diff options
| author | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-03-09 23:37:23 -0800 |
|---|---|---|
| committer | Alan Coopersmith <alan.coopersmith@oracle.com> | 2013-05-23 08:13:25 -0700 |
| commit | 91434737f592e8f5cc1762383882a582b55fc03a (patch) | |
| tree | 29a8b0225f43680f66a810f616886608465f06ca | |
| parent | f3e08e4fbe40016484ba795feecf1a742170ffc1 (diff) | |
memory corruption in _XIPassiveGrabDevice() [CVE-2013-1998 2/3]
If the server returned more modifiers than the caller asked for,
we'd just keep copying past the end of the array provided by the
caller, writing over who-knows-what happened to be there.
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Peter Hutterer <peter.hutterer@who-t.net>
| -rw-r--r-- | src/XIPassiveGrab.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/src/XIPassiveGrab.c b/src/XIPassiveGrab.c index ac17c01..53b4084 100644 --- a/src/XIPassiveGrab.c +++ b/src/XIPassiveGrab.c @@ -88,7 +88,7 @@ _XIPassiveGrabDevice(Display* dpy, int deviceid, int grabtype, int detail, return -1; _XRead(dpy, (char*)failed_mods, reply.num_modifiers * sizeof(xXIGrabModifierInfo)); - for (i = 0; i < reply.num_modifiers; i++) + for (i = 0; i < reply.num_modifiers && i < num_modifiers; i++) { modifiers_inout[i].status = failed_mods[i].status; modifiers_inout[i].modifiers = failed_mods[i].modifiers; |