SwallowOS/xorg_lib_libxfont
1
0
Fork 0
mirror of https://github.com/SwallowOS/xorg_lib_libxfont synced 2025-11-04 05:45:47 +08:00
Code Issues Packages Projects Releases Wiki Activity

CVE-2014-0210: unvalidated length fields in fs_read_list()

Browse Source 
fs_read_list() parses a reply from the font server.  The reply
contains a list of strings with embedded length fields, none of
which are validated. This can cause out of bound reads when looping
over the strings in the reply.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
This commit is contained in:
Alan Coopersmith
2014-05-02 19:24:17 -07:00
parent 5206836525
commit 5fa73ac184
1 changed files with 15 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

15
src/fc/fserve.c
View File

@@ -2355,6 +2355,7 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data;
fsListFontsReply *rep;
char *data;
long dataleft; /* length of reply left to use */
int length,
i,
ret;
@@ -2372,16 +2373,30 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
return AllocError;
}
data = (char *) rep + SIZEOF (fsListFontsReply);
dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply);
err = Successful;
/* copy data into FontPathRecord */
for (i = 0; i < rep->nFonts; i++)
{
if (dataleft < 1)
break;
length = *(unsigned char *)data++;
dataleft--; /* used length byte */
if (length > dataleft) {
#ifdef DEBUG
fprintf(stderr,
"fsListFonts: name length (%d) > dataleft (%ld)\n",
length, dataleft);
#endif
err = BadFontName;
break;
}
err = AddFontNamesName(blist->names, data, length);
if (err != Successful)
break;
data += length;
dataleft -= length;
}
_fs_done_read (conn, rep->length << 2);
return err;