From 1729558907ffa075d870eaa70e982406bc6c64c1 Mon Sep 17 00:00:00 2001
From: Mike DePaulo
Date: Sun, 25 May 2014 16:18:49 -0400
Subject: Fix CVE-2014-0209, CVE-2014-0210 and CVE-2014-0211 by taking the 12 patch files from Debian Wheezy libxfont 1.4.5-4, and applying with patch --ignore-whitespace
---
 libXfont/src/fontfile/dirfile.c | 4 ++++
 libXfont/src/fontfile/fontdir.c | 5 +++++
 2 files changed, 9 insertions(+)
(limited to 'libXfont/src/fontfile')
diff --git a/libXfont/src/fontfile/dirfile.c b/libXfont/src/fontfile/dirfile.c
index c8aff6f4f..789fde5ff 100644
--- a/libXfont/src/fontfile/dirfile.c
+++ b/libXfont/src/fontfile/dirfile.c
@@ -42,6 +42,7 @@ in this Software without prior written authorization from The Open Group.
 #include
 #include
 #include
+#include
 static Bool AddFileNameAliases ( FontDirectoryPtr dir );
 static int ReadFontAlias ( char *directory, Bool isFile,
@@ -374,6 +375,9 @@ lexAlias(FILE *file, char **lexToken)
 int nsize;
 char *nbuf;
+ if (tokenSize >= (INT_MAX >> 2))
+ /* Stop before we overflow */
+ return EALLOC;
 nsize = tokenSize ? (tokenSize << 1) : 64;
 nbuf = realloc(tokenBuf, nsize);
 if (!nbuf)
diff --git a/libXfont/src/fontfile/fontdir.c b/libXfont/src/fontfile/fontdir.c
index 97b2ba3b1..ce1595c8b 100644
--- a/libXfont/src/fontfile/fontdir.c
+++ b/libXfont/src/fontfile/fontdir.c
@@ -177,6 +177,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
 if (table->sorted)
 return (FontEntryPtr) 0; /* "cannot" happen */
 if (table->used == table->size) {
+ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
+ /* If we've read so many entries we're going to ask for 2gb
+ or more of memory, something is so wrong with this font
+ directory that we should just give up before we overflow. */
+ return NULL;
 newsize = table->size + 100;
 entry = realloc(table->entries, newsize * sizeof(FontEntryRec));
 if (!entry)
-- cgit v1.2.3
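Review bot: In the `lexAlias` hunk the new guard is an unbraced `if` whose body is separated from its condition by a comment line, which is easy to misread and easy to break if a second statement is ever added. I would brace it and have the comment name what overflows: `if (tokenSize >= (INT_MAX >> 2)) { /* tokenSize << 1 below would overflow int */ return EALLOC; }`. The bound is also stricter than the doubling needs, since `INT_MAX >> 1` would already keep `tokenSize << 1` in range (assuming `tokenSize` is an `int`, which the hunk does not show), so the comment should say the extra margin is deliberate. The enclosing block starts and ends outside the hunk.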
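Review bot: The guard in `FontFileAddEntry` uses `INT32_MAX`, but this patch adds no include to fontdir.c (its five inserted lines are all in this hunk), so the build relies on some existing header already pulling in `<stdint.h>`; if none does, add `#include <stdint.h>` beside the file's other includes. The comparison is also mixed-sign if `table->size` is a signed int (its declaration is outside the hunk): it is converted to `size_t`, so a negative size would take the `return NULL` path too, which is fail-safe but deserves a comment. The new branch returns `NULL` while the line just above returns `(FontEntryPtr) 0`; one spelling should be used throughout. The function body continues outside the hunk.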