CVE-2014-0211: integer overflow in fs_alloc_glyphs() from xorg/lib/libXfont…

CVE-2014-0211: integer overflow in fs_alloc_glyphs() from xorg/lib/libXfont commit a42f707f8a62973f5e8bbcd08afb10a79e9cee33 fs_alloc_glyphs() is a malloc wrapper used by the font code. It contains a classic integer overflow in the malloc() call, which can cause memory corruption.

CVE-2014-0211: integer overflow in fs_alloc_glyphs() from xorg/lib/libXfont…
a0bed4d9 · Mike DePaulo · Mike Gabriel · bb7abd9d · a0bed4d9
Commit a0bed4d9 authored Feb 08, 2015 by Mike DePaulo Committed by Mike Gabriel Feb 14, 2015
Hide whitespace changes
Inline Side-by-side

Showing with 6 additions and 1 deletion

fsconvert.c nx-X11/lib/font/fc/fsconvert.c +6 -1

No files found.
--- a/nx-X11/lib/font/fc/fsconvert.c
+++ b/nx-X11/lib/font/fc/fsconvert.c
@@ -762,7 +762,12 @@ fs_alloc_glyphs (FontPtr pFont, int size)
    FSGlyphPtr	glyphs;
    FSFontPtr	fsfont = (FSFontPtr) pFont->fontPrivate;
-    glyphs = xalloc (sizeof (FSGlyphRec) + size);
+    if (size < (INT_MAX - sizeof (FSGlyphRec)))
+	glyphs = xalloc (sizeof (FSGlyphRec) + size);
+    else
+	glyphs = NULL;
+    if (glyphs == NULL)
+	return NULL;
    glyphs->next = fsfont->glyphs;
    fsfont->glyphs = glyphs;
    return (pointer) (glyphs + 1);