Revert "CVE-2014-0210: unvalidated length fields in fs_read_query_info() from…

Revert "CVE-2014-0210: unvalidated length fields in fs_read_query_info() from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f" This reverts commit c6aebf92.

Revert "CVE-2014-0210: unvalidated length fields in fs_read_query_info() from…
5fc2f57f · Mihai Moldovan · 1ea1cd8c · 5fc2f57f · 5fc2f57f
Commit 5fc2f57f authored Feb 16, 2015 by Mihai Moldovan
Show whitespace changes
Inline Side-by-side

Showing with 0 additions and 45 deletions

fsconvert.c nx-X11/lib/font/fc/fsconvert.c +0 -9

fserve.c nx-X11/lib/font/fc/fserve.c +0 -36

No files found.
--- a/nx-X11/lib/font/fc/fsconvert.c
+++ b/nx-X11/lib/font/fc/fsconvert.c
@@ -123,10 +123,6 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
    for (i = 0; i < nprops; i++, dprop++, is_str++) 
    {
 	memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
-	if ((local_off.name.position >= pi->data_len) ||
-		(local_off.name.length >
-		 (pi->data_len - local_off.name.position)))
-	    goto bail;
 	dprop->name = MakeAtom(&pdc[local_off.name.position],
 			       local_off.name.length, 1);
 	if (local_off.type != PropTypeString) {
@@ -134,15 +130,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
 	    dprop->value = local_off.value.position;
 	} else {
 	    *is_str = TRUE;
-	    if ((local_off.value.position >= pi->data_len) ||
-			(local_off.value.length >
-			 (pi->data_len - local_off.value.position)))
-			goto bail;
 	    dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
 					    local_off.value.length, 1);
 	    if (dprop->value == BAD_RESOURCE)
 	    {
-		  bail:
 		xfree (pfi->props);
 		pfi->nprops = 0;
 		pfi->props = 0;

--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -866,7 +866,6 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
    FSFpePtr		conn = (FSFpePtr) fpe->private;
    fsQueryXInfoReply	*rep;
    char		*buf;
-    long		bufleft; /* length of reply left to use */
    fsPropInfo		*pi;
    fsPropOffset	*po;
    pointer		pd;
@@ -898,9 +897,6 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
    buf = (char *) rep;
    buf += SIZEOF(fsQueryXInfoReply);
    
-    bufleft = rep->length << 2;
-    bufleft -= SIZEOF(fsQueryXInfoReply);
-
    /* move the data over */
    fsUnpack_XFontInfoHeader(rep, pInfo);
    
@@ -908,49 +904,17 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
    _fs_init_fontinfo(conn, pInfo);

    /* Compute offsets into the reply */
-    if (bufleft < SIZEOF(fsPropInfo))
-    {
-	ret = -1;
-#ifdef DEBUG
-	fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n",
-		bufleft);
-#endif
-	goto bail;
-    }
    pi = (fsPropInfo *) buf;
    buf += SIZEOF (fsPropInfo);
-    bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
    
-    if (bufleft < pi->data_len)
-    {
-	ret = -1;
-#ifdef DEBUG
-	fprintf(stderr,
-		"fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
-		bufleft, pi->data_len);
-#endif
-	goto bail;
-    }
    po = (fsPropOffset *) buf;
    buf += pi->num_offsets * SIZEOF(fsPropOffset);
-    bufleft -= pi->data_len;

-    {
-	ret = -1;
-#ifdef DEBUG
-	fprintf(stderr,
-		"fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
-		bufleft, pi->data_len);
-#endif
-	goto bail;
-    }
    pd = (pointer) buf;
    buf += pi->data_len;
-    bufleft -= pi->data_len;
    
    /* convert the properties and step over the reply */
    ret = _fs_convert_props(pi, po, pd, pInfo);
-  bail:    
    _fs_done_read (conn, rep->length << 2);
    
    if (ret == -1)