[OE-core] [PATCH 2/3] libxfont: Security Advisory - libxfont - CVE-2015-1803
Li Zhou
li.zhou at windriver.com
Fri Apr 24 02:19:18 UTC 2015
bdfReadCharacters: bailout if a char's bitmap cannot be read
Previously would charge on ahead with a NULL pointer in ci->bits, and
then crash later in FontCharInkMetrics() trying to access the bits.
Signed-off-by: Li Zhou <li.zhou at windriver.com>
---
...acters-bailout-if-a-char-s-bitmap-cannot-.patch | 36 ++++++++++++++++++++
meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb | 1 +
2 files changed, 37 insertions(+)
create mode 100644 meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch
diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch
new file mode 100644
index 0000000..05ab7af
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch
@@ -0,0 +1,36 @@
+From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith at oracle.com>
+Date: Fri, 6 Feb 2015 15:54:00 -0800
+Subject: [PATCH] bdfReadCharacters: bailout if a char's bitmap cannot be read
+ [CVE-2015-1803]
+
+Previously would charge on ahead with a NULL pointer in ci->bits, and
+then crash later in FontCharInkMetrics() trying to access the bits.
+
+Found with afl-1.23b.
+
+Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
+Reviewed-by: Julien Cristau <jcristau at debian.org>
+---
+ src/bitmap/bdfread.c | 5 ++++-
+ 1 file changed, 4 insertions(+), 1 deletion(-)
+
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 6387908..1b29b81 100644
+--- a/src/bitmap/bdfread.c
++++ b/src/bitmap/bdfread.c
+@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+ ci->metrics.descent = -bb;
+ ci->metrics.characterWidth = wx;
+ ci->bits = NULL;
+- bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes);
++ if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) {
++ bdfError("could not read bitmap for character '%s'\n", charName);
++ goto BAILOUT;
++ }
+ ci++;
+ ndx++;
+ } else
+--
+1.7.9.5
+
diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
index 4a3c9b7..64ec6a3 100644
--- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
+++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
@@ -19,6 +19,7 @@ XORG_PN = "libXfont"
BBCLASSEXTEND = "native"
SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \
+ file://0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch \
"
SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb"
--
1.7.9.5
More information about the Openembedded-core
mailing list