buffer overflow in XvQueryPortAttributes() [CVE-2013-2066]

Each attribute returned in the reply includes the number of bytes to read for its marker. We had been always trusting it, and never validating that it wouldn't cause us to write past the end of the buffer we allocated based on the reported text_size. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-04-13 00:16:14 -0700
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-05-07 14:04:08 -0700
commit: 15ab7dec17d686c38f2c82ac23a17cac5622322a (patch)
tree: ecf3f834d59b8157cf0cd326f7d2f213455a96d8
parent: 6e1b743a276651195be3cd68dff41e38426bf3ab (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/src/Xv.c b/src/Xv.c
index 3cbad35..f9813eb 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 	  xvAttributeInfo Info;
 	  int i;
 
+	  /* keep track of remaining room for text strings */
+	  size = rep.text_size;
+
 	  for(i = 0; i < rep.num_attributes; i++) {
              _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
 	      ret[i].flags = (int)Info.flags;
 	      ret[i].min_value = Info.min;
 	      ret[i].max_value = Info.max;
 	      ret[i].name = marker;
-	      _XRead(dpy, marker, Info.size);
-	      marker += Info.size;
+	      if (Info.size <= size) {
+		  _XRead(dpy, marker, Info.size);
+		  marker += Info.size;
+		  size -= Info.size;
+	      }
 	      (*num)++;
 	  }
       } else
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-04-13 00:16:14 -0700
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-05-07 14:04:08 -0700
commit	15ab7dec17d686c38f2c82ac23a17cac5622322a (patch)
tree	ecf3f834d59b8157cf0cd326f7d2f213455a96d8
parent	6e1b743a276651195be3cd68dff41e38426bf3ab (diff)