From 9362c7ddd1af3b168953d0737877bc52d79c94f4 Mon Sep 17 00:00:00 2001
From: Tobias Stoeckmann <tobias@stoeckmann.org>
Date: Sun, 25 Sep 2016 21:43:09 +0200
Subject: Validate lengths while parsing server data.

Individual lengths inside received server data can overflow
the previously reserved memory.

It is therefore important to validate every single length
field to not overflow the previously agreed sum of all invidual
length fields.

v2: consume remaining bytes in the reply buffer on error.

Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
Reviewed-by: Matthieu Herrb@laas.fr
---
 src/Xrender.c | 18 ++++++++++++++++++
 1 file changed, 18 insertions(+)

diff --git a/src/Xrender.c b/src/Xrender.c
index 3102eb2..71cf3e6 100644
--- a/src/Xrender.c
+++ b/src/Xrender.c
@@ -533,12 +533,30 @@ XRenderQueryFormats (Display *dpy)
 	screen->fallback = _XRenderFindFormat (xri, xScreen->fallback);
 	screen->subpixel = SubPixelUnknown;
 	xDepth = (xPictDepth *) (xScreen + 1);
+	if (screen->ndepths > rep.numDepths) {
+	    Xfree (xri);
+	    Xfree (xData);
+	    _XEatDataWords (dpy, rep.length);
+	    UnlockDisplay (dpy);
+	    SyncHandle ();
+	    return 0;
+	}
+	rep.numDepths -= screen->ndepths;
 	for (nd = 0; nd < screen->ndepths; nd++)
 	{
 	    depth->depth = xDepth->depth;
 	    depth->nvisuals = xDepth->nPictVisuals;
 	    depth->visuals = visual;
 	    xVisual = (xPictVisual *) (xDepth + 1);
+	    if (depth->nvisuals > rep.numVisuals) {
+		Xfree (xri);
+		Xfree (xData);
+		_XEatDataWords (dpy, rep.length);
+		UnlockDisplay (dpy);
+		SyncHandle ();
+		return 0;
+	    }
+	    rep.numVisuals -= depth->nvisuals;
 	    for (nv = 0; nv < depth->nvisuals; nv++)
 	    {
 		visual->visual = _XRenderFindVisual (dpy, xVisual->visual);
-- 
cgit v1.2.3