[X2Go-Commits] [nx-libs] 26/52: CVE-2014-0210: unvalidated length fields in fs_read_extent_info() from xorg/lib/libXfont commit a3f21421537620fc4e1f844a594a4bcd9f7e2bd8

[git-admin at x2go.org]

This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch 3.6.x
in repository nx-libs.

commit d2b96c5d59766f96181de95da1906fd6e32785ba
Author: Mike DePaulo <mikedep333 at gmail.com>
Date:   Sun Feb 8 22:26:16 2015 -0500

    CVE-2014-0210: unvalidated length fields in fs_read_extent_info() from xorg/lib/libXfont commit a3f21421537620fc4e1f844a594a4bcd9f7e2bd8
    
    Looping over the extents in the reply could go past the end of the
    reply buffer if the reply indicated more extents than could fit in
    the specified reply length.
---
 nx-X11/lib/font/fc/fserve.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c
index 639964c..79de4f3 100644
--- a/nx-X11/lib/font/fc/fserve.c
+++ b/nx-X11/lib/font/fc/fserve.c
@@ -1069,6 +1069,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 #endif
 	pCI = NULL;
     }
+    else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply))
+			    / LENGTHOF(fsXCharInfo))) {
+#ifdef DEBUG
+	fprintf(stderr,
+		"fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n",
+		numExtents, rep->length,
+		LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo));
+#endif
+	pCI = NULL;
+    }
     else
 	pCI = malloc(sizeof(CharInfoRec) * numInfos);
 

--
Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git