diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-02 11:25:25 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-09 18:59:52 -0700 |
commit | b9ba832401734e1cbd30a930c0d11d850293f3f9 (patch) | |
tree | 83438ddd8397c05f2397998ec35d5335bee5376d | |
parent | de2e6c322c4aca22856b380f67f8e488e7510015 (diff) |
unvalidated length in _XimXGetReadData() [CVE-2013-1997 12/15]
Check the provided buffer size against the amount of data we're going to
write into it, not against the reported length from the ClientMessage.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r-- | modules/im/ximcp/imTrX.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/modules/im/ximcp/imTrX.c b/modules/im/ximcp/imTrX.c index 1412d704..76ff20e5 100644 --- a/modules/im/ximcp/imTrX.c +++ b/modules/im/ximcp/imTrX.c @@ -372,7 +372,7 @@ _XimXGetReadData( XFree(prop_ret); return False; } - if (buf_len >= length) { + if (buf_len >= (int)nitems) { (void)memcpy(buf, prop_ret, (int)nitems); *ret_len = (int)nitems; if (bytes_after_ret > 0) { |