diff options
author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-01 19:30:09 -0800 |
---|---|---|
committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-09 18:59:51 -0700 |
commit | cddc4e7e3cb4b9b7ad25f8591971a86901c249f2 (patch) | |
tree | 4cd6944715ca9ab042e28f40f18d1080aaaa666b | |
parent | 2cd62b5eb99ffbb2fce99f3c459455e630b35bf7 (diff) |
unvalidated lengths in XAllocColorCells() [CVE-2013-1997 1/15]
If a broken server returned larger than requested values for nPixels or
nMasks, XAllocColorCells would happily overflow the buffers provided by
the caller to write the results into.
Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
-rw-r--r-- | src/AllCells.c | 9 |
1 files changed, 7 insertions, 2 deletions
diff --git a/src/AllCells.c b/src/AllCells.c index ddd9c22e..6e97e118 100644 --- a/src/AllCells.c +++ b/src/AllCells.c @@ -53,8 +53,13 @@ Status XAllocColorCells( status = _XReply(dpy, (xReply *)&rep, 0, xFalse); if (status) { - _XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels)); - _XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks)); + if ((rep.nPixels > ncolors) || (rep.nMasks > nplanes)) { + _XEatDataWords(dpy, rep.length); + status = 0; /* Failure */ + } else { + _XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels)); + _XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks)); + } } UnlockDisplay(dpy); |