[OE-core] [PATCH 1/3] libxfont: Security Advisory - libxfont - CVE-2015-1802
Li Zhou
li.zhou at windriver.com
Fri Apr 24 02:19:17 UTC 2015
bdfReadProperties: property count needs range check
Avoid integer overflow or underflow when allocating memory arrays
by multiplying the number of properties reported for a BDF font.
Signed-off-by: Li Zhou <li.zhou at windriver.com>
---
...erties-property-count-needs-range-check-C.patch | 38 ++++++++++++++++++++
meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb | 3 ++
2 files changed, 41 insertions(+)
create mode 100644 meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch
diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch
new file mode 100644
index 0000000..0779c26
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch
@@ -0,0 +1,38 @@
+From 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Fri, 6 Feb 2015 15:50:45 -0800
+Subject: [PATCH] bdfReadProperties: property count needs range check
+ [CVE-2015-1802]
+
+Avoid integer overflow or underflow when allocating memory arrays
+by multiplying the number of properties reported for a BDF font.
+
+Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+
+Upstream-Status: backport
+
+Signed-off-by: Li Zhou <li.zhou at windriver.com>
+---
+ src/bitmap/bdfread.c | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 914a024..6387908 100644
+--- a/src/bitmap/bdfread.c
++++ b/src/bitmap/bdfread.c
+@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState)
+ bdfError("missing 'STARTPROPERTIES'\n");
+ return (FALSE);
+ }
+- if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) {
++ if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) ||
++ (nProps <= 0) ||
++ (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) {
+ bdfError("bad 'STARTPROPERTIES'\n");
+ return (FALSE);
+ }
+--
+1.7.9.5
+
diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
index ef0bde2..4a3c9b7 100644
--- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
+++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
@@ -18,5 +18,8 @@ XORG_PN = "libXfont"
BBCLASSEXTEND = "native"
+SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \
+ "
+
SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb"
SRC_URI[sha256sum] = "3a3c52c4adf9352b2160f07ff0596af17ab14f91d6509564e606678a1261c25f"
--
1.7.9.5
More information about the Openembedded-core
mailing list