From 15ab7dec17d686c38f2c82ac23a17cac5622322a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith <alan.coopersmith@oracle.com>
Date: Sat, 13 Apr 2013 00:16:14 -0700
Subject: buffer overflow in XvQueryPortAttributes() [CVE-2013-2066]

Each attribute returned in the reply includes the number of bytes
to read for its marker.  We had been always trusting it, and never
validating that it wouldn't cause us to write past the end of the
buffer we allocated based on the reported text_size.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
---
 src/Xv.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/src/Xv.c b/src/Xv.c
index 3cbad35..f9813eb 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 	  xvAttributeInfo Info;
 	  int i;
 
+	  /* keep track of remaining room for text strings */
+	  size = rep.text_size;
+
 	  for(i = 0; i < rep.num_attributes; i++) {
              _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
 	      ret[i].flags = (int)Info.flags;
 	      ret[i].min_value = Info.min;
 	      ret[i].max_value = Info.max;
 	      ret[i].name = marker;
-	      _XRead(dpy, marker, Info.size);
-	      marker += Info.size;
+	      if (Info.size <= size) {
+		  _XRead(dpy, marker, Info.size);
+		  marker += Info.size;
+		  size -= Info.size;
+	      }
 	      (*num)++;
 	  }
       } else
-- 
cgit v1.2.3