aboutsummaryrefslogtreecommitdiff
path: root/debian/patches/1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyp.full.patch
blob: 63ba2b9ff2fd599646b2e337dee5c1ea8a36dcb1 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
From a0bed4d9fce8ffc96f13ca13b95d2a7913d20719 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 22:23:51 -0500
Subject: [PATCH 13/40] CVE-2014-0211: integer overflow in fs_alloc_glyphs()
 from xorg/lib/libXfont commit a42f707f8a62973f5e8bbcd08afb10a79e9cee33

fs_alloc_glyphs() is a malloc wrapper used by the font code.
It contains a classic integer overflow in the malloc() call,
which can cause memory corruption.
---
 nx-X11/lib/font/fc/fsconvert.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
index d41e0b8..afa2c32 100644
--- a/nx-X11/lib/font/fc/fsconvert.c
+++ b/nx-X11/lib/font/fc/fsconvert.c
@@ -762,7 +762,12 @@ fs_alloc_glyphs (FontPtr pFont, int size)
     FSGlyphPtr	glyphs;
     FSFontPtr	fsfont = (FSFontPtr) pFont->fontPrivate;
 
-    glyphs = xalloc (sizeof (FSGlyphRec) + size);
+    if (size < (INT_MAX - sizeof (FSGlyphRec)))
+	glyphs = xalloc (sizeof (FSGlyphRec) + size);
+    else
+	glyphs = NULL;
+    if (glyphs == NULL)
+	return NULL;
     glyphs->next = fsfont->glyphs;
     fsfont->glyphs = glyphs;
     return (pointer) (glyphs + 1);
-- 
2.1.4