diff options
Diffstat (limited to 'main/libxfont/0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch')
-rw-r--r-- | main/libxfont/0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch | 79 |
1 files changed, 79 insertions, 0 deletions
diff --git a/main/libxfont/0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch b/main/libxfont/0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch new file mode 100644 index 0000000000..4d40c5cf54 --- /dev/null +++ b/main/libxfont/0010-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch @@ -0,0 +1,79 @@ +From 520683652564c2a4e42328ae23eef9bb63271565 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri, 25 Apr 2014 23:03:24 -0700 +Subject: [PATCH 10/12] CVE-2014-0210: unvalidated length fields in + fs_read_glyphs() + +fs_read_glyphs() parses a reply from the font server. The reply +contains embedded length fields, none of which are validated. +This can cause out of bound reads when looping over the glyph +bitmaps in the reply. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Adam Jackson <ajax@redhat.com> +Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> +--- + src/fc/fserve.c | 29 ++++++++++++++++++++++++++++- + 1 file changed, 28 insertions(+), 1 deletion(-) + +diff --git a/src/fc/fserve.c b/src/fc/fserve.c +index 232e969..581bb1b 100644 +--- a/src/fc/fserve.c ++++ b/src/fc/fserve.c +@@ -1907,6 +1907,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + FontInfoPtr pfi = &pfont->info; + fsQueryXBitmaps16Reply *rep; + char *buf; ++ long bufleft; /* length of reply left to use */ + fsOffset32 *ppbits; + fsOffset32 local_off; + char *off_adr; +@@ -1938,9 +1939,33 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + buf = (char *) rep; + buf += SIZEOF (fsQueryXBitmaps16Reply); + ++ bufleft = rep->length << 2; ++ bufleft -= SIZEOF (fsQueryXBitmaps16Reply); ++ ++ if ((bufleft / SIZEOF (fsOffset32)) < rep->num_chars) ++ { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXBitmaps16: num_chars (%d) > bufleft (%ld) / %d\n", ++ rep->num_chars, bufleft, SIZEOF (fsOffset32)); ++#endif ++ err = AllocError; ++ goto bail; ++ } + ppbits = (fsOffset32 *) buf; + buf += SIZEOF (fsOffset32) * (rep->num_chars); ++ bufleft -= SIZEOF (fsOffset32) * (rep->num_chars); + ++ if (bufleft < rep->nbytes) ++ { ++#ifdef DEBUG ++ fprintf(stderr, ++ "fsQueryXBitmaps16: nbytes (%d) > bufleft (%ld)\n", ++ rep->nbytes, bufleft); ++#endif ++ err = AllocError; ++ goto bail; ++ } + pbitmaps = (pointer ) buf; + + if (blockrec->type == FS_LOAD_GLYPHS) +@@ -1998,7 +2023,9 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec) + */ + if (NONZEROMETRICS(&fsdata->encoding[minchar].metrics)) + { +- if (local_off.length) ++ if (local_off.length && ++ (local_off.position < rep->nbytes) && ++ (local_off.length <= (rep->nbytes - local_off.position))) + { + bits = allbits; + allbits += local_off.length; +-- +1.7.10 + |