diff options
Diffstat (limited to 'main/libxfont/0002-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch')
| -rw-r--r-- | main/libxfont/0002-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch | 50 |
1 files changed, 0 insertions, 50 deletions
diff --git a/main/libxfont/0002-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch b/main/libxfont/0002-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch deleted file mode 100644 index 2cd080581a..0000000000 --- a/main/libxfont/0002-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch +++ /dev/null @@ -1,50 +0,0 @@ -From 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Fri, 25 Apr 2014 23:01:48 -0700 -Subject: [PATCH 02/12] CVE-2014-0209: integer overflow of realloc() size in - lexAlias() - -lexAlias() reads from a file in a loop. It does this by starting with a -64 byte buffer. If that size limit is hit, it does a realloc of the -buffer size << 1, basically doubling the needed length every time the -length limit is hit. - -Eventually, this will shift out to 0 (for a length of ~4gig), and that -length will be passed on to realloc(). A length of 0 (with a valid -pointer) causes realloc to free the buffer on most POSIX platforms, -but the caller will still have a pointer to it, leading to use after -free issues. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Reviewed-by: Adam Jackson <ajax@redhat.com> -Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> ---- - src/fontfile/dirfile.c | 4 ++++ - 1 file changed, 4 insertions(+) - -diff --git a/src/fontfile/dirfile.c b/src/fontfile/dirfile.c -index cb28333..38ced75 100644 ---- a/src/fontfile/dirfile.c -+++ b/src/fontfile/dirfile.c -@@ -42,6 +42,7 @@ in this Software without prior written authorization from The Open Group. - #include <sys/types.h> - #include <sys/stat.h> - #include <errno.h> -+#include <limits.h> - - static Bool AddFileNameAliases ( FontDirectoryPtr dir ); - static int ReadFontAlias ( char *directory, Bool isFile, -@@ -376,6 +377,9 @@ lexAlias(FILE *file, char **lexToken) - int nsize; - char *nbuf; - -+ if (tokenSize >= (INT_MAX >> 2)) -+ /* Stop before we overflow */ -+ return EALLOC; - nsize = tokenSize ? (tokenSize << 1) : 64; - nbuf = realloc(tokenBuf, nsize); - if (!nbuf) --- -1.7.10 - |