[X2Go-Commits] [nx-libs] 02/02: Do proper input validation to fix for CVE-2011-2895.

git-admin at x2go.org git-admin at x2go.org
Mon Feb 16 06:17:07 CET 2015


This is an automated email from the git hooks/post-receive script.

x2go pushed a commit to branch 3.6.x
in repository nx-libs.

commit 6acafc9334828da22446380c81af81bde14b5d86
Author: Joerg Sonnenberger <joerg at britannica.bec.de>
Date:   Sun Aug 21 18:51:53 2011 +0200

    Do proper input validation to fix for CVE-2011-2895.
    
    It ensures that all valid input can be decompressed, checks that the
    overflow conditions doesn't happen and generally tightens the
    validation of the LZW stream and doesn't pessimize the inner loop for
    no good reason. It's derived from a change in libarchive from 2004.
    
    v2: backports to nx-libs 3.6.x (Mihai Moldovan)
    Signed-off-by: Matthieu Herrb <matthieu.herrb at laas.fr>
    Reviewed-by: Tomas Hoger <thoger at redhat.com>
---
 nx-X11/lib/font/fontfile/decompress.c |   31 +++++++++++++++++--------------
 1 file changed, 17 insertions(+), 14 deletions(-)

diff --git a/nx-X11/lib/font/fontfile/decompress.c b/nx-X11/lib/font/fontfile/decompress.c
index 553b315..12b9f0a 100644
--- a/nx-X11/lib/font/fontfile/decompress.c
+++ b/nx-X11/lib/font/fontfile/decompress.c
@@ -99,7 +99,7 @@ static char_type magic_header[] = { "\037\235" };	/* 1F 9D */
 #define FIRST	257	/* first free entry */
 #define	CLEAR	256	/* table clear output code */
 
-#define STACK_SIZE  8192
+#define STACK_SIZE  65300
 
 typedef struct _compressedFILE {
     BufFilePtr	    file;
@@ -180,14 +180,12 @@ BufFilePushCompressed (BufFilePtr f)
 	file->tab_suffix[code] = (char_type) code;
     }
     file->free_ent = ((file->block_compress) ? FIRST : 256 );
+    file->oldcode = -1;
     file->clear_flg = 0;
     file->offset = 0;
     file->size = 0;
     file->stackp = file->de_stack;
     bzero(file->buf, BITS);
-    file->finchar = file->oldcode = getcode (file);
-    if (file->oldcode != -1)
-	*file->stackp++ = file->finchar;
     return BufFileCreate ((char *) file,
 			  BufCompressedFill,
 			  0,
@@ -232,9 +230,6 @@ BufCompressedFill (BufFilePtr f)
 	if (buf == bufend)
 	    break;
 
-	if (oldcode == -1)
-	    break;
-
 	code = getcode (file);
 	if (code == -1)
 	    break;
@@ -243,26 +238,34 @@ BufCompressedFill (BufFilePtr f)
 	    for ( code = 255; code >= 0; code-- )
 	    	file->tab_prefix[code] = 0;
 	    file->clear_flg = 1;
-	    file->free_ent = FIRST - 1;
-	    if ( (code = getcode (file)) == -1 )	/* O, untimely death! */
-	    	break;
+	    file->free_ent = FIRST;
+	    oldcode = -1;
+	    continue;
     	}
     	incode = code;
     	/*
      	 * Special case for KwKwK string.
      	 */
     	if ( code >= file->free_ent ) {
+	    if ( code > file->free_ent || oldcode == -1 ) {
+		/* Bad stream. */
+		return BUFFILEEOF;
+	    }
 	    *stackp++ = finchar;
 	    code = oldcode;
     	}
-    
++	/*
++	 * The above condition ensures that code < free_ent.
++	 * The construction of tab_prefixof in turn guarantees that
++	 * each iteration decreases code and therefore stack usage is
++	 * bound by 1 << BITS - 256.
++	 */
+
     	/*
      	 * Generate output characters in reverse order
      	 */
     	while ( code >= 256 )
     	{
-	    if (stackp - de_stack >= STACK_SIZE - 1)
-		return BUFFILEEOF;
 	    *stackp++ = file->tab_suffix[code];
 	    code = file->tab_prefix[code];
     	}
@@ -272,7 +275,7 @@ BufCompressedFill (BufFilePtr f)
     	/*
      	 * Generate the new entry.
      	 */
-    	if ( (code=file->free_ent) < file->maxmaxcode ) {
+    	if ( (code=file->free_ent) < file->maxmaxcode && oldcode != -1) {
 	    file->tab_prefix[code] = (unsigned short)oldcode;
 	    file->tab_suffix[code] = finchar;
 	    file->free_ent = code+1;

--
Alioth's /srv/git/_hooks_/post-receive-email on /srv/git/code.x2go.org/nx-libs.git


More information about the x2go-commits mailing list