summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-02 15:08:21 -0800
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-09 18:59:53 -0700
commit0c404db6a92dc2c198328bf586c02d8abbe02013 (patch)
treee3fa9a37ebaa7c3c187da8eaedc5d9dda7678b77
parent0b0f5d4358c3de7563d6af03f0d2ce454702a06a (diff)
Avoid overflows in XListFonts() [CVE-2013-1997 13/15]
Ensure that when breaking the returned list into individual strings, we don't walk past the end of allocated memory to write the '\0' bytes Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r--src/FontNames.c35
1 files changed, 22 insertions, 13 deletions
diff --git a/src/FontNames.c b/src/FontNames.c
index 3018cf2c..b5bc7b4b 100644
--- a/src/FontNames.c
+++ b/src/FontNames.c
@@ -29,6 +29,7 @@ in this Software without prior written authorization from The Open Group.
#include <config.h>
#endif
#include "Xlibint.h"
+#include <limits.h>
char **
XListFonts(
@@ -40,11 +41,13 @@ int *actualCount) /* RETURN */
register long nbytes;
register unsigned i;
register int length;
- char **flist;
- char *ch;
+ char **flist = NULL;
+ char *ch = NULL;
+ char *chend;
+ int count = 0;
xListFontsReply rep;
register xListFontsReq *req;
- register long rlen;
+ unsigned long rlen;
LockDisplay(dpy);
GetReq(ListFonts, req);
@@ -62,15 +65,17 @@ int *actualCount) /* RETURN */
}
if (rep.nFonts) {
- flist = (char **)Xmalloc ((unsigned)rep.nFonts * sizeof(char *));
- rlen = rep.length << 2;
- ch = (char *) Xmalloc((unsigned) (rlen + 1));
+ flist = Xmalloc (rep.nFonts * sizeof(char *));
+ if (rep.length < (LONG_MAX >> 2)) {
+ rlen = rep.length << 2;
+ ch = Xmalloc(rlen + 1);
/* +1 to leave room for last null-terminator */
+ }
if ((! flist) || (! ch)) {
if (flist) Xfree((char *) flist);
if (ch) Xfree(ch);
- _XEatData(dpy, (unsigned long) rlen);
+ _XEatDataWords(dpy, rep.length);
*actualCount = 0;
UnlockDisplay(dpy);
SyncHandle();
@@ -81,17 +86,21 @@ int *actualCount) /* RETURN */
/*
* unpack into null terminated strings.
*/
+ chend = ch + (rlen + 1);
length = *(unsigned char *)ch;
*ch = 1; /* make sure it is non-zero for XFreeFontNames */
for (i = 0; i < rep.nFonts; i++) {
- flist[i] = ch + 1; /* skip over length */
- ch += length + 1; /* find next length ... */
- length = *(unsigned char *)ch;
- *ch = '\0'; /* and replace with null-termination */
+ if (ch + length < chend) {
+ flist[i] = ch + 1; /* skip over length */
+ ch += length + 1; /* find next length ... */
+ length = *(unsigned char *)ch;
+ *ch = '\0'; /* and replace with null-termination */
+ count++;
+ } else
+ flist[i] = NULL;
}
}
- else flist = (char **) NULL;
- *actualCount = rep.nFonts;
+ *actualCount = count;
UnlockDisplay(dpy);
SyncHandle();
return (flist);