    CVE-2014-0209: integer overflow of realloc() size in lexAlias() from… · 36f1dae7
    Mike DePaulo authored
    CVE-2014-0209: integer overflow of realloc() size in lexAlias() from xorg/lib/libXfont commit 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc
    
    lexAlias() reads from a file in a loop. It does this by starting with a
    64 byte buffer.  If that size limit is hit, it does a realloc of the
    buffer size << 1, basically doubling the needed length every time the
    length limit is hit.
    
    Eventually, this will shift out to 0 (for a length of ~4gig), and that
    length will be passed on to realloc().  A length of 0 (with a valid
    pointer) causes realloc to free the buffer on most POSIX platforms,
    but the caller will still have a pointer to it, leading to use after
    free issues.
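
The size arithmetic the commit message describes, as an added example (not code from libXfont or from this commit), next to a checked growth routine. The 32-bit unsigned size, `MAX_TOKEN_SIZE` and all function names are assumptions made for the illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#define INITIAL_SIZE 64u           /* starting buffer size from the commit message */
#define MAX_TOKEN_SIZE (1u << 20)  /* assumed cap for this example, not libXfont's */

/* Unchecked pattern: double on every "buffer full" event. A 32-bit unsigned
 * size models the wrap to 0 without undefined behaviour. */
static uint32_t unchecked_next_size(uint32_t size) { return size << 1; }

/* Count doublings from `start` until the size wraps to 0. */
static int doublings_until_zero(uint32_t start)
{
    int n = 0;
    for (; start != 0; n++)
        start = unchecked_next_size(start);
    return n;
}

/* Checked growth: refuse to double past the cap, so the size cannot wrap and
 * realloc() never sees 0. On failure *buf and *size are left unchanged. */
static int grow_buffer(char **buf, uint32_t *size)
{
    if (*size == 0 || *size > MAX_TOKEN_SIZE / 2)
        return -1;
    char *tmp = realloc(*buf, (size_t)*size << 1);
    if (tmp == NULL)
        return -1;                 /* caller still owns the old buffer */
    *buf = tmp;
    *size <<= 1;
    return 0;
}

/* Grow from INITIAL_SIZE until refused; returns the last size reached. */
static uint32_t grow_until_refused(void)
{
    uint32_t size = INITIAL_SIZE;
    char *buf = malloc(size);
    if (buf == NULL)
        return 0;
    while (grow_buffer(&buf, &size) == 0) { }
    free(buf);
    return size;
}

int main(void)
{
    printf("wrap after %d doublings, capped at %u bytes\n",
           doublings_until_zero(INITIAL_SIZE), (unsigned)grow_until_refused());
    return 0;
}
```

Assigning the `realloc()` result to a temporary first means a refused or failed growth never leaves the caller holding a freed pointer.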
Name
GL
X11
XRes
Xau
Xcomposite
Xcursor
Xdamage
Xdmcp
Xext
Xfixes
Xinerama
Xpm
Xrandr
Xrender
Xtst
Xxf86dga
Xxf86misc
Xxf86rush
Xxf86vm
font
misc
oldX
xkbfile
xkbui
xtrans
Imakefile