~ubuntu-branches/ubuntu/utopic/libxfont/utopic-proposed

Viewing changes to debian/patches/0010-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_g.patch

Committer: Package Import Robot
Author(s): Julien Cristau
Date: 2014-05-13 17:25:49 UTC
Revision ID: package-import@ubuntu.com-20140513172549-0tospr47im3q9bej

Tags: 1:1.4.7-2

http://bugs.debian.org/746052

* Pull from upstream git to fix FTBFS with new fontsproto (closes: #746052)
* CVE-2014-0209: integer overflow of allocations in font metadata
* CVE-2014-0210: unvalidated length fields when parsing xfs protocol replies
* CVE-2014-0211: integer overflows calculating memory needs for xfs replies
* Add breaks on xfs because we broke it by disabling font protocol support
in 1.4.7.

files added:
debian/patches

debian/patches/0001-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-Fo.patch

debian/patches/0002-CVE-2014-XXXA-integer-overflow-of-realloc-size-in-le.patch

debian/patches/0003-CVE-2014-XXXB-unvalidated-length-in-_fs_recv_conn_se.patch

debian/patches/0004-CVE-2014-XXXB-unvalidated-lengths-when-reading-repli.patch

debian/patches/0005-CVE-2014-XXXC-Integer-overflow-in-fs_get_reply-_fs_s.patch

debian/patches/0006-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_q.patch

debian/patches/0007-CVE-2014-XXXC-integer-overflow-in-fs_read_extent_inf.patch

debian/patches/0008-CVE-2014-XXXC-integer-overflow-in-fs_alloc_glyphs.patch

debian/patches/0009-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_e.patch

debian/patches/0010-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_g.patch

debian/patches/0011-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_l.patch

debian/patches/0012-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_l.patch

debian/patches/series

files modified:
ChangeLog

README

configure.ac

debian/changelog

debian/control

include/X11/fonts/fntfil.h

include/X11/fonts/fontmisc.h

src/FreeType/ftfuncs.c

src/FreeType/xttcap.c

src/bitmap/bitscale.c

src/builtins/builtin.h

src/builtins/dir.c

src/builtins/file.c

src/builtins/fpe.c

src/fc/fsconvert.c

src/fc/fserve.c

src/fc/fserve.h

src/fontfile/bufio.c

src/fontfile/catalogue.c

src/fontfile/dirfile.c

src/fontfile/fontfile.c

src/util/patcache.c

Show diffs side-by-side

added added

removed removed

debian/patches/0010-CVE-2014-XXXB-unvalidated-length-fields-in-fs_read_g.patch

From b6002903efd840672d070d317911c675c2d23c1c Mon Sep 17 00:00:00 2001

From: Alan Coopersmith <alan.coopersmith@oracle.com>

Date: Fri, 25 Apr 2014 23:03:24 -0700

Subject: [PATCH:libXfont 10/12] CVE-2014-XXXB: unvalidated length fields in

fs_read_glyphs()

fs_read_glyphs() parses a reply from the font server. The reply

contains embedded length fields, none of which are validated.

This can cause out of bound reads when looping over the glyph

bitmaps in the reply.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Reviewed-by: Adam Jackson <ajax@redhat.com>

Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

---

src/fc/fserve.c | 29 ++++++++++++++++++++++++++++-

1 file changed, 28 insertions(+), 1 deletion(-)

Index: libxfont/src/fc/fserve.c

===================================================================

--- libxfont.orig/src/fc/fserve.c

+++ libxfont/src/fc/fserve.c

@@ -1909,6 +1909,7 @@ fs_read_glyphs(FontPathElementPtr fpe, F

FontInfoPtr pfi = &pfont->info;

fsQueryXBitmaps16Reply *rep;

char *buf;

+ long bufleft; /* length of reply left to use */

fsOffset32 *ppbits;

fsOffset32 local_off;

char *off_adr;

@@ -1940,9 +1941,33 @@ fs_read_glyphs(FontPathElementPtr fpe, F

buf = (char *) rep;

buf += SIZEOF (fsQueryXBitmaps16Reply);

+ bufleft = rep->length << 2;

+ bufleft -= SIZEOF (fsQueryXBitmaps16Reply);

+ if ((bufleft / SIZEOF (fsOffset32)) < rep->num_chars)

+ {

+#ifdef DEBUG

+ fprintf(stderr,

+ "fsQueryXBitmaps16: num_chars (%d) > bufleft (%ld) / %d\n",

+ rep->num_chars, bufleft, SIZEOF (fsOffset32));

+#endif

+ err = AllocError;

+ goto bail;

+ }

ppbits = (fsOffset32 *) buf;

buf += SIZEOF (fsOffset32) * (rep->num_chars);

+ bufleft -= SIZEOF (fsOffset32) * (rep->num_chars);

+ if (bufleft < rep->nbytes)

+ {

+#ifdef DEBUG

+ fprintf(stderr,

+ "fsQueryXBitmaps16: nbytes (%d) > bufleft (%ld)\n",

+ rep->nbytes, bufleft);

+#endif

+ err = AllocError;

+ goto bail;

+ }

pbitmaps = (pointer ) buf;

if (blockrec->type == FS_LOAD_GLYPHS)

@@ -2000,7 +2025,9 @@ fs_read_glyphs(FontPathElementPtr fpe, F

if (NONZEROMETRICS(&fsdata->encoding[minchar].metrics))

{

- if (local_off.length)

+ if (local_off.length &&

+ (local_off.position < rep->nbytes) &&

+ (local_off.length <= (rep->nbytes - local_off.position)))

{

bits = allbits;

allbits += local_off.length;

Older »