From 5fc2f57fb5520bb61e2c1f8b6fd2522b203b3b9d Mon Sep 17 00:00:00 2001
From: Mihai Moldovan
Date: Mon, 16 Feb 2015 05:26:40 +0100
Subject: Revert "CVE-2014-0210: unvalidated length fields in fs_read_query_info() from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f"

This reverts commit c6aebf9284855a0e24ad9c5ffdd36aa65e16bec7.
---
 nx-X11/lib/font/fc/fsconvert.c | 19 +++++--------------
 nx-X11/lib/font/fc/fserve.c | 40 ++--------------------------------------
 2 files changed, 7 insertions(+), 52 deletions(-)

diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
index afa2c3284..9a5e194d1 100644
--- a/nx-X11/lib/font/fc/fsconvert.c
+++ b/nx-X11/lib/font/fc/fsconvert.c
@@ -123,10 +123,6 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
 for (i = 0; i < nprops; i++, dprop++, is_str++)
 {
 memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
- if ((local_off.name.position >= pi->data_len) ||
- (local_off.name.length >
- (pi->data_len - local_off.name.position)))
- goto bail;
 dprop->name = MakeAtom(&pdc[local_off.name.position],
 local_off.name.length, 1);
 if (local_off.type != PropTypeString) {
@@ -134,20 +130,15 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
 dprop->value = local_off.value.position;
 } else {
 *is_str = TRUE;
- if ((local_off.value.position >= pi->data_len) ||
- (local_off.value.length >
- (pi->data_len - local_off.value.position)))
- goto bail;
 dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
 local_off.value.length, 1);
 if (dprop->value == BAD_RESOURCE)
 {
- bail:
- xfree (pfi->props);
- pfi->nprops = 0;
- pfi->props = 0;
- pfi->isStringProp = 0;
- return -1;
+ xfree (pfi->props);
+ pfi->nprops = 0;
+ pfi->props = 0;
+ pfi->isStringProp = 0;
+ return -1;
 }
 }
 off_adr += SIZEOF(fsPropOffset);
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 6ba3ad49f..9e652d206 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
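Review bot: On the new side of both hunks in `_fs_convert_props` (@@ -123 and @@ -134), `local_off.name.position`/`local_off.value.position` and the matching `.length` fields come straight from the font-server reply and are used to index `pdc` for MakeAtom with no comparison against `pi->data_len`, so a reply whose offsets point outside the property data is read past its end. The revert drops these two range checks together with the fserve.c changes even though they are self-contained; keeping `if ((local_off.name.position >= pi->data_len) || (local_off.name.length > (pi->data_len - local_off.name.position))) goto bail;` before the first MakeAtom, the mirrored check on `value` before the second, and the `bail:` label inside the BAD_RESOURCE block would retain that validation independently of whatever is done in fs_read_query_info. The function's body starts and ends outside these hunks, so whether `pi->data_len` itself has been validated against the reply length before this point cannot be confirmed here; that is the check the fserve.c side is meant to supply.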
@@ -866,7 +866,6 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 FSFpePtr conn = (FSFpePtr) fpe->private;
 fsQueryXInfoReply *rep;
 char *buf;
- long bufleft; /* length of reply left to use */
 fsPropInfo *pi;
 fsPropOffset *po;
 pointer pd;
@@ -897,10 +896,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 buf = (char *) rep;
 buf += SIZEOF(fsQueryXInfoReply);
-
- bufleft = rep->length << 2;
- bufleft -= SIZEOF(fsQueryXInfoReply);
-
+
 /* move the data over */
 fsUnpack_XFontInfoHeader(rep, pInfo);
@@ -908,51 +904,19 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 _fs_init_fontinfo(conn, pInfo);
 /* Compute offsets into the reply */
- if (bufleft < SIZEOF(fsPropInfo))
- {
- ret = -1;
-#ifdef DEBUG
- fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n",
- bufleft);
-#endif
- goto bail;
- }
 pi = (fsPropInfo *) buf;
 buf += SIZEOF (fsPropInfo);
- bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
- if (bufleft < pi->data_len)
- {
- ret = -1;
-#ifdef DEBUG
- fprintf(stderr,
- "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
- bufleft, pi->data_len);
-#endif
- goto bail;
- }
 po = (fsPropOffset *) buf;
 buf += pi->num_offsets * SIZEOF(fsPropOffset);
- bufleft -= pi->data_len;
- {
- ret = -1;
-#ifdef DEBUG
- fprintf(stderr,
- "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
- bufleft, pi->data_len);
-#endif
- goto bail;
- }
 pd = (pointer) buf;
 buf += pi->data_len;
- bufleft -= pi->data_len;
 /* convert the properties and step over the reply */
 ret = _fs_convert_props(pi, po, pd, pInfo);
- bail:
 _fs_done_read (conn, rep->length << 2);
-
+
 if (ret == -1) {
 fs_cleanup_bfont (bfont);
-- 
cgit v1.2.3
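Review bot: After this revert, fs_read_query_info at @@ -908 derives `po`, `pd` and `buf += pi->data_len` from `pi->num_offsets` and `pi->data_len` without ever comparing them with the reply length (`rep->length << 2`), so a short or malformed fsQueryXInfoReply is handed to `_fs_convert_props` unchecked — the condition the reverted commit's title names as CVE-2014-0210 — and the `bufleft` declaration and setup removed at @@ -866 and @@ -897 go with it. The removed backport was visibly broken rather than merely unwanted: it never subtracts `SIZEOF(fsPropInfo)` from `bufleft` after `buf += SIZEOF (fsPropInfo);`, and the block following `bufleft -= pi->data_len;` has no `if`, so every reply reached `goto bail` with `ret = -1`; presumably that is why it is being reverted. A corrected check sequence (below, assuming the removed `long bufleft` declaration and its `rep->length << 2` initialisation are kept) would restore the validation while fixing the backport; it compares `num_offsets` against `bufleft / SIZEOF(fsPropOffset)` instead of forming `num_offsets * SIZEOF(fsPropOffset)` first, so an oversized wire-supplied count cannot wrap the product, and the `bail:` label must also stay. The rest of the function, including the `ret == -1` cleanup, lies outside the hunk.
```c
    /* Compute offsets into the reply; bufleft is the reply length minus the fixed header */
    if (bufleft < SIZEOF(fsPropInfo)) {
        ret = -1;
        goto bail;
    }
    pi = (fsPropInfo *) buf;
    buf += SIZEOF (fsPropInfo);
    bufleft -= SIZEOF(fsPropInfo);
    /* offset table: compare by division so the wire-supplied count cannot overflow a multiply */
    if (pi->num_offsets > bufleft / SIZEOF(fsPropOffset)) {
        ret = -1;
        goto bail;
    }
    po = (fsPropOffset *) buf;
    buf += pi->num_offsets * SIZEOF(fsPropOffset);
    bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
    if (bufleft < pi->data_len) {
        ret = -1;
        goto bail;
    }
    pd = (pointer) buf;
    buf += pi->data_len;
    bufleft -= pi->data_len;
    /* ... unchanged: _fs_convert_props call ... */
bail:
    _fs_done_read (conn, rep->length << 2);
```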