Bug 74297 - DoS in X font server
Status: CLOSED DUPLICATE of bug 66658
Product: Red Hat Linux
Classification: Retired
Component: XFree86
Hardware: i386 Linux
Priority: medium, Severity: medium
Assigned To: Mike A. Harris
David Lawrence
Reported: 2002-09-19 17:50 EDT by Eugene Kanter
Modified: 2007-04-18 12:46 EDT
Doc Type: Bug Fix
Last Closed: 2002-10-04 15:03:36 EDT
Description Eugene Kanter 2002-09-19 17:50:26 EDT
Description of Problem:

DoS in X font server.

How Reproducible:


Steps to Reproduce:

1. xfd -fn '-urw-helvetica-bold-r-normal--73727-*-*-*-*-*-*-*'

Actual Results:

xfs process crashes.

Expected Results:

xfs process does not crash.

Additional Information:
Quick and dirty patch to save from crash. Most likely does not address real problem.

--- xc/lib/font/util/fontxlfd.c.kad      Wed Sep 18 16:31:16 2002
+++ xc/lib/font/util/fontxlfd.c  Wed Sep 18 16:53:46 2002
@@ -412,6 +412,18 @@
           strchr(ptr + 1, '-'))/* charset_encoding */
       return FALSE;

+    /*
+       FIXME: kad@blackcatlinux.com
+       Check maximal pixel/point size of scalable font.
+       It must't be more than 8192 on most cases. (any other ideas ?)
+    */
+    if (tmpvals.pixel_matrix[3] < 0 || tmpvals.point_matrix[3] < 0)
+       return FALSE;
+    if (tmpvals.pixel_matrix[3] > 0 && tmpvals.pixel_matrix[3] > 8192)
+       return FALSE;
+    if (tmpvals.point_matrix[3] > 0 && tmpvals.point_matrix[3] > 8192)
+       return FALSE;
    /* Lop off HP charset subsetting enhancement.  Interpreting this
       field requires allocating some space in which to return the
       results.  So, to prevent memory leaks, this procedure will simply
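Review bot: The three added checks bound only element [3] of `pixel_matrix` and `point_matrix`; the other matrix elements are not limited by these lines, which fits the submitter's own remark that the patch most likely does not address the real problem. The limit 8192 is an unexplained literal used twice and would be better as a named constant with a comment giving its rationale. The `> 0 &&` halves of the last two conditions are redundant, since any value above 8192 is already positive. The first check also rejects every negative [3] value outright, which is a behaviour change beyond the crash fix and should be justified in the comment or dropped. The FIXME comment contains a typo ("must't").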
Comment 1 Mike A. Harris 2002-09-21 05:13:59 EDT
Known issue.  At this point in time, there is no fix available which
is considered correct.  Unfortunately the people with the expertise
in the area of code which allows this problem, are not interested in
fixing it and providing a patch.

Future XFree86 releases will be totally replacing the affected code
with completely new code, however such a solution is not viable for
existing XFree86 releases.

This issue continues to be in limbo awaiting a proper fix which both
solves the problem, and does not create any usability issues or
impede application usage.  Any given fix will need to be approved
by XFree86.org before applying to our sources as well.
Comment 2 Eugene Kanter 2002-09-23 10:05:35 EDT
There are real applications on the NET which trigger this bug. There might be
bugs in applications but xfs should not crash. Until the "proper" fix is found
please provide ANY fix to cure the crash.

Comment 3 Kostas Georgiou 2002-10-04 13:36:01 EDT
A quick fix for now will be to start xfs in a wrapper that will restart it in
case it dies (similar to safe_mysqld).
Comment 4 Leonid Kanter 2002-10-04 15:03:29 EDT
If xfs dies the socket is closed. To connect your Xserver to a new instance of xfs
you should type xset +fp ... or even restart your Xserver.
Comment 5 Mike A. Harris 2002-11-03 04:12:21 EST
Closing bug as duplicate

*** This bug has been marked as a duplicate of 66658 ***
