CVE-2014-0210: unvalidated length fields in fs_read_extent_info() from…

CVE-2014-0210: unvalidated length fields in fs_read_extent_info() from xorg/lib/libXfont commit a3f21421537620fc4e1f844a594a4bcd9f7e2bd8 Looping over the extents in the reply could go past the end of the reply buffer if the reply indicated more extents than could fit in the specified reply length.

CVE-2014-0210: unvalidated length fields in fs_read_extent_info() from…
d2b96c5d · Mike DePaulo · Mike Gabriel · a0bed4d9 · d2b96c5d
Commit d2b96c5d authored Feb 08, 2015 by Mike DePaulo Committed by Mike Gabriel Feb 14, 2015
Show whitespace changes
Inline Side-by-side

Showing with 10 additions and 0 deletions

fserve.c nx-X11/lib/font/fc/fserve.c +10 -0

No files found.
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -1069,6 +1069,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 #endif
 	pCI = NULL;
    }
+    else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply))
+			    / LENGTHOF(fsXCharInfo))) {
+#ifdef DEBUG
+	fprintf(stderr,
+		"fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n",
+		numExtents, rep->length,
+		LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo));
+#endif
+	pCI = NULL;
+    }
    else
 	pCI = malloc(sizeof(CharInfoRec) * numInfos);