From 15ab7dec17d686c38f2c82ac23a17cac5622322a Mon Sep 17 00:00:00 2001
From: Alan Coopersmith
Date: Sat, 13 Apr 2013 00:16:14 -0700
Subject: [PATCH 3/5] buffer overflow in XvQueryPortAttributes() [CVE-2013-2066]
Each attribute returned in the reply includes the number of bytes to read for its marker. We had been always trusting it, and never validating that it wouldn't cause us to write past the end of the buffer we allocated based on the reported text_size.
Reported-by: Ilja Van Sprundel
Signed-off-by: Alan Coopersmith
---
 src/Xv.c | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)
diff --git a/src/Xv.c b/src/Xv.c
index 3cbad35..f9813eb 100644
--- a/src/Xv.c
+++ b/src/Xv.c
@@ -864,14 +864,20 @@ XvQueryPortAttributes(Display *dpy, XvPortID port, int *num)
 xvAttributeInfo Info;
 int i;
+ /* keep track of remaining room for text strings */
+ size = rep.text_size;
+
 for(i = 0; i < rep.num_attributes; i++) {
 _XRead(dpy, (char*)(&Info), sz_xvAttributeInfo);
 ret[i].flags = (int)Info.flags;
 ret[i].min_value = Info.min;
 ret[i].max_value = Info.max;
 ret[i].name = marker;
- _XRead(dpy, marker, Info.size);
- marker += Info.size;
+ if (Info.size <= size) {
+ _XRead(dpy, marker, Info.size);
+ marker += Info.size;
+ size -= Info.size;
+ }
 (*num)++;
 }
 } else
--
1.8.2.3
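Review bot: When `Info.size > size` the new guard skips `_XRead(dpy, marker, Info.size)` but nothing consumes those bytes, so the next iteration's `_XRead(dpy, (char*)(&Info), sz_xvAttributeInfo)` will parse leftover name data as an attribute header and the rest of the reply is read out of sync. The rejected entry is also still published: `ret[i].name = marker` is assigned before the check and `(*num)++` runs regardless, so the caller gets an attribute whose name points at whatever the buffer holds at that position. I would add an `else` branch that discards the remainder of the reply (for example with `_XEatData`) and leaves the loop without counting entry `i`, and move the `ret[i].name` assignment inside the guarded branch. The declarations of `size` and `rep`, and the allocation of the buffer, are outside this hunk, so it is worth confirming there that `Info.size <= size` is an unsigned comparison and that `size` cannot start out negative.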