Commit 31322c2b authored by Mike DePaulo's avatar Mike DePaulo Committed by Mihai Moldovan

CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from…

CVE-2014-0210: unvalidated length in _fs_recv_conn_setup() from xorg/lib/libXfont commit 891e084b26837162b12f841060086a105edde86d The connection setup reply from the font server can include a list of alternate servers to contact if this font server stops working. The reply specifies a total size of all the font server names, and then provides a list of names. _fs_recv_conn_setup() allocated the specified total size for copying the names to, but didn't check to make sure it wasn't copying more data to that buffer than the size it had allocated. v2: use xfree() instead of free() for nx-libs 3.6.x (Mihai Moldovan)
parent c0d0e373
...@@ -2985,7 +2985,7 @@ _fs_recv_conn_setup (FSFpePtr conn) ...@@ -2985,7 +2985,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
int ret; int ret;
fsConnSetup *setup; fsConnSetup *setup;
FSFpeAltPtr alts; FSFpeAltPtr alts;
int i, alt_len; unsigned int i, alt_len;
int setup_len; int setup_len;
char *alt_save, *alt_names; char *alt_save, *alt_names;
...@@ -3012,9 +3012,9 @@ _fs_recv_conn_setup (FSFpePtr conn) ...@@ -3012,9 +3012,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
} }
if (setup->num_alternates) if (setup->num_alternates)
{ {
size_t alt_name_len = setup->alternate_len << 2;
alts = (FSFpeAltPtr) xalloc (setup->num_alternates * alts = (FSFpeAltPtr) xalloc (setup->num_alternates *
sizeof (FSFpeAltRec) + sizeof (FSFpeAltRec) + alt_name_len);
(setup->alternate_len << 2));
if (alts) if (alts)
{ {
alt_names = (char *) (setup + 1); alt_names = (char *) (setup + 1);
...@@ -3023,10 +3023,25 @@ _fs_recv_conn_setup (FSFpePtr conn) ...@@ -3023,10 +3023,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
{ {
alts[i].subset = alt_names[0]; alts[i].subset = alt_names[0];
alt_len = alt_names[1]; alt_len = alt_names[1];
if (alt_len >= alt_name_len) {
/*
* Length is longer than setup->alternate_len
* told us to allocate room for, assume entire
* alternate list is corrupted.
*/
#ifdef DEBUG
fprintf (stderr,
"invalid alt list (length %lx >= %lx)\n",
(long) alt_len, (long) alt_name_len);
#endif
xfree(alts);
return FSIO_ERROR;
}
alts[i].name = alt_save; alts[i].name = alt_save;
memcpy (alt_save, alt_names + 2, alt_len); memcpy (alt_save, alt_names + 2, alt_len);
alt_save[alt_len] = '\0'; alt_save[alt_len] = '\0';
alt_save += alt_len + 1; alt_save += alt_len + 1;
alt_name_len -= alt_len + 1;
alt_names += _fs_pad_length (alt_len + 2); alt_names += _fs_pad_length (alt_len + 2);
} }
conn->numAlts = setup->num_alternates; conn->numAlts = setup->num_alternates;
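Review bot: The per-name length at `alt_len = alt_names[1];` is read through a plain `char` (`alt_names` is declared `char *` on the line above the hunk), so on targets where `char` is signed a length byte of 128–255 becomes a negative value, converts to a very large `unsigned int`, and trips the new `alt_len >= alt_name_len` check, rejecting a reply that would otherwise fit in the space allocated from `setup->alternate_len`; reading it as `alt_len = (unsigned char) alt_names[1];` keeps the bound check and the (presumably unsigned) byte-length field in agreement. The added check bounds only the writes into `alt_save`; the reads of `alt_names[0]`, `alt_names[1]` and the `memcpy` source stay inside the received reply only if `setup->alternate_len << 2` has already been validated against `setup_len`, which is not visible in these hunks and is worth confirming before relying on this fix alone. The `for` loop header and the rest of `_fs_recv_conn_setup` lie outside the hunk.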
......