libxfont: Security Advisory - libxfont - CVE-2015-1802

bdfReadProperties: property count needs range check

Avoid integer overflow or underflow when allocating memory arrays
by multiplying the number of properties reported for a BDF font.

(From OE-Core rev: 0ff9f2bf0e44a7b47a98234a12714c780825e286)

(From OE-Core rev: ddc4889d7028d0388b1521d49ab1d3b8decba524)

Signed-off-by: Li Zhou <li.zhou@windriver.com>
Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
This commit is contained in:
Li Zhou
2015-04-23 17:20:06 +08:00
committed by Richard Purdie
parent 3e3507d02e
commit b611530351
2 changed files with 41 additions and 0 deletions

View File

@@ -0,0 +1,38 @@
From 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 6 Feb 2015 15:50:45 -0800
Subject: [PATCH] bdfReadProperties: property count needs range check
[CVE-2015-1802]
Avoid integer overflow or underflow when allocating memory arrays
by multiplying the number of properties reported for a BDF font.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Julien Cristau <jcristau@debian.org>
Upstream-Status: backport
Signed-off-by: Li Zhou <li.zhou@windriver.com>
---
src/bitmap/bdfread.c | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
index 914a024..6387908 100644
--- a/src/bitmap/bdfread.c
+++ b/src/bitmap/bdfread.c
@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState)
bdfError("missing 'STARTPROPERTIES'\n");
return (FALSE);
}
- if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) {
+ if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) ||
+ (nProps <= 0) ||
+ (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) {
bdfError("bad 'STARTPROPERTIES'\n");
return (FALSE);
}
--
1.7.9.5

View File

@@ -18,5 +18,8 @@ XORG_PN = "libXfont"
BBCLASSEXTEND = "native"
SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \
"
SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb"
SRC_URI[sha256sum] = "3a3c52c4adf9352b2160f07ff0596af17ab14f91d6509564e606678a1261c25f"