unvalidated lengths in XAllocColorCells() [CVE-2013-1997 1/15]

If a broken server returned larger than requested values for nPixels or nMasks, XAllocColorCells would happily overflow the buffers provided by the caller to write the results into. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com> Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-03-01 19:30:09 -0800
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-05-09 18:59:51 -0700
commit: cddc4e7e3cb4b9b7ad25f8591971a86901c249f2 (patch)
tree: 4cd6944715ca9ab042e28f40f18d1080aaaa666b /src
parent: 2cd62b5eb99ffbb2fce99f3c459455e630b35bf7 (diff)
1 files changed, 7 insertions, 2 deletions
diff --git a/src/AllCells.c b/src/AllCells.c
index ddd9c22e..6e97e118 100644
--- a/src/AllCells.c
+++ b/src/AllCells.c
@@ -53,8 +53,13 @@ Status XAllocColorCells(
     status = _XReply(dpy, (xReply *)&rep, 0, xFalse);
 
     if (status) {
-	_XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels));
-	_XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks));
+	if ((rep.nPixels > ncolors) || (rep.nMasks > nplanes)) {
+	    _XEatDataWords(dpy, rep.length);
+	    status = 0; /* Failure */
+	} else {
+	    _XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels));
+	    _XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks));
+	}
     }
 
     UnlockDisplay(dpy);
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-03-01 19:30:09 -0800
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-05-09 18:59:51 -0700
commit	cddc4e7e3cb4b9b7ad25f8591971a86901c249f2 (patch)
tree	4cd6944715ca9ab042e28f40f18d1080aaaa666b /src
parent	2cd62b5eb99ffbb2fce99f3c459455e630b35bf7 (diff)