CVE-2014-0210: unvalidated length fields in fs_read_list() from…

CVE-2014-0210: unvalidated length fields in fs_read_list() from xorg/lib/libXfont commit 5fa73ac18474be3032ee7af9c6e29deab163ea39 fs_read_list() parses a reply from the font server. The reply contains a list of strings with embedded length fields, none of which are validated. This can cause out of bound reads when looping over the strings in the reply.

CVE-2014-0210: unvalidated length fields in fs_read_list() from…
ef439da3 · Mike DePaulo · Mike Gabriel · ece51493 · ef439da3
Commit ef439da3 authored Feb 08, 2015 by Mike DePaulo Committed by Mike Gabriel Feb 14, 2015
Show whitespace changes
Inline Side-by-side

Showing with 15 additions and 0 deletions

fserve.c nx-X11/lib/font/fc/fserve.c +15 -0

No files found.
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -2365,6 +2365,7 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
    FSBlockedListPtr	blist = (FSBlockedListPtr) blockrec->data;
    fsListFontsReply	*rep;
    char		*data;
+    long		dataleft; /* length of reply left to use */
    int			length,
 			i,
 			ret;
@@ -2382,16 +2383,30 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 	return AllocError;
    }
    data = (char *) rep + SIZEOF (fsListFontsReply);
+    dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply);
    err = Successful;
    /* copy data into FontPathRecord */
    for (i = 0; i < rep->nFonts; i++) 
    {
+	if (dataleft < 1)
+	    break;
 	length = *(unsigned char *)data++;
+	dataleft--; /* used length byte */
+	if (length > dataleft) {
+#ifdef DEBUG
+	    fprintf(stderr,
+		    "fsListFonts: name length (%d) > dataleft (%ld)\n",
+		    length, dataleft);
+#endif
+	    err = BadFontName;
+	    break;
+	}
 	err = AddFontNamesName(blist->names, data, length);
 	if (err != Successful)
 	    break;
 	data += length;
+	dataleft -= length;
    }
    _fs_done_read (conn, rep->length << 2);
    return err;