On 14.02.2015 05:47 PM, [email protected] wrote: > This is an automated email from the git hooks/post-receive script. > > x2go pushed a commit to branch 3.6.x > in repository nx-libs. > > commit ef439da38d3a4c00a4e03e7d8f83cb359cd9a230 > Author: Mike DePaulo <[email protected]> > Date: Sun Feb 8 22:35:21 2015 -0500 > > CVE-2014-0210: unvalidated length fields in fs_read_list() from > xorg/lib/libXfont commit 5fa73ac18474be3032ee7af9c6e29deab163ea39 > > fs_read_list() parses a reply from the font server. The reply > contains a list of strings with embedded length fields, none of > which are validated. This can cause out of bound reads when looping > over the strings in the reply. > --- > nx-X11/lib/font/fc/fserve.c | 15 +++++++++++++++ > 1 file changed, 15 insertions(+) > > diff --git a/nx-X11/lib/font/fc/fserve.c b/nx-X11/lib/font/fc/fserve.c > index 26218e5..60d9017 100644 > --- a/nx-X11/lib/font/fc/fserve.c > +++ b/nx-X11/lib/font/fc/fserve.c > @@ -2365,6 +2365,7 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr > blockrec) > FSBlockedListPtr blist = (FSBlockedListPtr) blockrec->data; > fsListFontsReply *rep; > char *data; > + long dataleft; /* length of reply left to use */
Same here.
long dataleft = 0;
> int length,
> i,
> ret;
> @@ -2382,16 +2383,30 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr
> blockrec)
> return AllocError;
> }
> data = (char *) rep + SIZEOF (fsListFontsReply);
> + dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply);
>
> err = Successful;
> /* copy data into FontPathRecord */
> for (i = 0; i < rep->nFonts; i++)
> {
> + if (dataleft < 1)
> + break;
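Review bot: On the added `dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply);` line, the arithmetic is performed on a server-supplied field before the result is stored in the signed `long`. The types of `rep->length` and `SIZEOF()` are not visible in this hunk; if the expression is evaluated as a 32-bit unsigned value, a reply whose length is smaller than the header wraps to a large positive number instead of going negative, and the `dataleft < 1` test at the top of the loop will not stop it. Casting before the arithmetic, as in `dataleft = ((long) rep->length << 2) - SIZEOF (fsListFontsReply);`, keeps the subtraction signed. A short comment that `rep->length` is being converted from 4-byte units to bytes by the shift would also help the next reader.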
Just as a heads-up: I would have moved this into the for loop condition
like so:
for (i = 0; (i < rep->nFonts) && (dataleft > 0); i++)
to make clear that it's really part of the looping condition.
The current patch as provided by upstream is functionally equivalent and OK,
though.
Everything else in the patch looks good.
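
The commit message describes a list of strings with embedded length fields that must be checked against the data left in the reply. The following is an added example of that pattern, not code from the patch or from nx-libs: the wire format, parse_name_list() and the sample replies are constructed for illustration, and unlike the quoted hunk it rejects a malformed reply instead of breaking out of the loop.

```c
#include <stdio.h>
#include <string.h>

/* Constructed wire format (an assumption for this example, not the real
 * fsListFontsReply): byte 0 is the name count, then each name is one
 * length byte followed by that many bytes of data. */
#define MAX_NAMES    8
#define MAX_NAME_LEN 255

/* Constructed sample replies. */
static const unsigned char good_reply[]  = { 2, 3, 'a', 'b', 'c', 2, 'x', 'y' };
static const unsigned char short_reply[] = { 3, 3, 'a', 'b', 'c', 2, 'x', 'y' };
static const unsigned char long_field[]  = { 1, 200, 'a', 'b' };

/* Returns the number of names copied, or -1 when a count or length
 * field describes more data than the reply actually holds. */
int parse_name_list(const unsigned char *reply, size_t reply_len,
                    char names[][MAX_NAME_LEN + 1])
{
    if (reply_len < 1 || reply[0] > MAX_NAMES)
        return -1;
    size_t count = reply[0];
    const unsigned char *data = reply + 1;
    size_t dataleft = reply_len - 1;    /* bytes of reply left to use */
    size_t i;

    for (i = 0; i < count; i++) {
        if (dataleft < 1)
            return -1;                  /* count promises more names than were sent */
        size_t length = *data++;
        dataleft--;
        if (length > dataleft)
            return -1;                  /* name would run past the end of the reply */
        memcpy(names[i], data, length);
        names[i][length] = '\0';
        data += length;
        dataleft -= length;
    }
    return (int) i;
}

int main(void)
{
    char names[MAX_NAMES][MAX_NAME_LEN + 1];
    printf("%d\n", parse_name_list(good_reply, sizeof good_reply, names));
    printf("%d\n", parse_name_list(short_reply, sizeof short_reply, names));
    printf("%d\n", parse_name_list(long_field, sizeof long_field, names));
    return 0;
}
```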
