From e83722768fd5c467ef61fa159e8c6278770b45c2 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Fri, 27 Jul 2018 16:38:00 +0200
Subject: [PATCH] Fixed crash on invalid reply (CVE-2018-14598).

If the server sends a reply in which even the first string would
overflow the transmitted bytes, list[0] (or flist[0]) will be set to
NULL and a count of 0 is returned.

If the resulting list is freed with XFreeExtensionList or
XFreeFontPath later on, the first Xfree call:

    Xfree (list[0]-1)
 turns into
    Xfree (NULL-1)

which will most likely trigger a segmentation fault.

I have modified the code to return NULL if the first string would
overflow, thus protecting the freeing functions later on.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
---
 src/GetFPath.c | 5 +++++
 src/ListExt.c  | 5 +++++
 2 files changed, 10 insertions(+)

diff --git a/src/GetFPath.c b/src/GetFPath.c
index 813757cc..87d25761 100644
--- a/src/GetFPath.c
+++ b/src/GetFPath.c
@@ -78,6 +78,11 @@ char **XGetFontPath(
 		    length = *(unsigned char *)ch;
 		    *ch = '\0'; /* and replace with null-termination */
 		    count++;
+		} else if (i == 0) {
+		    Xfree(flist);
+		    Xfree(ch);
+		    flist = NULL;
+		    break;
 		} else
 		    flist[i] = NULL;
 	    }
diff --git a/src/ListExt.c b/src/ListExt.c
index 0498aa18..a795041d 100644
--- a/src/ListExt.c
+++ b/src/ListExt.c
@@ -83,6 +83,11 @@ char **XListExtensions(
 		    length = *(unsigned char *)ch;
 		    *ch = '\0'; /* and replace with null-termination */
 		    count++;
+		} else if (i == 0) {
+		    Xfree(list);
+		    Xfree(ch);
+		    list = NULL;
+		    break;
 		} else
 		    list[i] = NULL;
 	    }