~ubuntu-branches/ubuntu/lucid/libxfont/lucid-updates


Viewing changes to debian/patches/CVE-2015-1803.patch

  • Committer: Package Import Robot
  • Author(s): Marc Deslauriers
  • Date: 2015-03-18 07:33:52 UTC
  • Revision ID: package-import@ubuntu.com-20150318073352-mtauev9hbwork6fz
Tags: 1:1.4.1-1ubuntu0.4
* SECURITY UPDATE: arbitrary code execution via invalid property count
  - debian/patches/CVE-2015-1802.patch: check for integer overflow in
    src/bitmap/bdfread.c.
  - CVE-2015-1802
* SECURITY UPDATE: arbitrary code execution via bitmap data parse failure
  - debian/patches/CVE-2015-1803.patch: bail out if bitmap can't be read
    in src/bitmap/bdfread.c.
  - CVE-2015-1803
* SECURITY UPDATE: arbitrary code execution via invalid metrics
  - debian/patches/CVE-2015-1804.patch: ensure metrics fit in struct in
    src/bitmap/bdfread.c.
  - CVE-2015-1804

From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 6 Feb 2015 15:54:00 -0800
Subject: bdfReadCharacters: bailout if a char's bitmap cannot be read
 [CVE-2015-1803]
 
Previously would charge on ahead with a NULL pointer in ci->bits, and
then crash later in FontCharInkMetrics() trying to access the bits.
 
Found with afl-1.23b.
 
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
 
Index: libxfont-1.4.1/src/bitmap/bdfread.c
===================================================================
--- libxfont-1.4.1.orig/src/bitmap/bdfread.c    2015-03-18 07:33:40.854856415 -0400
+++ libxfont-1.4.1/src/bitmap/bdfread.c 2015-03-18 07:33:40.854856415 -0400
@@ -460,7 +460,10 @@
            ci->metrics.descent = -bb;
            ci->metrics.characterWidth = wx;
            ci->bits = NULL;
-           bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes);
+           if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) {
+               bdfError("could not read bitmap for character '%s'\n", charName);
+               goto BAILOUT;
+           }
            ci++;
            ndx++;
        } else
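
Review bot: The new failure branch does `goto BAILOUT` before `ci++` and `ndx++`, so the cleanup at that label has to cope with the current entry still holding `ci->bits = NULL` and with only the earlier entries populated. The label is outside this hunk; it is worth confirming in review that it frees the per-glyph bitmaps already read and does not dereference the NULL entry. The fix also depends on `bdfReadBitmap()` returning a false value on every failure path, which is not visible here and should be checked against its definition. Since `charName` comes from the font file and is passed to `bdfError()` through `%s`, confirm it is always NUL-terminated at this point. The commit message says the crash was found with afl-1.23b but the change adds no test; a minimal BDF file that triggers the failed bitmap read would make a useful regression case.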