[X2Go-Commits] [nx-libs] 17/52: CVE-2014-0209: integer overflow of realloc() size in FontFileAddEntry() from xorg/lib/libXfont commit 2f5e57317339c526e6eaee1010b0e2ab8089c42e

git-admin at x2go.org git-admin at x2go.org
Sat Feb 14 17:47:07 CET 2015


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch 3.6.x
in repository nx-libs.

commit f53f2474d5d33cca04c4c7744ecc50cec41ba94f
Author: Mike DePaulo <mikedep333 at gmail.com>
Date:   Sun Feb 8 20:28:30 2015 -0500

    CVE-2014-0209: integer overflow of realloc() size in FontFileAddEntry() from xorg/lib/libXfont commit 2f5e57317339c526e6eaee1010b0e2ab8089c42e
    
    FontFileReadDirectory() opens a fonts.dir file, and reads over every
    line in an fscanf loop.  For each successful entry read (font name,
    file name) a call is made to FontFileAddFontFile().
    
    FontFileAddFontFile() will add a font file entry (for the font name
    and file) each time it’s called, by calling FontFileAddEntry().
    FontFileAddEntry() will do the actual adding.  If the table it has
    to add to is full, it will do a realloc, adding 100 more entries
    to the table size without checking to see if that will overflow the
    int used to store the size.
---
 nx-X11/lib/font/fontfile/fontdir.c |    5 +++++
 1 file changed, 5 insertions(+)

diff --git a/nx-X11/lib/font/fontfile/fontdir.c b/nx-X11/lib/font/fontfile/fontdir.c
index 8f75d8b..899ff05 100644
--- a/nx-X11/lib/font/fontfile/fontdir.c
+++ b/nx-X11/lib/font/fontfile/fontdir.c
@@ -185,6 +185,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
     if (table->sorted)
 	return (FontEntryPtr) 0;    /* "cannot" happen */
     if (table->used == table->size) {
+	if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
+	    /* If we've read so many entries we're going to ask for 2gb
+	       or more of memory, something is so wrong with this font
+	       directory that we should just give up before we overflow. */
+	    return NULL;
 	newsize = table->size + 100;
 	entry = (FontEntryPtr) xrealloc(table->entries,
 					   newsize * sizeof(FontEntryRec));
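Review bot: The new guard at the top of the `table->used == table->size` branch relies on INT32_MAX, but the diffstat shows only these 5 insertions, so no #include came with it. Since this is a backport from libXfont into nx-X11, confirm that fontdir.c already reaches <stdint.h> (or an equivalent definition) on every supported build, and add the include in this commit if it does not. Two smaller points on the same lines: the comparison is evaluated as unsigned because of `sizeof`, so a negative `table->size` would also take the early return, which fails safe but deserves a word in the comment; and the `if` body is a four-line comment plus `return NULL;` with no braces, while the line just above returns `(FontEntryPtr) 0`, so adding braces and matching the return style would make the early exit harder to misread.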

--
Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git

