Description of Problem: DoS in X font server. How Reproducible: always. Steps to Reproduce: 1. xfd -fn '-urw-helvetica-bold-r-normal--73727-*-*-*-*-*-*-*' Actual Results: xfs process crashes. Expected Results: xfs process does not crash. Additional Information: Quick and dirty patch to save from crash. Most likely does not address real problem. --- xc/lib/font/util/fontxlfd.c.kad Wed Sep 18 16:31:16 2002 +++ xc/lib/font/util/fontxlfd.c Wed Sep 18 16:53:46 2002 @@ -412,6 +412,18 @@ strchr(ptr + 1, '-'))/* charset_encoding */ return FALSE; + /* + FIXME: kad + Check maximal pixel/point size of scalable font. + It must't be more than 8192 on most cases. (any other ideas ?) + */ + if (tmpvals.pixel_matrix[3] < 0 || tmpvals.point_matrix[3] < 0) + return FALSE; + if (tmpvals.pixel_matrix[3] > 0 && tmpvals.pixel_matrix[3] > 8192) + return FALSE; + if (tmpvals.point_matrix[3] > 0 && tmpvals.point_matrix[3] > 8192) + return FALSE; + /* Lop off HP charset subsetting enhancement. Interpreting this field requires allocating some space in which to return the results. So, to prevent memory leaks, this procedure will simply
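Review bot: the new guard only examines element [3] of tmpvals.pixel_matrix and tmpvals.point_matrix, so an oversized or negative value in any other entry of either matrix still gets past this check; if this is meant as a crash stop, as the "Additional Information" says, bound every entry rather than one. The `> 0 &&` in `if (tmpvals.pixel_matrix[3] > 0 && tmpvals.pixel_matrix[3] > 8192)` (and the point_matrix line below it) is redundant, since anything above 8192 is already positive, and the preceding `< 0` test already handles negatives; `if (tmpvals.pixel_matrix[3] > 8192)` says the same thing. The bare 8192 should become a named constant next to the FIXME that asks for ideas about it, and the comment has a typo (`must't`).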
Known issue. At this point in time, there is no fix available which is considered correct. Unfortunately the people with the expertise in the area of code which allows this problem are not interested in fixing it and providing a patch. Future XFree86 releases will be totally replacing the affected code with completely new code, however such a solution is not viable for existing XFree86 releases. This issue continues to be in limbo awaiting a proper fix which both solves the problem, and does not create any usability issues or impede application usage. Any given fix will need to be approved by XFree86.org before applying to our sources as well.
There are real applications on the NET which trigger this bug. There might be bugs in applications, but xfs should not crash. Until the "proper" fix is found, please provide ANY fix to cure the crash. http://sourceforge.net/tracker/index.php?func=detail&aid=602320&group_id=56866&atid=482102
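Whatever the proper fix turns out to be, the bound that the reporter's quick patch approximates can be stated as a stand-alone check on the two XLFD size fields, applied before a name reaches the scalable-font code. The following is an added example in C, not code from XFree86, xfs or the reporter. It goes a little beyond the patch: it accepts the XLFD matrix form `[a b c d]` (with `~` as the minus sign) as well as scalars and wildcards, and bounds every matrix entry rather than only element [3]. The 8192 limit is borrowed from the patch and, like the decision to bound all four entries, is my assumption, not project policy.

```c
/* xlfd_size_check.c: sanity-check the PIXEL_SIZE and POINT_SIZE fields of an
 * XLFD name. Added example, not XFree86/xfs code; the 8192 bound is an
 * assumption borrowed from the reporter's patch. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define XLFD_FIELDS 14
#define XLFD_PIXEL  6      /* 0-based index of PIXEL_SIZE among the 14 fields */
#define XLFD_POINT  7      /* 0-based index of POINT_SIZE */
#define MAX_SIZE    8192.0 /* assumed largest sane size, as in the patch */

static void set_why(const char **why, const char *s) { if (why) *why = s; }

/* One XLFD number: digits and '.', with '~' standing for the minus sign.
 * "*" or an empty field means "unspecified" (wildcard), reported via *wild. */
static int xlfd_number(const char *s, size_t len, double *out, int *wild)
{
    char buf[32], *end;
    size_t i;

    *wild = (len == 0 || (len == 1 && s[0] == '*'));
    if (*wild) { *out = 0.0; return 1; }
    if (len >= sizeof buf) return 0;
    for (i = 0; i < len; i++) {
        if (s[i] == '~') buf[i] = '-';
        else if (isdigit((unsigned char)s[i]) || s[i] == '.') buf[i] = s[i];
        else return 0;
    }
    buf[len] = '\0';
    *out = strtod(buf, &end);
    return end != buf && *end == '\0';
}

/* A size field is a scalar "24" or a matrix "[a b c d]" (space separated).
 * A scalar n is returned as the matrix [n 0 0 n]. Returns 0 on bad syntax. */
int xlfd_parse_size(const char *f, size_t len, double m[4], int *wild)
{
    if (len >= 2 && f[0] == '[' && f[len - 1] == ']') {
        const char *p = f + 1, *end = f + len - 1;
        int k, w;
        for (k = 0; k < 4; k++) {
            const char *start;
            while (p < end && *p == ' ') p++;
            start = p;
            while (p < end && *p != ' ') p++;
            if (p == start || !xlfd_number(start, (size_t)(p - start), &m[k], &w) || w)
                return 0;             /* too few numbers, junk, or a wildcard entry */
        }
        while (p < end && *p == ' ') p++;
        if (p != end) return 0;       /* a fifth number or trailing junk */
        *wild = 0;
        return 1;
    }
    if (!xlfd_number(f, len, &m[0], wild)) return 0;
    m[1] = m[2] = 0.0;
    m[3] = m[0];
    return 1;
}

/* Returns 1 when `name` has exactly 14 fields and every pixel/point size entry
 * lies within [-MAX_SIZE, MAX_SIZE] (scalars must also be non-negative);
 * otherwise 0, with a short reason in *why (may be NULL). */
int xlfd_size_ok(const char *name, const char **why)
{
    const char *fields[XLFD_FIELDS], *p;
    size_t lens[XLFD_FIELDS];
    int n = 0, more = 1, i, k;

    if (name[0] != '-') { set_why(why, "XLFD names start with '-'"); return 0; }
    /* Split on '-'; a matrix never contains '-' because XLFD spells minus as '~'. */
    for (p = name + 1; more && n < XLFD_FIELDS; n++) {
        const char *dash = strchr(p, '-');
        fields[n] = p;
        lens[n] = dash ? (size_t)(dash - p) : strlen(p);
        more = (dash != NULL);
        if (more) p = dash + 1;
    }
    if (n != XLFD_FIELDS || more) { set_why(why, "expected exactly 14 fields"); return 0; }

    for (i = XLFD_PIXEL; i <= XLFD_POINT; i++) {
        double m[4];
        int wild, matrix = lens[i] > 0 && fields[i][0] == '[';
        if (!xlfd_parse_size(fields[i], lens[i], m, &wild)) { set_why(why, "malformed size field"); return 0; }
        if (wild) continue;
        if (!matrix && m[0] < 0.0) { set_why(why, "negative size"); return 0; }
        for (k = 0; k < 4; k++)
            if (m[k] < -MAX_SIZE || m[k] > MAX_SIZE) { set_why(why, "size out of range"); return 0; }
    }
    set_why(why, "ok");
    return 1;
}

int main(void)
{
    /* Constructed inputs: the reporter's crashing name plus three benign ones. */
    static const char *names[] = {
        "-urw-helvetica-bold-r-normal--73727-*-*-*-*-*-*-*",
        "-urw-helvetica-bold-r-normal--24-*-*-*-*-*-*-*",
        "-urw-helvetica-bold-r-normal--[24 0 0 ~24]-*-*-*-*-*-*-*",
        "-urw-helvetica-bold-r-normal--*-*-*-*-*-*-*-*",
    };
    size_t i;
    for (i = 0; i < sizeof names / sizeof names[0]; i++) {
        const char *why;
        int ok = xlfd_size_ok(names[i], &why);
        printf("%s  %s%s%s\n", ok ? "accept" : "reject", names[i], ok ? "" : "  reason: ", ok ? "" : why);
    }
    return 0;
}
```

The first constructed name is the one from the reproduction step; it is rejected on the scalar bound, while the matrix and wildcard forms pass. Such a check belongs where the name is parsed, before any memory is sized from the pixel or point values, which is the same place the reporter's patch hooks in.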
A quick fix for now will be to start xfs in a wrapper that will restart it in case it dies (similar to safe_mysqld).
If xfs dies, the socket is closed. To connect your Xserver to a new instance of xfs you should type xset +fp ... or even restart your Xserver.
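The restart wrapper suggested in the two comments above (run xfs under a safe_mysqld-style supervisor, bearing in mind that clients lose the font path when the socket closes), as an added example that is not part of the bug report or of XFree86. It assumes xfs is on PATH and is started without -daemon so it stays attached to the wrapper; the `-droppriv` argument, the script name safe_xfs, and the restart-limit and backoff knobs are my choices, not anything stated on the page.

```shell
#!/bin/sh
# safe_xfs: keep an X font server alive across crashes. Added example, not
# XFree86 code. Assumes xfs is on PATH and is run without -daemon; the
# "-droppriv" flag and all tunables below are assumptions for illustration.

# Tunables (read at call time):
#   SUPERVISE_MAX_RESTARTS  0 = restart forever, otherwise give up after N restarts
#   SUPERVISE_BACKOFF_MAX   cap in seconds on the exponential backoff; 0 = no delay
SUPERVISE_MAX_RESTARTS=${SUPERVISE_MAX_RESTARTS:-0}
SUPERVISE_BACKOFF_MAX=${SUPERVISE_BACKOFF_MAX:-60}

log() { printf '%s safe_xfs: %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*" >&2; }

# supervise CMD [ARGS...]
# Runs CMD and restarts it after every non-zero exit (a crash such as SIGSEGV
# reports 128+signal). A clean exit (status 0) ends supervision. On return,
# SUPERVISE_RESTARTS holds the number of restarts performed and
# SUPERVISE_LAST_STATUS the last exit status of CMD.
supervise() {
    SUPERVISE_RESTARTS=0
    SUPERVISE_LAST_STATUS=0
    delay=1
    # On TERM/INT stop the child and quit instead of restarting it.
    trap 'kill "$child" 2>/dev/null; exit 0' TERM INT
    while :; do
        "$@" &
        child=$!
        wait "$child" && SUPERVISE_LAST_STATUS=0 || SUPERVISE_LAST_STATUS=$?
        if [ "$SUPERVISE_LAST_STATUS" -eq 0 ]; then
            log "$1 exited cleanly, not restarting"
            return 0
        fi
        if [ "$SUPERVISE_MAX_RESTARTS" -gt 0 ] &&
           [ "$SUPERVISE_RESTARTS" -ge "$SUPERVISE_MAX_RESTARTS" ]; then
            log "$1 died (status $SUPERVISE_LAST_STATUS); restart limit reached, giving up"
            return 1
        fi
        SUPERVISE_RESTARTS=$((SUPERVISE_RESTARTS + 1))
        # Capped exponential backoff so a server that dies on startup does not spin.
        if [ "$delay" -gt "$SUPERVISE_BACKOFF_MAX" ]; then
            delay=$SUPERVISE_BACKOFF_MAX
        fi
        log "$1 died (status $SUPERVISE_LAST_STATUS); restart #$SUPERVISE_RESTARTS in ${delay}s"
        sleep "$delay"
        delay=$((delay * 2))
    done
}

# Entry point when installed and run as "safe_xfs"; sourcing the file only
# defines the functions.
case "${0##*/}" in
    safe_xfs) supervise xfs -droppriv ;;
esac
```

After each restart the X server still has to be pointed at the new instance with xset +fp, as the comment above says; the wrapper cannot do that for clients because it has no DISPLAY and no knowledge of which servers were using the font path. Keeping the wrapper in the foreground (no -daemon) is what lets it notice the death at all.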
Closing bug as duplicate *** This bug has been marked as a duplicate of 66658 ***