diff options
Diffstat (limited to 'meta')
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch | 40 | ||||
-rw-r--r-- | meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb | 1 |
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch new file mode 100644 index 0000000000..cc66c12452 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch | |||
@@ -0,0 +1,40 @@ | |||
1 | From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001 | ||
2 | From: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
3 | Date: Fri, 6 Feb 2015 15:54:00 -0800 | ||
4 | Subject: [PATCH] bdfReadCharacters: bailout if a char's bitmap cannot be read | ||
5 | [CVE-2015-1803] | ||
6 | |||
7 | Previously would charge on ahead with a NULL pointer in ci->bits, and | ||
8 | then crash later in FontCharInkMetrics() trying to access the bits. | ||
9 | |||
10 | Found with afl-1.23b. | ||
11 | |||
12 | Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> | ||
13 | Reviewed-by: Julien Cristau <jcristau@debian.org> | ||
14 | |||
15 | Upstream-Status: backport | ||
16 | |||
17 | Signed-off-by: Li Zhou <li.zhou@windriver.com> | ||
18 | --- | ||
19 | src/bitmap/bdfread.c | 5 ++++- | ||
20 | 1 file changed, 4 insertions(+), 1 deletion(-) | ||
21 | |||
22 | diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c | ||
23 | index 6387908..1b29b81 100644 | ||
24 | --- a/src/bitmap/bdfread.c | ||
25 | +++ b/src/bitmap/bdfread.c | ||
26 | @@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, | ||
27 | ci->metrics.descent = -bb; | ||
28 | ci->metrics.characterWidth = wx; | ||
29 | ci->bits = NULL; | ||
30 | - bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes); | ||
31 | + if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) { | ||
32 | + bdfError("could not read bitmap for character '%s'\n", charName); | ||
33 | + goto BAILOUT; | ||
34 | + } | ||
35 | ci++; | ||
36 | ndx++; | ||
37 | } else | ||
38 | -- | ||
39 | 1.7.9.5 | ||
40 | |||
diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb index 4a3c9b7db7..64ec6a3422 100644 --- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb +++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb | |||
@@ -19,6 +19,7 @@ XORG_PN = "libXfont" | |||
19 | BBCLASSEXTEND = "native" | 19 | BBCLASSEXTEND = "native" |
20 | 20 | ||
21 | SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \ | 21 | SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \ |
22 | file://0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch \ | ||
22 | " | 23 | " |
23 | 24 | ||
24 | SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb" | 25 | SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb" |