Gentoo's Bugzilla – Attachment 96288 Details for
Bug 145513
x11-base/xorg-x11 Integer overflow in CID parser (CVE-2006-37{39|40})
[patch]
1.2.0-cid-overflows.patch
1.2.0-cid-overflows.patch (text/plain), 2.18 KB, created by
Donnie Berkholz (RETIRED)
on 2006-09-07 09:37:32 UTC
Description:
1.2.0-cid-overflows.patch
Filename:
MIME Type:
Creator:
Donnie Berkholz (RETIRED)
Created:
2006-09-07 09:37:32 UTC
Size:
2.18 KB
patch
obsolete
>diff -u -r lib/font/Type1/afm.c.orig lib/font/Type1/afm.c
>--- lib/font/Type1/afm.c.orig 2006-09-05 21:38:13.000000000 +0200
>+++ lib/font/Type1/afm.c 2006-09-05 21:39:33.000000000 +0200
>@@ -29,6 +29,7 @@
> #include <stdio.h>
> #include <string.h>
> #include <stdlib.h>
>+#include <limits.h>
> #else
> #include "Xmd.h" /* For INT32 declaration */
> #include "Xdefs.h" /* For Bool */
>@@ -118,6 +119,11 @@
> 
> fi->nChars = atoi(p);
> 
>+ if (fi->nChars < 0 || fi->nChars > INT_MAX / sizeof(Metrics)) {
>+ xfree(afmbuf);
>+ xfree(fi);
>+ return(1);
>+ }
> fi->metrics = (Metrics *)xalloc(fi->nChars *
> sizeof(Metrics));
> if (fi->metrics == NULL) {
>diff -u -r lib/font/Type1/scanfont.c.orig lib/font/Type1/scanfont.c
>--- lib/font/Type1/scanfont.c.orig 2006-09-05 21:38:13.000000000 +0200
>+++ lib/font/Type1/scanfont.c 2006-09-05 21:39:22.000000000 +0200
>@@ -57,6 +57,7 @@
> 
> #ifndef FONTMODULE
> #include <string.h>
>+#include <limits.h>
> #else
> #include "Xdefs.h" /* Bool declaration */
> #include "Xmd.h" /* INT32 declaration */
>@@ -654,6 +655,7 @@
> arrayP->data.valueP = tokenStartP;
> 
> /* allocate FDArray */
>+ /* No integer overflow since arrayP->len is unsigned short */
> FDArrayP = (psfont *)vm_alloc(arrayP->len*(sizeof(psfont)));
> if (!(FDArrayP)) return(SCAN_OUT_OF_MEMORY);
> 
>@@ -850,7 +852,8 @@
> }
> return(SCAN_OK);
> }
>-
>+ if (N > INT_MAX / sizeof(psobj))
>+ return (SCAN_ERROR);
> arrayP = (psobj *)vm_alloc(N*sizeof(psobj));
> if (!(arrayP) ) return(SCAN_OUT_OF_MEMORY);
> FontP->Subrs.len = N;
>@@ -911,7 +914,7 @@
> }
> else return(rc); /* if next token was not an Int */
> }
>- if (N<=0) return(SCAN_ERROR);
>+ if (N<=0 || N > INT_MAX / sizeof(psdict)) return(SCAN_ERROR);
> /* save number of entries in the dictionary */
> 
> dictP = (psdict *)vm_alloc((N+1)*sizeof(psdict));
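Review bot: In the afm.c @@ -118 hunk the new bound `fi->nChars > INT_MAX / sizeof(Metrics)` is applied after `fi->nChars = atoi(p);`, and atoi gives no error indication and has undefined behaviour when the digit string does not fit in an int, so a count that is already out of range can reach the check mangled rather than rejected. Parsing with strtol closes that gap: `errno = 0; long n = strtol(p, &end, 10);` followed by `if (end == p || errno == ERANGE || n < 0 || n > INT_MAX / sizeof(Metrics)) {` and then `fi->nChars = (int)n;`. The enclosing function starts and ends outside the hunk, so I cannot confirm that the added `xfree(afmbuf); xfree(fi); return(1);` matches the cleanup the existing `fi->metrics == NULL` branch below performs; the two error paths should release the same set of resources.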
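Review bot: In the scanfont.c @@ -850 hunk the new guard `if (N > INT_MAX / sizeof(psobj))` has no explicit sign check, unlike the `N<=0 ||` the @@ -911 hunk adds for the dictionary case; a negative N is rejected here only as a side effect of being converted to size_t for the comparison, and N == 0 passes through to `vm_alloc(0)` and `FontP->Subrs.len = N;`. If N is a signed int as it appears to be in the later hunk, writing `if (N < 0 || N > INT_MAX / sizeof(psobj))` (or `N <= 0` if an empty Subrs array is not legitimate) states the intent and keeps the two sites consistent. The enclosing function starts and ends outside the hunk, so I cannot see whether N is range-checked earlier.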
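Review bot: In the scanfont.c @@ -911 hunk the bound `N > INT_MAX / sizeof(psdict)` is checked against N, but the allocation three lines later is `vm_alloc((N+1)*sizeof(psdict))`, so N == INT_MAX / sizeof(psdict) passes the check while the byte count requested exceeds INT_MAX by one element. Whether that is harmful depends on the parameter type of vm_alloc, which is outside the hunk; making the check account for the extra element, `if (N<=0 || N > INT_MAX / sizeof(psdict) - 1) return(SCAN_ERROR);`, removes the gap either way. The enclosing function starts and ends outside the hunk.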
>@@ -1719,6 +1722,10 @@
> if (tokenType == TOKEN_INTEGER)
> rangecnt = tokenValue.integer;
> 
>+ if (rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {
>+ rc = SCAN_ERROR;
>+ break;
>+ }
> /* ==> tokenLength, tokenTooLong, tokenType, and */
> /* tokenValue are now set */
> 
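Review bot: The new range check on `rangecnt` runs regardless of whether the preceding `if (tokenType == TOKEN_INTEGER)` assigned it; on any other token type it validates whatever value `rangecnt` held before, which is set outside the hunk. If a non-integer token is not acceptable at this point, the check should report that directly rather than depend on the stale value happening to be in range, e.g. `if (tokenType != TOKEN_INTEGER || rangecnt < 0 || rangecnt > INT_MAX / sizeof(spacerangecode)) {`. The loop that the added `break` leaves, and the handling of `rc` after it, are outside the hunk, so I cannot confirm the error is propagated to the caller.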