Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12-SP2:GA
libXfont.1655
u_0009-CVE-2014-0210-unvalidated-length-fields-...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File u_0009-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch of Package libXfont.1655
From 97c27af9e2dcb6127f7030f0bd35e9034e464f0f Mon Sep 17 00:00:00 2001 From: Alan Coopersmith <alan.coopersmith@oracle.com> Date: Fri, 25 Apr 2014 23:03:05 -0700 Subject: [PATCH:libXfont 09/12] CVE-2014-XXXB: unvalidated length fields in fs_read_extent_info() Looping over the extents in the reply could go past the end of the reply buffer if the reply indicated more extents than could fit in the specified reply length. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> --- src/fc/fserve.c | 10 ++++++++++ 1 file changed, 10 insertions(+) diff --git a/src/fc/fserve.c b/src/fc/fserve.c index 96abd0e..232e969 100644 --- a/src/fc/fserve.c +++ b/src/fc/fserve.c @@ -1059,6 +1059,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec) #endif pCI = NULL; } + else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply)) + / LENGTHOF(fsXCharInfo))) { +#ifdef DEBUG + fprintf(stderr, + "fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n", + numExtents, rep->length, + LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo)); +#endif + pCI = NULL; + } else pCI = malloc(sizeof(CharInfoRec) * numInfos); -- 1.7.9.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor