libxfont: Security Advisory - libxfont - CVE-2015-1804

bdfReadCharacters: ensure metrics fit into xCharInfo struct We use 32-bit ints to read from the bdf file, but then try to stick into a 16-bit int in the xCharInfo struct, so make sure they won't overflow that range. (From OE-Core rev: 4dd4b96b6d60246338bb30ede9f3ab1b2e757be9) Signed-off-by: Li Zhou <li.zhou@windriver.com> Signed-off-by: Richard Purdie <richard.purdie@linuxfoundation.org>
author: Li Zhou <li.zhou@windriver.com> 2015-04-27 10:54:22 +0800
committer: Richard Purdie <richard.purdie@linuxfoundation.org> 2015-04-28 07:56:57 +0100
commit: ae736dbdd140975ba43f06e635b461dbf36a117e (patch)
tree: 0f8f690377350ac878ba69d14083867eb02076f1 /meta/recipes-graphics/xorg-lib
parent: 8f8858bfb00a9a349069cb4e8f44c675a7913739 (diff)
download: poky-ae736dbdd140975ba43f06e635b461dbf36a117e.tar.gz
2 files changed, 81 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch
new file mode 100644
index 0000000000..b64f1d9a87
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch
@@ -0,0 +1,80 @@
+From 2351c83a77a478b49cba6beb2ad386835e264744 Mon Sep 17 00:00:00 2001
+From: Alan Coopersmith <alan.coopersmith@oracle.com>
+Date: Fri, 6 Mar 2015 22:54:58 -0800
+Subject: [PATCH] bdfReadCharacters: ensure metrics fit into xCharInfo struct
+ [CVE-2015-1804]
+We use 32-bit ints to read from the bdf file, but then try to stick
+into a 16-bit int in the xCharInfo struct, so make sure they won't
+overflow that range.
+Found by afl-1.24b.
+v2: Verify that additions won't overflow 32-bit int range either.
+v3: As Julien correctly observes, the previous check for bh & bw not
+    being < 0 reduces the number of cases we need to check for overflow.
+Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
+Reviewed-by: Julien Cristau <jcristau@debian.org>
+Upstream-Status: backport
+Signed-off-by: Li Zhou <li.zhou@windriver.com>
+---
+ src/bitmap/bdfread.c |   26 ++++++++++++++++++++++++--
+ 1 file changed, 24 insertions(+), 2 deletions(-)
+diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
+index 1b29b81..a0ace8f 100644
+--- a/src/bitmap/bdfread.c
+++ b/src/bitmap/bdfread.c
+@@ -62,8 +62,16 @@ from The Open Group.
+ 
+ #if HAVE_STDINT_H
+ #include <stdint.h>
+-#elif !defined(INT32_MAX)
+-#define INT32_MAX 0x7fffffff
+#else
+# ifndef INT32_MAX
+#  define INT32_MAX 0x7fffffff
+# endif
+# ifndef INT16_MAX
+#  define INT16_MAX 0x7fff
+# endif
+# ifndef INT16_MIN
+#  define INT16_MIN (0 - 0x8000)
+# endif
+ #endif
+ 
+ #define INDICES 256
+@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+            bdfError("DWIDTH y value must be zero\n");
+            goto BAILOUT;
+        }
+       /* xCharInfo metrics are stored as INT16 */
+       if ((wx < 0) || (wx > INT16_MAX)) {
+           bdfError("character '%s' has out of range width, %d\n",
+                    charName, wx);
+           goto BAILOUT;
+       }
+        line = bdfGetLine(file, lineBuf, BDFLINELEN);
+        if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) {
+            bdfError("bad 'BBX'\n");
+@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
+                     charName, bw, bh);
+            goto BAILOUT;
+        }
+       /* xCharInfo metrics are read as int, but stored as INT16 */
+       if ((bl > INT16_MAX) || (bl < INT16_MIN) ||
+           (bb > INT16_MAX) || (bb < INT16_MIN) ||
+           (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) {
+           bdfError("character '%s' has out of range metrics, %d %d %d %d\n",
+                    charName, bl, (bl+bw), (bh+bb), -bb);
+           goto BAILOUT;
+       }
+        line = bdfGetLine(file, lineBuf, BDFLINELEN);
+        if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) {
+            for (p = line + strlen("ATTRIBUTES ");
+-- 
+1.7.9.5
diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
index 64ec6a3422..dfd2dc67a2 100644
--- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
+++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
@@ -20,6 +20,7 @@ BBCLASSEXTEND = "native"
 SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \
            file://0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch \
+            file://0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch \
           "
 SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb"
author	Li Zhou <li.zhou@windriver.com>	2015-04-27 10:54:22 +0800
committer	Richard Purdie <richard.purdie@linuxfoundation.org>	2015-04-28 07:56:57 +0100
commit	ae736dbdd140975ba43f06e635b461dbf36a117e (patch)
tree	0f8f690377350ac878ba69d14083867eb02076f1 /meta/recipes-graphics/xorg-lib
parent	8f8858bfb00a9a349069cb4e8f44c675a7913739 (diff)
download	poky-ae736dbdd140975ba43f06e635b461dbf36a117e.tar.gz

diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch new file mode 100644 index 0000000000..b64f1d9a87 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch
@@ -0,0 +1,80 @@
		1	From 2351c83a77a478b49cba6beb2ad386835e264744 Mon Sep 17 00:00:00 2001
		2	From: Alan Coopersmith <alan.coopersmith@oracle.com>
		3	Date: Fri, 6 Mar 2015 22:54:58 -0800
		4	Subject: [PATCH] bdfReadCharacters: ensure metrics fit into xCharInfo struct
		5	[CVE-2015-1804]
		6
		7	We use 32-bit ints to read from the bdf file, but then try to stick
		8	into a 16-bit int in the xCharInfo struct, so make sure they won't
		9	overflow that range.
		10
		11	Found by afl-1.24b.
		12
		13	v2: Verify that additions won't overflow 32-bit int range either.
		14	v3: As Julien correctly observes, the previous check for bh & bw not
		15	being < 0 reduces the number of cases we need to check for overflow.
		16
		17	Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
		18	Reviewed-by: Julien Cristau <jcristau@debian.org>
		19
		20	Upstream-Status: backport
		21
		22	Signed-off-by: Li Zhou <li.zhou@windriver.com>
		23	---
		24	src/bitmap/bdfread.c \| 26 ++++++++++++++++++++++++--
		25	1 file changed, 24 insertions(+), 2 deletions(-)
		26
		27	diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
		28	index 1b29b81..a0ace8f 100644
		29	--- a/src/bitmap/bdfread.c
		30	+++ b/src/bitmap/bdfread.c
		31	@@ -62,8 +62,16 @@ from The Open Group.
		32
		33	#if HAVE_STDINT_H
		34	#include <stdint.h>
		35	-#elif !defined(INT32_MAX)
		36	-#define INT32_MAX 0x7fffffff
		37	+#else
		38	+# ifndef INT32_MAX
		39	+# define INT32_MAX 0x7fffffff
		40	+# endif
		41	+# ifndef INT16_MAX
		42	+# define INT16_MAX 0x7fff
		43	+# endif
		44	+# ifndef INT16_MIN
		45	+# define INT16_MIN (0 - 0x8000)
		46	+# endif
		47	#endif
		48
		49	#define INDICES 256
		50	@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
		51	bdfError("DWIDTH y value must be zero\n");
		52	goto BAILOUT;
		53	}
		54	+ /* xCharInfo metrics are stored as INT16 */
		55	+ if ((wx < 0) \|\| (wx > INT16_MAX)) {
		56	+ bdfError("character '%s' has out of range width, %d\n",
		57	+ charName, wx);
		58	+ goto BAILOUT;
		59	+ }
		60	line = bdfGetLine(file, lineBuf, BDFLINELEN);
		61	if ((!line) \|\| (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) {
		62	bdfError("bad 'BBX'\n");
		63	@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
		64	charName, bw, bh);
		65	goto BAILOUT;
		66	}
		67	+ /* xCharInfo metrics are read as int, but stored as INT16 */
		68	+ if ((bl > INT16_MAX) \|\| (bl < INT16_MIN) \|\|
		69	+ (bb > INT16_MAX) \|\| (bb < INT16_MIN) \|\|
		70	+ (bw > (INT16_MAX - bl)) \|\| (bh > (INT16_MAX - bb))) {
		71	+ bdfError("character '%s' has out of range metrics, %d %d %d %d\n",
		72	+ charName, bl, (bl+bw), (bh+bb), -bb);
		73	+ goto BAILOUT;
		74	+ }
		75	line = bdfGetLine(file, lineBuf, BDFLINELEN);
		76	if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) {
		77	for (p = line + strlen("ATTRIBUTES ");
		78	--
		79	1.7.9.5
		80


diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb index 64ec6a3422..dfd2dc67a2 100644 --- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb +++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
@@ -20,6 +20,7 @@ BBCLASSEXTEND = "native"
20		20
21	SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \	21	SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \
22	file://0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch \	22	file://0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch \
		23	file://0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch \
23	"	24	"
24		25
25	SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb"	26	SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb"