[OE-core] [PATCH 1/3] libxfont: Security Advisory - libxfont - CVE-2015-1802

Fri Apr 24 02:19:17 UTC 2015

bdfReadProperties: property count needs range check

Avoid integer overflow or underflow when allocating memory arrays
by multiplying the number of properties reported for a BDF font.

Signed-off-by: Li Zhou <li.zhou at windriver.com>
---
 ...erties-property-count-needs-range-check-C.patch |   38 ++++++++++++++++++++
 meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb   |    3 ++
 2 files changed, 41 insertions(+)
 create mode 100644 meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch

diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch
new file mode 100644
index 0000000..0779c26
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch
@@ -0,0 +1,38 @@
+From 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Fri, 6 Feb 2015 15:50:45 -0800
+Subject: [PATCH] bdfReadProperties: property count needs range check
+ [CVE-2015-1802]
+
+Avoid integer overflow or underflow when allocating memory arrays
+by multiplying the number of properties reported for a BDF font.
+
+Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+
+Upstream-Status: backport
+
+Signed-off-by: Li Zhou <li.zhou at windriver.com>
+---
+ src/bitmap/bdfread.c |    4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 914a024..6387908 100644
+--- a/src/bitmap/bdfread.c
++++ b/src/bitmap/bdfread.c
+@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState)
+ 	bdfError("missing 'STARTPROPERTIES'\n");
+ 	return (FALSE);
+     }
+-    if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) {
++    if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) ||
++	(nProps <= 0) ||
++	(nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) {
+ 	bdfError("bad 'STARTPROPERTIES'\n");
+ 	return (FALSE);
+     }
+-- 
+1.7.9.5
+
diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
index ef0bde2..4a3c9b7 100644
--- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
+++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
@@ -18,5 +18,8 @@ XORG_PN = "libXfont"
 
 BBCLASSEXTEND = "native"
 
+SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \
+           "
+
 SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb"
 SRC_URI[sha256sum] = "3a3c52c4adf9352b2160f07ff0596af17ab14f91d6509564e606678a1261c25f"
-- 
1.7.9.5


