> switch (token) {
> case NAME:
> strcpy(alias, lexToken);
>
> If lexToken is longer than MAXFONTNAMELEN (1024 chars) an overflow
> occurs.
I note that this code also ocurs in Xvnc,
and that ReadFontAlias is essentially unchanged in XFree86 CVS since
version 1.1, which has the CVS id string
/* $XConsortium: dirfile.c,v 1.11 94/04/17 20:17:01 gildea Exp $ */
I would expect that X servers from many vendors have the same
vunerablility.
--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
A.C.Aitchison (at) dpmms.cam.ac (dot) uk [email concealed] http://www.dpmms.cam.ac.uk/~werdna
> - - - From XFree86-4.2.1/xc/lib/font/fontfile/dirfile.c:
>
> ReadFontAlias(char *directory, Bool isFile, FontDirectoryPtr *pdir)
> {
> char alias[MAXFONTNAMELEN];
> switch (token) {
> case NAME:
> strcpy(alias, lexToken);
>
> If lexToken is longer than MAXFONTNAMELEN (1024 chars) an overflow
> occurs.
I note that this code also ocurs in Xvnc,
and that ReadFontAlias is essentially unchanged in XFree86 CVS since
version 1.1, which has the CVS id string
/* $XConsortium: dirfile.c,v 1.11 94/04/17 20:17:01 gildea Exp $ */
I would expect that X servers from many vendors have the same
vunerablility.
--
Dr. Andrew C. Aitchison Computer Officer, DPMMS, Cambridge
A.C.Aitchison (at) dpmms.cam.ac (dot) uk [email concealed] http://www.dpmms.cam.ac.uk/~werdna
[ reply ]