SUSE:SLE-12-SP2:GA
File u_0011-CVE-2014-0210-unvalidated-length-fields-in-fs_read_l.patch of Package libXfont.1655
From 70d50a17a3302f614bc3a8ee6a3f8258373e9301 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith <alan.coopersmith@oracle.com> Date: Fri, 2 May 2014 19:24:17 -0700 Subject: [PATCH:libXfont 11/12] CVE-2014-XXXB: unvalidated length fields in fs_read_list() fs_read_list() parses a reply from the font server. The reply contains a list of strings with embedded length fields, none of which are validated. This can cause out of bound reads when looping over the strings in the reply. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> --- src/fc/fserve.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/fc/fserve.c b/src/fc/fserve.c index 581bb1b..4dcdc04 100644 --- a/src/fc/fserve.c +++ b/src/fc/fserve.c @@ -2355,6 +2355,7 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec) FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data; fsListFontsReply *rep; char *data; + long dataleft; /* length of reply left to use */ int length, i, ret; @@ -2372,16 +2373,30 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec) return AllocError; } data = (char *) rep + SIZEOF (fsListFontsReply); + dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply); err = Successful; /* copy data into FontPathRecord */ for (i = 0; i < rep->nFonts; i++) { + if (dataleft < 1) + break; length = *(unsigned char *)data++; + dataleft--; /* used length byte */ + if (length > dataleft) { +#ifdef DEBUG + fprintf(stderr, + "fsListFonts: name length (%d) > dataleft (%ld)\n", + length, dataleft); +#endif + err = BadFontName; + break; + } err = AddFontNamesName(blist->names, data, length); if (err != Successful) break; data += length; + dataleft -= length; } _fs_done_read (conn, rep->length << 2); return err; -- 1.7.9.2
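Review bot: In the fs_read_list() loop, the new `if (dataleft < 1) break;` exit leaves err at Successful, so a reply whose nFonts claims more names than the remaining data can hold is accepted as a shorter list, while the `length > dataleft` case just below it returns BadFontName. Consider setting `err = BadFontName;` before that first break as well, or adding a comment explaining why a truncated list is tolerated, so that both malformed-reply paths are handled the same way. Separately, dataleft is computed from `rep->length << 2`, a field of the same server reply, so the new bound is only as trustworthy as the validation of rep->length against the bytes actually read into the buffer; that validation is not visible in this hunk and is worth confirming. The diagnostic for the oversized name is also compiled only under `#ifdef DEBUG`, so in normal builds a rejected reply leaves no trace beyond the BadFontName return value.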