CVE-2026-56001, CVE-2026-56002, CVE-2026-56003 Resolves: https://redhat.atlassian.net/browse/RHEL-191877 Resolves: https://redhat.atlassian.net/browse/RHEL-191928 Resolves: https://redhat.atlassian.net/browse/RHEL-191948
72 lines
2.5 KiB
Diff
72 lines
2.5 KiB
Diff
From be0b08e2d354138d3222b4490e2a77c6ee42f778 Mon Sep 17 00:00:00 2001
|
|
From: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Date: Mon, 1 Jun 2026 16:46:10 +1000
|
|
Subject: [PATCH libXfont 1/3] bitscale: fix integer overflow in
|
|
BitmapScaleBitmaps bytestoalloc
|
|
|
|
bytestoalloc is declared as unsigned int (32-bit). When the sum of
|
|
per-glyph byte counts exceeds 2^32, the value wraps around and calloc()
|
|
allocates a buffer that is too small. The subsequent ScaleBitmap loop
|
|
then writes past the end of the allocated buffer.
|
|
|
|
Change bytestoalloc from unsigned int to size_t to match the actual
|
|
allocation size type, and add an explicit overflow check in the
|
|
accumulation loop to bail out if the total would exceed SIZE_MAX.
|
|
|
|
This vulnerability was discovered by:
|
|
Anonymous working with TrendAI Zero Day Initiative
|
|
|
|
CVE-2026-56001/ZDI-CAN-30558
|
|
|
|
Assisted-by: Claude:claude-opus-4-6
|
|
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
|
|
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34>
|
|
---
|
|
src/bitmap/bitscale.c | 23 ++++++++++++++++++++---
|
|
1 file changed, 20 insertions(+), 3 deletions(-)
|
|
|
|
diff --git a/src/bitmap/bitscale.c b/src/bitmap/bitscale.c
|
|
index 3f3c10e..5f465d1 100644
|
|
--- a/src/bitmap/bitscale.c
|
|
+++ b/src/bitmap/bitscale.c
|
|
@@ -1456,7 +1456,7 @@ BitmapScaleBitmaps(FontPtr pf, /* scaled font */
|
|
opci;
|
|
FontInfoPtr pfi;
|
|
int glyph;
|
|
- unsigned bytestoalloc = 0;
|
|
+ size_t bytestoalloc = 0;
|
|
int firstCol, lastCol, firstRow, lastRow;
|
|
|
|
double xform[4], inv_xform[4];
|
|
@@ -1483,8 +1483,25 @@ BitmapScaleBitmaps(FontPtr pf, /* scaled font */
|
|
glyph = pf->glyph;
|
|
for (i = 0; i < nchars; i++)
|
|
{
|
|
- if ((pci = ACCESSENCODING(bitmapFont->encoding, i)))
|
|
- bytestoalloc += BYTES_FOR_GLYPH(pci, glyph);
|
|
+ if ((pci = ACCESSENCODING(bitmapFont->encoding, i))) {
|
|
+ size_t glyphsize = BYTES_FOR_GLYPH(pci, glyph);
|
|
+ if (bytestoalloc > SIZE_MAX - glyphsize) {
|
|
+ fprintf(stderr,
|
|
+ "Error: bitmap allocation overflow for scaled font\n");
|
|
+ goto bail;
|
|
+ }
|
|
+ bytestoalloc += glyphsize;
|
|
+ }
|
|
+ }
|
|
+
|
|
+ /* Reject unreasonably large bitmap allocations that could result
|
|
+ * from malicious fonts with extreme scale factors. 256 MiB is
|
|
+ * far beyond any legitimate scaled bitmap font. */
|
|
+#define BITMAP_SCALE_MAX_ALLOC (256 * 1024 * 1024)
|
|
+ if (bytestoalloc > BITMAP_SCALE_MAX_ALLOC) {
|
|
+ fprintf(stderr,
|
|
+ "Error: scaled bitmap size %zu exceeds limit\n", bytestoalloc);
|
|
+ goto bail;
|
|
}
|
|
|
|
/* Do we add the font malloc stuff for VALUE ADDED ? */
|
|
--
|
|
2.55.0
|
|
|