File u_0008-CVE-2014-0211-integer-overflow-in-fs_all... of Package libXfont.1655

Overview Repositories Revisions Requests Users Attributes Meta

File u_0008-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs.patch of Package libXfont.1655

From df45b2104dca6457eece772fe6171c9215ca5a09 Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 25 Apr 2014 23:02:54 -0700
Subject: [PATCH:libXfont 08/12] CVE-2014-XXXC: integer overflow in
 fs_alloc_glyphs()

fs_alloc_glyphs() is a malloc wrapper used by the font code.
It contains a classic integer overflow in the malloc() call,
which can cause memory corruption.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
---
 src/fc/fsconvert.c |    7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)

diff --git a/src/fc/fsconvert.c b/src/fc/fsconvert.c
index dfa1317..18b0c0d 100644
--- a/src/fc/fsconvert.c
+++ b/src/fc/fsconvert.c
@@ -721,7 +721,12 @@ fs_alloc_glyphs (FontPtr pFont, int size)
     FSGlyphPtr	glyphs;
     FSFontPtr	fsfont = (FSFontPtr) pFont->fontPrivate;
 
-    glyphs = malloc (sizeof (FSGlyphRec) + size);
+    if (size < (INT_MAX - sizeof (FSGlyphRec)))
+	glyphs = malloc (sizeof (FSGlyphRec) + size);
+    else
+	glyphs = NULL;
+    if (glyphs == NULL)
+	return NULL;
     glyphs->next = fsfont->glyphs;
     fsfont->glyphs = glyphs;
     return (pointer) (glyphs + 1);
-- 
1.7.9.2

Places

File u_0008-CVE-2014-0211-integer-overflow-in-fs_alloc_glyphs.patch of Package libXfont.1655

Places