[X2Go-Dev] [X2Go-Commits] [nx-libs] 27/52: CVE-2014-0210: unvalidated length fields in fs_read_glyphs() from xorg/lib/libXfont commit 520683652564c2a4e42328ae23eef9bb63271565
Mihai Moldovan
ionic at ionic.de
Sun Feb 15 21:49:45 CET 2015
On 14.02.2015 05:47 PM, git-admin at x2go.org wrote:
> This is an automated email from the git hooks/post-receive script.
>
> x2go pushed a commit to branch 3.6.x
> in repository nx-libs.
>
> commit ece51493f1d970f45e53588e33a700464a42fbab
> Author: Mike DePaulo <mikedep333 at gmail.com>
> Date: Sun Feb 8 22:27:47 2015 -0500
>
> CVE-2014-0210: unvalidated length fields in fs_read_glyphs() from xorg/lib/libXfont commit 520683652564c2a4e42328ae23eef9bb63271565
>
> fs_read_glyphs() parses a reply from the font server. The reply
> contains embedded length fields, none of which are validated.
> This can cause out of bound reads when looping over the glyph
> bitmaps in the reply.
> ---
> nx-X11/lib/font/fc/fserve.c | 29 ++++++++++++++++++++++++++++-
> 1 file changed, 28 insertions(+), 1 deletion(-)
>
> diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
> index 79de4f3..26218e5 100644
> --- a/nx-X11/lib/font/fc/fserve.c
> +++ b/nx-X11/lib/font/fc/fserve.c
> @@ -1916,6 +1916,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
> FontInfoPtr pfi = &pfont->info;
> fsQueryXBitmaps16Reply *rep;
> char *buf;
> + long bufleft; /* length of reply left to use */
I'd also initialize this:
long bufleft = 0;
Everything else here is OK.
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20150215/ddec917f/attachment-0001.pgp>
More information about the x2go-dev
mailing list