[X2Go-Commits] [nx-libs] 01/06: Revert "CVE-2014-0210: unvalidated length fields in fs_read_query_info() from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f"
git-admin at x2go.org
git-admin at x2go.org
Mon Feb 16 05:58:38 CET 2015
This is an automated email from the git hooks/post-receive script.
x2go pushed a commit to branch 3.6.x
in repository nx-libs.
commit 5fc2f57fb5520bb61e2c1f8b6fd2522b203b3b9d
Author: Mihai Moldovan <ionic at ionic.de>
Date: Mon Feb 16 05:26:40 2015 +0100
Revert "CVE-2014-0210: unvalidated length fields in fs_read_query_info() from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f"
This reverts commit c6aebf9284855a0e24ad9c5ffdd36aa65e16bec7.
---
nx-X11/lib/font/fc/fsconvert.c | 19 +++++--------------
nx-X11/lib/font/fc/fserve.c | 40 ++--------------------------------------
2 files changed, 7 insertions(+), 52 deletions(-)
diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
index afa2c32..9a5e194 100644
--- a/nx-X11/lib/font/fc/fsconvert.c
+++ b/nx-X11/lib/font/fc/fsconvert.c
@@ -123,10 +123,6 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
for (i = 0; i < nprops; i++, dprop++, is_str++)
{
memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
- if ((local_off.name.position >= pi->data_len) ||
- (local_off.name.length >
- (pi->data_len - local_off.name.position)))
- goto bail;
dprop->name = MakeAtom(&pdc[local_off.name.position],
local_off.name.length, 1);
if (local_off.type != PropTypeString) {
@@ -134,20 +130,15 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
dprop->value = local_off.value.position;
} else {
*is_str = TRUE;
- if ((local_off.value.position >= pi->data_len) ||
- (local_off.value.length >
- (pi->data_len - local_off.value.position)))
- goto bail;
dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
local_off.value.length, 1);
if (dprop->value == BAD_RESOURCE)
{
- bail:
- xfree (pfi->props);
- pfi->nprops = 0;
- pfi->props = 0;
- pfi->isStringProp = 0;
- return -1;
+ xfree (pfi->props);
+ pfi->nprops = 0;
+ pfi->props = 0;
+ pfi->isStringProp = 0;
+ return -1;
}
}
off_adr += SIZEOF(fsPropOffset);
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 6ba3ad4..9e652d2 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -866,7 +866,6 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
FSFpePtr conn = (FSFpePtr) fpe->private;
fsQueryXInfoReply *rep;
char *buf;
- long bufleft; /* length of reply left to use */
fsPropInfo *pi;
fsPropOffset *po;
pointer pd;
@@ -897,10 +896,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
buf = (char *) rep;
buf += SIZEOF(fsQueryXInfoReply);
-
- bufleft = rep->length << 2;
- bufleft -= SIZEOF(fsQueryXInfoReply);
-
+
/* move the data over */
fsUnpack_XFontInfoHeader(rep, pInfo);
@@ -908,51 +904,19 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
_fs_init_fontinfo(conn, pInfo);
/* Compute offsets into the reply */
- if (bufleft < SIZEOF(fsPropInfo))
- {
- ret = -1;
-#ifdef DEBUG
- fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n",
- bufleft);
-#endif
- goto bail;
- }
pi = (fsPropInfo *) buf;
buf += SIZEOF (fsPropInfo);
- bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
- if (bufleft < pi->data_len)
- {
- ret = -1;
-#ifdef DEBUG
- fprintf(stderr,
- "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
- bufleft, pi->data_len);
-#endif
- goto bail;
- }
po = (fsPropOffset *) buf;
buf += pi->num_offsets * SIZEOF(fsPropOffset);
- bufleft -= pi->data_len;
- {
- ret = -1;
-#ifdef DEBUG
- fprintf(stderr,
- "fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
- bufleft, pi->data_len);
-#endif
- goto bail;
- }
pd = (pointer) buf;
buf += pi->data_len;
- bufleft -= pi->data_len;
/* convert the properties and step over the reply */
ret = _fs_convert_props(pi, po, pd, pInfo);
- bail:
_fs_done_read (conn, rep->length << 2);
-
+
if (ret == -1)
{
fs_cleanup_bfont (bfont);
--
Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git
More information about the x2go-commits
mailing list