debian/changelog | 7 +++++++ src/bitmap/pcfread.c | 13 +++++++++++-- src/fontfile/fontdir.c | 4 +++- 3 files changed, 21 insertions(+), 3 deletions(-)
New commits:
commit d8276b49b39e4f23f92ba35ac0e043df90b7d5dd
Author: Julien Cristau <[email protected]>
Date: Fri Oct 6 22:19:57 2017 +0200
Upload to unstable
diff --git a/debian/changelog b/debian/changelog
index 68bd037..ef50820 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+libxfont (1:2.0.1-4) unstable; urgency=high
+
+ * Check for end of string in PatternMatch (CVE-2017-13720)
+ * pcfGetProperties: Check string boundaries (CVE-2017-13722)
+
+ -- Julien Cristau <[email protected]> Fri, 06 Oct 2017 22:19:41 +0200
+
 libxfont (1:2.0.1-3) unstable; urgency=medium
 [ Andreas Boll ]
commit 823fa6c9987b53d5c03d5af7c9ccb36da3e2050c
Author: Michal Srb <[email protected]>
Date: Thu Jul 20 17:05:23 2017 +0200
pcfGetProperties: Check string boundaries (CVE-2017-13722)
Without the checks a malformed PCF file can cause the library to make atom from random heap memory that was behind the `strings` buffer. This may crash the process or leak information.
Signed-off-by: Julien Cristau <[email protected]>
(cherry picked from commit 672bb944311392e2415b39c0d63b1e1902905bcd)
diff --git a/src/bitmap/pcfread.c b/src/bitmap/pcfread.c
index dab1c44..ae34c28 100644
--- a/src/bitmap/pcfread.c
+++ b/src/bitmap/pcfread.c
@@ -45,6 +45,7 @@ from The Open Group.
 #include <stdarg.h>
 #include <stdint.h>
+#include <string.h>
 void pcfError(const char* message, ...)
@@ -311,11 +312,19 @@ pcfGetProperties(FontInfoPtr pFontInfo, FontFilePtr file,
 if (IS_EOF(file)) goto Bail;
 position += string_size;
 for (i = 0; i < nprops; i++) {
+ if (props[i].name >= string_size) {
+ pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].name, string_size);
+ goto Bail;
+ }
 props[i].name = MakeAtom(strings + props[i].name,
- strlen(strings + props[i].name), TRUE);
+ strnlen(strings + props[i].name, string_size - props[i].name), TRUE);
 if (isStringProp[i]) {
+ if (props[i].value >= string_size) {
+ pcfError("pcfGetProperties(): String starts out of bounds (%ld/%d)\n", props[i].value, string_size);
+ goto Bail;
+ }
 props[i].value = MakeAtom(strings + props[i].value,
- strlen(strings + props[i].value), TRUE);
+ strnlen(strings + props[i].value, string_size - props[i].value), TRUE);
 }
 }
 free(strings);
commit 433924ffdaf5b3929d6ac5f8012bcc22c789cedf
Author: Michal Srb <[email protected]>
Date: Thu Jul 20 13:38:53 2017 +0200
Check for end of string in PatternMatch (CVE-2017-13720)
If a pattern contains '?' character, any character in the string is skipped, even if it is '\0'. The rest of the matching then reads invalid memory.
Reviewed-by: Peter Hutterer <[email protected]>
Signed-off-by: Julien Cristau <[email protected]>
(cherry picked from commit d1e670a4a8704b8708e493ab6155589bcd570608)
diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
index 4ce2473..996b7d1 100644
--- a/src/fontfile/fontdir.c
+++ b/src/fontfile/fontdir.c
@@ -400,8 +400,10 @@ PatternMatch(char *pat, int patdashes, char *string, int stringdashes)
 }
 }
 case '?':
- if (*string++ == XK_minus)
+ if ((t = *string++) == XK_minus)
 stringdashes--;
+ if (!t)
+ return 0;
 break;
 case '\0':
 return (*string == '\0');
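Review bot: The two added guards in the pcfGetProperties hunk only reject offsets at or beyond `string_size`; since `props[i].name` and `props[i].value` are printed with `%ld` they appear to be signed longs, so a negative offset read from the file passes `>= string_size` and `strings + props[i].name` still points before the buffer, unless a check earlier in the function (outside this hunk) already rejects negative values. I would tighten both guards to `if (props[i].name < 0 || props[i].name >= string_size) {` and `if (props[i].value < 0 || props[i].value >= string_size) {`, which also keeps the `strnlen` bound `string_size - props[i].name` non-negative by construction. pcfGetProperties starts and ends outside the hunk.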
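Review bot: The new `'?'` case in PatternMatch stores the consumed character in `t` and tests it only after the dash bookkeeping, which is correct but reads backwards; a guard before the advance, `if (!*string) return 0;` followed by the original `if (*string++ == XK_minus) stringdashes--;`, expresses the same check without reusing `t`, whose declaration is outside the hunk. The two context lines `}` `}` directly above `case '?':` show the preceding case reaching this label with no `break`; if that fall-through is reachable and intended, a `/* fallthrough */` comment above the label would document it for readers and for -Wimplicit-fallthrough. PatternMatch's body starts and ends outside the hunk.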

