[X2Go-Commits] [nx-libs] 22/52: CVE-2014-0211: Integer overflow in fs_get_reply/_fs_start_read from xorg/lib/libXfont commit 0f1a5d372c143f91a602bdf10c917d7eabaee09b

git-admin at x2go.org
Sat Feb 14 17:47:09 CET 2015


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch 3.6.x
in repository nx-libs.

commit 2d724c1a0416895dd39bf33678f42cbb4c51b1ae
Author: Mike DePaulo <mikedep333 at gmail.com>
Date:   Sun Feb 8 21:43:42 2015 -0500

    CVE-2014-0211: Integer overflow in fs_get_reply/_fs_start_read from xorg/lib/libXfont commit 0f1a5d372c143f91a602bdf10c917d7eabaee09b
    
    fs_get_reply() would take any reply size, multiply it by 4 and pass to
    _fs_start_read.  If that size was bigger than the current reply buffer
    size, _fs_start_read would add it to the existing buffer size plus the
    buffer size increment constant and realloc the buffer to that result.
    
    This math could overflow, causing the code to allocate a smaller
    buffer than the amount it was about to read into that buffer from
    the network.  It could also succeed, allowing the remote font server
    to cause massive allocations in the X server, possibly using up all
    the address space in a 32-bit X server, allowing the triggering of
    other bugs in code that fails to handle malloc failure properly.
    
    This patch protects against both problems, by disconnecting any
    font server trying to feed us more than (the somewhat arbitrary)
    64 MB in a single reply.
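The size arithmetic the message describes, modelled in 32-bit unsigned integers as on a 32-bit X server. This is an added example, not code from this commit or from nx-libs; MAX_REPLY_LENGTH is the value the patch defines, while BUFFER_INCREMENT is an assumed stand-in for the real buffer growth constant.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Same value the patch defines: 64 MiB expressed in 4-byte words. */
#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2)

/* Assumed growth step for the connection buffer (not the real constant). */
#define BUFFER_INCREMENT 2048u

/* Old arithmetic: reply words * 4, added to the current buffer size plus
 * the increment.  Both steps can wrap; the wrapped result is returned. */
uint32_t unchecked_new_size(uint32_t buf_size, uint32_t reply_words)
{
    uint32_t bytes = reply_words << 2;          /* wraps for >= 2^30 words */
    return buf_size + bytes + BUFFER_INCREMENT;  /* may wrap again */
}

/* Patched behaviour: refuse replies above MAX_REPLY_LENGTH words before
 * any size arithmetic, then add with an explicit overflow check.
 * Returns true and stores the new size, or false (disconnect) on refusal. */
bool checked_new_size(uint32_t buf_size, uint32_t reply_words, uint32_t *out)
{
    if (reply_words > MAX_REPLY_LENGTH)
        return false;                     /* fs_get_reply's new guard */
    /* bytes <= 64 MiB here, so the shift and the increment cannot wrap. */
    uint32_t needed = (reply_words << 2) + BUFFER_INCREMENT;
    if (buf_size > UINT32_MAX - needed)
        return false;                     /* buffer growth would overflow */
    *out = buf_size + needed;
    return true;
}

/* Convenience wrapper: new size on success, 0 when the reply is refused. */
uint32_t checked_or_zero(uint32_t buf_size, uint32_t reply_words)
{
    uint32_t out = 0;
    return checked_new_size(buf_size, reply_words, &out) ? out : 0;
}

int main(void)
{
    /* Constructed reply length: 0x40000000 words is 4 GiB, which the
     * unchecked shift wraps to 0 bytes, so the buffer barely grows. */
    uint32_t words = 0x40000000u;
    printf("unchecked new size: %u\n", unchecked_new_size(4096, words));
    printf("checked new size:   %u (0 = refused)\n", checked_or_zero(4096, words));
    return 0;
}
```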
---
 nx-X11/lib/font/fc/fserve.c |   18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index ca10aa4..7762653 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -100,6 +100,9 @@ in this Software without prior written authorization from The Open Group.
  */
 #define LENGTHOF(r)	(SIZEOF(r) >> 2)
 
+/* Somewhat arbitrary limit on maximum reply size we'll try to read. */
+#define MAX_REPLY_LENGTH	((64 * 1024 * 1024) >> 2)
+
 extern void ErrorF(const char *f, ...);
 
 static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
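Review bot: the comment on the new `MAX_REPLY_LENGTH` define should state its unit, since the value is 64 MiB shifted right by two, i.e. a count of 4-byte words in the same convention as `LENGTHOF(r)` just above, and it is later compared directly against `rep->length` rather than against a byte count. Suggest something like `/* Max reply length in 4-byte words (64 MiB), compared against rep->length. */` so nobody later compares it with a size in bytes.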
@@ -630,6 +633,21 @@ fs_get_reply (FSFpePtr conn, int *error)
     
     rep = (fsGenericReply *) buf;
 
+    /*
+     * Refuse to accept replies longer than a maximum reasonable length,
+     * before we pass to _fs_start_read, since it will try to resize the
+     * incoming connection buffer to this size.  Also avoids integer overflow
+     * on 32-bit systems.
+     */
+    if (rep->length > MAX_REPLY_LENGTH)
+    {
+	ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting"
+	       " from font server\n", rep->length);
+	_fs_connection_died (conn);
+	*error = FSIO_ERROR;
+	return 0;
+    }
+
     ret = _fs_start_read (conn, rep->length << 2, &buf);
     if (ret != FSIO_READY)
     {
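Review bot: the `ErrorF` call prints `rep->length` with `%d`; if that field is an unsigned 32-bit protocol value, the lengths this check exists to catch (anything above `MAX_REPLY_LENGTH`, including values past INT_MAX) will appear as negative numbers in the log, so `%u` with a matching cast would give whoever diagnoses the disconnect an accurate figure. The ordering itself is right: the bound is enforced before `rep->length << 2` is computed, so the shift passed to `_fs_start_read` cannot wrap, and the refusal path sets `*error = FSIO_ERROR` and tears down the connection before returning. Minor style point: the new block mixes tab-indented statements inside a space-indented `if`, which is worth aligning with the surrounding code.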

--
Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git


More information about the x2go-commits mailing list