From c578408c1fd4db09e4e3173f8a9e65c81cc187c1 Mon Sep 17 00:00:00 2001

From: Alan Coopersmith <alan.coopersmith@oracle.com>

Date: Fri, 25 Apr 2014 23:02:42 -0700

Subject: [PATCH 07/12] CVE-2014-0211: integer overflow in fs_read_extent_info()

fs_read_extent_info() parses a reply from the font server.

The reply contains a 32bit number of elements field which is used

to calculate a buffer length. There is an integer overflow in this

calculation which can lead to memory corruption.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

Reviewed-by: Adam Jackson <ajax@redhat.com>

Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>

---

 src/fc/fserve.c |   12 +++++++++++-

 1 files changed, 11 insertions(+), 1 deletions(-)

diff --git a/src/fc/fserve.c b/src/fc/fserve.c

index ec5336e..96abd0e 100644

--- a/src/fc/fserve.c

+++ b/src/fc/fserve.c

@@ -70,6 +70,7 @@ in this Software without prior written authorization from The Open Group.

 #include	"fservestr.h"

 #include	<X11/fonts/fontutil.h>

 #include	<errno.h>

+#include	<limits.h>

 #include	<time.h>

 #define Time_t time_t

@@ -1050,7 +1051,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)

 	numInfos *= 2;

 	haveInk = TRUE;

     }

-    ci = pCI = malloc(sizeof(CharInfoRec) * numInfos);

+    if (numInfos >= (INT_MAX / sizeof(CharInfoRec))) {

+#ifdef DEBUG

+	fprintf(stderr,

+		"fsQueryXExtents16: numInfos (%d) >= %ld\n",

+		numInfos, (INT_MAX / sizeof(CharInfoRec)));

+#endif

+	pCI = NULL;

+    }

+    else

+	pCI = malloc(sizeof(CharInfoRec) * numInfos);

     if (!pCI)

     {

-- 

1.7.1