1403N/AFrom c8855746aec2a9b732502da0ca3258b4e701c61a Mon Sep 17 00:00:00 2001
1403N/AFrom: Peter Harris <pharris@opentext.com>
1403N/ADate: Mon, 7 Apr 2014 14:25:02 -0400
1403N/ASubject: [PATCH:libXfont] Fix buffer read overrun
1403N/A"FreeType" is only eight bytes long. The atom "FreeType\x00\x??" is
1403N/Aprobably not what the author intended.
1403N/ASigned-off-by: Peter Harris <pharris@opentext.com>
1403N/AReviewed-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1403N/A 1 file changed, 1 insertion(+), 1 deletion(-)
1403N/A@@ -1867,7 +1867,7 @@ FreeTypeAddProperties(FTFontPtr font, FontScalablePtr vals, FontInfoPtr info,
1403N/A info->props[i].name = MakeAtom("RASTERIZER_NAME", 15, TRUE);
1403N/A- info->props[i].value = MakeAtom("FreeType", 10, TRUE);
1403N/A+ info->props[i].value = MakeAtom("FreeType", 8, TRUE);
1403N/AFrom 371f8582a33235afa1b61d76e4fe98bdc9d7c083 Mon Sep 17 00:00:00 2001
1403N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1403N/ADate: Sun, 20 Apr 2014 17:59:14 -0700
1403N/ASubject: [PATCH:libXfont 01/16] Check if pointer returned by BufFileCreate is
1403N/AFixes clang analyzer warning:
1403N/Abufio.c:165:13: warning: Access to field 'bufp' results in a dereference
1403N/A of a null pointer (loaded from variable 'f')
1403N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1403N/AReviewed-by: Thomas Klausner <wiz@NetBSD.org>
1403N/A(cherry picked from commit c77a0784bdfc8c178f0742689cf6ae02a2fce37f)
1403N/A 1 file changed, 4 insertions(+), 2 deletions(-)
1403N/A@@ -162,8 +162,10 @@ BufFileOpenWrite (int fd)
1403N/A f = BufFileCreate ((char *)(long) fd, 0, BufFileRawFlush, 0, BufFileFlush);
1403N/AFrom 0a37bf2d9977db81573f300b0dc203df8fe108b5 Mon Sep 17 00:00:00 2001
1403N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1403N/ADate: Fri, 25 Apr 2014 23:01:11 -0700
1403N/ASubject: [PATCH:libXfont 05/16] CVE-2014-0209: integer overflow of realloc()
1403N/AContent-Transfer-Encoding: 8bit
1403N/Aline in an fscanf loop. For each successful entry read (font name,
1403N/Afile name) a call is made to FontFileAddFontFile().
1403N/AFontFileAddFontFile() will add a font file entry (for the font name
1403N/Aand file) each time it’s called, by calling FontFileAddEntry().
1403N/AFontFileAddEntry() will do the actual adding. If the table it has
1403N/Ato add to is full, it will do a realloc, adding 100 more entries
1403N/Ato the table size without checking to see if that will overflow the
1403N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1403N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1403N/AReviewed-by: Adam Jackson <ajax@redhat.com>
1403N/AReviewed-by: Matthieu Herrb <matthieu@herrb.eu>
1403N/A(cherry picked from commit 2f5e57317339c526e6eaee1010b0e2ab8089c42e)
1403N/A 1 file changed, 5 insertions(+)
1403N/Aindex ef7ffa5..7271603 100644
1403N/A@@ -177,6 +177,11 @@ FontFileAddEntry(FontTablePtr table, FontEntryPtr prototype)
1403N/A return (FontEntryPtr) 0; /* "cannot" happen */
1403N/A if (table->used == table->size) {
1403N/A+ if (table->size >= ((INT32_MAX / sizeof(FontEntryRec)) - 100))
1403N/A+ /* If we've read so many entries we're going to ask for 2gb
1403N/A+ or more of memory, something is so wrong with this font
1403N/A+ directory that we should just give up before we overflow. */
1403N/A newsize = table->size + 100;
1403N/A entry = realloc(table->entries, newsize * sizeof(FontEntryRec));
1403N/AFrom 26643c0c3f4e53945516e20e00dfbb4d69a39c65 Mon Sep 17 00:00:00 2001
1403N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1403N/ADate: Fri, 25 Apr 2014 23:01:48 -0700
1403N/ASubject: [PATCH:libXfont 06/16] CVE-2014-0209: integer overflow of realloc()
1403N/AlexAlias() reads from a file in a loop. It does this by starting with a
1403N/A64 byte buffer. If that size limit is hit, it does a realloc of the
1403N/Abuffer size << 1, basically doubling the needed length every time the
1403N/AEventually, this will shift out to 0 (for a length of ~4gig), and that
1403N/Alength will be passed on to realloc(). A length of 0 (with a valid
1403N/Apointer) causes realloc to free the buffer on most POSIX platforms,
1403N/Abut the caller will still have a pointer to it, leading to use after
1403N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1403N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1403N/AReviewed-by: Adam Jackson <ajax@redhat.com>
1403N/AReviewed-by: Matthieu Herrb <matthieu@herrb.eu>
1403N/A(cherry picked from commit 05c8020a49416dd8b7510cbba45ce4f3fc81a7dc)
1403N/A 1 file changed, 4 insertions(+)
1403N/Aindex 0d34db9..639310c 100644
1403N/A@@ -42,6 +42,7 @@ in this Software without prior written authorization from The Open Group.
1403N/A static Bool AddFileNameAliases ( FontDirectoryPtr dir );
1403N/A static int ReadFontAlias ( char *directory, Bool isFile,
1403N/A@@ -374,6 +375,9 @@ lexAlias(FILE *file, char **lexToken)
1403N/A+ if (tokenSize >= (INT_MAX >> 2))
1403N/A+ /* Stop before we overflow */
1403N/A nsize = tokenSize ? (tokenSize << 1) : 64;
1403N/A nbuf = realloc(tokenBuf, nsize);
1403N/AFrom 23dcf6b1da8b5088856aef12b4a3f4581836f63a Mon Sep 17 00:00:00 2001
1403N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1403N/ADate: Fri, 25 Apr 2014 23:02:00 -0700
1403N/ASubject: [PATCH:libXfont 07/16] CVE-2014-0210: unvalidated length in
1403N/AThe connection setup reply from the font server can include a list
1403N/Aof alternate servers to contact if this font server stops working.
1403N/AThe reply specifies a total size of all the font server names, and
1403N/Athen provides a list of names. _fs_recv_conn_setup() allocated the
1403N/Aspecified total size for copying the names to, but didn't check to
1403N/Amake sure it wasn't copying more data to that buffer than the size
1403N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1403N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1403N/AReviewed-by: Adam Jackson <ajax@redhat.com>
1403N/AReviewed-by: Matthieu Herrb <matthieu@herrb.eu>
1403N/A(cherry picked from commit 891e084b26837162b12f841060086a105edde86d)
1403N/A 1 file changed, 18 insertions(+), 2 deletions(-)
1403N/Aindex 92f90b2..46418bd 100644
1403N/A@@ -2784,7 +2784,7 @@ _fs_recv_conn_setup (FSFpePtr conn)
1403N/A char *alt_save, *alt_names;
1403N/A@@ -2811,8 +2811,9 @@ _fs_recv_conn_setup (FSFpePtr conn)
1403N/A+ size_t alt_name_len = setup->alternate_len << 2;
1403N/A alts = malloc (setup->num_alternates * sizeof (FSFpeAltRec) +
1403N/A- (setup->alternate_len << 2));
1403N/A alt_names = (char *) (setup + 1);
1403N/A@@ -2821,10 +2822,25 @@ _fs_recv_conn_setup (FSFpePtr conn)
1403N/A alts[i].subset = alt_names[0];
1403N/A+ if (alt_len >= alt_name_len) {
1403N/A+ * Length is longer than setup->alternate_len
1403N/A+ * told us to allocate room for, assume entire
1403N/A+ * alternate list is corrupted.
1403N/A+ "invalid alt list (length %lx >= %lx)\n",
1403N/A+ (long) alt_len, (long) alt_name_len);
1403N/A memcpy (alt_save, alt_names + 2, alt_len);
1403N/A+ alt_name_len -= alt_len + 1;
1403N/A alt_names += _fs_pad_length (alt_len + 2);
1403N/A conn->numAlts = setup->num_alternates;
1403N/AFrom 647d9ea15e34779afa442d362997d92488778907 Mon Sep 17 00:00:00 2001
1403N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1403N/ADate: Fri, 25 Apr 2014 23:02:12 -0700
1403N/ASubject: [PATCH:libXfont 08/16] CVE-2014-0210: unvalidated lengths when
1403N/A reading replies from font server
1403N/AFunctions to handle replies to font server requests were casting replies
1403N/Afrom the generic form to reply specific structs without first checking
1403N/Athat the reply was at least as long as the struct being cast to.
1403N/AReported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
1403N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1403N/AReviewed-by: Adam Jackson <ajax@redhat.com>
1403N/AReviewed-by: Matthieu Herrb <matthieu@herrb.eu>
1403N/A(cherry picked from commit cbb64aef35960b2882be721f4b8fbaa0fb649d12)
1403N/A 1 file changed, 38 insertions(+), 6 deletions(-)
1403N/Aindex 46418bd..97b7659 100644
1403N/A@@ -91,6 +91,12 @@ in this Software without prior written authorization from The Open Group.
1403N/A+ * SIZEOF(r) is in bytes, length fields in the protocol are in 32-bit words,
1403N/A+ * so this converts for doing size comparisons.
1403N/A+#define LENGTHOF(r) (SIZEOF(r) >> 2)
1403N/A extern void ErrorF(const char *f, ...);
1403N/A static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
1403N/A@@ -206,9 +212,22 @@ _fs_add_rep_log (FSFpePtr conn, fsGenericReply *rep)
1403N/A conn->reqbuffer[i].opcode);
1403N/A+#define _fs_reply_failed(rep, name, op) do { \
1403N/A+ if (rep->type == FS_Error) \
1403N/A+ fprintf (stderr, "Error: %d Request: %s\n", \
1403N/A+ ((fsError *)rep)->request, #name); \
1403N/A+ fprintf (stderr, "Bad Length for %s Reply: %d %s %d\n", \
1403N/A+ #name, rep->length, op, LENGTHOF(name)); \
1403N/A #define _fs_add_req_log(conn,op) ((conn)->current_seq++)
1403N/A #define _fs_add_rep_log(conn,rep)
1403N/A+#define _fs_reply_failed(rep,name,op)
1403N/A@@ -682,13 +701,15 @@ fs_read_open_font(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
1403N/A rep = (fsOpenBitmapFontReply *) fs_get_reply (conn, &ret);
1403N/A- if (!rep || rep->type == FS_Error)
1403N/A+ if (!rep || rep->type == FS_Error ||
1403N/A+ (rep->length != LENGTHOF(fsOpenBitmapFontReply)))
1403N/A _fs_done_read (conn, rep->length << 2);
1403N/A+ _fs_reply_failed (rep, fsOpenBitmapFontReply, "!=");
1403N/A@@ -824,13 +845,15 @@ fs_read_query_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
1403N/A rep = (fsQueryXInfoReply *) fs_get_reply (conn, &ret);
1403N/A- if (!rep || rep->type == FS_Error)
1403N/A+ if (!rep || rep->type == FS_Error ||
1403N/A+ (rep->length < LENGTHOF(fsQueryXInfoReply)))
1403N/A _fs_done_read (conn, rep->length << 2);
1403N/A+ _fs_reply_failed (rep, fsQueryXInfoReply, "<");
1403N/A@@ -951,13 +974,15 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
1403N/A FontInfoRec *fi = &bfont->pfont->info;
1403N/A rep = (fsQueryXExtents16Reply *) fs_get_reply (conn, &ret);
1403N/A- if (!rep || rep->type == FS_Error)
1403N/A+ if (!rep || rep->type == FS_Error ||
1403N/A+ (rep->length < LENGTHOF(fsQueryXExtents16Reply)))
1403N/A _fs_done_read (conn, rep->length << 2);
1403N/A+ _fs_reply_failed (rep, fsQueryXExtents16Reply, "<");
1403N/A@@ -1823,13 +1848,15 @@ fs_read_glyphs(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
1403N/A unsigned long minchar, maxchar;
1403N/A rep = (fsQueryXBitmaps16Reply *) fs_get_reply (conn, &ret);
1403N/A- if (!rep || rep->type == FS_Error)
1403N/A+ if (!rep || rep->type == FS_Error ||
1403N/A+ (rep->length < LENGTHOF(fsQueryXBitmaps16Reply)))
1403N/A _fs_done_read (conn, rep->length << 2);
1403N/A+ _fs_reply_failed (rep, fsQueryXBitmaps16Reply, "<");
1403N/A@@ -2232,12 +2259,14 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
1403N/A rep = (fsListFontsReply *) fs_get_reply (conn, &ret);
1403N/A- if (!rep || rep->type == FS_Error)
1403N/A+ if (!rep || rep->type == FS_Error ||
1403N/A+ (rep->length < LENGTHOF(fsListFontsReply)))
1403N/A _fs_done_read (conn, rep->length << 2);
1403N/A+ _fs_reply_failed (rep, fsListFontsReply, "<");
1403N/A data = (char *) rep + SIZEOF (fsListFontsReply);
1403N/A@@ -2356,12 +2385,15 @@ fs_read_list_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
1403N/A _fs_free_props (&binfo->info);
1403N/A rep = (fsListFontsWithXInfoReply *) fs_get_reply (conn, &ret);
1403N/A- if (!rep || rep->type == FS_Error)
1403N/A+ if (!rep || rep->type == FS_Error ||
1403N/A+ ((rep->nameLength != 0) &&
1403N/A+ (rep->length < LENGTHOF(fsListFontsWithXInfoReply))))
1403N/A binfo->status = FS_LFWI_FINISHED;
1403N/A+ _fs_reply_failed (rep, fsListFontsWithXInfoReply, "<");
1403N/AFrom 633005ac24a44dacaf6beb3ed240ae0ea7e022d7 Mon Sep 17 00:00:00 2001
1403N/AFrom: Alan Coopersmith <alan.coopersmith@oracle.com>
1403N/ADate: Fri, 25 Apr 2014 23:02:25 -0700
1403N/ASubject: [PATCH:libXfont 09/16] CVE-2014-0211: Integer overflow in
1403N/A fs_get_reply/_fs_start_read
1403N/Afs_get_reply() would take any reply size, multiply it by 4 and pass to
1403N/A_fs_start_read. If that size was bigger than the current reply buffer
1403N/Asize, _fs_start_read would add it to the existing buffer size plus the
1403N/Abuffer size increment constant and realloc the buffer to that result.
1403N/AThis math could overflow, causing the code to allocate a smaller
1403N/Abuffer than the amount it was about to read into that buffer from
1403N/Athe network. It could also succeed, allowing the remote font server
1403N/Ato cause massive allocations in the X server, possibly using up all
1403N/Athe address space in a 32-bit X server, allowing the triggering of
1403N/Aother bugs in code that fails to handle malloc failure properly.
1403N/AThis patch protects against both problems, by disconnecting any
1403N/Afont server trying to feed us more than (the somewhat arbitrary)
1403N/ASigned-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
1403N/AReviewed-by: Adam Jackson <ajax@redhat.com>
1403N/AReviewed-by: Matthieu Herrb <matthieu@herrb.eu>
1403N/A(cherry picked from commit 0f1a5d372c143f91a602bdf10c917d7eabaee09b)
1403N/A 1 file changed, 18 insertions(+)
1403N/A@@ -97,6 +97,9 @@ in this Software without prior written authorization from The Open Group.
1403N/A #define LENGTHOF(r) (SIZEOF(r) >> 2)
1403N/A+/* Somewhat arbitrary limit on maximum reply size we'll try to read. */
1403N/A+#define MAX_REPLY_LENGTH ((64 * 1024 * 1024) >> 2)
1403N/A extern void ErrorF(const char *f, ...);
1403N/A static int fs_read_glyphs ( FontPathElementPtr fpe, FSBlockDataPtr blockrec );
1403N/A@@ -619,6 +622,21 @@ fs_get_reply (FSFpePtr conn, int *error)
1403N/A rep = (fsGenericReply *) buf;
1403N/A+ * Refuse to accept replies longer than a maximum reasonable length,
1403N/A+ * before we pass to _fs_start_read, since it will try to resize the
1403N/A+ * incoming connection buffer to this size. Also avoids integer overflow
1403N/A+ if (rep->length > MAX_REPLY_LENGTH)
1403N/A+ ErrorF("fserve: reply length %d > MAX_REPLY_LENGTH, disconnecting"
1403N/A+ " from font server\n", rep->length);
1403N/A+ _fs_connection_died (conn);
1403N/A ret = _fs_start_read (conn, rep->length << 2, &buf);