libXfont: Changes to 'master'
Alan Coopersmith
alanc at kemper.freedesktop.org
Tue Mar 17 08:02:14 PDT 2015
src/bitmap/bdfread.c | 35 +++++++++++++++++++++++++++++++----
1 file changed, 31 insertions(+), 4 deletions(-)
New commits:
commit 2351c83a77a478b49cba6beb2ad386835e264744
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Mar 6 22:54:58 2015 -0800
bdfReadCharacters: ensure metrics fit into xCharInfo struct [CVE-2015-1804]
We use 32-bit ints to read from the bdf file, but then try to stick
into a 16-bit int in the xCharInfo struct, so make sure they won't
overflow that range.
Found by afl-1.24b.
v2: Verify that additions won't overflow 32-bit int range either.
v3: As Julien correctly observes, the previous check for bh & bw not
being < 0 reduces the number of cases we need to check for overflow.
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Julien Cristau <jcristau at debian.org>
commit 78c2e3d70d29698244f70164428bd2868c0ab34c
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Feb 6 15:54:00 2015 -0800
bdfReadCharacters: bailout if a char's bitmap cannot be read [CVE-2015-1803]
Previously would charge on ahead with a NULL pointer in ci->bits, and
then crash later in FontCharInkMetrics() trying to access the bits.
Found with afl-1.23b.
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Julien Cristau <jcristau at debian.org>
commit 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e
Author: Alan Coopersmith <alan.coopersmith at oracle.com>
Date: Fri Feb 6 15:50:45 2015 -0800
bdfReadProperties: property count needs range check [CVE-2015-1802]
Avoid integer overflow or underflow when allocating memory arrays
by multiplying the number of properties reported for a BDF font.
Reported-by: Ilja Van Sprundel <ivansprundel at ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith at oracle.com>
Reviewed-by: Julien Cristau <jcristau at debian.org>
More information about the xorg-commit
mailing list