From d11ee5886e9d9ec610051a206b135a4cdc1e09a0 Mon Sep 17 00:00:00 2001
From: Thomas Hoger <thoger@redhat.com>
Date: Mon, 08 Aug 2011 16:03:09 +0000
Subject: LZW decompress: fix for CVE-2011-2895
Specially crafted LZW stream can crash an application using libXfont
that is used to open untrusted font files. With X server, this may
allow privilege escalation when exploited
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Matthieu Herrb <matthieu.herrb@laas.fr>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
diff --git a/src/fontfile/decompress.c b/src/fontfile/decompress.c
index b1fc37b..c8171dd 100644
--- a/src/fontfile/decompress.c
+++ b/src/fontfile/decompress.c
@@ -259,6 +259,8 @@ BufCompressedFill (BufFilePtr f)
*/
while ( code >= 256 )
{
+ if (stackp - de_stack >= STACK_SIZE - 1)
+ return BUFFILEEOF;
*stackp++ = file->tab_suffix[code];
code = file->tab_prefix[code];
}
--
cgit v0.9.0.2-2-gbebe
distrib
>
Mageia
>
1
>
i586
>
media
>
core-updates-src
>
by-pkgid
>
0aa1526723140bf9ab43604cf631dfc2
>
files
>
2
