Bug 8001 - cidafm() integer overflows
Product: xorg
Classification: Unclassified
Component: Server/General
Hardware: x86 (IA32) Linux (All)
Importance: high normal
Assigned To: X.Org Security
Keywords: security
Duplicates: 8005
Reported: 2006-08-25 08:55 UTC by Daniel Stone
Modified: 2006-09-13 15:48 UTC

Description Daniel Stone 2006-08-25 08:55:55 UTC
i'm so very happy.  no embargo date as yet.  quoting idefense:
Local exploitation of an integer overflow vulnerability in the 'CIDAFM()'
function in the X.Org and XFree86 X server could allow an attacker to
execute arbitrary code with privileges of the X server, typically root.

The vulnerability specifically exists in the 'CIDAFM()' function of the code
responsible for handling AFM (Adobe Font Metrics) files. The number of character
metrics is obtained from the "StartCharMetrics" line of an AFM file and that
value is then multiplied by the size of a single character metric record in
order to calculate the space required to store the metrics. If the result of the
multiplication is larger than the largest value that can be held in an integer,
the amount actually allocated will be much smaller. Following this, the function
attempts to read as many metric records as were specified on the line into that
memory. As the contents of the file can be specified by a local user, and as the
function will stop reading if an error is detected in the input, a controlled
heap overflow may occur which may allow the execution of arbitrary code.
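The allocation-size arithmetic the advisory describes, modelled in C as an added example; this is not the X.Org/XFree86 CIDAFM() code. The record layout (CharMetric), the function names and the sample AFM text are all made up for illustration. The unchecked path shows how a large "StartCharMetrics" count wraps to a small byte size, and the checked path shows the bound a parser should test before allocating.

```c
/* Added example (not the X.Org/XFree86 CIDAFM() code): models the
 * count * sizeof(record) overflow described in the report and a checked
 * replacement. Record layout, names and the sample AFM text are made up. */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <limits.h>
#include <stdio.h>

/* Hypothetical metric record: 4 + 4 + 32 = 40 bytes, no padding needed. */
typedef struct {
    int32_t code;
    int32_t width;
    unsigned char name[32];
} CharMetric;

/* Extract N from a "StartCharMetrics N" line; returns -1 if the line is
 * not a StartCharMetrics line or N is not a non-negative number. */
long parse_char_metrics_count(const char *line)
{
    static const char prefix[] = "StartCharMetrics";
    const size_t plen = sizeof prefix - 1;
    if (strncmp(line, prefix, plen) != 0)
        return -1;
    char *end;
    long n = strtol(line + plen, &end, 10);   /* skips the separating space */
    if (end == line + plen || n < 0)
        return -1;
    return n;
}

/* The vulnerable pattern: the byte size is computed in a 32-bit int.
 * Computed here with unsigned wraparound (signed overflow would be UB)
 * to reproduce the truncated value such int arithmetic yields. */
int32_t unchecked_alloc_size(int32_t count)
{
    uint32_t wrapped = (uint32_t)count * (uint32_t)sizeof(CharMetric);
    return (int32_t)wrapped;   /* 107374183 records -> 24 bytes */
}

/* Hardened replacement: refuse any count whose byte size does not fit in
 * size_t before the multiplication is ever performed. */
int checked_alloc_size(long count, size_t *bytes)
{
    if (count < 0 || (unsigned long)count > SIZE_MAX / sizeof(CharMetric))
        return 0;                                   /* would overflow: reject */
    *bytes = (size_t)count * sizeof(CharMetric);
    return 1;
}

/* Walk an AFM text line by line, find StartCharMetrics, and return the
 * number of records the checked path would allocate, or -1 if rejected. */
long metrics_to_allocate(const char *afm_text)
{
    const char *p = afm_text;
    while (*p) {
        const char *nl = strchr(p, '\n');
        size_t len = nl ? (size_t)(nl - p) : strlen(p);
        char line[128];
        if (len >= sizeof line)
            len = sizeof line - 1;
        memcpy(line, p, len);
        line[len] = '\0';
        long n = parse_char_metrics_count(line);
        if (n >= 0) {
            size_t bytes;
            if (!checked_alloc_size(n, &bytes))
                return -1;                  /* hostile count: stop here */
            CharMetric *m = malloc(bytes ? bytes : 1);
            if (!m)
                return -1;
            /* ... at most n records would be parsed into m here ... */
            free(m);
            return n;
        }
        if (!nl)
            break;
        p = nl + 1;
    }
    return -1;   /* no StartCharMetrics line found */
}

int main(void)
{
    /* Constructed sample inputs, not real font files. */
    const char *benign  = "StartFontMetrics 2.0\nStartCharMetrics 315\nC 32 ; WX 600 ; N space ;\n";
    const char *hostile = "StartFontMetrics 2.0\nStartCharMetrics 9223372036854775807\n";
    printf("benign:  %ld records\n", metrics_to_allocate(benign));
    printf("hostile: %ld (rejected)\n", metrics_to_allocate(hostile));
    printf("unchecked size for 107374183 records: %d bytes\n",
           unchecked_alloc_size(107374183));
    return 0;
}
```

The check divides rather than multiplies: comparing count against SIZE_MAX / sizeof(CharMetric) can never overflow itself, which is the property a pre-allocation bound needs. A modern calloc(count, size) performs the same check internally, but an explicit test keeps the rejection visible and lets the parser fail the file cleanly instead of relying on the allocator.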
Comment 1 Alan Coopersmith 2006-08-28 14:16:26 UTC
*** Bug 8005 has been marked as a duplicate of this bug. ***
Comment 2 Matthieu Herrb 2006-09-01 02:47:37 UTC
This is CVE-2006-3739
Comment 3 Alan Coopersmith 2006-09-13 15:48:29 UTC
Patches committed and advisory released.