Initial commit
This commit is contained in:
matt
73
contrib/packages/rpm/el5/SOURCES/CVE-2015-1804.diff
Normal file
73
contrib/packages/rpm/el5/SOURCES/CVE-2015-1804.diff
Normal file
@@ -0,0 +1,73 @@
|
||||
From 2351c83a77a478b49cba6beb2ad386835e264744 Mon Sep 17 00:00:00 2001
|
||||
From: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Date: Fri, 6 Mar 2015 22:54:58 -0800
|
||||
Subject: bdfReadCharacters: ensure metrics fit into xCharInfo struct
|
||||
[CVE-2015-1804]
|
||||
|
||||
We use 32-bit ints to read from the bdf file, but then try to stick
|
||||
into a 16-bit int in the xCharInfo struct, so make sure they won't
|
||||
overflow that range.
|
||||
|
||||
Found by afl-1.24b.
|
||||
|
||||
v2: Verify that additions won't overflow 32-bit int range either.
|
||||
v3: As Julien correctly observes, the previous check for bh & bw not
|
||||
being < 0 reduces the number of cases we need to check for overflow.
|
||||
|
||||
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||||
Reviewed-by: Julien Cristau <jcristau@debian.org>
|
||||
|
||||
diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
|
||||
index 1b29b81..a0ace8f 100644
|
||||
--- a/src/bitmap/bdfread.c
|
||||
+++ b/src/bitmap/bdfread.c
|
||||
@@ -62,8 +62,16 @@ from The Open Group.
|
||||
|
||||
#if HAVE_STDINT_H
|
||||
#include <stdint.h>
|
||||
-#elif !defined(INT32_MAX)
|
||||
-#define INT32_MAX 0x7fffffff
|
||||
+#else
|
||||
+# ifndef INT32_MAX
|
||||
+# define INT32_MAX 0x7fffffff
|
||||
+# endif
|
||||
+# ifndef INT16_MAX
|
||||
+# define INT16_MAX 0x7fff
|
||||
+# endif
|
||||
+# ifndef INT16_MIN
|
||||
+# define INT16_MIN (0 - 0x8000)
|
||||
+# endif
|
||||
#endif
|
||||
|
||||
#define INDICES 256
|
||||
@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
|
||||
bdfError("DWIDTH y value must be zero\n");
|
||||
goto BAILOUT;
|
||||
}
|
||||
+ /* xCharInfo metrics are stored as INT16 */
|
||||
+ if ((wx < 0) || (wx > INT16_MAX)) {
|
||||
+ bdfError("character '%s' has out of range width, %d\n",
|
||||
+ charName, wx);
|
||||
+ goto BAILOUT;
|
||||
+ }
|
||||
line = bdfGetLine(file, lineBuf, BDFLINELEN);
|
||||
if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) {
|
||||
bdfError("bad 'BBX'\n");
|
||||
@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
|
||||
charName, bw, bh);
|
||||
goto BAILOUT;
|
||||
}
|
||||
+ /* xCharInfo metrics are read as int, but stored as INT16 */
|
||||
+ if ((bl > INT16_MAX) || (bl < INT16_MIN) ||
|
||||
+ (bb > INT16_MAX) || (bb < INT16_MIN) ||
|
||||
+ (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) {
|
||||
+ bdfError("character '%s' has out of range metrics, %d %d %d %d\n",
|
||||
+ charName, bl, (bl+bw), (bh+bb), -bb);
|
||||
+ goto BAILOUT;
|
||||
+ }
|
||||
line = bdfGetLine(file, lineBuf, BDFLINELEN);
|
||||
if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) {
|
||||
for (p = line + strlen("ATTRIBUTES ");
|
||||
--
|
||||
cgit v0.10.2
|
||||
|
||||
Reference in New Issue
Block a user