aboutsummaryrefslogtreecommitdiff
path: root/debian/patches/1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
blob: 339f03de75d3b02697b88917456bd80c25fdc83a (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
From ef439da38d3a4c00a4e03e7d8f83cb359cd9a230 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 22:35:21 -0500
Subject: [PATCH 16/40] CVE-2014-0210: unvalidated length fields in
 fs_read_list() from xorg/lib/libXfont commit
 5fa73ac18474be3032ee7af9c6e29deab163ea39

fs_read_list() parses a reply from the font server.  The reply
contains a list of strings with embedded length fields, none of
which are validated. This can cause out of bound reads when looping
over the strings in the reply.
---
 nx-X11/lib/font/fc/fserve.c | 15 +++++++++++++++
 1 file changed, 15 insertions(+)

--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -2366,6 +2366,7 @@ fs_read_list(FontPathElementPtr fpe, FSB
     FSBlockedListPtr	blist = (FSBlockedListPtr) blockrec->data;
     fsListFontsReply	*rep;
     char		*data;
+    long		dataleft; /* length of reply left to use */
     int			length,
 			i,
 			ret;
@@ -2383,16 +2384,30 @@ fs_read_list(FontPathElementPtr fpe, FSB
 	return AllocError;
     }
     data = (char *) rep + SIZEOF (fsListFontsReply);
+    dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply);
 
     err = Successful;
     /* copy data into FontPathRecord */
     for (i = 0; i < rep->nFonts; i++) 
     {
+	if (dataleft < 1)
+	    break;
 	length = *(unsigned char *)data++;
+	dataleft--; /* used length byte */
+	if (length > dataleft) {
+#ifdef DEBUG
+	    fprintf(stderr,
+		    "fsListFonts: name length (%d) > dataleft (%ld)\n",
+		    length, dataleft);
+#endif
+	    err = BadFontName;
+	    break;
+	}
 	err = AddFontNamesName(blist->names, data, length);
 	if (err != Successful)
 	    break;
 	data += length;
+	dataleft -= length;
     }
     _fs_done_read (conn, rep->length << 2);
     return err;