CVE-2014-0211: integer overflow in fs_read_extent_info() from xorg/lib/libXfont…

CVE-2014-0211: integer overflow in fs_read_extent_info() from xorg/lib/libXfont commit c578408c1fd4db09e4e3173f8a9e65c81cc187c1 fs_read_extent_info() parses a reply from the font server. The reply contains a 32bit number of elements field which is used to calculate a buffer length. There is an integer overflow in this calculation which can lead to memory corruption.

CVE-2014-0211: integer overflow in fs_read_extent_info() from xorg/lib/libXfont…
bb7abd9d · Mike DePaulo · Mike Gabriel · c6aebf92 · bb7abd9d
Commit bb7abd9d authored Feb 08, 2015 by Mike DePaulo Committed by Mike Gabriel Feb 14, 2015
Show whitespace changes
Inline Side-by-side

Showing with 11 additions and 1 deletion

fserve.c nx-X11/lib/font/fc/fserve.c +11 -1

No files found.
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -73,6 +73,7 @@ in this Software without prior written authorization from The Open Group.
 #include	"fservestr.h"
 #include	<X11/fonts/fontutil.h>
 #include	<errno.h>
+#include	<limits.h>

 #include	<time.h>
 #define Time_t time_t
@@ -1060,7 +1061,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 	numInfos *= 2;
 	haveInk = TRUE;
    }
-    ci = pCI = (CharInfoPtr) xalloc(sizeof(CharInfoRec) * numInfos);
+    if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) {
+#ifdef DEBUG
+	fprintf(stderr,
+		"fsQueryXExtents16: numInfos (%d) >= %ld\n",
+		numInfos, (INT_MAX / sizeof(CharInfoRec)));
+#endif
+	pCI = NULL;
+    }
+    else
+	pCI = malloc(sizeof(CharInfoRec) * numInfos);

    if (!pCI) 
    {