XFree86 fbglyph Denial of Service Vulnerability
Solution: A patch is available:
Index: fbglyph.c
===================================================================
RCS file: /xf86/xc/programs/Xserver/fb/fbglyph.c,v
retrieving revision 1.11
retrieving revision 1.12
diff -u -r1.11 -r1.12
--- fbglyph.c 2001/05/29 04:54:09 1.11
+++ fbglyph.c 2001/09/07 15:16:00 1.12
@@ -34,9 +34,19 @@
 int height)
 {
 BoxRec box;
+ BoxPtr pExtents = REGION_EXTENTS (0, pRegion);
- if (x + width < 0) return FALSE;
- if (y + height < 0) return FALSE;
+ /*
+ * Check extents by hand to avoid 16 bit overflows
+ */
+ if (x < (int) pExtents->x1)
+ return FALSE;
+ if ((int) pExtents->x2 < x + width)
+ return FALSE;
+ if (y < (int) pExtents->y1)
+ return FALSE;
+ if ((int) pExtents->y2 < y + height)
+ return FALSE;
 box.x1 = x;
 box.x2 = x + width;
 box.y1 = y;
@@ -261,10 +271,10 @@
 FbBits, int, int);
- FbBits *dst;
- FbStride dstStride;
- int dstBpp;
- int dstXoff, dstYoff;
+ FbBits *dst = 0;
+ FbStride dstStride = 0;
+ int dstBpp = 0;
+ int dstXoff = 0, dstYoff = 0;
 glyph = 0;
 if (pGC->fillStyle == FillSolid && pPriv->and == 0)
@@ -352,10 +362,10 @@
 FbBits, int, int);
- FbBits *dst;
- FbStride dstStride;
- int dstBpp;
- int dstXoff, dstYoff;
+ FbBits *dst = 0;
+ FbStride dstStride = 0;
+ int dstBpp = 0;
+ int dstXoff = 0, dstYoff = 0;
 glyph = 0;
 if (pPriv->and == 0)
|
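Review bot: The upper-bound tests added in the first hunk still form `x + width` and `y + height` in `int` before comparing, so a coordinate near INT_MAX would overflow the sum before the extents check can reject it (assuming x, y and width are `int` like the visible `height` parameter). Bounding x against the extents first keeps the arithmetic within 16-bit range: `if (x > (int) pExtents->x2 || width > (int) pExtents->x2 - x) return FALSE;`, and the same form for y and height. The old `x + width < 0` tests are gone and nothing visible rejects a negative width or height, so `box.x2` could end up below `box.x1`; it is worth confirming that no caller passes one. The function's signature starts and its body continues outside the hunk.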
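Review bot: The zero initialisers added in the hunk at -261, and identically in the hunk at -352, carry no comment saying which path could read `dst`, `dstStride`, `dstBpp` or the offsets before they are assigned. If such a path is reachable, `dst` is now a null pointer there instead of stack garbage, which still ends in a server crash on dereference, so the declaration should state the reason, for example `/* zeroed: <reason, e.g. compiler warning or a path that skips the assignment> */`, and a reachable path would need an explicit guard rather than the initialiser. Writing the pointer as `FbBits *dst = NULL;` would also read more clearly than `= 0`. Both declaration blocks sit in functions that start and end outside the hunks.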