diff options
author | Natanael Copa <ncopa@alpinelinux.org> | 2015-05-05 06:49:48 +0000 |
---|---|---|
committer | Natanael Copa <ncopa@alpinelinux.org> | 2015-05-05 07:00:33 +0000 |
commit | c5f1ff545ff87ffa10bd27c349f185fe902a2844 (patch) | |
tree | f4568b17d7d4b62fc3142159189bc6d5b6eae903 /main/libxfont/0012-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch | |
parent | 87d2e400facc8da0681a7872a67de56bccd50c6c (diff) | |
download | aports-c5f1ff545ff87ffa10bd27c349f185fe902a2844.tar.bz2 aports-c5f1ff545ff87ffa10bd27c349f185fe902a2844.tar.xz |
main/libxfont: security upgrade to 1.4.9
Diffstat (limited to 'main/libxfont/0012-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch')
-rw-r--r-- | main/libxfont/0012-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch | 111 |
1 files changed, 0 insertions, 111 deletions
diff --git a/main/libxfont/0012-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch b/main/libxfont/0012-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch deleted file mode 100644 index 15971fbb41..0000000000 --- a/main/libxfont/0012-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch +++ /dev/null @@ -1,111 +0,0 @@ -From d338f81df1e188eb16e1d6aeea7f4800f89c1218 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Fri, 2 May 2014 19:24:17 -0700 -Subject: [PATCH 12/12] CVE-2014-0210: unvalidated length fields in - fs_read_list_info() - -fs_read_list_info() parses a reply from the font server. The reply -contains a number of additional data items with embedded length or -count fields, none of which are validated. This can cause out of -bound reads when looping over these items in the reply. - -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> ---- - src/fc/fserve.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ - 1 file changed, 54 insertions(+) - -diff --git a/src/fc/fserve.c b/src/fc/fserve.c -index 4dcdc04..c1cf9d6 100644 ---- a/src/fc/fserve.c -+++ b/src/fc/fserve.c -@@ -2491,6 +2491,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - FSBlockedListInfoPtr binfo = (FSBlockedListInfoPtr) blockrec->data; - fsListFontsWithXInfoReply *rep; - char *buf; -+ long bufleft; - FSFpePtr conn = (FSFpePtr) fpe->private; - fsPropInfo *pi; - fsPropOffset *po; -@@ -2527,6 +2528,7 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - } - - buf = (char *) rep + SIZEOF (fsListFontsWithXInfoReply); -+ bufleft = (rep->length << 2) - SIZEOF (fsListFontsWithXInfoReply); - - /* - * The original FS implementation didn't match -@@ -2535,19 +2537,71 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - */ - if (conn->fsMajorVersion <= 1) - { -+ if (rep->nameLength > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n", -+ (int) rep->nameLength, bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */ - memcpy (binfo->name, buf, rep->nameLength); - buf += _fs_pad_length (rep->nameLength); -+ bufleft -= _fs_pad_length (rep->nameLength); - } - pi = (fsPropInfo *) buf; -+ if (SIZEOF (fsPropInfo) > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: PropInfo length (%d) > bufleft (%ld)\n", -+ (int) SIZEOF (fsPropInfo), bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ bufleft -= SIZEOF (fsPropInfo); - buf += SIZEOF (fsPropInfo); - po = (fsPropOffset *) buf; -+ if (pi->num_offsets > (bufleft / SIZEOF (fsPropOffset))) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: offset length (%d * %d) > bufleft (%ld)\n", -+ pi->num_offsets, (int) SIZEOF (fsPropOffset), bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ bufleft -= pi->num_offsets * SIZEOF (fsPropOffset); - buf += pi->num_offsets * SIZEOF (fsPropOffset); - pd = (pointer) buf; -+ if (pi->data_len > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: data length (%d) > bufleft (%ld)\n", -+ pi->data_len, bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ bufleft -= pi->data_len; - buf += pi->data_len; - if (conn->fsMajorVersion > 1) - { -+ if (rep->nameLength > bufleft) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsListFontsWithXInfo: name length (%d) > bufleft (%ld)\n", -+ (int) rep->nameLength, bufleft); -+#endif -+ err = AllocError; -+ goto done; -+ } -+ /* binfo->name is a 256 char array, rep->nameLength is a CARD8 */ - memcpy (binfo->name, buf, rep->nameLength); - buf += _fs_pad_length (rep->nameLength); -+ bufleft -= _fs_pad_length (rep->nameLength); - } - - #ifdef DEBUG --- -1.7.10 - |