buffer overflow in XDGASetMode() [CVE-2013-2000 2/2]

When reading the name strings for the mode off the network, we never checked to make sure the length of the name strings didn't overflow the size of the buffer we'd allocated based on the reported rep.length for the total reply size. Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com> Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
author: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-04-13 12:45:41 -0700
committer: Alan Coopersmith <alan.coopersmith@oracle.com> 2013-05-04 19:05:02 -0700
commit: b69d6d51a82b1d1e8c68a233360acb742c879375 (patch)
tree: 0058aa795be45ef0f603356a5e24a0eda6c633db /src
parent: f89cf306a60facdf102696840bc05acebd7d1772 (diff)
1 files changed, 8 insertions, 2 deletions
diff --git a/src/XF86DGA2.c b/src/XF86DGA2.c
index 90ca918..4d13677 100644
--- a/src/XF86DGA2.c
+++ b/src/XF86DGA2.c
@@ -444,8 +444,14 @@ XDGASetMode(
 		dev->mode.reserved1 = info.reserved1;
 		dev->mode.reserved2 = info.reserved2;
 
-		dev->mode.name = (char*)(&dev[1]);
-		_XRead(dpy, dev->mode.name, info.name_size);
+		if (info.name_size > 0 && info.name_size <= size) {
+		    dev->mode.name = (char*)(&dev[1]);
+		    _XRead(dpy, dev->mode.name, info.name_size);
+		    dev->mode.name[info.name_size - 1] = '\0';
+		} else {
+		    dev->mode.name = NULL;
+		    _XEatDataWords(dpy, rep.length);
+		}
 
 		dev->pixmap = (rep.flags & XDGAPixmap) ? pid : 0;
 		dev->data = XDGAGetMappedMemory(screen);
author	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-04-13 12:45:41 -0700
committer	Alan Coopersmith <alan.coopersmith@oracle.com>	2013-05-04 19:05:02 -0700
commit	b69d6d51a82b1d1e8c68a233360acb742c879375 (patch)
tree	0058aa795be45ef0f603356a5e24a0eda6c633db /src
parent	f89cf306a60facdf102696840bc05acebd7d1772 (diff)