Bug 8005

Summary: X Server CID-keyed Fonts 'CIDAFM()' Integer Overflow Vulnerability
Product: xorg
Reporter: Alan Coopersmith <alan.coopersmith>
Component: Lib/Xfont
Assignee: X.Org Security <xorg_security>
Status: RESOLVED DUPLICATE
QA Contact:
Severity: blocker
Priority: highest
CC: ajax, xorg_security
Version: git
Hardware: All
OS: All
Whiteboard:
Attachments:
Patch against git head lib/libXfont/src/Type1/afm.c (Flags: none)

Description Alan Coopersmith 2006-08-25 11:21:17 UTC
Per iDefense [IDEF1751]:

The vulnerability specifically exists in the 'CIDAFM()' function of the code 
responsible for handling AFM (Adobe Font Metrics) files. The number of character 
metrics is obtained from the "StartCharMetrics" line of an AFM file and that 
value is then multiplied by the size of a single character metric record in 
order to calculate the space required to store the metrics. If the result of the 
multiplication is larger than the largest value that can be held in an integer, 
the amount actually allocated will be much smaller. Following this, the function 
attempts to read as many metric records as were specified on the line into that 
memory. As the contents of the file can be specified by a local user, and as the 
function will stop reading if an error is detected in the input, a controlled 
heap overflow may occur which may allow the execution of arbitrary code.
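The allocation arithmetic the advisory describes, shown as an added illustration that is not libXfont's afm.c: a stand-in metric record, the unchecked count * sizeof(record) computation modelled in 32-bit arithmetic (as on the 32-bit platforms of the era), the hardened check a reviewer would expect, and a small parser for the StartCharMetrics section built on the checked version. All names here (metric_t, metrics_bytes_unchecked, metrics_bytes_checked, parse_char_metrics) and both AFM text samples are constructed for this example and are not taken from libXfont or from the iDefense report.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical per-character metric record; stands in for libXfont's real
 * one. With int,int,char[32] it is 40 bytes on common ABIs. */
typedef struct {
    int  code;      /* C  field of an AFM char-metrics line  */
    int  width;     /* WX field */
    char name[32];  /* N  field */
} metric_t;

/* Model a 32-bit size_t so the wrap is reproducible on any host. */
#define AFM_SIZE_MAX UINT32_MAX

/* Vulnerable sizing, as the advisory describes: the count from the
 * StartCharMetrics line times the record size, with no overflow check.
 * Returns the (possibly wrapped) byte count the allocator would receive. */
uint32_t metrics_bytes_unchecked(uint32_t count) {
    return count * (uint32_t)sizeof(metric_t);
}

/* Hardened sizing: reject non-positive counts and any count whose product
 * would not fit. Returns 0 on rejection (never a valid request otherwise). */
uint32_t metrics_bytes_checked(long count) {
    if (count <= 0 || (uint64_t)count > AFM_SIZE_MAX / sizeof(metric_t))
        return 0;
    return (uint32_t)count * (uint32_t)sizeof(metric_t);
}

/* Parse a minimal CharMetrics section from an in-memory AFM buffer using the
 * checked sizing. Reads at most `count` records and stops at EndCharMetrics
 * or the first malformed line. Returns the number of records read, or -1 on
 * error (including a rejected count); on success the caller frees *out. */
long parse_char_metrics(const char *afm, metric_t **out) {
    const char *p = strstr(afm, "StartCharMetrics");
    long count, n = 0;
    *out = NULL;
    if (!p || sscanf(p, "StartCharMetrics %ld", &count) != 1)
        return -1;
    uint32_t bytes = metrics_bytes_checked(count);
    if (bytes == 0)
        return -1;                       /* hostile or absurd count: refuse */
    metric_t *m = calloc(1, bytes);
    if (!m)
        return -1;
    p = strchr(p, '\n');
    while (p && n < count) {             /* never writes past `count` records */
        p++;                             /* first char of the next line */
        if (strncmp(p, "EndCharMetrics", 14) == 0)
            break;
        if (sscanf(p, "C %d ; WX %d ; N %31s ;",
                   &m[n].code, &m[n].width, m[n].name) != 3) {
            free(m);                     /* stop at the first bad record */
            return -1;
        }
        n++;
        p = strchr(p, '\n');
    }
    *out = m;
    return n;
}

/* Constructed sample input: a well-formed fragment and a hostile one whose
 * count wraps the unchecked 32-bit product to 24 bytes. */
static const char SAMPLE_AFM[] =
    "StartFontMetrics 4.1\n"
    "FontName Example-Roman\n"
    "StartCharMetrics 3\n"
    "C 32 ; WX 250 ; N space ;\n"
    "C 65 ; WX 722 ; N A ;\n"
    "C 66 ; WX 667 ; N B ;\n"
    "EndCharMetrics\n"
    "EndFontMetrics\n";

static const char HOSTILE_AFM[] =
    "StartFontMetrics 4.1\n"
    "StartCharMetrics 107374183\n"
    "C 32 ; WX 250 ; N space ;\n"
    "C 65 ; WX 722 ; N A ;\n"
    "EndCharMetrics\n";

int main(void) {
    metric_t *m;
    printf("unchecked bytes for hostile count: %u\n",
           metrics_bytes_unchecked(107374183u));
    printf("checked bytes for hostile count:   %u\n",
           metrics_bytes_checked(107374183));
    printf("sample parse: %ld records\n", parse_char_metrics(SAMPLE_AFM, &m));
    free(m);
    printf("hostile parse: %ld\n", parse_char_metrics(HOSTILE_AFM, &m));
    return 0;
}
```

With a 40-byte record, a count of 107374183 multiplies to 4294967320, which wraps to 24 in 32-bit arithmetic: less than one record, so the unchecked code would hand the allocator a 24-byte request and then try to fill it with as many records as the file supplies. The checked version compares the count against AFM_SIZE_MAX / sizeof(metric_t) before multiplying and refuses the file.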
Comment 1 Alan Coopersmith 2006-08-25 13:57:21 UTC
Looks like this code came in the SGI CID support donated to XFree86 in 1999,
during the 3.9 development releases, so would be present in XFree86 4.0 & later
and X11R6.7 & later.
Comment 2 Alan Coopersmith 2006-08-25 15:07:19 UTC
Created attachment 6692 [details] [review]
Patch against git head lib/libXfont/src/Type1/afm.c

I think this should close the hole, but haven't been successful in getting Xorg
to load a CID-keyed font to verify.
Comment 3 Alan Coopersmith 2006-08-28 14:16:26 UTC

*** This bug has been marked as a duplicate of 8001 ***
