Diffstat (limited to 'main/libxfont/0008-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs.patch')
-rw-r--r-- | main/libxfont/0008-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs.patch | 38 |
1 files changed, 0 insertions, 38 deletions
diff --git a/main/libxfont/0008-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs.patch b/main/libxfont/0008-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs.patch
deleted file mode 100644
index 4de103cabd..0000000000
--- a/main/libxfont/0008-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs.patch
+++ /dev/null
@@ -1,38 +0,0 @@
-From a42f707f8a62973f5e8bbcd08afb10a79e9cee33 Mon Sep 17 00:00:00 2001
-From: Alan Coopersmith <alan.coopersmith@oracle.com>
-Date: Fri, 25 Apr 2014 23:02:54 -0700
-Subject: [PATCH 08/12] CVE-2014-0211: integer overflow in fs_alloc_glyphs()
-
-fs_alloc_glyphs() is a malloc wrapper used by the font code.
-It contains a classic integer overflow in the malloc() call,
-which can cause memory corruption.
-
-Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
-Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-Reviewed-by: Adam Jackson <ajax@redhat.com>
-Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
----
- src/fc/fsconvert.c | 7 ++++++-
- 1 file changed, 6 insertions(+), 1 deletion(-)
-
-diff --git a/src/fc/fsconvert.c b/src/fc/fsconvert.c
-index dfa1317..18b0c0d 100644
----- a/src/fc/fsconvert.c
-+++ b/src/fc/fsconvert.c
-@@ -721,7 +721,12 @@ fs_alloc_glyphs (FontPtr pFont, int size)
- FSGlyphPtr glyphs;
- FSFontPtr fsfont = (FSFontPtr) pFont->fontPrivate;
-
-- glyphs = malloc (sizeof (FSGlyphRec) + size);
-+ if (size < (INT_MAX - sizeof (FSGlyphRec)))
-+ glyphs = malloc (sizeof (FSGlyphRec) + size);
-+ else
-+ glyphs = NULL;
-+ if (glyphs == NULL)
-+ return NULL;
- glyphs->next = fsfont->glyphs;
- fsfont->glyphs = glyphs;
- return (pointer) (glyphs + 1);
----
-1.7.10
- |