Diffstat (limited to 'main/libxfont/0001-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch')
-rw-r--r-- | main/libxfont/0001-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch | 47 |
1 files changed, 0 insertions, 47 deletions
diff --git a/main/libxfont/0001-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch b/main/libxfont/0001-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch
deleted file mode 100644
index 1f57476558..0000000000
--- a/main/libxfont/0001-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From 2f5e57317339c526e6eaee1010b0e2ab8089c42e Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 25 Apr 2014 23:01:11 -0700
-Subject: [PATCH 01/12] CVE-2014-0209: integer overflow of realloc() size in
- FontFileAddEntry()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-FontFileReadDirectory() opens a fonts.dir file, and reads over every
-line in an fscanf loop. For each successful entry read (font name,
-file name) a call is made to FontFileAddFontFile().
-
-FontFileAddFontFile() will add a font file entry (for the font name
-and file) each time it’s called, by calling FontFileAddEntry().
-FontFileAddEntry() will do the actual adding. If the table it has
-to add to is full, it will do a realloc, adding 100 more entries
-to the table size without checking to see if that will overflow the
-int used to store the size.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/fontfile/fontdir.c | 5 +++++
- 1 file changed, 5 insertions(+)
-
-diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
-index ef7ffa5..7271603 100644
---- a/src/fontfile/fontdir.c
-+++ b/src/fontfile/fontdir.c
-@@ -177,6 +177,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
- if (table->sorted)
- return (FontEntryPtr) 0; /* "cannot" happen */
- if (table->used == table->size) {
-+ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
-+ /* If we've read so many entries we're going to ask for 2gb
-+ or more of memory, something is so wrong with this font
-+ directory that we should just give up before we overflow. */
-+ return NULL;
- newsize = table->size + 100;
- entry = realloc(table->entries, newsize * sizeof(FontEntryRec));
- if (!entry)
---
-1.7.10
- |