Fixed crash on invalid reply (CVE-2018-14598).

If the server sends a reply in which even the first string would overflow the transmitted bytes, list[0] (or flist[0]) will be set to NULL and a count of 0 is returned. If the resulting list is freed with XFreeExtensionList or XFreeFontPath later on, the first Xfree call: Xfree (list[0]-1) turns into Xfree (NULL-1) which will most likely trigger a segmentation fault. I have modified the code to return NULL if the first string would overflow, thus protecting the freeing functions later on. Signed-off-by: Tobias Stoeckmann <tobias@stoeckmann.org>
2026-05-08 11:28:03 +02:00 · 2018-07-27 16:38:00 +02:00 · 2018-07-27 16:38:00 +02:00 · e83722768f
commit e83722768f
parent dbf72805fd
2 changed files with 10 additions and 0 deletions
--- a/src/GetFPath.c
+++ b/src/GetFPath.c
@ -78,6 +78,11 @@ char **XGetFontPath(
 		    length = *(unsigned char *)ch;
 		    *ch = '\0'; /* and replace with null-termination */
 		    count++;
+		} else if (i == 0) {
+		    Xfree(flist);
+		    Xfree(ch);
+		    flist = NULL;
+		    break;
 		} else
 		    flist[i] = NULL;
 	    }
--- a/src/ListExt.c
+++ b/src/ListExt.c
@ -83,6 +83,11 @@ char **XListExtensions(
 		    length = *(unsigned char *)ch;
 		    *ch = '\0'; /* and replace with null-termination */
 		    count++;
+		} else if (i == 0) {
+		    Xfree(list);
+		    Xfree(ch);
+		    list = NULL;
+		    break;
 		} else
 		    list[i] = NULL;
 	    }