From c0d0e373d4c42c7813b1955fc18f5c9f63c725e0 Mon Sep 17 00:00:00 2001 From: Mihai Moldovan Date: Mon, 16 Feb 2015 05:52:09 +0100 Subject: Revert "CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d" This reverts commit 94c6de0649cd295044b1e4ff7265949c9c787519. --- nx-X11/lib/font/fc/fserve.c | 21 +++------------------ 1 file changed, 3 insertions(+), 18 deletions(-) (limited to 'nx-X11/lib/font/fc/fserve.c') diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c index 75cabdd9e..0d792c7e3 100644 --- a/nx-X11/lib/font/fc/fserve.c +++ b/nx-X11/lib/font/fc/fserve.c @@ -2985,7 +2985,7 @@ _fs_recv_conn_setup (FSFpePtr conn) int ret; fsConnSetup *setup; FSFpeAltPtr alts; - unsigned int i, alt_len; + int i, alt_len; int setup_len; char *alt_save, *alt_names; @@ -3012,9 +3012,9 @@ _fs_recv_conn_setup (FSFpePtr conn) } if (setup->num_alternates) { - size_t alt_name_len = setup->alternate_len << 2; alts = (FSFpeAltPtr) xalloc (setup->num_alternates * - sizeof (FSFpeAltRec) + alt_name_len); + sizeof (FSFpeAltRec) + + (setup->alternate_len << 2)); if (alts) { alt_names = (char *) (setup + 1); @@ -3023,25 +3023,10 @@ _fs_recv_conn_setup (FSFpePtr conn) { alts[i].subset = alt_names[0]; alt_len = alt_names[1]; - if (alt_len >= alt_name_len) { - /* - * Length is longer than setup->alternate_len - * told us to allocate room for, assume entire - * alternate list is corrupted. - */ -#ifdef DEBUG - fprintf (stderr, - "invalid alt list (length %lx >= %lx)\n", - (long) alt_len, (long) alt_name_len); -#endif - free(alts); - return FSIO_ERROR; - } alts[i].name = alt_save; memcpy (alt_save, alt_names + 2, alt_len); alt_save[alt_len] = '\0'; alt_save += alt_len + 1; - alt_name_len -= alt_len + 1; alt_names += _fs_pad_length (alt_len + 2); } conn->numAlts = setup->num_alternates; -- cgit v1.2.3