From 4384e622471dbdab88dd5dae28f9eecbfe79ddd8 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 9 Mar 2013 22:26:52 -0800 Subject: [PATCH 04/16] Stack buffer overflow in XGetDeviceButtonMapping() [CVE-2013-1998 1/3] We copy the entire reply sent by the server into the fixed size mapping[] array on the stack, even if the server says it's a larger size than the mapping array can hold. HULK SMASH STACK! Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith Reviewed-by: Peter Hutterer (cherry picked from commit f3e08e4fbe40016484ba795feecf1a742170ffc1) (cherry picked from commit d7537ad6fba36af4536c576220c135a63507789c) --- src/XGetBMap.c | 21 +++++++++++++-------- 1 files changed, 13 insertions(+), 8 deletions(-) diff --git a/src/XGetBMap.c b/src/XGetBMap.c index 610795b..a37c714 100644 --- a/src/XGetBMap.c +++ b/src/XGetBMap.c @@ -56,6 +56,7 @@ SOFTWARE. #include #include #include "XIint.h" +#include #ifdef MIN /* some systems define this in */ #undef MIN @@ -71,7 +72,6 @@ XGetDeviceButtonMapping( { int status = 0; unsigned char mapping[256]; /* known fixed size */ - long nbytes; XExtDisplayInfo *info = XInput_find_display(dpy); register xGetDeviceButtonMappingReq *req; @@ -88,13 +88,18 @@ XGetDeviceButtonMapping( status = _XReply(dpy, (xReply *) & rep, 0, xFalse); if (status == 1) { - nbytes = (long)rep.length << 2; - _XRead(dpy, (char *)mapping, nbytes); - - /* don't return more data than the user asked for. */ - if (rep.nElts) - memcpy((char *)map, (char *)mapping, MIN((int)rep.nElts, nmap)); - status = rep.nElts; + if (rep.length <= (sizeof(mapping) >> 2)) { + unsigned long nbytes = rep.length << 2; + _XRead(dpy, (char *)mapping, nbytes); + + /* don't return more data than the user asked for. */ + if (rep.nElts) + memcpy(map, mapping, MIN((int)rep.nElts, nmap)); + status = rep.nElts; + } else { + _XEatDataWords(dpy, rep.length); + status = 0; + } } else status = 0; UnlockDisplay(dpy); -- 1.7.7.1