diff options
Diffstat (limited to 'main/libxfont/0007-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch')
| -rw-r--r-- | main/libxfont/0007-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch | 52 |
1 files changed, 0 insertions, 52 deletions
diff --git a/main/libxfont/0007-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch b/main/libxfont/0007-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch deleted file mode 100644 index b093bd9a83..0000000000 --- a/main/libxfont/0007-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch +++ /dev/null @@ -1,52 +0,0 @@ -From c578408c1fd4db09e4e3173f8a9e65c81cc187c1 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Fri, 25 Apr 2014 23:02:42 -0700 -Subject: [PATCH 07/12] CVE-2014-0211: integer overflow in - fs_read_extent_info() - -fs_read_extent_info() parses a reply from the font server. -The reply contains a 32bit number of elements field which is used -to calculate a buffer length. There is an integer overflow in this -calculation which can lead to memory corruption. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Reviewed-by: Adam Jackson <ajax@redhat.com> -Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> ---- - src/fc/fserve.c | 12 +++++++++++- - 1 file changed, 11 insertions(+), 1 deletion(-) - -diff --git a/src/fc/fserve.c b/src/fc/fserve.c -index ec5336e..96abd0e 100644 ---- a/src/fc/fserve.c -+++ b/src/fc/fserve.c -@@ -70,6 +70,7 @@ in this Software without prior written authorization from The Open Group. - #include "fservestr.h" - #include <X11/fonts/fontutil.h> - #include <errno.h> -+#include <limits.h> - - #include <time.h> - #define Time_t time_t -@@ -1050,7 +1051,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - numInfos *= 2; - haveInk = TRUE; - } -- ci = pCI = malloc(sizeof(CharInfoRec) * numInfos); -+ if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXExtents16: numInfos (%d) >= %ld\n", -+ numInfos, (INT_MAX / sizeof(CharInfoRec))); -+#endif -+ pCI = NULL; -+ } -+ else -+ pCI = malloc(sizeof(CharInfoRec) * numInfos); - - if (!pCI) - { --- -1.7.10 - |