diff options
Diffstat (limited to 'main/libxfont/0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch')
| -rw-r--r-- | main/libxfont/0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch | 79 |
1 files changed, 0 insertions, 79 deletions
diff --git a/main/libxfont/0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch b/main/libxfont/0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch deleted file mode 100644 index 4d40c5cf54..0000000000 --- a/main/libxfont/0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch +++ /dev/null @@ -1,79 +0,0 @@ -From 520683652564c2a4e42328ae23eef9bb63271565 Mon Sep 17 00:00:00 2001 -From: Alan Coopersmith <alan.coopersmith@oracle.com> -Date: Fri, 25 Apr 2014 23:03:24 -0700 -Subject: [PATCH 10/12] CVE-2014-0210: unvalidated length fields in - fs_read_glyphs() - -fs_read_glyphs() parses a reply from the font server. The reply -contains embedded length fields, none of which are validated. -This can cause out of bound reads when looping over the glyph -bitmaps in the reply. - -Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> -Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> -Reviewed-by: Adam Jackson <ajax@redhat.com> -Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> ---- - src/fc/fserve.c | 29 ++++++++++++++++++++++++++++- - 1 file changed, 28 insertions(+), 1 deletion(-) - -diff --git a/src/fc/fserve.c b/src/fc/fserve.c -index 232e969..581bb1b 100644 ---- a/src/fc/fserve.c -+++ b/src/fc/fserve.c -@@ -1907,6 +1907,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - FontInfoPtr pfi = &pfont->info; - fsQueryXBitmaps16Reply *rep; - char *buf; -+ long bufleft; /* length of reply left to use */ - fsOffset32 *ppbits; - fsOffset32 local_off; - char *off_adr; -@@ -1938,9 +1939,33 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - buf = (char *) rep; - buf += SIZEOF (fsQueryXBitmaps16Reply); - -+ bufleft = rep->length << 2; -+ bufleft -= SIZEOF (fsQueryXBitmaps16Reply); -+ -+ if ((bufleft / SIZEOF (fsOffset32)) < rep->num_chars) -+ { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXBitmaps16: num_chars (%d) > bufleft (%ld) / %d\n", -+ rep->num_chars, bufleft, SIZEOF (fsOffset32)); -+#endif -+ err = AllocError; -+ goto bail; -+ } - ppbits = (fsOffset32 *) buf; - buf += SIZEOF (fsOffset32) * (rep->num_chars); -+ bufleft -= SIZEOF (fsOffset32) * (rep->num_chars); - -+ if (bufleft < rep->nbytes) -+ { -+#ifdef DEBUG -+ fprintf(stderr, -+ "fsQueryXBitmaps16: nbytes (%d) > bufleft (%ld)\n", -+ rep->nbytes, bufleft); -+#endif -+ err = AllocError; -+ goto bail; -+ } - pbitmaps = (pointer ) buf; - - if (blockrec->type == FS_LOAD_GLYPHS) -@@ -1998,7 +2023,9 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) - */ - if (NONZEROMETRICS(&fsdata->encoding[minchar].metrics)) - { -- if (local_off.length) -+ if (local_off.length && -+ (local_off.position < rep->nbytes) && -+ (local_off.length <= (rep->nbytes - local_off.position))) - { - bits = allbits; - allbits += local_off.length; --- -1.7.10 - |