libXfont: Changes to 'libXfont-1.4-branch'

Alan Coopersmith alanc at kemper.freedesktop.org
Tue May 13 08:35:49 PDT 2014


 src/fc/fsconvert.c     |   16 +++
 src/fc/fserve.c        |  243 ++++++++++++++++++++++++++++++++++++++++++++++---
 src/fc/fsio.h          |    3 
 src/fontfile/dirfile.c |    4 
 src/fontfile/fontdir.c |    5 +
 5 files changed, 256 insertions(+), 15 deletions(-)

New commits:
commit 23a7a10aaada0a4b00272b512bd430545ce799e3
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri May 2 19:24:17 2014 -0700

    CVE-2014-0210: unvalidated length fields in fs_read_list_info()
    
    fs_read_list_info() parses a reply from the font server.  The reply
    contains a number of additional data items with embedded length or
    count fields, none of which are validated. This can cause out of
    bound reads when looping over these items in the reply.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    (cherry picked from commit d338f81df1e188eb16e1d6aeea7f4800f89c1218)

commit a455f111eb2779e3258d49c1c003d3023d1b9bab
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri May 2 19:24:17 2014 -0700

    CVE-2014-0210: unvalidated length fields in fs_read_list()
    
    fs_read_list() parses a reply from the font server.  The reply
    contains a list of strings with embedded length fields, none of
    which are validated. This can cause out of bound reads when looping
    over the strings in the reply.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    (cherry picked from commit 5fa73ac18474be3032ee7af9c6e29deab163ea39)

commit 2b7b6f21ec67c2e4fdc3cee9db3199a6edef5c5c
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 25 23:03:24 2014 -0700

    CVE-2014-0210: unvalidated length fields in fs_read_glyphs()
    
    fs_read_glyphs() parses a reply from the font server.  The reply
    contains embedded length fields, none of which are validated.
    This can cause out of bound reads when looping over the glyph
    bitmaps in the reply.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
    (cherry picked from commit 520683652564c2a4e42328ae23eef9bb63271565)

commit 573c3fdcb934ca1f3243f6ced40e1f037ea6cefe
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 25 23:03:05 2014 -0700

    CVE-2014-0210: unvalidated length fields in fs_read_extent_info()
    
    Looping over the extents in the reply could go past the end of the
    reply buffer if the reply indicated more extents than could fit in
    the specified reply length.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
    (cherry picked from commit a3f21421537620fc4e1f844a594a4bcd9f7e2bd8)

commit 4b762a7eb73d4d84466331be2d48565561018fc1
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 25 23:02:54 2014 -0700

    CVE-2014-0211: integer overflow in fs_alloc_glyphs()
    
    fs_alloc_glyphs() is a malloc wrapper used by the font code.
    It contains a classic integer overflow in the malloc() call,
    which can cause memory corruption.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
    (cherry picked from commit a42f707f8a62973f5e8bbcd08afb10a79e9cee33)

commit e6d9db84113650c4f4d9bebddb60cdb72690d798
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 25 23:02:42 2014 -0700

    CVE-2014-0211: integer overflow in fs_read_extent_info()
    
    fs_read_extent_info() parses a reply from the font server.
    The reply contains a 32-bit number of elements field which is used
    to calculate a buffer length. There is an integer overflow in this
    calculation which can lead to memory corruption.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
    (cherry picked from commit c578408c1fd4db09e4e3173f8a9e65c81cc187c1)

commit fb4ecda3014744fa690959da9c5b09233b73c016
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 25 23:02:34 2014 -0700

    CVE-2014-0210: unvalidated length fields in fs_read_query_info()
    
    fs_read_query_info() parses a reply from the font server.  The reply
    contains embedded length fields, none of which are validated.  This
    can cause out of bound reads in either fs_read_query_info() or in
    _fs_convert_props() which it calls to parse the fsPropInfo in the reply.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
    (cherry picked from commit 491291cabf78efdeec8f18b09e14726a9030cc8f)

commit 633005ac24a44dacaf6beb3ed240ae0ea7e022d7
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 25 23:02:25 2014 -0700

    CVE-2014-0211: Integer overflow in fs_get_reply/_fs_start_read
    
    fs_get_reply() would take any reply size, multiply it by 4 and pass to
    _fs_start_read.  If that size was bigger than the current reply buffer
    size, _fs_start_read would add it to the existing buffer size plus the
    buffer size increment constant and realloc the buffer to that result.
    
    This math could overflow, causing the code to allocate a smaller
    buffer than the amount it was about to read into that buffer from
    the network.  It could also succeed, allowing the remote font server
    to cause massive allocations in the X server, possibly using up all
    the address space in a 32-bit X server, allowing the triggering of
    other bugs in code that fails to handle malloc failure properly.
    
    This patch protects against both problems, by disconnecting any
    font server trying to feed us more than (the somewhat arbitrary)
    64 MB in a single reply.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
    (cherry picked from commit 0f1a5d372c143f91a602bdf10c917d7eabaee09b)

commit 647d9ea15e34779afa442d362997d92488778907
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 25 23:02:12 2014 -0700

    CVE-2014-0210: unvalidated lengths when reading replies from font server
    
    Functions to handle replies to font server requests were casting replies
    from the generic form to reply specific structs without first checking
    that the reply was at least as long as the struct being cast to.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
    (cherry picked from commit cbb64aef35960b2882be721f4b8fbaa0fb649d12)

commit 23dcf6b1da8b5088856aef12b4a3f4581836f63a
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 25 23:02:00 2014 -0700

    CVE-2014-0210: unvalidated length in _fs_recv_conn_setup()
    
    The connection setup reply from the font server can include a list
    of alternate servers to contact if this font server stops working.
    
    The reply specifies a total size of all the font server names, and
    then provides a list of names. _fs_recv_conn_setup() allocated the
    specified total size for copying the names to, but didn't check to
    make sure it wasn't copying more data to that buffer than the size
    it had allocated.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
    (cherry picked from commit 891e084b26837162b12f841060086a105edde86d)
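The reply-parsing fixes above share one pattern: cast a reply to its struct only after checking the reply is at least that long, check every embedded length or count against the bytes actually received, and check every copy against the buffer allocated for it. The following is an added example of that pattern, not libXfont's code. The reply layout is a constructed simplification modelled on the _fs_recv_conn_setup() description (a declared total size followed by a list of length-prefixed names), not the X Font Service wire format, and parse_alt_servers(), build_reply() and the demo_* helpers are hypothetical names.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed, simplified reply layout (NOT the real X Font Service wire
 * format), all fields little-endian:
 *   header: u8 type, u8 pad, u16 seq, u32 body_len
 *   body:   u32 total_size, u32 nnames, then nnames x { u8 len, name[len] }
 * Every length and count arrives from the font server and is untrusted. */
#define HDR_SIZE   8u
#define BODY_FIXED 8u
#define MAX_NAMES  64u

static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    for (int i = 0; i < 4; i++) p[i] = (uint8_t)(v >> (8 * i));
}

/* Copies up to MAX_NAMES NUL-terminated names into out[].  Returns the
 * count, or -1 (with nothing left allocated) when any declared length is
 * inconsistent with the buflen bytes actually received. */
int parse_alt_servers(const uint8_t *buf, size_t buflen, char *out[])
{
    if (buflen < HDR_SIZE)          /* header shorter than the struct */
        return -1;
    uint32_t body_len = rd32(buf + 4);
    if (body_len < BODY_FIXED || body_len > buflen - HDR_SIZE)
        return -1;                  /* declared body was not received */
    const uint8_t *body = buf + HDR_SIZE;
    uint32_t total_size = rd32(body), nnames = rd32(body + 4);
    /* total_size must fit in the body; each name costs >= 1 byte, so
     * nnames <= total_size also bounds the out[] writes and allocations. */
    if (total_size > body_len - BODY_FIXED || nnames > total_size ||
        nnames > MAX_NAMES)
        return -1;
    const uint8_t *p = body + BODY_FIXED, *budget_end = p + total_size;
    uint32_t n = 0;
    for (; n < nnames; n++) {
        if (p >= budget_end)        /* no room left for a length byte */
            goto fail;
        uint8_t len = *p++;
        /* The check _fs_recv_conn_setup() lacked: the copy must stay
         * inside the total_size that was allocated for the names. */
        if ((size_t)(budget_end - p) < len)
            goto fail;
        if (!(out[n] = malloc((size_t)len + 1)))
            goto fail;
        memcpy(out[n], p, len);
        out[n][len] = '\0';
        p += len;
    }
    return (int)n;
fail:
    while (n) free(out[--n]);
    return -1;
}

/* Builds a reply in the constructed format.  If lie_len != 0 the first
 * name's length byte is replaced by it, simulating a server that claims
 * more name bytes than it sends.  Returns bytes written, 0 if cap is small. */
size_t build_reply(uint8_t *buf, size_t cap, const char *const *names,
                   uint32_t nnames, uint8_t lie_len)
{
    size_t total = 0;
    for (uint32_t i = 0; i < nnames; i++) total += 1 + strlen(names[i]);
    size_t need = HDR_SIZE + BODY_FIXED + total;
    if (need > cap) return 0;
    memset(buf, 0, need);
    buf[0] = 1;                                   /* reply type */
    wr32(buf + 4, (uint32_t)(BODY_FIXED + total));
    wr32(buf + 8, (uint32_t)total);
    wr32(buf + 12, nnames);
    uint8_t *p = buf + HDR_SIZE + BODY_FIXED;
    for (uint32_t i = 0; i < nnames; i++) {
        size_t l = strlen(names[i]);
        *p++ = (uint8_t)l;
        memcpy(p, names[i], l);
        p += l;
    }
    if (lie_len && nnames) buf[HDR_SIZE + BODY_FIXED] = lie_len;
    return need;
}

/* Constructed sample data for the three scenarios below. */
static const char *const SAMPLE[] = { "fs1.example:7100", "fs2.example:7100" };

int demo_honest(void)            /* expect 2, names intact */
{
    uint8_t buf[128]; char *out[MAX_NAMES];
    size_t n = build_reply(buf, sizeof buf, SAMPLE, 2, 0);
    int got = parse_alt_servers(buf, n, out);
    int ok = got == 2 && !strcmp(out[0], SAMPLE[0]) && !strcmp(out[1], SAMPLE[1]);
    for (int i = 0; i < got; i++) free(out[i]);
    return ok ? got : -2;
}
int demo_lying_length(void)      /* len byte says 200, only 33 bytes follow */
{
    uint8_t buf[128]; char *out[MAX_NAMES];
    size_t n = build_reply(buf, sizeof buf, SAMPLE, 2, 200);
    return parse_alt_servers(buf, n, out);
}
int demo_truncated(void)         /* only 6 of the 8 header bytes arrived */
{
    uint8_t buf[128]; char *out[MAX_NAMES];
    build_reply(buf, sizeof buf, SAMPLE, 2, 0);
    return parse_alt_servers(buf, 6, out);
}

int main(void)
{
    printf("honest=%d lying=%d truncated=%d\n",
           demo_honest(), demo_lying_length(), demo_truncated());
    return 0;
}
```

The two checks that matter most are the cheap ones done before any loop: the header size before the cast, and the declared body and total sizes against buflen. Everything inside the loop then works from a bound (budget_end) that cannot exceed the data actually received, so a lying length byte is rejected rather than read past the buffer.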

commit 26643c0c3f4e53945516e20e00dfbb4d69a39c65
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 25 23:01:48 2014 -0700

    CVE-2014-0209: integer overflow of realloc() size in lexAlias()
    
    lexAlias() reads from a file in a loop. It does this by starting with a
    64 byte buffer.  If that size limit is hit, it does a realloc of the
    buffer size << 1, basically doubling the needed length every time the
    length limit is hit.
    
    Eventually, this will shift out to 0 (for a length of ~4gig), and that
    length will be passed on to realloc().  A length of 0 (with a valid
    pointer) causes realloc to free the buffer on most POSIX platforms,
    but the caller will still have a pointer to it, leading to use after
    free issues.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
    (cherry picked from commit 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc)

commit 0a37bf2d9977db81573f300b0dc203df8fe108b5
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Fri Apr 25 23:01:11 2014 -0700

    CVE-2014-0209: integer overflow of realloc() size in FontFileAddEntry()
    
    FontFileReadDirectory() opens a fonts.dir file, and reads over every
    line in an fscanf loop.  For each successful entry read (font name,
    file name) a call is made to FontFileAddFontFile().
    
    FontFileAddFontFile() will add a font file entry (for the font name
    and file) each time it’s called, by calling FontFileAddEntry().
    FontFileAddEntry() will do the actual adding.  If the table it has
    to add to is full, it will do a realloc, adding 100 more entries
    to the table size without checking to see if that will overflow the
    int used to store the size.
    
    Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    Reviewed-by: Adam Jackson <ajax at redhat.com>
    Reviewed-by: Matthieu Herrb <matthieu at herrb.eu>
    (cherry picked from commit 2f5e57317339c526e6eaee1010b0e2ab8089c42e)
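The integer-overflow commits above (fs_alloc_glyphs(), fs_read_extent_info(), fs_get_reply()/_fs_start_read(), lexAlias() and FontFileAddEntry()) share one root cause: a size computed from an untrusted or unbounded count wraps before it reaches malloc() or realloc(). The following is an added example of overflow-checked size arithmetic for each of those growth patterns; it is not libXfont's code. The 64 MB cap and the +100 table increment are taken from the commit messages; BUF_INC, the function names and the sample values are this example's own assumptions.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The 64 MB cap and the +100 table increment come from the commit messages
 * above; the other constants and all function names are this example's. */
#define MAX_REPLY_BYTES (64u << 20)
#define BUF_INC         4096u
#define TABLE_INC       100

/* Checked size_t arithmetic: store a*b / a+b in *out, return 0 on wrap. */
static int mul_ok(size_t a, size_t b, size_t *out)
{
    if (a && b > SIZE_MAX / a) return 0;
    *out = a * b; return 1;
}
static int add_ok(size_t a, size_t b, size_t *out)
{
    if (b > SIZE_MAX - a) return 0;
    *out = a + b; return 1;
}

/* Pattern 1 (fs_alloc_glyphs, fs_read_extent_info): count * element size
 * done in the 32-bit type of the wire field silently wraps ... */
uint32_t bytes_unchecked32(uint32_t count, uint32_t elem) { return count * elem; }
/* ... so do it in size_t with a check, and also refuse a count the reply
 * could not have carried (reply_bytes = bytes actually received). */
int element_bytes(size_t count, size_t elem, size_t reply_bytes, size_t *out)
{
    return mul_ok(count, elem, out) && *out <= reply_bytes;
}

/* Pattern 2 (fs_get_reply/_fs_start_read): the reply length arrives in
 * 4-byte units.  Multiply with a check, cap it, then grow the buffer by
 * (current size + needed + increment) with checked adds. */
struct reply_buf { char *data; size_t size; };
int ensure_reply_space(struct reply_buf *b, uint32_t len_words)
{
    size_t need, grown;
    if (!mul_ok(len_words, 4, &need) || need > MAX_REPLY_BYTES)
        return 0;               /* caller should drop this font server */
    if (need <= b->size) return 1;
    if (!add_ok(b->size, need, &grown) || !add_ok(grown, BUF_INC, &grown))
        return 0;
    char *p = realloc(b->data, grown);
    if (!p) return 0;
    b->data = p; b->size = grown;
    return 1;
}

/* Pattern 3a (lexAlias): `size << 1` shifts the top bit out at 0x80000000
 * and yields 0; realloc(p, 0) then frees p on most POSIX platforms while
 * the caller keeps the pointer.  Refuse to double past UINT32_MAX/2. */
int double_size(uint32_t *size)
{
    if (*size == 0 || *size > UINT32_MAX / 2) return 0;
    *size <<= 1; return 1;
}

/* Pattern 3b (FontFileAddEntry): fixed increment on an int table size. */
int grow_table_size(int *size)
{
    if (*size < 0 || *size > INT_MAX - TABLE_INC) return 0;
    *size += TABLE_INC; return 1;
}

/* Demonstrations; each returns 1 when the checks behave as described. */
int demo_glyph_mul(void)
{
    size_t n;
    /* 0x40000001 entries of 4 bytes: 32-bit math says 4 bytes; the checked
     * version refuses because a 1000-byte reply cannot hold them. */
    return bytes_unchecked32(0x40000001u, 4) == 4 &&
           !element_bytes(0x40000001u, 4, 1000, &n);
}
int demo_reply_cap(void)
{
    struct reply_buf b = { NULL, 0 };
    int ok = ensure_reply_space(&b, 1024)                       /* 4 KB */
          && !ensure_reply_space(&b, 0x40000000u)               /* 4 GB */
          && !ensure_reply_space(&b, MAX_REPLY_BYTES / 4 + 1)   /* cap+4 */
          && b.size == 4096 + BUF_INC;
    free(b.data);
    return ok;
}
int demo_doubling(void)
{
    uint32_t s = 64; int steps = 0;              /* lexAlias starts at 64 */
    while (double_size(&s)) steps++;             /* ... up to 0x80000000 */
    return s == 0x80000000u && steps == 25;
}
int demo_table_inc(void)
{
    int size = INT_MAX - 50;             /* one growth away from wrapping */
    return !grow_table_size(&size) && size == INT_MAX - 50;
}

int main(void)
{
    printf("mul=%d cap=%d double=%d table=%d\n", demo_glyph_mul(),
           demo_reply_cap(), demo_doubling(), demo_table_inc());
    return 0;
}
```

The cap in ensure_reply_space() does double duty, as the fs_get_reply() message describes: it makes the later additions impossible to overflow, and it stops a remote font server from forcing the X server into huge allocations even when the arithmetic would have been correct.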

commit c1ccb7d4eb34c99178ace3956768abfb4cf866fd
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Tue Apr 22 23:49:29 2014 -0700

    Clean up warnings when src/fc is built with -DDEBUG
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    (cherry picked from commit 77902e1422315963364fcba3736ff9b5b0f32d47)

commit e9a07053d2b5aa55634c2bb2fd080fae77020e3c
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date:   Tue Apr 22 23:45:41 2014 -0700

    Allow enabling src/fc DEBUG helpers via CPPFLAGS
    
    Instead of editing fsio.h to turn on debugging logs, just add
    -DDEBUG to CPPFLAGS when building.
    
    Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
    (cherry picked from commit f75f7bde4cedc36d5ca1289988b3daebb80528d2)


