authorAlan Coopersmith <alan.coopersmith@oracle.com>2013-03-01 18:37:37 -0800
committerAlan Coopersmith <alan.coopersmith@oracle.com>2013-05-09 18:59:52 -0700
commit460e8a223b87d4fa0ea1e97823e998a770e0f2a2 (patch)
treebd47e301efb06e7e02fc774d82f7362da8e0c411
parent226622349a4b1e16064649d4444a34fb4be4f464 (diff)
integer truncation in _XimParseStringFile() [CVE-2013-1981 8/13]
Called from _XimCreateDefaultTree() which uses getenv("XCOMPOSEFILE") to specify the filename. If the size of off_t is larger than the size of unsigned long (as in 32-bit builds with large file flags), a file larger than 4 gigs could have its size truncated, leading to data from that file being written past the end of the undersized buffer allocated for it. While configure.ac does not use AC_SYS_LARGEFILE to set large file mode, builders may have added the large file compilation flags to CFLAGS on their own. size is left limited to an int, because if your Xim file is larger than 2gb, you're doing it wrong. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r--modules/im/ximcp/imLcPrs.c3
1 files changed, 3 insertions, 0 deletions
diff --git a/modules/im/ximcp/imLcPrs.c b/modules/im/ximcp/imLcPrs.c
index 4c7d6f0d..bcf45791 100644
--- a/modules/im/ximcp/imLcPrs.c
+++ b/modules/im/ximcp/imLcPrs.c
@@ -41,6 +41,7 @@ OR PERFORMANCE OF THIS SOFTWARE.
#include "Ximint.h"
#include <sys/stat.h>
#include <stdio.h>
+#include <limits.h>
#define XLC_BUFSIZE 256
@@ -688,6 +689,8 @@ parsestringfile(
if (fstat (fileno (fp), &st) != -1) {
unsigned long size = (unsigned long) st.st_size;
+ if (st.st_size >= INT_MAX)
+ return;
if (size <= sizeof tb) tbp = tb;
else tbp = malloc (size);