Sign Up
Log In
Log In
or
Sign Up
Places
All Projects
Status Monitor
Collapse sidebar
SUSE:SLE-12:Update
libXfont
u_0005-CVE-2014-0211-Integer-overflow-in-fs_get...
Overview
Repositories
Revisions
Requests
Users
Attributes
Meta
File u_0005-CVE-2014-0211-Integer-overflow-in-fs_get_reply-_fs_s.patch of Package libXfont
From 55e664ab0bafb35c67e5dfe5351209e792e7bafe Mon Sep 17 00:00:00 2001 From: Alan Coopersmith <alan.coopersmith@oracle.com> Date: Fri, 25 Apr 2014 23:02:25 -0700 Subject: [PATCH:libXfont 05/12] CVE-2014-XXXC: Integer overflow in fs_get_reply/_fs_start_read fs_get_reply() would take any reply size, multiply it by 4 and pass to _fs_start_read. If that size was bigger than the current reply buffer size, _fs_start_read would add it to the existing buffer size plus the buffer size increment constant and realloc the buffer to that result. This math could overflow, causing the code to allocate a smaller buffer than the amount it was about to read into that buffer from the network. It could also succeed, allowing the remote font server to cause massive allocations in the X server, possibly using up all the address space in a 32-bit X server, allowing the triggering of other bugs in code that fails to handle malloc failure properly. This patch protects against both problems, by disconnecting any font server trying to feed us more than (the somewhat arbitrary) 64 mb in a single reply. Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu> --- src/fc/fserve.c | 18 ++++++++++++++++++ 1 file changed, 18 insertions(+) diff --git a/src/fc/fserve.c b/src/fc/fserve.c index f08028f..3abbacf 100644 --- a/src/fc/fserve.c +++ b/src/fc/fserve.c @@ -97,6 +97,9 @@ in this Software without prior written authorization from The Open Group. */ #define LENGTHOF(r) (SIZEOF(r) >> 2) +/* Somewhat arbitrary limit on maximum reply size we'll try to read. */ +#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2) + extern void ErrorF(const char *f, ...); static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec ); @@ -619,6 +622,21 @@ fs_get_reply (FSFpePtr conn, int *error) rep = (fsGenericReply *) buf; + /* + * Refuse to accept replies longer than a maximum reasonable length, + * before we pass to _fs_start_read, since it will try to resize the + * incoming connection buffer to this size. Also avoids integer overflow + * on 32-bit systems. + */ + if (rep->length > MAX_REPLY_LENGTH) + { + ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting" + " from font server\n", rep->length); + _fs_connection_died (conn); + *error = FSIO_ERROR; + return 0; + } + ret = _fs_start_read (conn, rep->length << 2, &buf); if (ret != FSIO_READY) { -- 1.7.9.2
Locations
Projects
Search
Status Monitor
Help
OpenBuildService.org
Documentation
API Documentation
Code of Conduct
Contact
Support
@OBShq
Terms
openSUSE Build Service is sponsored by
The Open Build Service is an
openSUSE project
.
Sign Up
Log In
Places
Places
All Projects
Status Monitor