[X2Go-Commits] [vcxsrv] 06/17: bdfReadProperties: property count needs range check [CVE-2015-1802]

git-admin at x2go.org git-admin at x2go.org
Sun Mar 29 16:07:24 CEST 2015


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch release/1.15.2.x
in repository vcxsrv.

commit e195099b83a23182925f20028de3e9ea4fe64845
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Feb 6 15:50:45 2015 -0800

    bdfReadProperties: property count needs range check [CVE-2015-1802]
    
    Avoid integer overflow or underflow when allocating memory arrays
    by multiplying the number of properties reported for a BDF font.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Julien Cristau <jcristau at debian.org>
    (cherry picked from commit 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e)
---
 libXfont/src/bitmap/bdfread.c |    4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/libXfont/src/bitmap/bdfread.c b/libXfont/src/bitmap/bdfread.c
index 914a024..6387908 100644
--- a/libXfont/src/bitmap/bdfread.c
+++ b/libXfont/src/bitmap/bdfread.c
@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState)
 	bdfError("missing 'STARTPROPERTIES'\n");
 	return (FALSE);
     }
-    if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) {
+    if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) ||
+	(nProps <= 0) ||
+	(nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) {
 	bdfError("bad 'STARTPROPERTIES'\n");
 	return (FALSE);
     }

--
Alioth's /srv/git/code.x2go.org/vcxsrv.git//..//_hooks_/post-receive-email on /srv/git/code.x2go.org/vcxsrv.git


More information about the x2go-commits mailing list