aboutsummaryrefslogtreecommitdiff
path: root/debian/patches/1014-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
blob: d1a4f1ecc12e8f3043bdb71c83c8d036873eea0c (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
From d2b96c5d59766f96181de95da1906fd6e32785ba Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 22:26:16 -0500
Subject: [PATCH 14/40] CVE-2014-0210: unvalidated length fields in
 fs_read_extent_info() from xorg/lib/libXfont commit
 a3f21421537620fc4e1f844a594a4bcd9f7e2bd8

Looping over the extents in the reply could go past the end of the
reply buffer if the reply indicated more extents than could fit in
the specified reply length.
---
 nx-X11/lib/font/fc/fserve.c | 10 ++++++++++
 1 file changed, 10 insertions(+)

--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -1070,6 +1070,16 @@ fs_read_extent_info(FontPathElementPtr f
 #endif
 	pCI = NULL;
     }
+    else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply))
+			    / LENGTHOF(fsXCharInfo))) {
+#ifdef DEBUG
+	fprintf(stderr,
+		"fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n",
+		numExtents, rep->length,
+		LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo));
+#endif
+	pCI = NULL;
+    }
     else
 	pCI = malloc(sizeof(CharInfoRec) * numInfos);