author | Mike DePaulo <mikedep333@gmail.com> | 2014-05-25 16:18:49 -0400 |
---|---|---|
committer | Mike DePaulo <mikedep333@gmail.com> | 2014-05-25 16:18:49 -0400 |
commit | 1729558907ffa075d870eaa70e982406bc6c64c1 (patch) | |
tree | 1a62919f8aec434e0ab3b4fefb8f0708955053ed /libXfont/src/fontfile | |
parent | 1b493f424497599931b2abaca7c43925d6019558 (diff) | |
Fix CVE-2014-0209, CVE-2014-0210 and CVE-2014-0211 by taking the 12 patch files from Debian Wheezy libxfont 1.4.5-4, and applying with patch --ignore-whitespace
Diffstat (limited to 'libXfont/src/fontfile')
-rw-r--r-- | libXfont/src/fontfile/dirfile.c | 4 | ||||
-rw-r--r-- | libXfont/src/fontfile/fontdir.c | 5 |
2 files changed, 9 insertions, 0 deletions
diff --git a/libXfont/src/fontfile/dirfile.c b/libXfont/src/fontfile/dirfile.c
index c8aff6f4f..789fde5ff 100644
--- a/libXfont/src/fontfile/dirfile.c
+++ b/libXfont/src/fontfile/dirfile.c
@@ -42,6 +42,7 @@ in this Software without prior written authorization from The Open Group.
 #include <sys/types.h>
 #include <sys/stat.h>
 #include <errno.h>
+#include <limits.h>

 static Bool AddFileNameAliases ( FontDirectoryPtr dir );
 static int ReadFontAlias ( char *directory, Bool isFile,
@@ -374,6 +375,9 @@ lexAlias(FILE *file, char **lexToken)
 int nsize;
 char *nbuf;

+ if (tokenSize >= (INT_MAX >> 2))
+ /* Stop before we overflow */
+ return EALLOC;
 nsize = tokenSize ? (tokenSize << 1) : 64;
 nbuf = realloc(tokenBuf, nsize);
 if (!nbuf)
diff --git a/libXfont/src/fontfile/fontdir.c b/libXfont/src/fontfile/fontdir.c
index 97b2ba3b1..ce1595c8b 100644
--- a/libXfont/src/fontfile/fontdir.c
+++ b/libXfont/src/fontfile/fontdir.c
@@ -177,6 +177,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
 if (table->sorted)
 return (FontEntryPtr) 0; /* "cannot" happen */
 if (table->used == table->size) {
+ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
+ /* If we've read so many entries we're going to ask for 2gb
+ or more of memory, something is so wrong with this font
+ directory that we should just give up before we overflow. */
+ return NULL;
 newsize = table->size + 100;
 entry = realloc(table->entries, newsize * sizeof(FontEntryRec));
 if (!entry)
|
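Review bot: The new guard in lexAlias only prevents `tokenSize << 1` from overflowing `int`; a single token read from the alias file can still grow the buffer to roughly INT_MAX/4 bytes before `EALLOC` is returned, so a corrupt or hostile file can still force a very large allocation. A much smaller named limit on token length would bound that, for instance comparing against a project-chosen constant (placeholder name `MAX_ALIAS_TOKEN`) instead of `INT_MAX >> 2`. Separately, the `if` has a comment between its condition and its single statement and no braces, which is easy to break on a later edit; I would write `if (tokenSize >= (INT_MAX >> 2)) { /* doubling below must stay within int */ return EALLOC; }`. The body of lexAlias starts and ends outside the hunk, so whether `tokenBuf` is released or reset on this early return, as compared with the `if (!nbuf)` path, cannot be checked from here.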
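Review bot: `INT32_MAX` in the new FontFileAddEntry guard needs a definition in scope, and this commit adds no include to fontdir.c (the diffstat's 5 added lines are all in this hunk), whereas dirfile.c got `#include <limits.h>` for `INT_MAX`. If no existing header already provides it, the build fails or depends on include order, which matters for a tree that is built with more than one toolchain; adding `#include <stdint.h>` with the other includes, or a fallback such as `#ifndef INT32_MAX` / `#define INT32_MAX 0x7fffffff` / `#endif`, would make the dependency explicit. As a style point, the new path uses `return NULL;` while the line just above returns `(FontEntryPtr) 0`, and the unbraced `if` carries a three-line comment before its statement; braces and one consistent null return would read better. The function continues past the end of the hunk.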