Per iDefense [IDEF1751]: The vulnerability specifically exists in the 'CIDAFM()' function of the code responsible for handling AFM (Adobe Font Metrics) files. The number of character metrics is obtained from the "StartCharMetrics" line of an AFM file and that value is then multiplied by the size of a single character metric record in order to calculate the space required to store the metrics. If the result of the multiplication is larger than the largest value that can be held in an integer, the amount actually allocated will be much smaller. Following this, the function attempts to read as many metric records as were specified on the line into that memory. As the contents of the file can be specified by a local user, and as the function will stop reading if an error is detected in the input, a controlled heap overflow may occur which may allow the execution of arbitrary code.
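The allocation-size overflow iDefense describes above, shown as an added example written for this bug report rather than taken from libXfont's afm.c. The record layout, the function names (unchecked_alloc_size, checked_alloc_size, load_metrics) and the in-memory AFM fragments are constructed for illustration; the hardened path rejects any count whose byte size would not fit in an int before allocating, and then reads no more records than it allocated room for.

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Stand-in for a per-character metric record; the layout is an assumption,
 * not libXfont's actual struct. */
typedef struct {
    int code;   /* character code from the "C" field */
    int width;  /* advance width from the "WX" field */
} metric_rec;

/* Vulnerable arithmetic: the file-controlled count is multiplied by the record
 * size in 32-bit arithmetic. Done in unsigned arithmetic here so the wrap is
 * well defined and observable; the result can be far smaller than needed. */
uint32_t unchecked_alloc_size(uint32_t count)
{
    return count * (uint32_t)sizeof(metric_rec);
}

/* Hardened: refuse any count whose byte size would exceed INT_MAX, so the
 * multiplication can never wrap. Returns 0 on success, -1 on rejection. */
int checked_alloc_size(long count, size_t *out)
{
    if (count < 0 || count > INT_MAX / (long)sizeof(metric_rec))
        return -1;
    *out = (size_t)count * sizeof(metric_rec);
    return 0;
}

/* Parse a minimal AFM fragment held in memory: take the count from the
 * StartCharMetrics line, allocate with the checked size, then read at most
 * that many "C <code> ; WX <width> ;" lines. Returns the number of records
 * stored, or -1 on a rejected count or malformed header. Caller frees *out. */
int load_metrics(const char *afm, metric_rec **out)
{
    const char *p = strstr(afm, "StartCharMetrics");
    long count;
    size_t bytes;
    metric_rec *recs;
    int n = 0;

    *out = NULL;
    if (!p || sscanf(p, "StartCharMetrics %ld", &count) != 1)
        return -1;
    if (checked_alloc_size(count, &bytes) != 0)
        return -1;                     /* oversized count rejected before malloc */
    recs = malloc(bytes ? bytes : 1);
    if (!recs)
        return -1;

    /* Move to the line after StartCharMetrics and read records, never past count. */
    p = strchr(p, '\n');
    while (p && n < count) {
        int code, width;
        p++;
        if (strncmp(p, "EndCharMetrics", 14) == 0)
            break;
        if (sscanf(p, "C %d ; WX %d ;", &code, &width) != 2)
            break;                     /* malformed line: stop reading, as the original does */
        recs[n].code = code;
        recs[n].width = width;
        n++;
        p = strchr(p, '\n');
    }
    *out = recs;
    return n;
}

/* Constructed sample input: declares 2 metrics but carries 3 record lines. */
static const char SAMPLE_AFM[] =
    "StartFontMetrics 2.0\n"
    "StartCharMetrics 2\n"
    "C 32 ; WX 600 ; N space ; B 0 0 0 0 ;\n"
    "C 33 ; WX 600 ; N exclam ; B 100 0 500 700 ;\n"
    "C 34 ; WX 600 ; N quotedbl ; B 0 0 0 0 ;\n"
    "EndCharMetrics\n";

/* Constructed sample input: 536870913 * 8 bytes wraps to 8 in 32-bit arithmetic. */
static const char OVERSIZED_AFM[] =
    "StartCharMetrics 536870913\n"
    "EndCharMetrics\n";

int main(void)
{
    metric_rec *recs;
    int n = load_metrics(SAMPLE_AFM, &recs);
    printf("stored %d records; wrapped size for oversized count = %u bytes\n",
           n, unchecked_alloc_size(536870913u));
    free(recs);
    printf("oversized file result: %d\n", load_metrics(OVERSIZED_AFM, &recs));
    return 0;
}
```

The division-based check is the idiom to prefer over testing the product after the fact: with signed int arithmetic the wrapped product is undefined behaviour, so a post-multiplication comparison may be optimised away entirely.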
Looks like this code came in the SGI CID support donated to XFree86 in 1999, during the 3.9 development releases, so would be present in XFree86 4.0 & later and X11R6.7 & later.
Created attachment 6692: Patch against git head lib/libXfont/src/Type1/afm.c
I think this should close the hole, but haven't been successful in getting Xorg to load a CID-keyed font to verify.
*** This bug has been marked as a duplicate of 8001 ***