From 5fa73ac18474be3032ee7af9c6e29deab163ea39 Mon Sep 17 00:00:00 2001

From: Alan Coopersmith <alan.coopersmith@oracle.com>

Date: Fri, 2 May 2014 19:24:17 -0700

Subject: [PATCH 11/12] CVE-2014-0210: unvalidated length fields in fs_read_list()

fs_read_list() parses a reply from the font server.  The reply

contains a list of strings with embedded length fields, none of

which are validated. This can cause out of bound reads when looping

over the strings in the reply.

Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>

---

 src/fc/fserve.c |   15 +++++++++++++++

 1 files changed, 15 insertions(+), 0 deletions(-)

diff --git a/src/fc/fserve.c b/src/fc/fserve.c

index 581bb1b..4dcdc04 100644

--- a/src/fc/fserve.c

+++ b/src/fc/fserve.c

@@ -2355,6 +2355,7 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)

     FSBlockedListPtr	blist = (FSBlockedListPtr) blockrec->data;

     fsListFontsReply	*rep;

     char		*data;

+    long		dataleft; /* length of reply left to use */

     int			length,

 			i,

 			ret;

@@ -2372,16 +2373,30 @@ fs_read_list(FontPathElementPtr fpe, FSBlockDataPtr blockrec)

 	return AllocError;

     }

     data = (char *) rep + SIZEOF (fsListFontsReply);

+    dataleft = (rep->length << 2) - SIZEOF (fsListFontsReply);

     err = Successful;

     /* copy data into FontPathRecord */

     for (i = 0; i < rep->nFonts; i++)

     {

+	if (dataleft < 1)

+	    break;

 	length = *(unsigned char *)data++;

+	dataleft--; /* used length byte */

+	if (length > dataleft) {

+#ifdef DEBUG

+	    fprintf(stderr,

+		    "fsListFonts: name length (%d) > dataleft (%ld)\n",

+		    length, dataleft);

+#endif

+	    err = BadFontName;

+	    break;

+	}

 	err = AddFontNamesName(blist->names, data, length);

 	if (err != Successful)

 	    break;

 	data += length;

+	dataleft -= length;

     }

     _fs_done_read (conn, rep->length << 2);

     return err;

-- 

1.7.1