main/libxfont: security fixes for CVE-2014-0209, CVE-2014-0210, CVE-2014-0211

fixes #2885
author: Natanael Copa <ncopa@alpinelinux.org> 2014-05-14 08:49:55 +0000
committer: Natanael Copa <ncopa@alpinelinux.org> 2014-05-14 08:55:23 +0000
commit: 1476a4f2f4f84290a60b64a79123454f8227f80a (patch)
tree: 6178121c2e9ee894b105807fbfd428531f44af9f /main/libxfont/0007-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
parent: a6a8146d0f61ea71a7c3745d813f72fad268cc10 (diff)
download: aports-1476a4f2f4f84290a60b64a79123454f8227f80a.tar.bz2
aports-1476a4f2f4f84290a60b64a79123454f8227f80a.tar.xz
1 files changed, 52 insertions, 0 deletions
diff --git a/main/libxfont/0007-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch b/main/libxfont/0007-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
new file mode 100644
index 0000000000..b093bd9a83
--- /dev/null
+++ b/main/libxfont/0007-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
@@ -0,0 +1,52 @@
+From c578408c1fd4db09e4e3173f8a9e65c81cc187c1 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 25 Apr 2014 23:02:42 -0700
+Subject: [PATCH 07/12] CVE-2014-0211: integer overflow in
+ fs_read_extent_info()
+
+fs_read_extent_info() parses a reply from the font server.
+The reply contains a 32bit number of elements field which is used
+to calculate a buffer length. There is an integer overflow in this
+calculation which can lead to memory corruption.
+
+Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Adam Jackson <ajax@redhat.com>
+Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
+---
+ src/fc/fserve.c |   12 +++++++++++-
+ 1 file changed, 11 insertions(+), 1 deletion(-)
+
+diff --git a/src/fc/fserve.c b/src/fc/fserve.c
+index ec5336e..96abd0e 100644
+--- a/src/fc/fserve.c
++++ b/src/fc/fserve.c
+@@ -70,6 +70,7 @@ in this Software without prior written authorization from The Open Group.
+ #include	"fservestr.h"
+ #include	<X11/fonts/fontutil.h>
+ #include	<errno.h>
++#include	<limits.h>
+ 
+ #include	<time.h>
+ #define Time_t time_t
+@@ -1050,7 +1051,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
+ 	numInfos *= 2;
+ 	haveInk = TRUE;
+     }
+-    ci = pCI = malloc(sizeof(CharInfoRec) * numInfos);
++    if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) {
++#ifdef DEBUG
++	fprintf(stderr,
++		"fsQueryXExtents16: numInfos (%d) >= %ld\n",
++		numInfos, (INT_MAX / sizeof(CharInfoRec)));
++#endif
++	pCI = NULL;
++    }
++    else
++	pCI = malloc(sizeof(CharInfoRec) * numInfos);
+ 
+     if (!pCI)
+     {
+-- 
+1.7.10
+
author	Natanael Copa <ncopa@alpinelinux.org>	2014-05-14 08:49:55 +0000
committer	Natanael Copa <ncopa@alpinelinux.org>	2014-05-14 08:55:23 +0000
commit	1476a4f2f4f84290a60b64a79123454f8227f80a (patch)
tree	6178121c2e9ee894b105807fbfd428531f44af9f /main/libxfont/0007-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch
parent	a6a8146d0f61ea71a7c3745d813f72fad268cc10 (diff)
download	aports-1476a4f2f4f84290a60b64a79123454f8227f80a.tar.bz2 aports-1476a4f2f4f84290a60b64a79123454f8227f80a.tar.xz