Bug 8001 - cidafm() integer overflows
Summary: cidafm() integer overflows
Alias: None
Product: xorg
Classification: Unclassified
Component: Server/General
Version: git
Hardware: x86 (IA32) Linux (All)
Importance: high normal
Assignee: X.Org Security
QA Contact:
Keywords: security
Duplicates: 8005
Depends on:
Reported: 2006-08-25 08:55 UTC by Daniel Stone
Modified: 2006-09-13 15:48 UTC


Description Daniel Stone 2006-08-25 08:55:55 UTC
I'm so very happy.  no embargo date as yet.  quoting idefense:

Local exploitation of an integer overflow vulnerability in the 'CIDAFM()'
function in the X.Org and XFree86 X server could allow an attacker to
execute arbitrary code with privileges of the X server, typically root.

The vulnerability specifically exists in the 'CIDAFM()' function of the code
responsible for handling AFM (Adobe Font Metrics) files. The number of character
metrics is obtained from the "StartCharMetrics" line of an AFM file and that
value is then multiplied by the size of a single character metric record in
order to calculate the space required to store the metrics. If the result of the
multiplication is larger than the largest value that can be held in an integer,
the amount actually allocated will be much smaller. Following this, the function
attempts to read as many metric records as were specified on the line into that
memory. As the contents of the file can be specified by a local user, and as the
function will stop reading if an error is detected in the input, a controlled
heap overflow may occur which may allow the execution of arbitrary code.
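The allocation-size bug class described in the advisory above, shown as an added example (not X.Org's or iDefense's code): a toy "StartCharMetrics N" parser whose size computation is done both the unchecked way, modelled with 32-bit arithmetic as on the IA32 build this bug was filed against, and the checked way that fails closed when the count is out of range or the multiplication would not fit. The record layout `CharMetricRec`, the cap `MAX_CHAR_METRICS`, and all function names are assumptions chosen for the illustration, not identifiers from the X server.

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical stand-in for one AFM character-metric record (40 bytes here). */
typedef struct {
    int  code;
    int  width;
    char name[32];
} CharMetricRec;

/* Assumed sanity cap on the number of metrics one font may declare. */
#define MAX_CHAR_METRICS 65536u

/* Models the original pattern: the count from the file is multiplied by the
 * record size in a 32-bit int. For a large count the product wraps, so the
 * buffer handed to the reader is far smaller than the number of records the
 * loop will then try to store in it. */
uint32_t unchecked_alloc_size(uint32_t count) {
    return count * (uint32_t)sizeof(CharMetricRec);
}

/* Hardened computation: returns 0 (nothing to allocate) unless the count is
 * within the cap AND count * sizeof(record) is representable in size_t. */
size_t checked_alloc_size(size_t count) {
    if (count == 0 || count > MAX_CHAR_METRICS)
        return 0;
    if (count > SIZE_MAX / sizeof(CharMetricRec))   /* defence in depth */
        return 0;
    return count * sizeof(CharMetricRec);
}

/* Parse "StartCharMetrics N". Returns N, or -1 if the line is not that
 * keyword, N is missing, negative, non-numeric, or above the cap. */
long long parse_metrics_count(const char *line) {
    static const char kw[] = "StartCharMetrics";
    size_t n = strlen(kw);
    if (strncmp(line, kw, n) != 0)
        return -1;
    const char *p = line + n;
    while (*p == ' ' || *p == '\t')
        p++;
    if (*p < '0' || *p > '9')        /* rejects '-', '+', and an empty field */
        return -1;
    errno = 0;
    char *end;
    unsigned long long v = strtoull(p, &end, 10);
    if (errno == ERANGE || end == p)
        return -1;
    if (*end != '\0' && *end != '\n' && *end != '\r' && *end != ' ')
        return -1;
    if (v > MAX_CHAR_METRICS)
        return -1;
    return (long long)v;
}

/* Allocate the metrics array for a StartCharMetrics line; NULL on rejection. */
CharMetricRec *alloc_metrics(const char *line) {
    long long count = parse_metrics_count(line);
    if (count < 0)
        return NULL;
    size_t bytes = checked_alloc_size((size_t)count);
    if (bytes == 0)
        return NULL;
    return (CharMetricRec *)calloc((size_t)count, sizeof(CharMetricRec));
}

/* Convenience: 1 if the line yields a usable allocation, 0 otherwise. */
int try_alloc_metrics(const char *line) {
    CharMetricRec *m = alloc_metrics(line);
    if (m == NULL)
        return 0;
    free(m);
    return 1;
}

int main(void) {
    /* Constructed inputs: a normal font header and a hostile count. */
    const char *good = "StartCharMetrics 315\n";
    const char *bad  = "StartCharMetrics 107374183\n";
    printf("unchecked size for 107374183 records: %u bytes (wrapped)\n",
           unchecked_alloc_size(107374183u));
    printf("good line accepted: %d, bad line accepted: %d\n",
           try_alloc_metrics(good), try_alloc_metrics(bad));
    return 0;
}
```

With a 40-byte record, a count of 107374183 multiplies to 4294967320, which wraps to 24 bytes in 32-bit arithmetic: room for less than one record while the reader expects over a hundred million. The checked path rejects the same line twice over, once by the cap and once by the `SIZE_MAX / sizeof` test, which is the idiom to reach for whenever an allocation size is derived from a count that an untrusted file controls.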
Comment 1 Alan Coopersmith 2006-08-28 14:16:26 UTC
*** Bug 8005 has been marked as a duplicate of this bug. ***
Comment 2 Matthieu Herrb 2006-09-01 02:47:37 UTC
This is CVE-2006-3739
Comment 3 Alan Coopersmith 2006-09-13 15:48:29 UTC
Patches committed and advisory released.
