summaryrefslogtreecommitdiffstats
path: root/meta
diff options
context:
space:
mode:
Diffstat (limited to 'meta')
-rw-r--r--meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch40
-rw-r--r--meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb1
2 files changed, 41 insertions, 0 deletions
diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch
new file mode 100644
index 0000000000..cc66c12452
--- /dev/null
+++ b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch
@@ -0,0 +1,40 @@
1From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001
2From: Alan Coopersmith <alan.coopersmith@oracle.com>
3Date: Fri, 6 Feb 2015 15:54:00 -0800
4Subject: [PATCH] bdfReadCharacters: bailout if a char's bitmap cannot be read
5 [CVE-2015-1803]
6
7Previously would charge on ahead with a NULL pointer in ci->bits, and
8then crash later in FontCharInkMetrics() trying to access the bits.
9
10Found with afl-1.23b.
11
12Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
13Reviewed-by: Julien Cristau <jcristau@debian.org>
14
15Upstream-Status: backport
16
17Signed-off-by: Li Zhou <li.zhou@windriver.com>
18---
19 src/bitmap/bdfread.c | 5 ++++-
20 1 file changed, 4 insertions(+), 1 deletion(-)
21
22diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c
23index 6387908..1b29b81 100644
24--- a/src/bitmap/bdfread.c
25+++ b/src/bitmap/bdfread.c
26@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState,
27 ci->metrics.descent = -bb;
28 ci->metrics.characterWidth = wx;
29 ci->bits = NULL;
30- bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes);
31+ if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) {
32+ bdfError("could not read bitmap for character '%s'\n", charName);
33+ goto BAILOUT;
34+ }
35 ci++;
36 ndx++;
37 } else
38--
391.7.9.5
40
diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
index 4a3c9b7db7..64ec6a3422 100644
--- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
+++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb
@@ -19,6 +19,7 @@ XORG_PN = "libXfont"
19BBCLASSEXTEND = "native" 19BBCLASSEXTEND = "native"
20 20
21SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \ 21SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \
22 file://0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch \
22 " 23 "
23 24
24SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb" 25SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb"