summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorThomas Hoger <thoger@redhat.com>2011-08-08 16:03:09 (GMT)
committerAlan Coopersmith <alan.coopersmith@oracle.com>2011-08-10 20:22:01 (GMT)
commitd11ee5886e9d9ec610051a206b135a4cdc1e09a0 (patch)
tree615e5c47814c174538a68b8f620b3764e519f1e3
parent214ca6a7a2247544627e6dc7c8705811305ad007 (diff)
LZW decompress: fix for CVE-2011-2895
Specially crafted LZW stream can crash an application using libXfont that is used to open untrusted font files. With X server, this may allow privilege escalation when exploited Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
-rw-r--r--src/fontfile/decompress.c2
1 files changed, 2 insertions, 0 deletions
diff --git a/src/fontfile/decompress.c b/src/fontfile/decompress.c
index b1fc37b..c8171dd 100644
--- a/src/fontfile/decompress.c
+++ b/src/fontfile/decompress.c
@@ -259,6 +259,8 @@ BufCompressedFill (BufFilePtr f)
*/
while ( code >= 256 )
{
+ if (stackp - de_stack >= STACK_SIZE - 1)
+ return BUFFILEEOF;
*stackp++ = file->tab_suffix[code];
code = file->tab_prefix[code];
}