guix/gnu/packages/patches/libxfont-CVE-2017-13720.patch
Marius Bakke 97ecd75e28
gnu: libxfont: Fix CVE-2017-13720, CVE-2017-13722.
* gnu/packages/patches/libxfont-CVE-2017-13720.patch,
  gnu/packages/patches/libxfont-CVE-2017-13722.patch: New files.
* gnu/local.mk (dist_patch_DATA): Register them.
* gnu/packages/xorg.scm (libxfont, libxfont2)[source]: Use them.
2017-10-10 19:34:02 +02:00

36 lines
1.1 KiB
Diff

Fix CVE-2017-13720.
Copied from upstream source repository:
<https://cgit.freedesktop.org/xorg/lib/libXfont/commit/?id=d1e670a4a8704b8708e493ab6155589bcd570608>
From d1e670a4a8704b8708e493ab6155589bcd570608 Mon Sep 17 00:00:00 2001
From: Michal Srb <msrb@suse.com>
Date: Thu, 20 Jul 2017 13:38:53 +0200
Subject: Check for end of string in PatternMatch (CVE-2017-13720)
If a pattern contains '?' character, any character in the string is skipped,
even if it is '\0'. The rest of the matching then reads invalid memory.
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
Signed-off-by: Julien Cristau <jcristau@debian.org>
diff --git a/src/fontfile/fontdir.c b/src/fontfile/fontdir.c
index 4ce2473..996b7d1 100644
--- a/src/fontfile/fontdir.c
+++ b/src/fontfile/fontdir.c
@@ -400,8 +400,10 @@ PatternMatch(char *pat, int patdashes, char *string, int stringdashes)
}
}
case '?':
- if (*string++ == XK_minus)
+ if ((t = *string++) == XK_minus)
stringdashes--;
+ if (!t)
+ return 0;
break;
case '\0':
return (*string == '\0');
--
cgit v0.10.2