libXfont2/0001-bitscale-fix-integer-overflow-in-BitmapScaleBitmaps-.patch
2026-07-08 15:55:17 +02:00

72 lines
2.5 KiB
Diff

From be0b08e2d354138d3222b4490e2a77c6ee42f778 Mon Sep 17 00:00:00 2001
From: Peter Hutterer <peter.hutterer@who-t.net>
Date: Mon, 1 Jun 2026 16:46:10 +1000
Subject: [PATCH libXfont 1/3] bitscale: fix integer overflow in
BitmapScaleBitmaps bytestoalloc
bytestoalloc is declared as unsigned int (32-bit). When the sum of
per-glyph byte counts exceeds 2^32, the value wraps around and calloc()
allocates a buffer that is too small. The subsequent ScaleBitmap loop
then writes past the end of the allocated buffer.
Change bytestoalloc from unsigned int to size_t to match the actual
allocation size type, and add an explicit overflow check in the
accumulation loop to bail out if the total would exceed SIZE_MAX.
This vulnerability was discovered by:
Anonymous working with TrendAI Zero Day Initiative
CVE-2026-56001/ZDI-CAN-30558
Assisted-by: Claude:claude-opus-4-6
Signed-off-by: Peter Hutterer <peter.hutterer@who-t.net>
Part-of: <https://gitlab.freedesktop.org/xorg/lib/libxfont/-/merge_requests/34>
---
src/bitmap/bitscale.c | 23 ++++++++++++++++++++---
1 file changed, 20 insertions(+), 3 deletions(-)
diff --git a/src/bitmap/bitscale.c b/src/bitmap/bitscale.c
index 3f3c10e..5f465d1 100644
--- a/src/bitmap/bitscale.c
+++ b/src/bitmap/bitscale.c
@@ -1456,7 +1456,7 @@ BitmapScaleBitmaps(FontPtr pf, /* scaled font */
opci;
FontInfoPtr pfi;
int glyph;
- unsigned bytestoalloc = 0;
+ size_t bytestoalloc = 0;
int firstCol, lastCol, firstRow, lastRow;
double xform[4], inv_xform[4];
@@ -1483,8 +1483,25 @@ BitmapScaleBitmaps(FontPtr pf, /* scaled font */
glyph = pf->glyph;
for (i = 0; i < nchars; i++)
{
- if ((pci = ACCESSENCODING(bitmapFont->encoding, i)))
- bytestoalloc += BYTES_FOR_GLYPH(pci, glyph);
+ if ((pci = ACCESSENCODING(bitmapFont->encoding, i))) {
+ size_t glyphsize = BYTES_FOR_GLYPH(pci, glyph);
+ if (bytestoalloc > SIZE_MAX - glyphsize) {
+ fprintf(stderr,
+ "Error: bitmap allocation overflow for scaled font\n");
+ goto bail;
+ }
+ bytestoalloc += glyphsize;
+ }
+ }
+
+ /* Reject unreasonably large bitmap allocations that could result
+ * from malicious fonts with extreme scale factors. 256 MiB is
+ * far beyond any legitimate scaled bitmap font. */
+#define BITMAP_SCALE_MAX_ALLOC (256 * 1024 * 1024)
+ if (bytestoalloc > BITMAP_SCALE_MAX_ALLOC) {
+ fprintf(stderr,
+ "Error: scaled bitmap size %zu exceeds limit\n", bytestoalloc);
+ goto bail;
}
/* Do we add the font malloc stuff for VALUE ADDED ? */
--
2.55.0