[X2Go-Commits] [nx-libs] 23/52: CVE-2014-0210: unvalidated length fields in fs_read_query_info() from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f

git-admin at x2go.org git-admin at x2go.org
Sat Feb 14 17:47:09 CET 2015 

This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch 3.6.x
in repository nx-libs.

commit c6aebf9284855a0e24ad9c5ffdd36aa65e16bec7
Author: Mike DePaulo <mikedep333 at gmail.com>
Date:   Sun Feb 8 22:08:09 2015 -0500

    CVE-2014-0210: unvalidated length fields in fs_read_query_info() from xorg/lib/libXfont commit 491291cabf78efdeec8f18b09e14726a9030cc8f
    
    fs_read_query_info() parses a reply from the font server.  The reply
    contains embedded length fields, none of which are validated.  This
    can cause out of bound reads in either fs_read_query_info() or in
    _fs_convert_props() which it calls to parse the fsPropInfo in the reply.
---
 nx-X11/lib/font/fc/fsconvert.c |   19 ++++++++++++++-----
 nx-X11/lib/font/fc/fserve.c    |   40 ++++++++++++++++++++++++++++++++++++++--
 2 files changed, 52 insertions(+), 7 deletions(-)

diff --git a/nx-X11/lib/font/fc/fsconvert.c b/nx-X11/lib/font/fc/fsconvert.c
index 9ff54f5..d41e0b8 100644
--- a/nx-X11/lib/font/fc/fsconvert.c
+++ b/nx-X11/lib/font/fc/fsconvert.c
@@ -123,6 +123,10 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
     for (i = 0; i < nprops; i++, dprop++, is_str++) 
     {
 	memcpy(&local_off, off_adr, SIZEOF(fsPropOffset));
+	if ((local_off.name.position >= pi->data_len) ||
+		(local_off.name.length >
+		 (pi->data_len - local_off.name.position)))
+	    goto bail;
 	dprop->name = MakeAtom(&pdc[local_off.name.position],
 			       local_off.name.length, 1);
 	if (local_off.type != PropTypeString) {
@@ -130,15 +134,20 @@ _fs_convert_props(fsPropInfo *pi, fsPropOffset *po, pointer pd,
 	    dprop->value = local_off.value.position;
 	} else {
 	    *is_str = TRUE;
+	    if ((local_off.value.position >= pi->data_len) ||
+			(local_off.value.length >
+			 (pi->data_len - local_off.value.position)))
+			goto bail;
 	    dprop->value = (INT32) MakeAtom(&pdc[local_off.value.position],
 					    local_off.value.length, 1);
 	    if (dprop->value == BAD_RESOURCE)
 	    {
-		xfree (pfi->props);
-		pfi->nprops = 0;
-		pfi->props = 0;
-		pfi->isStringProp = 0;
-		return -1;
+		  bail:
+			xfree (pfi->props);
+			pfi->nprops = 0;
+			pfi->props = 0;
+			pfi->isStringProp = 0;
+			return -1;
 	    }
 	}
 	off_adr += SIZEOF(fsPropOffset);
diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 7762653..2a6f6c9 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -865,6 +865,7 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
     FSFpePtr		conn = (FSFpePtr) fpe->private;
     fsQueryXInfoReply	*rep;
     char		*buf;
+    long		bufleft; /* length of reply left to use */
     fsPropInfo		*pi;
     fsPropOffset	*po;
     pointer		pd;
@@ -895,7 +896,10 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 
     buf = (char *) rep;
     buf += SIZEOF(fsQueryXInfoReply);
-    
+ 
+    bufleft = rep->length << 2;
+    bufleft -= SIZEOF(fsQueryXInfoReply);
+
     /* move the data over */
     fsUnpack_XFontInfoHeader(rep, pInfo);
     
@@ -903,19 +907,51 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
     _fs_init_fontinfo(conn, pInfo);
 
     /* Compute offsets into the reply */
+    if (bufleft < SIZEOF(fsPropInfo))
+    {
+	ret = -1;
+#ifdef DEBUG
+	fprintf(stderr, "fsQueryXInfo: bufleft (%ld) < SIZEOF(fsPropInfo)\n",
+		bufleft);
+#endif
+	goto bail;
+    }
     pi = (fsPropInfo *) buf;
     buf += SIZEOF (fsPropInfo);
+    bufleft -= pi->num_offsets * SIZEOF(fsPropOffset);
     
+    if (bufleft < pi->data_len)
+    {
+	ret = -1;
+#ifdef DEBUG
+	fprintf(stderr,
+		"fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
+		bufleft, pi->data_len);
+#endif
+	goto bail;
+    }
     po = (fsPropOffset *) buf;
     buf += pi->num_offsets * SIZEOF(fsPropOffset);
+    bufleft -= pi->data_len;
 
+    {
+	ret = -1;
+#ifdef DEBUG
+	fprintf(stderr,
+		"fsQueryXInfo: bufleft (%ld) < data_len (%d)\n",
+		bufleft, pi->data_len);
+#endif
+	goto bail;
+    }
     pd = (pointer) buf;
     buf += pi->data_len;
+    bufleft -= pi->data_len;
     
     /* convert the properties and step over the reply */
     ret = _fs_convert_props(pi, po, pd, pInfo);
+  bail:    
     _fs_done_read (conn, rep->length << 2);
-    
+
     if (ret == -1)
     {
 	fs_cleanup_bfont (bfont);

--
Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git

More information about the x2go-commits mailing list