File u_0009-CVE-2014-0210-unvalidated-length-fields-in-fs_read_e.patch of Package libXfont.1655

From 97c27af9e2dcb6127f7030f0bd35e9034e464f0f Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Fri, 25 Apr 2014 23:03:05 -0700
Subject: [PATCH:libXfont 09/12] CVE-2014-XXXB: unvalidated length fields in
 fs_read_extent_info()

Looping over the extents in the reply could go past the end of the
reply buffer if the reply indicated more extents than could fit in
the specified reply length.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Adam Jackson <ajax@redhat.com>
Reviewed-by: Matthieu Herrb <matthieu@herrb.eu>
---
 src/fc/fserve.c |   10 ++++++++++
 1 file changed, 10 insertions(+)

diff --git a/src/fc/fserve.c b/src/fc/fserve.c
index 96abd0e..232e969 100644
--- a/src/fc/fserve.c
+++ b/src/fc/fserve.c
@@ -1059,6 +1059,16 @@ fs_read_extent_info(FontPathElementPtr fpe, FSBlockDataPtr blockrec)
 #endif
 	pCI = NULL;
     }
+    else if (numExtents > ((rep->length - LENGTHOF(fsQueryXExtents16Reply))
+			    / LENGTHOF(fsXCharInfo))) {
+#ifdef DEBUG
+	fprintf(stderr,
+		"fsQueryXExtents16: numExtents (%d) > (%d - %d) / %d\n",
+		numExtents, rep->length,
+		LENGTHOF(fsQueryXExtents16Reply), LENGTHOF(fsXCharInfo));
+#endif
+	pCI = NULL;
+    }
     else
 	pCI = malloc(sizeof(CharInfoRec) * numInfos);
 
-- 
1.7.9.2