Skip to content

N
nx-libs
Switch branch/tag
Find file
BlameHistoryPermalink
  • Mihai Moldovan's avatar
    CVE patches were previously not included in release tarballs. · 96efadac
    Mihai Moldovan authored 
    Rename:
    - 1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-lib-X.patch =>
      1001-LZW-decompress-fix-for-CVE-2011-2895-From-xorg-.full.patch
    - 1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.-ups.patch =>
      1002-Fix-CVE-2011-4028-File-disclosure-vulnerability.full.patch
    - 1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageText-C.patch =>
      1003-Avoid-use-after-free-in-dix-dixfonts.c-doImageT.full.patch
    - 1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-buffe.patch =>
      1004-CVE-2013-6462-unlimited-sscanf-overflows-stack-.full.patch
    - 1005-CVE-2014-0209-integer-overflow-of-realloc-size-in-Fo.patch =>
      1005-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch
    - 1006-CVE-2014-0209-integer-overflow-of-realloc-size-in-le.patch =>
      1006-CVE-2014-0209-integer-overflow-of-realloc-size-.full.patch
    - 1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_conn_se.patch =>
      1007-CVE-2014-0210-unvalidated-length-in-_fs_recv_co.full.patch
    - 1008-Don-t-crash-when-we-receive-an-FS_Error-from-the-fon.patch =>
      1008-Don-t-crash-when-we-receive-an-FS_Error-from-th.full.patch
    - 1009-CVE-2014-0210-unvalidated-lengths-when-reading-repli.patch =>
      1009-CVE-2014-0210-unvalidated-lengths-when-reading-.full.patch
    - 1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch =>
      1010-CVE-2014-0211-Integer-overflow-in-fs_get_reply-.full.patch
    - 1011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_q.patch =>
      1011-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
    - 1012-CVE-2014-0211-integer-overflow-in-fs_read_extent_inf.patch =>
      1012-CVE-2014-0211-integer-overflow-in-fs_read_exten.full.patch
    - 1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs-fr.patch =>
      1013-CVE-2014-0211-integer-overflow-in-fs_alloc_glyp.full.patch
    - 1014-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch =>
      1014-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
    - 1015-CVE-2014-0210-unvalidated-length-fields-in-fs_read_g.patch =>
      1015-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
    - 1016-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch =>
      1016-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
    - 1017-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch =>
      1017-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch
    - 1018-unchecked-malloc-may-allow-unauthed-client-to-crash-.patch =>
      1018-unchecked-malloc-may-allow-unauthed-client-to-c.full.patch
    - 1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8092-1.patch =>
      1019-dix-integer-overflow-in-ProcPutImage-CVE-2014-8.full.patch
    - 1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-2-4.patch =>
      1020-dix-integer-overflow-in-GetHosts-CVE-2014-8092-.full.patch
    - 1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8092-3.patch =>
      1021-dix-integer-overflow-in-RegionSizeof-CVE-2014-8.full.patch
    - 1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-2014-.patch =>
      1022-dix-integer-overflow-in-REQUEST_FIXED_SIZE-CVE-.full.patch
    - 1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls-CVE-.patch =>
      1023-dbe-unvalidated-lengths-in-DbeSwapBuffers-calls.full.patch
    - 1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-2014-.patch =>
      1024-Xi-unvalidated-lengths-in-Xinput-extension-CVE-.full.patch
    - 1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDList-C.patch =>
      1025-xcmisc-unvalidated-length-in-SProcXCMiscGetXIDL.full.patch
    - 1026-Xv-unvalidated-lengths-in-XVideo-extension-swapped-p.patch =>
      1026-Xv-unvalidated-lengths-in-XVideo-extension-swap.full.patch
    - 1027-render-check-request-size-before-reading-it-CVE-2014.patch =>
      1027-render-check-request-size-before-reading-it-CVE.full.patch
    - 1028-render-unvalidated-lengths-in-Render-extn.-swapped-p.patch =>
      1028-render-unvalidated-lengths-in-Render-extn.-swap.full.patch
    - 1029-xfixes-unvalidated-length-in-SProcXFixesSelectSelect.patch =>
      1029-xfixes-unvalidated-length-in-SProcXFixesSelectS.full.patch
    - 1030-randr-unvalidated-lengths-in-RandR-extension-swapped.patch =>
      1030-randr-unvalidated-lengths-in-RandR-extension-sw.full.patch
    - 1031-glx-Be-more-paranoid-about-variable-length-requests-.patch =>
      1031-glx-Be-more-paranoid-about-variable-length-requ.full.patch
    - 1032-glx-Be-more-strict-about-rejecting-invalid-image-siz.patch =>
      1032-glx-Be-more-strict-about-rejecting-invalid-imag.full.patch
    - 1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer-__GL.patch =>
      1033-glx-Additional-paranoia-in-__glXGetAnswerBuffer.full.patch
    - 1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-v4.patch =>
      1034-glx-Add-safe_-add-mul-pad-v3-CVE-2014-8093-4-6-.full.patch
    - 1035-glx-Length-checking-for-GLXRender-requests-v2-CVE-20.patch =>
      1035-glx-Length-checking-for-GLXRender-requests-v2-C.full.patch
    - 1036-glx-Integer-overflow-protection-for-non-generated-re.patch =>
      1036-glx-Integer-overflow-protection-for-non-generat.full.patch
    - 1037-glx-Top-level-length-checking-for-swapped-VendorPriv.patch =>
      1037-glx-Top-level-length-checking-for-swapped-Vendo.full.patch
    - 1038-glx-Length-checking-for-non-generated-single-request.patch =>
      1038-glx-Length-checking-for-non-generated-single-re.full.patch
    - 1039-glx-Length-checking-for-RenderLarge-requests-v2-CVE-.patch =>
      1039-glx-Length-checking-for-RenderLarge-requests-v2.full.patch
    - 1040-glx-Pass-remaining-request-length-into-varsize-v2-CV.patch =>
      1040-glx-Pass-remaining-request-length-into-varsize-.full.patch
    - 1041-nx-X11-lib-font-fc-fserve.c-initialize-remaining-buf.patch =>
      1041-nx-X11-lib-font-fc-fserve.c-initialize-remainin.full.patch
    - 1042-Do-proper-input-validation-to-fix-for-CVE-2011-2895.patch =>
      1042-Do-proper-input-validation-to-fix-for-CVE-2011-.full.patch
    - 1101-Coverity-844-845-846-Fix-memory-leaks.patch =>
      1101-Coverity-844-845-846-Fix-memory-leaks.full.patch
    - 1102-include-introduce-byte-counting-functions.patch =>
      1102-include-introduce-byte-counting-functions.full.patch
    - 1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input-buff.patch =>
      1103-xkb-Don-t-swap-XkbSetGeometry-data-in-the-input.full.patch
    - 1104-xkb-Check-strings-length-against-request-size.patch =>
      1104-xkb-Check-strings-length-against-request-size.full.patch
    96efadac
1011-CVE-2014-0210-unvalidated-length-fields-in-fs_r.full.patch 4.33 KB
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 
From e29bbd5bf0565eaf7c02f85a57b87f66531fa6b3 Mon Sep 17 00:00:00 2001
From: Mike DePaulo <mikedep333@gmail.com>
Date: Sun, 8 Feb 2015 22:08:09 -0500
Subject: [PATCH 11/40] CVE-2014-0210: unvalidated length fields in
 fs_read_query_info() from xorg/lib/libXfont commit
 491291cabf78efdeec8f18b09e14726a9030cc8f

fs_read_query_info() parses a reply from the font server.  The reply
contains embedded length fields, none of which are validated.  This
can cause out of bound reads in either fs_read_query_info() or in
_fs_convert_props() which it calls to parse the fsPropInfo in the reply.

v2: apply correctly on nx-libs 3.6.x (Mihai Moldovan)
---
 nx-X11/lib/font/fc/fsconvert.c | 19 ++++++++++++++-----
 nx-X11/lib/font/fc/fserve.c    | 43 +++++++++++++++++++++++++++++++++++++++---
 2 files changed, 54 insertions(+), 8 deletions(-)

diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
index 9a5e194..afa2c32 100644
--- a/nx-X11/lib/font/fc/fsconvert.c
+++ b/nx-X11/lib/font/fc/fsconvert.c
@@ -123,6 +123,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
     for (i = 0; i < nprops; i++, dprop++, is_str++) 
     {
 	memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
+	if ((local_off.name.position >= pi->data_len) ||
+		(local_off.name.length >
+		 (pi->data_len - local_off.name.position)))
+	    goto bail;
 	dprop->name = MakeAtom(&pdc[local_off.name.position],
 			       local_off.name.length, 1);
 	if (local_off.type != PropTypeString) {
@@ -130,15 +134,20 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
 	    dprop->value = local_off.value.position;
 	} else {
 	    *is_str = TRUE;
+	    if ((local_off.value.position >= pi->data_len) ||
+			(local_off.value.length >
+			 (pi->data_len - local_off.value.position)))
+			goto bail;
 	    dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
 					    local_off.value.length, 1);
 	    if (dprop->value == BAD_RESOURCE)
 	    {
-		xfree (pfi->props);
-		pfi->nprops = 0;
-		pfi->props = 0;
-		pfi->isStringProp = 0;
-		return -1;
+		  bail:
+			xfree (pfi->props);
+			pfi->nprops = 0;
+			pfi->props = 0;
+			pfi->isStringProp = 0;
+			return -1;
 	    }
 	}
 	off_adr += SIZEOF(fsPropOffset);
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 9e652d2..75cabdd 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -866,6 +866,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
     FSFpePtr		conn = (FSFpePtr) fpe->private;
     fsQueryXInfoReply	*rep;
     char		*buf;
+    long		bufleft = 0; /* length of reply left to use */
     fsPropInfo		*pi;
     fsPropOffset	*po;
     pointer		pd;
@@ -896,7 +897,10 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 
     buf = (char *) rep;
     buf += SIZEOF(fsQueryXInfoReply);
-    
+ 
+    bufleft = rep->length << 2;
+    bufleft -= SIZEOF(fsQueryXInfoReply);
+
     /* move the data over */
     fsUnpack_XFontInfoHeader(rep, pInfo);
     
@@ -904,19 +908,52 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
     _fs_init_fontinfo(conn, pInfo);
 
     /* Compute offsets into the reply */
+    if (bufleft < SIZEOF(fsPropInfo))
+    {
+	ret = -1;
+#ifdef DEBUG
+	fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n",
+		bufleft);
+#endif
+	goto bail;
+    }
     pi = (fsPropInfo *) buf;
     buf += SIZEOF (fsPropInfo);
-    
+    bufleft -= SIZEOF (fsPropInfo);
+
+    if ((bufleft / SIZEOF (fsPropOffset)) < pi->num_offsets)
+    {
+	ret = -1;
+#ifdef DEBUG
+	fprintf(stderr,
+		"fsQueryXInfo: (bufleft / SIZEOF (fsPropOffset)) (%ld) < pi->num_offsets (%d)\n",
+		bufleft / SIZEOF (fsPropOffset), pi->num_offsets);
+#endif
+	goto bail;
+    }
     po = (fsPropOffset *) buf;
     buf += pi->num_offsets * SIZEOF(fsPropOffset);
+    bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
 
+    if (bufleft < pi->data_len)
+    {
+	ret = -1;
+#ifdef DEBUG
+	fprintf(stderr,
+		"fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
+		bufleft, pi->data_len);
+#endif
+	goto bail;
+    }
     pd = (pointer) buf;
     buf += pi->data_len;
+    bufleft -= pi->data_len;
     
     /* convert the properties and step over the reply */
     ret = _fs_convert_props(pi, po, pd, pInfo);
+  bail:    
     _fs_done_read (conn, rep->length << 2);
-    
+
     if (ret == -1)
     {
 	fs_cleanup_bfont (bfont);
-- 
2.1.4