | | | | | | | commit a42f707f8a62973f5e8bbcd08afb10a79e9cee33 fs_alloc_glyphs() is a malloc wrapper used by the font code. It contains a classic integer overflow in the malloc() call, which can cause memory corruption.
* CVE-2014-0211: integer overflow in fs_read_extent_info() from ↵Mike DePaulo2015-02-141-1/+11
| | | | | | | | | xorg/lib/libXfont commit c578408c1fd4db09e4e3173f8a9e65c81cc187c1 fs_read_extent_info() parses a reply from the font server. The reply contains a 32bit number of elements field which is used to calculate a buffer length. There is an integer overflow in this calculation which can lead to memory corruption.
* CVE-2014-0210: unvalidated length fields in fs_read_query_info() from ↵Mike DePaulo2015-02-142-7/+52
| | | | | | | | | xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f fs_read_query_info() parses a reply from the font server. The reply contains embedded length fields, none of which are validated. This can cause out of bound reads in either fs_read_query_info() or in _fs_convert_props() which it calls to parse the fsPropInfo in the reply.
* CVE-2014-0211: Integer overflow in fs_get_reply/_fs_start_read from ↵Mike DePaulo2015-02-141-0/+18
| | | | | | | | | | | | | | | | | | | | xorg/lib/libXfont commit 0f1a5d372c143f91a602bdf10c917d7eabaee09b fs_get_reply() would take any reply size, multiply it by 4 and pass to _fs_start_read. If that size was bigger than the current reply buffer size, _fs_start_read would add it to the existing buffer size plus the buffer size increment constant and realloc the buffer to that result. This math could overflow, causing the code to allocate a smaller buffer than the amount it was about to read into that buffer from the network. It could also succeed, allowing the remote font server to cause massive allocations in the X server, possibly using up all the address space in a 32-bit X server, allowing the triggering of other bugs in code that fails to handle malloc failure properly. This patch protects against both problems, by disconnecting any font server trying to feed us more than (the somewhat arbitrary) 64 mb in a single reply.
* CVE-2014-0210: unvalidated lengths when reading replies from font server ↵Mike DePaulo2015-02-141-6/+38
| | | | | | | | from xorg/lib/libXfont commit cbb64aef35960b2882be721f4b8fbaa0fb649d12 Functions to handle replies to font server requests were casting replies from the generic form to reply specific structs without first checking that the reply was at least as long as the struct being cast to.
* Don't crash when we receive an FS_Error from the font server (Guillem ↵Mike DePaulo2015-02-141-1/+1
| | | | Jover). from xorg/lib/libXfont commit bfb8a71f4f7e5c5ed4278cb3ee271bf9990d276d
* CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from ↵Mike DePaulo2015-02-141-3/+18
| | | | | | | | | | | | | xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d The connection setup reply from the font server can include a list of alternate servers to contact if this font server stops working. The reply specifies a total size of all the font server names, and then provides a list of names. _fs_recv_conn_setup() allocated the specified total size for copying the names to, but didn't check to make sure it wasn't copying more data to that buffer than the size it had allocated.
* CVE-2014-0209: integer overflow of realloc() size in lexAlias() from ↵Mike DePaulo2015-02-141-0/+4
| | | | | | | | | | | | | | | xorg/lib/libXfont commit 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc lexAlias() reads from a file in a loop. It does this by starting with a 64 byte buffer. If that size limit is hit, it does a realloc of the buffer size << 1, basically doubling the needed length every time the length limit is hit. Eventually, this will shift out to 0 (for a length of ~4gig), and that length will be passed on to realloc(). A length of 0 (with a valid pointer) causes realloc to free the buffer on most POSIX platforms, but the caller will still have a pointer to it, leading to use after free issues.
* CVE-2014-0209: integer overflow of realloc() size in FontFileAddEntry() from ↵Mike DePaulo2015-02-141-0/+5
| | | | | | | | | | | | | | | xorg/lib/libXfont commit 2f5e57317339c526e6eaee1010b0e2ab8089c42e FontFileReadDirectory() opens a fonts.dir file, and reads over every line in an fscanf loop. For each successful entry read (font name, file name) a call is made to FontFileAddFontFile(). FontFileAddFontFile() will add a font file entry (for the font name and file) each time it’s called, by calling FontFileAddEntry(). FontFileAddEntry() will do the actual adding. If the table it has to add to is full, it will do a realloc, adding 100 more entries to the table size without checking to see if that will overflow the int used to store the size.
* CVE-2013-6462: unlimited sscanf overflows stack buffer in ↵Mike DePaulo2015-02-141-1/+1
| | | | | | | | bdfReadCharacters() from xorg/lib/libXfont http://lists.x.org/archives/xorg-announce/2014-January/002389.html Fixes cppcheck warning: [lib/libXfont/src/bitmap/bdfread.c:341]: (warning) scanf without field width limits can crash with huge input data.
* Avoid use-after-free in dix/dixfonts.c: doImageText() [CVE-2013-4396] from ↵Mike DePaulo2015-02-141-0/+5
| | | | | | | | | | | | | | | | | | | | | xorg/Xserver http://lists.x.org/archives/xorg-announce/2013-October/002332.html Save a pointer to the passed in closure structure before copying it and overwriting the *c pointer to point to our copy instead of the original. If we hit an error, once we free(c), reset c to point to the original structure before jumping to the cleanup code that references *c. Since one of the errors being checked for is whether the server was able to malloc(c->nChars * itemSize), the client can potentially pass a number of characters chosen to cause the malloc to fail and the error path to be taken, resulting in the read from freed memory. Since the memory is accessed almost immediately afterwards, and the X server is mostly single threaded, the odds of the free memory having invalid contents are low with most malloc implementations when not using memory debugging features, but some allocators will definitely overwrite the memory there, leading to a likely crash.
* Fix CVE-2011-4028: File disclosure vulnerability. upstream xorg/xserver ↵Mike DePaulo2015-02-141-1/+1
| | | | | | | | commit 6ba44b91e37622ef8c146d8f2ac92d708a18ed34 use O_NOFOLLOW to open the existing lock file, so symbolic links aren't followed, thus avoid revealing if it point to an existing file.