Репозитории ALT
| S: | 1.5.4-alt2 |
| 5.1: | 1.3.4-alt1 |
| 4.1: | 1.3.3-alt0.M41.2 |
| 4.0: | 1.2.7-alt2.M40.2 |
| +updates: | 1.2.7-alt2.M40.1 |
Группа :: Система/Библиотеки
Пакет: libXfont
навигация по пакетам
Главная Изменения Спек Патчи Sources Загрузить Gear Bugs and FR Repocop
Патч: libXfont-1.2.7-CVE-2007-1351-1352.patch
Скачать
Скачать
From: Matthieu Herrb <matthieu@roadrock.(none)>
Date: Tue, 3 Apr 2007 13:45:21 +0000 (+0200)
Subject: Integer overflow vulnerabilities
X-Git-Url: http://gitweb.freedesktop.org/?p=xorg/lib/libXfont.git;a=commitdiff;h=e7a59cfb5d442d2965cfcffeff405a4b05591190
Integer overflow vulnerabilities
CVE-2007-1351: BDFFont Parsing Integer Overflow
CVE-2007-1352: fonts.dir File Parsing Integer Overflow
---
--- a/src/bitmap/bdfread.c
+++ b/src/bitmap/bdfread.c
@@ -65,6 +65,12 @@ from The Open Group.
#include <X11/fonts/bitmap.h>
#include <X11/fonts/bdfint.h>
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(INT32_MAX)
+#define INT32_MAX 0x7fffffff
+#endif
+
#define INDICES 256
#define MAXENCODING 0xFFFF
#define BDFLINELEN 1024
@@ -288,6 +294,11 @@ bdfReadCharacters(FontFilePtr file, Font
bdfError("invalid number of CHARS in BDF file\n");return (FALSE);
}
+ if (nchars > INT32_MAX / sizeof(CharInfoRec)) {+ bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,+ sizeof(CharInfoRec));
+ goto BAILOUT;
+ }
ci = (CharInfoPtr) xalloc(nchars * sizeof(CharInfoRec));
if (!ci) { bdfError("Couldn't allocate pCI (%d*%d)\n", nchars,--- a/src/fontfile/fontdir.c
+++ b/src/fontfile/fontdir.c
@@ -38,9 +38,17 @@ in this Software without prior written a
#include <X11/fonts/fntfilst.h>
#include <X11/keysym.h>
+#if HAVE_STDINT_H
+#include <stdint.h>
+#elif !defined(INT32_MAX)
+#define INT32_MAX 0x7fffffff
+#endif
+
Bool
FontFileInitTable (FontTablePtr table, int size)
{+ if (size < 0 || (size > INT32_MAX/sizeof(FontEntryRec)))
+ return FALSE;
if (size)
{table->entries = (FontEntryPtr) xalloc(sizeof(FontEntryRec) * size);