CVE-2014-0210: unvalidated length fields in fs_read_extent_info()

Looping over the extents in the reply could go past the end of the reply buffer if the reply indicated more extents than could fit in the specified reply length. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Adam Jackson <ajax@redhat.com> Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2014-04-25 23:03:05 -0700
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2014-05-12 23:32:10 -0700
commit: a3f21421537620fc4e1f844a594a4bcd9f7e2bd8 (patch)
tree: dcb5e27d1c6f7c2dca0fc2a22890c6a34704681f /src/fc/fserve.c
parent: a42f707f8a62973f5e8bbcd08afb10a79e9cee33 (diff)
1 files changed, 10 insertions, 0 deletions
diff --git a/src/fc/fserve.c b/src/fc/fserve.c
index 96abd0e..232e969 100644
--- a/src/fc/fserve.c
+++ b/src/fc/fserve.c
@@ -1059,6 +1059,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 #endif
 	pCI = NULL;
     }
+    else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply))
+			    / LENGTHOF(fsXCharInfo))) {
+#ifdef DEBUG
+	fprintf(stderr,
+		"fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n",
+		numExtents, rep->length,
+		LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo));
+#endif
+	pCI = NULL;
+    }
     else
 	pCI = malloc(sizeof(CharInfoRec) * numInfos);
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2014-04-25 23:03:05 -0700
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2014-05-12 23:32:10 -0700
commit	a3f21421537620fc4e1f844a594a4bcd9f7e2bd8 (patch)
tree	dcb5e27d1c6f7c2dca0fc2a22890c6a34704681f /src/fc/fserve.c
parent	a42f707f8a62973f5e8bbcd08afb10a79e9cee33 (diff)