[X2Go-Dev] [X2Go-Commits] [nx-libs] 27/52: CVE-2014-0210: unvalidated length fields in fs_read_glyphs() from xorg/lib/libXfont commit 520683652564c2a4e42328ae23eef9bb63271565

Mihai Moldovan ionic at ionic.de
Sun Feb 15 21:49:45 CET 2015


On 14.02.2015 05:47 PM, git-admin at x2go.org wrote:
> This is an automated email from the git hooks/post-receive script.
>
> x2go pushed a commit to branch 3.6.x
> in repository nx-libs.
>
> commit ece51493f1d970f45e53588e33a700464a42fbab
> Author: Mike DePaulo <mikedep333 at gmail.com>
> Date:   Sun Feb 8 22:27:47 2015 -0500
>
>     CVE-2014-0210: unvalidated length fields in fs_read_glyphs() from xorg/lib/libXfont commit 520683652564c2a4e42328ae23eef9bb63271565
>     
>     fs_read_glyphs() parses a reply from the font server.  The reply
>     contains embedded length fields, none of which are validated.
>     This can cause out of bound reads when looping over the glyph
>     bitmaps in the reply.
> ---
>  nx-X11/lib/font/fc/fserve.c |   29 ++++++++++++++++++++++++++++-
>  1 file changed, 28 insertions(+), 1 deletion(-)
>
> diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
> index 79de4f3..26218e5 100644
> --- a/nx-X11/lib/font/fc/fserve.c
> +++ b/nx-X11/lib/font/fc/fserve.c
> @@ -1916,6 +1916,7 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
>      FontInfoPtr		    pfi = &pfont->info;
>      fsQueryXBitmaps16Reply  *rep;
>      char		    *buf;
> +    long		    bufleft; /* length of reply left to use */

I'd also initialize this:

long		    bufleft = 0;



Everything else here is OK.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 884 bytes
Desc: OpenPGP digital signature
URL: <http://lists.x2go.org/pipermail/x2go-dev/attachments/20150215/ddec917f/attachment-0001.pgp>


More information about the x2go-dev mailing list