Bug 74297 - DoS in X font server
Summary: DoS in X font server
Keywords:
Status: CLOSED DUPLICATE of bug 66658
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: XFree86
Version: 8.0
Hardware: i386
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Mike A. Harris
QA Contact: David Lawrence
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2002-09-19 21:50 UTC by Eugene Kanter
Modified: 2007-04-18 16:46 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2002-10-04 19:03:36 UTC
Embargoed:

Attachments (Terms of Use)

Description Eugene Kanter 2002-09-19 21:50:26 UTC 
Description of Problem:

DoS in X font server.

How Reproducible:

always.

Steps to Reproduce:

1. xfd -fn '-urw-helvetica-bold-r-normal--73727-*-*-*-*-*-*-*'

Actual Results:

xfs process crashes.

Expected Results:

xfs process does not crash.

Additional Information:
	
Quick and dirty patch to save from crash. Most likely does not address real problem.

--- xc/lib/font/util/fontxlfd.c.kad      Wed Sep 18 16:31:16 2002
+++ xc/lib/font/util/fontxlfd.c  Wed Sep 18 16:53:46 2002
@@ -412,6 +412,18 @@
           strchr(ptr + 1, '-'))/* charset_encoding */
       return FALSE;

+    /*
+       FIXME: kad
+       Check maximal pixel/point size of scalable font.
+       It must't be more than 8192 on most cases. (any other ideas ?)
+    */
+    if (tmpvals.pixel_matrix[3] < 0 || tmpvals.point_matrix[3] < 0)
+       return FALSE;
+    if (tmpvals.pixel_matrix[3] > 0 && tmpvals.pixel_matrix[3] > 8192)
+       return FALSE;
+    if (tmpvals.point_matrix[3] > 0 && tmpvals.point_matrix[3] > 8192)
+       return FALSE;
+
    /* Lop off HP charset subsetting enhancement.  Interpreting this
       field requires allocating some space in which to return the
       results.  So, to prevent memory leaks, this procedure will simply
Comment 1 Mike A. Harris 2002-09-21 09:13:59 UTC 
Known issue.  At this point in time, there is no fix available which
is considered correct.  Unfortunately the people with the expertise
in the area of code which allows this problem, are not interested in
fixing it and providing a patch.

Future XFree86 releases will be totally replacing the affected code
with completely new code, however such a solution is not viable for
existing XFree86 releases.

This issue continues to be in limbo awaiting a proper fix which both
solves the problem, and does not create any useability issues or
impede application usage.  Any given fix will need to be approved
by XFree86.org before applying to our sources as well.
Comment 2 Eugene Kanter 2002-09-23 14:05:35 UTC 
There are real applications on the NET which trigger this bug. There might be
bugs in applications but xfs should not crash. Until the "proper" fix is found
please provide ANY fix to cure the crash.

http://sourceforge.net/tracker/index.php?func=detail&aid=602320&group_id=56866&atid=482102
Comment 3 Kostas Georgiou 2002-10-04 17:36:01 UTC 
A quick fix for now will be to start xfs in wrapper that will restart it in
caseit dies (similar to safe_mysqld).
Comment 4 Leonid Kanter 2002-10-04 19:03:29 UTC 
If xfs dies the socket is closed. To connect your Xserer to new instace of xfs
you should type xset +fp ... or even restart your Xserver.
Comment 5 Mike A. Harris 2002-11-03 09:12:21 UTC 
Closing bug as duplicate

*** This bug has been marked as a duplicate of 66658 ***
Note You need to log in before you can comment on or make changes to this bug.