CVE-2014-0209: integer overflow of realloc() size in FontFileAddEntry() from…

CVE-2014-0209: integer overflow of realloc() size in FontFileAddEntry() from xorg/lib/libXfont commit 2f5e57317339c526e6eaee1010b0e2ab8089c42e FontFileReadDirectory() opens a fonts.dir file, and reads over every line in an fscanf loop. For each successful entry read (font name, file name) a call is made to FontFileAddFontFile(). FontFileAddFontFile() will add a font file entry (for the font name and file) each time it’s called, by calling FontFileAddEntry(). FontFileAddEntry() will do the actual adding. If the table it has to add to is full, it will do a realloc, adding 100 more entries to the table size without checking to see if that will overflow the int used to store the size.

CVE-2014-0209: integer overflow of realloc() size in FontFileAddEntry() from…
f53f2474 · Mike DePaulo · Mike Gabriel · ac669437 · f53f2474
Commit f53f2474 authored Feb 08, 2015 by Mike DePaulo Committed by Mike Gabriel Feb 14, 2015
Show whitespace changes
Inline Side-by-side

Showing with 5 additions and 0 deletions

fontdir.c nx-X11/lib/font/fontfile/fontdir.c +5 -0

No files found.
--- a/nx-X11/lib/font/fontfile/fontdir.c
+++ b/nx-X11/lib/font/fontfile/fontdir.c
@@ -185,6 +185,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
    if (table->sorted)
 	return (FontEntryPtr) 0;    /* "cannot" happen */
    if (table->used == table->size) {
+	if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
+	    /* If we've read so many entries we're going to ask for 2gb
+	       or more of memory, something is so wrong with this font
+	       directory that we should just give up before we overflow. */
+	    return NULL;
 	newsize = table->size + 100;
 	entry = (FontEntryPtr) xrealloc(table->entries,
 					   newsize * sizeof(FontEntryRec));