From 9264a21b688891dbdcee630ff72cf39aa75fc4e1 Mon Sep 17 00:00:00 2001 From: Alan Coopersmith Date: Sat, 9 Mar 2013 11:44:14 -0800 Subject: [PATCH 2/2] unvalidated length in _XtResourceConfigurationEH [CVE-2013-2002] The RCM_DATA property is expected to be in the format: resource_length, resource, value If the property contains a resource_length that results in a pointer outside the property string, memory corruption can occur. Reported-by: Ilja Van Sprundel Signed-off-by: Alan Coopersmith --- src/ResConfig.c | 41 ++++++++++++++++++++++++++--------------- 1 file changed, 26 insertions(+), 15 deletions(-) diff --git a/src/ResConfig.c b/src/ResConfig.c index 68da536..1f3edbe 100644 --- a/src/ResConfig.c +++ b/src/ResConfig.c 
@@ -971,26 +971,37 @@ _XtResourceConfigurationEH ( * resource and value fields. */ if (data) { + char *data_end = data + nitems; + char *data_value; + resource_len = Strtoul ((void *)data, &data_ptr, 10); - data_ptr++; - data_ptr[resource_len] = '\0'; + if (data_ptr != (char *) data) { + data_ptr++; + data_value = data_ptr + resource_len; + } else /* strtoul failed to convert a number */ + data_ptr = data_value = NULL; + + if (data_value > data_ptr && data_value < data_end) { + *data_value++ = '\0'; - resource = XtNewString (data_ptr); - value = XtNewString (&data_ptr[resource_len + 1]); + resource = XtNewString (data_ptr); + value = XtNewString (data_value); #ifdef DEBUG - fprintf (stderr, "resource_len=%d\n",resource_len); - fprintf (stderr, "resource = %s\t value = %s\n", - resource, value); + fprintf (stderr, "resource_len=%d\n" + resource_len); + fprintf (stderr, "resource = %s\t value = %s\n", + resource, value); #endif - /* - * descend the application widget tree and - * apply the value to the appropriate widgets - */ - _search_widget_tree (w, resource, value); - - XtFree (resource); - XtFree (value); + /* + * descend the application widget tree and + * apply the value to the appropriate widgets + */ + _search_widget_tree (w, resource, value); + + XtFree (resource); + XtFree (value); + } } } -- 1.8.2.3
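Review bot: The new range check tests `data_value` only after `data_ptr + resource_len` has been computed, and `resource_len` is parsed straight from the property contents, so an oversized length forms an out-of-range pointer (undefined behaviour in C, and a comparison that may wrap) before the test runs. Comparing lengths avoids that: test `data_ptr < data_end && resource_len > 0 && (unsigned long) resource_len < (unsigned long) (data_end - data_ptr)` first and only then set `data_value = data_ptr + resource_len`; the declaration of `resource_len` is outside the hunk, so the casts assume an integer type that may be narrower than the `Strtoul` result. Separately, the added DEBUG `fprintf` has no comma between `"resource_len=%d\n"` and `resource_len`, so a build with `DEBUG` defined will not compile; it should read `fprintf (stderr, "resource_len=%d\n", resource_len);`. `_XtResourceConfigurationEH` begins and ends outside this hunk, so how `data` and `nitems` are obtained, and whether the buffer is NUL-terminated for the `value` copy, cannot be confirmed from here.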