* [PATCH 1/3] libxfont: Security Advisory - libxfont - CVE-2015-1802 @ 2015-04-24 2:19 Li Zhou 2015-04-24 2:19 ` [PATCH 2/3] libxfont: Security Advisory - libxfont - CVE-2015-1803 Li Zhou 2015-04-24 2:19 ` [PATCH 3/3] libxfont: Security Advisory - libxfont - CVE-2015-1804 Li Zhou 0 siblings, 2 replies; 5+ messages in thread From: Li Zhou @ 2015-04-24 2:19 UTC (permalink / raw) To: openembedded-core bdfReadProperties: property count needs range check Avoid integer overflow or underflow when allocating memory arrays by multiplying the number of properties reported for a BDF font. Signed-off-by: Li Zhou <li.zhou@windriver.com> --- ...erties-property-count-needs-range-check-C.patch | 38 ++++++++++++++++++++ meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb | 3 ++ 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch new file mode 100644 index 0000000..0779c26 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch @@ -0,0 +1,38 @@ +From 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri, 6 Feb 2015 15:50:45 -0800 +Subject: [PATCH] bdfReadProperties: property count needs range check + [CVE-2015-1802] + +Avoid integer overflow or underflow when allocating memory arrays +by multiplying the number of properties reported for a BDF font. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> + +Upstream-Status: backport + +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + src/bitmap/bdfread.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c +index 914a024..6387908 100644 +--- a/src/bitmap/bdfread.c ++++ b/src/bitmap/bdfread.c +@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState) + bdfError("missing 'STARTPROPERTIES'\n"); + return (FALSE); + } +- if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) { ++ if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) || ++ (nProps <= 0) || ++ (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) { + bdfError("bad 'STARTPROPERTIES'\n"); + return (FALSE); + } +-- +1.7.9.5 + diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb index ef0bde2..4a3c9b7 100644 --- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb +++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb @@ -18,5 +18,8 @@ XORG_PN = "libXfont" BBCLASSEXTEND = "native" +SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \ + " + SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb" SRC_URI[sha256sum] = "3a3c52c4adf9352b2160f07ff0596af17ab14f91d6509564e606678a1261c25f" -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 2/3] libxfont: Security Advisory - libxfont - CVE-2015-1803 2015-04-24 2:19 [PATCH 1/3] libxfont: Security Advisory - libxfont - CVE-2015-1802 Li Zhou @ 2015-04-24 2:19 ` Li Zhou 2015-04-24 2:19 ` [PATCH 3/3] libxfont: Security Advisory - libxfont - CVE-2015-1804 Li Zhou 1 sibling, 0 replies; 5+ messages in thread From: Li Zhou @ 2015-04-24 2:19 UTC (permalink / raw) To: openembedded-core bdfReadCharacters: bailout if a char's bitmap cannot be read Previously would charge on ahead with a NULL pointer in ci->bits, and then crash later in FontCharInkMetrics() trying to access the bits. Signed-off-by: Li Zhou <li.zhou@windriver.com> --- ...acters-bailout-if-a-char-s-bitmap-cannot-.patch | 36 ++++++++++++++++++++ meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb | 1 + 2 files changed, 37 insertions(+) create mode 100644 meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch new file mode 100644 index 0000000..05ab7af --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch @@ -0,0 +1,36 @@ +From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri, 6 Feb 2015 15:54:00 -0800 +Subject: [PATCH] bdfReadCharacters: bailout if a char's bitmap cannot be read + [CVE-2015-1803] + +Previously would charge on ahead with a NULL pointer in ci->bits, and +then crash later in FontCharInkMetrics() trying to access the bits. + +Found with afl-1.23b. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> +--- + src/bitmap/bdfread.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c +index 6387908..1b29b81 100644 +--- a/src/bitmap/bdfread.c ++++ b/src/bitmap/bdfread.c +@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, + ci->metrics.descent = -bb; + ci->metrics.characterWidth = wx; + ci->bits = NULL; +- bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes); ++ if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) { ++ bdfError("could not read bitmap for character '%s'\n", charName); ++ goto BAILOUT; ++ } + ci++; + ndx++; + } else +-- +1.7.9.5 + diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb index 4a3c9b7..64ec6a3 100644 --- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb +++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb @@ -19,6 +19,7 @@ XORG_PN = "libXfont" BBCLASSEXTEND = "native" SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \ + file://0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch \ " SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb" -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* [PATCH 3/3] libxfont: Security Advisory - libxfont - CVE-2015-1804 2015-04-24 2:19 [PATCH 1/3] libxfont: Security Advisory - libxfont - CVE-2015-1802 Li Zhou 2015-04-24 2:19 ` [PATCH 2/3] libxfont: Security Advisory - libxfont - CVE-2015-1803 Li Zhou @ 2015-04-24 2:19 ` Li Zhou 2015-04-24 10:16 ` Richard Purdie 1 sibling, 1 reply; 5+ messages in thread From: Li Zhou @ 2015-04-24 2:19 UTC (permalink / raw) To: openembedded-core bdfReadCharacters: ensure metrics fit into xCharInfo struct We use 32-bit ints to read from the bdf file, but then try to stick into a 16-bit int in the xCharInfo struct, so make sure they won't overflow that range. Signed-off-by: Li Zhou <li.zhou@windriver.com> --- ...acters-ensure-metrics-fit-into-xCharInfo-.patch | 76 ++++++++++++++++++++ meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb | 1 + 2 files changed, 77 insertions(+) create mode 100644 meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch new file mode 100644 index 0000000..5187788 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch @@ -0,0 +1,76 @@ +From 2351c83a77a478b49cba6beb2ad386835e264744 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri, 6 Mar 2015 22:54:58 -0800 +Subject: [PATCH] bdfReadCharacters: ensure metrics fit into xCharInfo struct + [CVE-2015-1804] + +We use 32-bit ints to read from the bdf file, but then try to stick +into a 16-bit int in the xCharInfo struct, so make sure they won't +overflow that range. + +Found by afl-1.24b. + +v2: Verify that additions won't overflow 32-bit int range either. +v3: As Julien correctly observes, the previous check for bh & bw not + being < 0 reduces the number of cases we need to check for overflow. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> +--- + src/bitmap/bdfread.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c +index 1b29b81..a0ace8f 100644 +--- a/src/bitmap/bdfread.c ++++ b/src/bitmap/bdfread.c +@@ -62,8 +62,16 @@ from The Open Group. + + #if HAVE_STDINT_H + #include <stdint.h> +-#elif !defined(INT32_MAX) +-#define INT32_MAX 0x7fffffff ++#else ++# ifndef INT32_MAX ++# define INT32_MAX 0x7fffffff ++# endif ++# ifndef INT16_MAX ++# define INT16_MAX 0x7fff ++# endif ++# ifndef INT16_MIN ++# define INT16_MIN (0 - 0x8000) ++# endif + #endif + + #define INDICES 256 +@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, + bdfError("DWIDTH y value must be zero\n"); + goto BAILOUT; + } ++ /* xCharInfo metrics are stored as INT16 */ ++ if ((wx < 0) || (wx > INT16_MAX)) { ++ bdfError("character '%s' has out of range width, %d\n", ++ charName, wx); ++ goto BAILOUT; ++ } + line = bdfGetLine(file, lineBuf, BDFLINELEN); + if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) { + bdfError("bad 'BBX'\n"); +@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, + charName, bw, bh); + goto BAILOUT; + } ++ /* xCharInfo metrics are read as int, but stored as INT16 */ ++ if ((bl > INT16_MAX) || (bl < INT16_MIN) || ++ (bb > INT16_MAX) || (bb < INT16_MIN) || ++ (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) { ++ bdfError("character '%s' has out of range metrics, %d %d %d %d\n", ++ charName, bl, (bl+bw), (bh+bb), -bb); ++ goto BAILOUT; ++ } + line = bdfGetLine(file, lineBuf, BDFLINELEN); + if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) { + for (p = line + strlen("ATTRIBUTES "); +-- +1.7.9.5 + diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb index 64ec6a3..dfd2dc6 100644 --- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb +++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb @@ -20,6 +20,7 @@ BBCLASSEXTEND = "native" SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \ file://0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch \ + file://0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch \ " SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb" -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 5+ messages in thread
* Re: [PATCH 3/3] libxfont: Security Advisory - libxfont - CVE-2015-1804 2015-04-24 2:19 ` [PATCH 3/3] libxfont: Security Advisory - libxfont - CVE-2015-1804 Li Zhou @ 2015-04-24 10:16 ` Richard Purdie 2015-04-27 3:03 ` Zhou, Li 0 siblings, 1 reply; 5+ messages in thread From: Richard Purdie @ 2015-04-24 10:16 UTC (permalink / raw) To: Li Zhou; +Cc: openembedded-core On Fri, 2015-04-24 at 10:19 +0800, Li Zhou wrote: > bdfReadCharacters: ensure metrics fit into xCharInfo struct > > We use 32-bit ints to read from the bdf file, but then try to stick > into a 16-bit int in the xCharInfo struct, so make sure they won't > overflow that range. > > Signed-off-by: Li Zhou <li.zhou@windriver.com> > --- > ...acters-ensure-metrics-fit-into-xCharInfo-.patch | 76 ++++++++++++++++++++ > meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb | 1 + > 2 files changed, 77 insertions(+) > create mode 100644 meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch No Upstream-Status in 2/3 or 3/3. Cheers, Richard ^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH 3/3] libxfont: Security Advisory - libxfont - CVE-2015-1804 2015-04-24 10:16 ` Richard Purdie @ 2015-04-27 3:03 ` Zhou, Li 0 siblings, 0 replies; 5+ messages in thread From: Zhou, Li @ 2015-04-27 3:03 UTC (permalink / raw) To: Richard Purdie; +Cc: openembedded-core [-- Attachment #1: Type: text/plain, Size: 915 bytes --] Update the patches for adding Upstream-Status in 2/3 and 3/3. On 04/24/2015 06:16 PM, Richard Purdie wrote: > On Fri, 2015-04-24 at 10:19 +0800, Li Zhou wrote: >> bdfReadCharacters: ensure metrics fit into xCharInfo struct >> >> We use 32-bit ints to read from the bdf file, but then try to stick >> into a 16-bit int in the xCharInfo struct, so make sure they won't >> overflow that range. >> >> Signed-off-by: Li Zhou <li.zhou@windriver.com> >> --- >> ...acters-ensure-metrics-fit-into-xCharInfo-.patch | 76 ++++++++++++++++++++ >> meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb | 1 + >> 2 files changed, 77 insertions(+) >> create mode 100644 meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch > No Upstream-Status in 2/3 or 3/3. > > Cheers, > > Richard > -- Best Regards! Zhou Li Phone number: 86-10-84778511 [-- Attachment #2: 0001-libxfont-Security-Advisory-libxfont-CVE-2015-1802.patch --] [-- Type: text/x-patch, Size: 3185 bytes --] From effa7442a818879923e2d143f512615e8bd33056 Mon Sep 17 00:00:00 2001 From: Li Zhou <li.zhou@windriver.com> Date: Thu, 23 Apr 2015 17:20:06 +0800 Subject: [PATCH 1/3] libxfont: Security Advisory - libxfont - CVE-2015-1802 bdfReadProperties: property count needs range check Avoid integer overflow or underflow when allocating memory arrays by multiplying the number of properties reported for a BDF font. Signed-off-by: Li Zhou <li.zhou@windriver.com> --- ...erties-property-count-needs-range-check-C.patch | 38 ++++++++++++++++++++ meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb | 3 ++ 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch new file mode 100644 index 0000000..0779c26 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadProperties-property-count-needs-range-check-C.patch @@ -0,0 +1,38 @@ +From 2deda9906480f9c8ae07b8c2a5510cc7e4c59a8e Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri, 6 Feb 2015 15:50:45 -0800 +Subject: [PATCH] bdfReadProperties: property count needs range check + [CVE-2015-1802] + +Avoid integer overflow or underflow when allocating memory arrays +by multiplying the number of properties reported for a BDF font. + +Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> + +Upstream-Status: backport + +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + src/bitmap/bdfread.c | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c +index 914a024..6387908 100644 +--- a/src/bitmap/bdfread.c ++++ b/src/bitmap/bdfread.c +@@ -604,7 +604,9 @@ bdfReadProperties(FontFilePtr file, FontPtr pFont, bdfFileState *pState) + bdfError("missing 'STARTPROPERTIES'\n"); + return (FALSE); + } +- if (sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) { ++ if ((sscanf((char *) line, "STARTPROPERTIES %d", &nProps) != 1) || ++ (nProps <= 0) || ++ (nProps > ((INT32_MAX / sizeof(FontPropRec)) - BDF_GENPROPS))) { + bdfError("bad 'STARTPROPERTIES'\n"); + return (FALSE); + } +-- +1.7.9.5 + diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb index ef0bde2..4a3c9b7 100644 --- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb +++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb @@ -18,5 +18,8 @@ XORG_PN = "libXfont" BBCLASSEXTEND = "native" +SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \ + " + SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb" SRC_URI[sha256sum] = "3a3c52c4adf9352b2160f07ff0596af17ab14f91d6509564e606678a1261c25f" -- 1.7.9.5 [-- Attachment #3: 0002-libxfont-Security-Advisory-libxfont-CVE-2015-1803.patch --] [-- Type: text/x-patch, Size: 3188 bytes --] From cd5efd9d1bea0671adebc4fca836fd6353ac0234 Mon Sep 17 00:00:00 2001 From: Li Zhou <li.zhou@windriver.com> Date: Mon, 27 Apr 2015 10:49:22 +0800 Subject: [PATCH 2/3] libxfont: Security Advisory - libxfont - CVE-2015-1803 bdfReadCharacters: bailout if a char's bitmap cannot be read Previously would charge on ahead with a NULL pointer in ci->bits, and then crash later in FontCharInkMetrics() trying to access the bits. Signed-off-by: Li Zhou <li.zhou@windriver.com> --- ...acters-bailout-if-a-char-s-bitmap-cannot-.patch | 40 ++++++++++++++++++++ meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb | 1 + 2 files changed, 41 insertions(+) create mode 100644 meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch new file mode 100644 index 0000000..cc66c12 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch @@ -0,0 +1,40 @@ +From 78c2e3d70d29698244f70164428bd2868c0ab34c Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri, 6 Feb 2015 15:54:00 -0800 +Subject: [PATCH] bdfReadCharacters: bailout if a char's bitmap cannot be read + [CVE-2015-1803] + +Previously would charge on ahead with a NULL pointer in ci->bits, and +then crash later in FontCharInkMetrics() trying to access the bits. + +Found with afl-1.23b. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> + +Upstream-Status: backport + +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + src/bitmap/bdfread.c | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c +index 6387908..1b29b81 100644 +--- a/src/bitmap/bdfread.c ++++ b/src/bitmap/bdfread.c +@@ -458,7 +458,10 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, + ci->metrics.descent = -bb; + ci->metrics.characterWidth = wx; + ci->bits = NULL; +- bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes); ++ if (!bdfReadBitmap(ci, file, bit, byte, glyph, scan, bitmapsSizes)) { ++ bdfError("could not read bitmap for character '%s'\n", charName); ++ goto BAILOUT; ++ } + ci++; + ndx++; + } else +-- +1.7.9.5 + diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb index 4a3c9b7..64ec6a3 100644 --- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb +++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb @@ -19,6 +19,7 @@ XORG_PN = "libXfont" BBCLASSEXTEND = "native" SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \ + file://0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch \ " SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb" -- 1.7.9.5 [-- Attachment #4: 0003-libxfont-Security-Advisory-libxfont-CVE-2015-1804.patch --] [-- Type: text/x-patch, Size: 4669 bytes --] From 994f2f34c54d9bbb26e6f8546f4bc34131d328f0 Mon Sep 17 00:00:00 2001 From: Li Zhou <li.zhou@windriver.com> Date: Mon, 27 Apr 2015 10:54:22 +0800 Subject: [PATCH 3/3] libxfont: Security Advisory - libxfont - CVE-2015-1804 bdfReadCharacters: ensure metrics fit into xCharInfo struct We use 32-bit ints to read from the bdf file, but then try to stick into a 16-bit int in the xCharInfo struct, so make sure they won't overflow that range. Signed-off-by: Li Zhou <li.zhou@windriver.com> --- ...acters-ensure-metrics-fit-into-xCharInfo-.patch | 80 ++++++++++++++++++++ meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb | 1 + 2 files changed, 81 insertions(+) create mode 100644 meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch diff --git a/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch new file mode 100644 index 0000000..b64f1d9 --- /dev/null +++ b/meta/recipes-graphics/xorg-lib/libxfont/0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch @@ -0,0 +1,80 @@ +From 2351c83a77a478b49cba6beb2ad386835e264744 Mon Sep 17 00:00:00 2001 +From: Alan Coopersmith <alan.coopersmith@oracle.com> +Date: Fri, 6 Mar 2015 22:54:58 -0800 +Subject: [PATCH] bdfReadCharacters: ensure metrics fit into xCharInfo struct + [CVE-2015-1804] + +We use 32-bit ints to read from the bdf file, but then try to stick +into a 16-bit int in the xCharInfo struct, so make sure they won't +overflow that range. + +Found by afl-1.24b. + +v2: Verify that additions won't overflow 32-bit int range either. +v3: As Julien correctly observes, the previous check for bh & bw not + being < 0 reduces the number of cases we need to check for overflow. + +Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> +Reviewed-by: Julien Cristau <jcristau@debian.org> + +Upstream-Status: backport + +Signed-off-by: Li Zhou <li.zhou@windriver.com> +--- + src/bitmap/bdfread.c | 26 ++++++++++++++++++++++++-- + 1 file changed, 24 insertions(+), 2 deletions(-) + +diff --git a/src/bitmap/bdfread.c b/src/bitmap/bdfread.c +index 1b29b81..a0ace8f 100644 +--- a/src/bitmap/bdfread.c ++++ b/src/bitmap/bdfread.c +@@ -62,8 +62,16 @@ from The Open Group. + + #if HAVE_STDINT_H + #include <stdint.h> +-#elif !defined(INT32_MAX) +-#define INT32_MAX 0x7fffffff ++#else ++# ifndef INT32_MAX ++# define INT32_MAX 0x7fffffff ++# endif ++# ifndef INT16_MAX ++# define INT16_MAX 0x7fff ++# endif ++# ifndef INT16_MIN ++# define INT16_MIN (0 - 0x8000) ++# endif + #endif + + #define INDICES 256 +@@ -417,6 +425,12 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, + bdfError("DWIDTH y value must be zero\n"); + goto BAILOUT; + } ++ /* xCharInfo metrics are stored as INT16 */ ++ if ((wx < 0) || (wx > INT16_MAX)) { ++ bdfError("character '%s' has out of range width, %d\n", ++ charName, wx); ++ goto BAILOUT; ++ } + line = bdfGetLine(file, lineBuf, BDFLINELEN); + if ((!line) || (sscanf((char *) line, "BBX %d %d %d %d", &bw, &bh, &bl, &bb) != 4)) { + bdfError("bad 'BBX'\n"); +@@ -427,6 +441,14 @@ bdfReadCharacters(FontFilePtr file, FontPtr pFont, bdfFileState *pState, + charName, bw, bh); + goto BAILOUT; + } ++ /* xCharInfo metrics are read as int, but stored as INT16 */ ++ if ((bl > INT16_MAX) || (bl < INT16_MIN) || ++ (bb > INT16_MAX) || (bb < INT16_MIN) || ++ (bw > (INT16_MAX - bl)) || (bh > (INT16_MAX - bb))) { ++ bdfError("character '%s' has out of range metrics, %d %d %d %d\n", ++ charName, bl, (bl+bw), (bh+bb), -bb); ++ goto BAILOUT; ++ } + line = bdfGetLine(file, lineBuf, BDFLINELEN); + if ((line) && (bdfIsPrefix(line, "ATTRIBUTES"))) { + for (p = line + strlen("ATTRIBUTES "); +-- +1.7.9.5 + diff --git a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb index 64ec6a3..dfd2dc6 100644 --- a/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb +++ b/meta/recipes-graphics/xorg-lib/libxfont_1.5.0.bb @@ -20,6 +20,7 @@ BBCLASSEXTEND = "native" SRC_URI += "file://0001-bdfReadProperties-property-count-needs-range-check-C.patch \ file://0001-bdfReadCharacters-bailout-if-a-char-s-bitmap-cannot-.patch \ + file://0001-bdfReadCharacters-ensure-metrics-fit-into-xCharInfo-.patch \ " SRC_URI[md5sum] = "664629bfa7cdf8b984155019fd395dcb" -- 1.7.9.5 ^ permalink raw reply related [flat|nested] 5+ messages in thread
end of thread, other threads:[~2015-04-27 3:03 UTC | newest] Thread overview: 5+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-04-24 2:19 [PATCH 1/3] libxfont: Security Advisory - libxfont - CVE-2015-1802 Li Zhou 2015-04-24 2:19 ` [PATCH 2/3] libxfont: Security Advisory - libxfont - CVE-2015-1803 Li Zhou 2015-04-24 2:19 ` [PATCH 3/3] libxfont: Security Advisory - libxfont - CVE-2015-1804 Li Zhou 2015-04-24 10:16 ` Richard Purdie 2015-04-27 3:03 ` Zhou, Li
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.