fdo-mirrors/xorg-libx11
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/lib/libx11.git synced 2026-05-09 07:18:06 +02:00
Code Issues Projects Releases Packages Wiki Activity Actions

unvalidated lengths in XAllocColorCells() [CVE-2013-1997 1/15]

Browse source 
If a broken server returned larger than requested values for nPixels or
nMasks, XAllocColorCells would happily overflow the buffers provided by
the caller to write the results into.

Reported-by: Ilja Van Sprundel <ivansprundel@ioactive.com>
Signed-off-by: Alan Coopersmith <alan.coopersmith@oracle.com>
Reviewed-by: Matthieu Herrb <matthieu.herrb@laas.fr>
This commit is contained in:
Alan Coopersmith 2013-03-01 19:30:09 -08:00
parent 2cd62b5eb9
commit cddc4e7e3c
1 changed files with 7 additions and 2 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

9
src/AllCells.c
View file

@ -53,8 +53,13 @@ Status XAllocColorCells(
status = _XReply(dpy, (xReply *)&rep, 0, xFalse);
if (status) {
_XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels));
_XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks));
if ((rep.nPixels > ncolors) || (rep.nMasks > nplanes)) {
_XEatDataWords(dpy, rep.length);
status = 0; /* Failure */
} else {
_XRead32 (dpy, (long *) pixels, 4L * (long) (rep.nPixels));
_XRead32 (dpy, (long *) masks, 4L * (long) (rep.nMasks));
}
}
UnlockDisplay(dpy);