blob: be0dded235c8aa6c14eaf4c0ea2a188dce7c7a66 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
|
From bb7abd9da9badc6cb825c636867cbef827141f36 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 22:19:01 -0500
Subject: [PATCH 12/40] CVE-2014-0211: integer overflow in
fs_read_extent_info() from xorg/lib/libXfont commit
c578408c1fd4db09e4e3173f8a9e65c81cc187c1
fs_read_extent_info() parses a reply from the font server.
The reply contains a 32bit number of elements field which is used
to calculate a buffer length. There is an integer overflow in this
calculation which can lead to memory corruption.
---
nx-X11/lib/font/fc/fserve.c | 12 +++++++++++-
1 file changed, 11 insertions(+), 1 deletion(-)
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -73,6 +73,7 @@ in this Software without prior written a
#include "fservestr.h"
#include <X11/fonts/fontutil.h>
#include <errno.h>
+#include <limits.h>
#include <time.h>
#define Time_t time_t
@@ -1061,7 +1062,16 @@ fs_read_extent_info(FontPathElementPtr f
numInfos *= 2;
haveInk = TRUE;
}
- ci = pCI = (CharInfoPtr) xalloc(sizeof(CharInfoRec) * numInfos);
+ if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) {
+#ifdef DEBUG
+ fprintf(stderr,
+ "fsQueryXExtents16: numInfos (%d) >= %ld\n",
+ numInfos, (INT_MAX / sizeof(CharInfoRec)));
+#endif
+ pCI = NULL;
+ }
+ else
+ pCI = malloc(sizeof(CharInfoRec) * numInfos);
if (!pCI)
{
|
