path: root/debian/patches/1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch
blob: 9ea330101b8173d3fb3da3163703ad5a68703b80 (plain)
From 36368e658a2b83753230af5296978ce27f468d8b Mon Sep 17 00:00:00 2001
From: Joerg Sonnenberger <joerg@britannica.bec.de>
Date: Sun, 21 Aug 2011 18:51:53 +0200
Subject: [PATCH 02/02] Do proper input validation to fix for CVE-2011-2895.

It ensures that all valid input can be decompressed, checks that the
overflow conditions don't happen and generally tightens the
validation of the LZW stream and doesn't pessimize the inner loop for
no good reason. It's derived from a change in libarchive from 2004.

v2: backports to nx-libs 3.6.x (Mihai Moldovan)
v3: fix comment lines starting with "+" + whitespace fixes (Mike Gabriel)
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Reviewed-by: Tomas Hoger <thoger@redhat.com>
---
 nx-X11/lib/font/fontfile/decompress.c | 31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c
index 553b315..c7e649f 100644
--- a/nx-X11/lib/font/fontfile/decompress.c
+++ b/nx-X11/lib/font/fontfile/decompress.c
@@ -99,7 +99,7 @@ static char_type magic_header[] = { "\037\235" };	/* 1F 9D */
 #define FIRST	257	/* first free entry */
 #define	CLEAR	256	/* table clear output code */
 
-#define STACK_SIZE  8192
+#define STACK_SIZE  65300
 
 typedef struct _compressedFILE {
     BufFilePtr	    file;
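Review bot: `STACK_SIZE 65300` is an unexplained constant, and after this patch it is what keeps the reverse-output stack in bounds, because the per-iteration check in BufCompressedFill is removed in a later hunk. The comment added there gives the bound as (1 << BITS) - 256, which would be 65280 if BITS is 16 (its definition is not visible here), so 65300 presumably leaves a small margin for the KwKwK byte and the final character. I would tie the two together, e.g. `#define STACK_SIZE  65300	/* >= (1 << BITS) - 256 plus KwKwK and final byte; see BufCompressedFill */`, or derive the value from BITS so a later change to BITS cannot silently undersize the buffer. The struct that presumably declares de_stack with this size starts at the end of the hunk and continues outside it.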
@@ -180,14 +180,12 @@ BufFilePushCompressed (BufFilePtr f)
 	file->tab_suffix[code] = (char_type) code;
     }
     file->free_ent = ((file->block_compress) ? FIRST : 256 );
+    file->oldcode = -1;
     file->clear_flg = 0;
     file->offset = 0;
     file->size = 0;
     file->stackp = file->de_stack;
     bzero(file->buf, BITS);
-    file->finchar = file->oldcode = getcode (file);
-    if (file->oldcode != -1)
-	*file->stackp++ = file->finchar;
     return BufFileCreate ((char *) file,
 			  BufCompressedFill,
 			  0,
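Review bot: `file->finchar` is no longer assigned in BufFilePushCompressed once the priming `getcode` call is removed, so unless the allocation (outside the hunk) zeroes the struct it stays indeterminate until the first code is decoded. The new `oldcode == -1` check in BufCompressedFill appears to keep it from being pushed to the stack before then, but an explicit `file->finchar = 0;` next to `file->oldcode = -1;` would make that independent of the decoder's control flow. The function starts and ends outside the hunk.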
@@ -232,9 +230,6 @@ BufCompressedFill (BufFilePtr f)
 	if (buf == bufend)
 	    break;
 
-	if (oldcode == -1)
-	    break;
-
 	code = getcode (file);
 	if (code == -1)
 	    break;
@@ -243,26 +238,34 @@ BufCompressedFill (BufFilePtr f)
 	    for ( code = 255; code >= 0; code-- )
 	    	file->tab_prefix[code] = 0;
 	    file->clear_flg = 1;
-	    file->free_ent = FIRST - 1;
-	    if ( (code = getcode (file)) == -1 )	/* O, untimely death! */
-	    	break;
+	    file->free_ent = FIRST;
+	    oldcode = -1;
+	    continue;
     	}
     	incode = code;
     	/*
      	 * Special case for KwKwK string.
      	 */
     	if ( code >= file->free_ent ) {
+	    if ( code > file->free_ent || oldcode == -1 ) {
+		/* Bad stream. */
+		return BUFFILEEOF;
+	    }
 	    *stackp++ = finchar;
 	    code = oldcode;
     	}
-    
+	/*
+	 * The above condition ensures that code < free_ent.
+	 * The construction of tab_prefixof in turn guarantees that
+	 * each iteration decreases code and therefore stack usage is
+	 * bound by 1 << BITS - 256.
+	 */
+
     	/*
      	 * Generate output characters in reverse order
      	 */
     	while ( code >= 256 )
     	{
-	    if (stackp - de_stack >= STACK_SIZE - 1)
-		return BUFFILEEOF;
 	    *stackp++ = file->tab_suffix[code];
 	    code = file->tab_prefix[code];
     	}
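Review bot: The added comment is now the only statement of why the `while ( code >= 256 )` loop cannot overrun de_stack, and it is imprecise: as written, `1 << BITS - 256` parses in C as `1 << (BITS - 256)`, and `tab_prefixof` is not the name used in this code (`file->tab_prefix`). I would write it as `stack usage is bounded by (1 << BITS) - 256`, refer to `tab_prefix`, and mention that STACK_SIZE must stay above that bound. Separately, the new bad-stream path returns `BUFFILEEOF`, as the removed check did, so a malformed stream looks like a clean end of file to the caller; a short comment saying this is intentional would help. BufCompressedFill begins and ends outside the hunk.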
@@ -272,7 +275,7 @@ BufCompressedFill (BufFilePtr f)
     	/*
      	 * Generate the new entry.
      	 */
-    	if ( (code=file->free_ent) < file->maxmaxcode ) {
+	if ( (code=file->free_ent) < file->maxmaxcode && oldcode != -1) {
 	    file->tab_prefix[code] = (unsigned short)oldcode;
 	    file->tab_suffix[code] = finchar;
 	    file->free_ent = code+1;
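Review bot: The added `&& oldcode != -1` guard has no comment, and its reason is not obvious at this spot: without it the first code after stream start or after CLEAR would store `(unsigned short)-1` as a prefix. Something like `/* no previous code yet (start of stream or just after CLEAR): nothing to extend */` above the `if` would record that. The closing paren also lacks the space that the `( ... )` style uses elsewhere in these hunks. The block continues outside the hunk.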
-- 
2.1.4