33 lines
1.0 KiB
Diff
33 lines
1.0 KiB
Diff
|
From d11ee5886e9d9ec610051a206b135a4cdc1e09a0 Mon Sep 17 00:00:00 2001
|
||
|
|
From: Thomas Hoger <thoger@redhat.com>
|
||
|
|
Date: Mon, 8 Aug 2011 18:03:09 +0200
|
||
|
|
Subject: [PATCH] LZW decompress: fix for CVE-2011-2895
|
||
|
|
|
||
|
|
Specially crafted LZW stream can crash an application using libXfont
|
||
|
|
that is used to open untrusted font files. With X server, this may
|
||
|
|
allow privilege escalation when exploited
|
||
|
|
|
||
|
|
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
|
||
|
|
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
|
||
|
|
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
|
||
|
|
---
|
||
|
|
src/fontfile/decompress.c | 2 ++
|
||
|
|
1 files changed, 2 insertions(+), 0 deletions(-)
|
||
|
|
|
||
|
|
diff --git a/src/fontfile/decompress.c b/src/fontfile/decompress.c
|
||
|
|
index b1fc37b..c8171dd 100644
|
||
|
|
--- a/src/fontfile/decompress.c
|
||
|
|
+++ b/src/fontfile/decompress.c
|
||
|
|
@@ -259,6 +259,8 @@ BufCompressedFill (BufFilePtr f)
|
||
|
|
*/
|
||
|
|
while ( code >= 256 )
|
||
|
|
{
|
||
|
|
+ if (stackp - de_stack >= STACK_SIZE - 1)
|
||
|
|
+ return BUFFILEEOF;
|
||
|
|
*stackp++ = file->tab_suffix[code];
|
||
|
|
code = file->tab_prefix[code];
|
||
|
|
}
|
||
|
|
--
|
||
|
|
1.7.4.1
|
||
|
|
|