<<< Date Index >>>     <<< Thread Index >>>

Re: iDEFENSESecurityAdvisory02.10.04: XFree86FontInformationFileBufferOverflow



On Tue, 10 Feb 2004, iDefense Labs wrote:

> - - - From XFree86-4.2.1/xc/lib/font/fontfile/dirfile.c: 
>
> ReadFontAlias(char *directory, Bool isFile, FontDirectoryPtr *pdir)
> {
> char alias[MAXFONTNAMELEN]; 

>        switch (token) {
>        case NAME:
>          strcpy(alias, lexToken); 
> 
> If lexToken is longer than MAXFONTNAMELEN (1024 chars) an overflow 
> occurs. 

I note that this code also ocurs in Xvnc,
and that ReadFontAlias is essentially unchanged in XFree86 CVS since 
version 1.1, which has the CVS id string
/* $XConsortium: dirfile.c,v 1.11 94/04/17 20:17:01 gildea Exp $ */

I would expect that X servers from many vendors have the same 
vunerablility.

-- 
Dr. Andrew C. Aitchison         Computer Officer, DPMMS, Cambridge
A.C.Aitchison@xxxxxxxxxxxxxxx   http://www.dpmms.cam.ac.uk/~werdna